<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I dont think this fits either PAPE or AX.<br>
<br>
I cant see how the privacy characteristics of an identifier are part of
'authentication policy'. How the user authenticates to the OP is
(mostly) orthogonal to the nature of the identifier the OP asserts.<br>
<br>
Nor does it fit the AX description of attribute as "a unit of personal
identity information".<br>
<br>
regards<br>
<br>
paul<br>
<br>
Andrew Arnott wrote:
<blockquote
cite="mid:216e54900905131726p36f43a3bt25d4539a41f410b5@mail.gmail.com"
type="cite">This scenario doesn't fit what I've always felt AX was
for. I don't expect a fetch request to change anything about the
underlying openid transport other than prompting the user for
information disclosure at the OP. <br>
<br>
PAPE fits better in my mind. But again, if PAPE is the only way to get
a psuedo-anonymous identifier, then unsolicited assertions can't get it
right. But if we allow PAPE requests to ask for one, and for it to
also be discoverable via the RP return_to service in its XRDS, then
both unsolicited assertion and RP-behind-firewall scenarios work.<br
clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - S. G. Tallentyre<br>
<br>
<br>
<div class="gmail_quote">On Wed, May 13, 2009 at 4:58 PM, David
Recordon <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:david@sixapart.com">david@sixapart.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Does
it make more sense to use a PAPE policy requesting a pseudonymous
identifier or an AX attribute requesting one? Any of these approaches
would work, I just don't think we've mapped out the pros/cons of each.<br>
<font color="#888888">
<br>
--David</font>
<div>
<div class="h5"><br>
<br>
On May 13, 2009, at 8:44 AM, George Fletcher wrote:<br>
<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I don't think OpenID should specify how pseudonymous identifiers are
generated. That should be up to the OP. But I like the idea of using a
fixed URI as the claimed_id value to specify the behavior desired by
the RP. If, however, we need to grow this to cover anonymous based
identifiers (i.e. the claims based models from earlier in this thread)
then it might make sense to look at a PAPE extension that covers the
type of identifier requested.<br>
<br>
Thanks,<br>
George<br>
<br>
Nat Sakimura wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Sorry for a slow response. This week is especially busy for me...<br>
<br>
I borrowed the notion from Austrian Citizen ID system.<br>
In there, the services are divided into "sectors."<br>
A sector may span several agencies.<br>
They call ID as PIN (Personal Identification Number).<br>
<br>
There is a secret PIN (sPIN) which is not used anywhere but in their
SmartCard.<br>
Then, sector sepcific PIN (ssPIN) is calculated in the manner of :<br>
<br>
SHA1(sPIN + SectorID)<br>
<br>
(Note, there is a bit more details but...)<br>
<br>
I have thrown OP secret into it.<br>
To avoid the analytic attack, I agree that it is better to use<br>
individual secret, as some of you<br>
points out.<br>
<br>
Regards,<br>
<br>
=nat<br>
<br>
On Tue, May 12, 2009 at 5:55 PM, Dick Hardt <<a
moz-do-not-send="true" href="mailto:dick.hardt@gmail.com"
target="_blank">dick.hardt@gmail.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On 12-May-09, at 1:36 AM, Nat Sakimura wrote:<br>
<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Reason for using RP's Subject in XRD instead of simply using realm is<br>
to allow for something like group identifier.<br>
<br>
</blockquote>
would you elaborate on the group identifier concept?<br>
<br>
<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
This is just one idea. Downside of this approach<br>
is that we need to set up a WG.<br>
<br>
I am sure there are more ideas. It might be possible to utilize AX<br>
so that it will only be a profile that does not require a WG.<br>
<br>
So shall we start discussing which direction we want to go forward?<br>
<br>
</blockquote>
sure!<br>
<br>
<br>
</blockquote>
<br>
<br>
<br>
<br>
</blockquote>
_______________________________________________<br>
specs mailing list<br>
<a moz-do-not-send="true" href="mailto:specs@openid.net"
target="_blank">specs@openid.net</a><br>
<a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/specs" target="_blank">http://openid.net/mailman/listinfo/specs</a><br>
</blockquote>
<br>
_______________________________________________<br>
specs mailing list<br>
<a moz-do-not-send="true" href="mailto:specs@openid.net"
target="_blank">specs@openid.net</a><br>
<a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/specs" target="_blank">http://openid.net/mailman/listinfo/specs</a><br>
</div>
</div>
</blockquote>
</div>
<br>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
specs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:specs@openid.net">specs@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</a>
</pre>
</blockquote>
</body>
</html>