Identifier portability: the fundamental issue

Dick Hardt dick at sxip.com
Sun Oct 15 02:22:38 UTC 2006


On 14-Oct-06, at 7:28 AM, Chris Drake wrote:
> JH> Where is power being granted to the RP? It has pretty much none.
> JH> It *does* have responsibility, but only as much as is necessary to
> JH> make the protocol work.
>
> If RPs are allowed to build up linked portfolios of everyone's
> identifiers, they can get together with other RPs (or sniff IDs in
> google) to snoop on and conspire against our users behind their backs.
> If the true spirit of OpenID is to empower users, it's seriously
> neglectful to block users from protecting their own privacy.

NOTE: There are instances when the user will WANT the RPs to know  
they are the same user across sites. Right now my reputation on a  
site is locked into that site. No other site can know that I have  
done things on other sites, so that I can go to a new site and take  
my reputation with me.

Real world example: when I give a talk, I use the same identifier so  
that people know it is me. I use the same email on different mailing  
lists so people know it is the same person.


>
>>> Can we not adopt my earlier suggestion: just ensure OpenID can  
>>> permit
>>> IdP-initiated logins.  This permits every scenario of portability  
>>> (and
>>> privacy) that everyone wants, without us having to continue to  
>>> debate
>>> it ?
>
> JH> Huh? How is IdP-initiated login related to privacy or portability?
>
> It is ** NONE OF THE RPs BUSINESS ** how the OpenID that got presented
> to it was originally selected by, or resolved for, our Users.  Letting
> the IdP initiate a login allows the IdP to PRIVATELY negotiate with
> the user over which identity to present (which for anyone who cares
> about privacy, will usually be a per-site identity not linked to their
> main OpenID or vanity domain or what have you).

I completely agree. This was the major issue Sxip had with OpenID  
1.x. The user had to identify themselves with no assistance from  
their IdP, and hence no support for directed identity.

> The beauty of this suggestion is that we don't even need to debate it:
> so long as IdP initiated logins are supported, market forces will then
> decide whether or not privacy and security become widespread in
> OpenID.

As we are building and testing software, it is interesting to see what  
the common cases turn out to be. More later. :-)
>
> I notice the current spec:
> http://openid.net/specs/openid-authentication-2_0-10.html
> does not even *mention* privacy? (besides the allusion in the
> abstract: "It does this without the Relying Party needing access to
> password, email address, or other sensitive information." - but
> somehow nobody's understanding that the user's OpenID *itself* is
> "sensitive information", especially in the way google will in future
> let anyone troll back through our users' online "tracks" using this
> ID...)
>
> Also missing are
>
> 16.  Security Considerations
>
> and
>
> 16.1.  Preventing Attacks
>
> Perhaps someone should add a section on privacy, and someone should
> take a crack at the security aspects!  Who is in charge of writing
> this stuff?  I've submitted 102 (one hundred and two!!!) security
> considerations in the posts I've made to this list so far:  Shouldn't
> someone be documenting this?

Yes, these things do need to be addressed. It would be great to get  
additional seasoned security gurus to review and comment.

-- Dick
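As an added illustration of the per-site versus portable identity trade-off discussed in this exchange (this is not code from the thread or from the OpenID spec), the sketch below shows how an IdP might derive a pairwise identifier per RP realm for directed identity, while letting the user opt a chosen realm into their public identifier so reputation can travel with them. The IdP secret, hostname, realms and user names are constructed values.

```python
import hashlib
import hmac

# Constructed values for the example: an IdP's long-term pairwise secret and its hostname.
IDP_SECRET = b"constructed-idp-pairwise-secret"
IDP_HOST = "idp.example"


def normalize_realm(realm: str) -> str:
    """Canonicalize the RP realm so trivial spelling differences don't yield new identities."""
    realm = realm.strip().lower()
    return realm[:-1] if realm.endswith("/") else realm


def pairwise_identifier(local_user: str, rp_realm: str) -> str:
    """Per-site identity: stable for one (user, realm) pair, but different at every realm.
    HMAC under the IdP secret means an RP cannot recompute it for other users or realms,
    so two RPs comparing their identifier lists cannot link the same person."""
    msg = f"{local_user}\x00{normalize_realm(rp_realm)}".encode()
    tag = hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"https://{IDP_HOST}/u/{tag}"


def public_identifier(local_user: str) -> str:
    """Portable identity: the same URL everywhere, so reputation travels with the user."""
    return f"https://{IDP_HOST}/{local_user}"


def choose_identifier(local_user: str, rp_realm: str, public_at: set) -> str:
    """What the IdP presents on an IdP-initiated login: the user's public identifier only
    at realms they have explicitly opted into, a per-site identifier everywhere else."""
    if normalize_realm(rp_realm) in {normalize_realm(r) for r in public_at}:
        return public_identifier(local_user)
    return pairwise_identifier(local_user, rp_realm)


def rps_can_link(id_at_rp_a: str, id_at_rp_b: str) -> bool:
    """Two colluding RPs can only match a user by comparing the identifiers they saw."""
    return id_at_rp_a == id_at_rp_b


if __name__ == "__main__":
    forum, shop = "https://forum.example/", "https://shop.example/"
    print(choose_identifier("alice", forum, set()))    # per-site identity at the forum
    print(choose_identifier("alice", shop, set()))     # a different per-site identity
    print(choose_identifier("alice", forum, {forum}))  # https://idp.example/alice
```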


