<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">That works, but may not be ideal for managing sessions. <div class=""><br class=""></div><div class="">It is probably better to define a transient identifier type that is limited to the session length so that it can be used in backchannel single logout.</div><div class=""><br class=""></div><div class="">The string "anonymous" is fine if you are never going to do step-up or logout and if the RP understands it is a special value. </div><div class=""><br class=""></div><div class="">At the moment most RPs would just log everyone into the same account for a "sub" of anonymous. </div><div class="">That may not be ideal, as it requires the RP to do something special.</div><div class=""><br class=""></div><div class="">Having a transient sub should work with all existing RPs without them having to do anything special.</div><div class="">At some point they will figure out that they have a bunch of dead accounts that they need to clean out though.</div><div class="">If they recognized the transient identifier type then they could be a bit more proactive about what they let those accounts do and about cleaning them up.</div><div class=""><br class=""></div><div class="">John B.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Mar 15, 2015, at 2:03 PM, Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net" class="">torsten@lodderstedt.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" class="">
<div bgcolor="#FFFFFF" text="#000000" class="">
Hi Eve, Nat,<br class="">
<br class="">
thanks for your advice. <br class="">
<br class="">
Our current implementation uses a constant "identifier" with a value
of "anonymous".<br class="">
<br class="">
kind regards,<br class="">
Torsten.<br class="">
<br class="">
<div class="moz-cite-prefix">On 11.03.2015 at 14:06, Nat Sakimura wrote:<br class="">
</div>
<blockquote cite="mid:CABzCy2DyT0TaKx=7CQUTW5aKFTPD4x6m1iGY4mN4=9npgENrwQ@mail.gmail.com" type="cite" class="">
<div dir="ltr" class="">
<div class="">Hi Torsten, </div>
<div class=""><br class="">
</div>
<div class="">Not sure how it went but, like I said before, an ephemeral identifier is perfectly legal in OpenID Connect.</div>
<br class="">
<div class="">It is just the matter of asking for it, and I suggested
using ACR for it. </div>
<div class=""><br class="">
</div>
<div class="">The resulting sub/user_id is going to be a one-time-only, anonymous identifier. </div>
<div class="">That's how an attribute based credential should be created
using OpenID Connect. </div>
<div class=""><br class="">
</div>
<div class="">Perhaps we should write a mini-spec / I-D so that we can
register the value "anonymous" in the registry. </div>
<div class=""><br class="">
</div>
<div class="">Nat</div>
</div>
<br class="">
<div class="gmail_quote">On Wed, Mar 11, 2015 at 9:57 PM Eve Maler
<<a moz-do-not-send="true" href="mailto:eve@xmlgrrl.com" class="">eve@xmlgrrl.com</a>>
wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word" class="">
<div class="">Hi Torsten-- N.B.: I don't think I have posting
privileges on this list; not sure if the moderator let my
previous note through, or if you'll see it simply because
I'm sending it directly to you as well...</div>
<div class=""><br class="">
</div>
<div class="">As long as the identifier coming from the IdP is
"directed" (in OpenID-speak), meaning it makes a different
federated identifier for each RP so that multiple RPs
can't collude to identify the user on the basis of the IDs
they've been given, then that's one issue taken care of.
The next issue is whether the identifier itself reveals
anything about the user. It's possible to create "directed
identities" that are revealing -- e.g., <a moz-do-not-send="true" href="mailto:bob+rp1@gmail.com" target="_blank" class="">bob+rp1@gmail.com</a>, <a moz-do-not-send="true" href="mailto:bob+rp2@gmail.com" target="_blank" class="">bob+rp2@gmail.com</a>... But the usual
intent with federated identifiers is to make them
non-revealing, e.g. "randomstring6234sdfd345" for RP1,
etc. Making them explicitly transient as well as
pseudonymous also limits the temporal scope of their
usefulness, which helps avoid the trap of internal
correlation at the RP or collusion with others over time
as the pseudonym ages. In SAML, the assumption is that the
temporal scope limitation is session-length, to at least
allow for things like single logout while protecting
against cross-session correlation.</div>
<div class=""><br class="">
</div>
<div class="">FWIW,</div>
<div class=""><br class="">
</div>
<div class=""><span style="white-space:pre-wrap" class=""> </span>Eve</div>
</div>
<div style="word-wrap:break-word" class=""><br class="">
<div class="">
<div class="">On 1 Dec 2012, at 7:26 AM, Torsten Lodderstedt <<a moz-do-not-send="true" href="mailto:torsten@lodderstedt.net" target="_blank" class="">torsten@lodderstedt.net</a>>
wrote:</div>
<br class="">
<blockquote type="cite" class="">Hi Eve,<br class="">
<br class="">
thanks for pointing this out. At first glance it seems
to be feasible, although I honestly don't know whether
such an identifier would conflict with the OIDC
semantics. <br class="">
<br class="">
To give you more context: I'm looking for a way to
"just" assert a boolean claim to the RP. The use case
I'm currently investigating is age verification. The RP
wants the OP to attest whether the user is above 18.
