[Openid-specs-ab] Further rationale for ephemeral identifier
Nat Sakimura
nat at sakimura.org
Mon Jun 9 22:47:51 UTC 2025
Dear AB/C WG
I am writing to elaborate on the rationale for writing the ephemeral
identifier spec.
There are multiple reasons for this:
As Ralph points out, it is already used in some ecosystems. Standardising
it would therefore reduce existing variations.
Additionally, it is a condition needed to prove OIDC/SIOP to fulfil the
Unlinkability Level (UL) 3A+. This Unlinkability Level is defined in
ISO/IEC 27551 Information security, cybersecurity and privacy protection —
Requirements for attribute-based unlinkable entity authentication. It
defines seven different kinds of "unlinkability" and it also defines
Unlinkability Levels (UL) as satisfying some kind of unlinkability would
automatically satisfy other types of unlinkability.
According to ISO/IEC 27551, to attain unlinkability level N attribute-based
entity authentication, the protocol: a) shall be correct; b) shall be
unforgeable; c) shall satisfy the assurance level on attributes that is
required by the RP; and d) shall satisfy the unlinkability properties at
level N.
The correctness, unforgeability and unlinkability are also defined in the
document. I will not go into the details (as it would take pages) of the
definition, but generically, a protocol itself is said to be unlinkable if
its executions cannot be linked, given explicit settings for the adversary
and target entity role, where "linked" means that the adversary can make a
correct guess with a probability significantly better than one half.
In ISO/IEC 27551 Appendix C.2, there is a mathematical proof that the
presented implementation of OpenID Connect belongs to the class UL 3A+ and
this "implementation" requires an ephemeral identifier.
I hope this provides further clarity.
Best regards,
Nat Sakimura
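The following is an added illustration of the "correct guess with probability significantly better than one half" definition quoted in the message; it is not part of Nat's e-mail, the ephemeral identifier draft, or ISO/IEC 27551. It simulates the two-execution guessing game: an adversary sees the identifiers from two protocol runs and must guess whether they belong to the same entity. A static subject identifier is compared with a hypothetical per-execution random identifier (the scheme, function names and the adversary's equality-test strategy are assumptions made for the simulation, not the draft's construction).

```python
import random
import secrets

# Constructed entity names for the simulation.
TARGET = "alice"
OTHER = "bob"


def static_identifier(entity: str, execution: int) -> str:
    """Same identifier in every execution (e.g. a fixed 'sub' value)."""
    return "sub-" + entity


def ephemeral_identifier(entity: str, execution: int) -> str:
    """Hypothetical scheme: a fresh random value per execution, independent of the entity."""
    return secrets.token_hex(16)


def adversary_guess(id_a: str, id_b: str) -> bool:
    """Adversary strategy (assumed): claim 'same entity' iff the two identifiers match."""
    return id_a == id_b


def linkability_game(identifier_fn, trials: int = 2000, seed: int = 1) -> float:
    """Run the guessing game `trials` times and return the adversary's success rate.

    Each trial: a coin decides whether the second execution is by the same
    entity as the first; the adversary sees only the two identifiers.
    """
    rng = random.Random(seed)
    correct = 0
    for execution in range(trials):
        same = rng.random() < 0.5
        second = TARGET if same else OTHER
        id_a = identifier_fn(TARGET, 2 * execution)
        id_b = identifier_fn(second, 2 * execution + 1)
        if adversary_guess(id_a, id_b) == same:
            correct += 1
    return correct / trials


def advantage(success_rate: float) -> float:
    """Distance from pure guessing: |2 * Pr[correct] - 1|; 0 means no better than a coin flip."""
    return abs(2 * success_rate - 1)


if __name__ == "__main__":
    for name, fn in (("static", static_identifier), ("ephemeral", ephemeral_identifier)):
        rate = linkability_game(fn)
        print(f"{name:10s} success={rate:.3f} advantage={advantage(rate):.3f}")
```

With the static identifier the adversary links the two executions every time (advantage 1); with the per-execution random identifier the equality test carries no information, so the success rate stays at roughly one half. The simulation only covers the adversary's view of the identifier itself; in a real deployment other transcript fields (keys, timing, network addresses) would also have to be considered before claiming a given unlinkability level.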