Requiring Pseudonymous Identifier
John Bradley
jbradley at mac.com
Thu May 14 03:00:02 UTC 2009
I think encoding attributes into identifiers has proved to be a bad
idea in the past.
Attributes like group membership belong in AX, not in the identifier.
I suspect the idea is to have a pseudonymous identifier that discloses
nothing about the person using it other than the fact that they can
assert the same ID each time they return to prevent correlation.
This was one of Kim Cameron's laws of identity regarding minimal
disclosure.
InfoCard takes this approach with personal cards using a PPID +
public key that allows a totally pseudonymous identity to be asserted.
I think Google is on the right track using AX to assert identity
information like email but keeping the OpenID itself non-correlatable.
It also leaves open a path for users moving between OPs if the
important part of the assertion is not the URL itself.
I think users should have the option to use both correlatable and
non-correlatable identities as appropriate, and wish more OPs supported it.
John Bradley
On 13-May-09, at 12:07 PM, specs-request at openid.net wrote:
> Date: Tue, 12 May 2009 23:13:01 -0700
> From: Luke Shepard <lshepard at facebook.com>
> Subject: Re: Requiring Pseudonymous Identifier
> To: Martin Atkins <mart at degeneration.co.uk>, OpenID Specs Mailing List
> <specs at openid.net>
> Message-ID: <C62FB2FD.BCEB%lshepard at facebook.com>
>
> Agreed. If all you want is a group, then I'd think that the response
> would just not include an identifier.
>
> You could use an extension, perhaps AX, to request information about
> the group a user belongs to.
>
> For example, if you wanted to understand company membership, you
> could request and return only http://axschema.org/company/name.
>
> On 5/12/09 11:08 PM, "Martin Atkins" <mart at degeneration.co.uk> wrote:
>
> Chris Messina wrote:
>>
>> So, imagine I use directed identity in a school application... when
>> I sign in to the OP, it will return something like schoolname.edu/student
>> as the identifier.
>>
>
> Overloading our existing concept of an identifier to support
> identifying a group worries me. Most consumers expect an identifier
> to be for a person and are designed around this principle.
>
> I think if groups are useful their design should be different such
> that consumers are able to distinguish between a user and a group.
>
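The thread above argues for an identifier that is stable for one relying party yet uncorrelatable across relying parties, with attributes such as group or company membership carried separately (via AX) rather than baked into the identifier. The following is an added illustration of that design, not code from the original thread, from OpenID, or from InfoCard: a constructed pairwise-identifier scheme in which the OP keys an HMAC with its own secret over the RP realm and its local user id. The secret, the OP base URL, the user ids, and the function names are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
from typing import Dict

# Constructed OP-side secret for the example; a real OP would hold this in a key store.
OP_PAIRWISE_SECRET = b"example-op-secret-not-for-production"
OP_BASE_URL = "https://op.example"  # assumed OP base URL


def normalize_realm(realm: str) -> str:
    """Collapse trivial realm variations (case, trailing slash) so one RP
    always derives the same identifier."""
    return realm.strip().lower().rstrip("/")


def pairwise_identifier(op_secret: bytes, local_user_id: str, rp_realm: str) -> str:
    """Derive a pseudonymous identifier that is stable for one (user, RP) pair
    but differs across RPs, so two RPs cannot correlate the same user by ID.

    Constructed scheme: HMAC-SHA256 keyed with the OP secret over a
    length-prefixed encoding of realm and user id (the prefixes stop
    ambiguous concatenations such as "ab"+"c" vs "a"+"bc")."""
    realm = normalize_realm(rp_realm).encode("utf-8")
    user = local_user_id.encode("utf-8")
    msg = len(realm).to_bytes(2, "big") + realm + len(user).to_bytes(2, "big") + user
    digest = hmac.new(op_secret, msg, hashlib.sha256).digest()
    # URL-safe, unpadded so the value can sit in a path segment.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_assertion(op_secret: bytes, op_base_url: str, local_user_id: str,
                    rp_realm: str, attributes: Dict[str, str]) -> Dict[str, object]:
    """Assemble a minimal assertion: an opaque identifier under the OP's URL,
    with attributes (e.g. company or group) carried alongside it, as AX does,
    rather than encoded into the identifier itself."""
    ppid = pairwise_identifier(op_secret, local_user_id, rp_realm)
    return {
        "claimed_id": f"{op_base_url.rstrip('/')}/id/{ppid}",
        "attributes": dict(attributes),
    }


def ids_correlate(assertion_a: Dict[str, object], assertion_b: Dict[str, object]) -> bool:
    """What an RP (or two colluding RPs) can learn from the identifiers alone."""
    return assertion_a["claimed_id"] == assertion_b["claimed_id"]


if __name__ == "__main__":
    # Constructed sample: one user signing in at two different RPs.
    user = "alice@op.example"
    attrs = {"http://axschema.org/company/name": "Example School"}
    a1 = build_assertion(OP_PAIRWISE_SECRET, OP_BASE_URL, user, "https://rp-one.example/", attrs)
    a2 = build_assertion(OP_PAIRWISE_SECRET, OP_BASE_URL, user, "https://RP-ONE.example", attrs)
    b = build_assertion(OP_PAIRWISE_SECRET, OP_BASE_URL, user, "https://rp-two.example", attrs)
    print("same RP, stable id:", ids_correlate(a1, a2))
    print("different RPs, linkable by id:", ids_correlate(a1, b))
    print("assertion for rp-one:", a1)
```

The identifier carries nothing about the user except continuity at one RP; the company attribute travels in the separate attribute map, which is what lets the RP request only what it needs and lets the user move to another OP without the URL itself being the important part of the assertion.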