There is no session between RP and OP, and the OP will
typically not disclose any further data. I would prefer
to realize this without the need to make up an
identifier just to fulfill the protocol requirements.<br class="">
<br class="">
regards,<br class="">
Torsten.<br class="">
<br class="">
<div class="gmail_quote"><br class="">
<br class="">
Eve Maler <<a moz-do-not-send="true" href="mailto:eve@xmlgrrl.com" target="_blank" class="">eve@xmlgrrl.com</a>>
wrote:
<blockquote class="gmail_quote" style="margin:0pt 0pt
0pt 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<pre style="white-space:pre-wrap;word-wrap:break-word;font-family:sans-serif;margin-top:0px" class="">This sounds just like the justification for SAML's transient pseudonyms -- good only for the current session, handy for cases where the RP needs some sort of unique "handle" for internal user/session management, and useful for session timeouts or single logout a bit later on.
Eve
On 30 Nov 2012, at 8:19 AM, Torsten Lodderstedt <<a moz-do-not-send="true" href="mailto:torsten@lodderstedt.net" target="_blank" class="">torsten@lodderstedt.net</a>> wrote:
<blockquote class="gmail_quote" style="margin:0pt 0pt 1ex 0.8ex;border-left:1px solid #729fcf;padding-left:1ex">We don't want the RP to track the user. So we would need to issue a different user_id for every request. But I don't think this fits into the Connect philosophy.
regards,
Torsten.
On 30.11.2012 17:11, Justin Richer wrote:
<blockquote class="gmail_quote" style="margin:0pt 0pt 1ex 0.8ex;border-left:1px solid #ad7fa8;padding-left:1ex">Would
using pairwise identifiers make this work?
-- Justin
On 11/30/2012 11:09 AM, Torsten Lodderstedt wrote:
<blockquote class="gmail_quote" style="margin:0pt 0pt 1ex 0.8ex;border-left:1px solid #8ae234;padding-left:1ex">Hi,
in some cases we want to provide RPs with attributes but no user_id, which is similar to AX. How can this be realized in Connect? The scope value "openid" activates the OpenID mode at the AS but it also requests access to the user_id Claim. If we do not want to disclose a user_id, does this mean we need to define a new, distinct scope for our use case, e.g. "attribute_x"?
regards,
Torsten.
<hr class="">
Openid-specs-ab mailing list
<a moz-do-not-send="true" href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" class="">Openid-specs-ab@lists.openid.net</a>
<a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></blockquote>
</blockquote></blockquote>
Eve Maler <a moz-do-not-send="true" href="http://www.xmlgrrl.com/blog" target="_blank" class="">http://www.xmlgrrl.com/blog</a>
+1 425 345 6756 <a moz-do-not-send="true" href="http://www.twitter.com/xmlgrrl" target="_blank" class="">http://www.twitter.com/xmlgrrl</a>
</pre>
</blockquote>
</div>
</blockquote>
</div>
<br class="">
<div class="">
<span style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; font-size: inherit;" class=""><span style="font-family:Courier" class=""><br class="">
Eve Maler <a moz-do-not-send="true" href="http://www.xmlgrrl.com/blog" target="_blank" class="">http://www.xmlgrrl.com/blog</a><br class="">
+1 425 345 6756 <a moz-do-not-send="true" href="http://www.twitter.com/xmlgrrl" target="_blank" class="">http://www.twitter.com/xmlgrrl</a><br class="">
<br class="">
</span></span>
</div>
<br class="">
</div>
</blockquote>
</div>
</blockquote>
<br class="">
</div>
</div></blockquote></div><br class=""></div></body></html>