yadis Digest, Vol 13, Issue 14

Drummond Reed drummond.reed at cordance.net
Thu May 25 17:33:00 UTC 2006


Josh is right -- this use case is popping up everywhere now. A few weeks ago
at the Internet Identity Workshop session on the SAML version of ISSO (the
i-name single sign-on protocol being specified at XDI.org), "anonymous
single sign-on" ended up being the main subject of discussion.

The basic principle is the same whether the identifiers used are URLs or
XRIs/i-names: if you want to log in anonymously on a site, rather than
logging in with your own URL or XRI/i-name, you log in with the URL or
XRI/i-name of an anonymizing authentication service offered by your identity
provider/i-broker.

That anonymizing identity service then generates a site-specific URL or XRI
that will identify you to that site. The end-user does not have to remember
or keep track of this site-specific URL or XRI because all the end-user
needs to remember is the URL or XRI/i-name of the anonymizing authentication
service.

I'm cc'ing Peter Davis at NeuStar who is authoring the SAML version of the
ISSO protocol (he should have it posted at XDI.org shortly -- we'll post a
link when it is) as he's looking at adding this anonymous single sign-on
option explicitly to the spec (although it may not be until v1.1).

=Drummond (http://xri.net/=drummond.reed)  

-----Original Message-----
From: yadis-bounces at lists.danga.com [mailto:yadis-bounces at lists.danga.com]
On Behalf Of Josh Hoyt
Sent: Thursday, May 25, 2006 8:08 AM
To: Chris Drake
Cc: yadis at lists.danga.com
Subject: Re: yadis Digest, Vol 13, Issue 14

On 5/25/06, Chris Drake <christopher at pobox.com> wrote:
> How is my privacy being protected if I have to give my ID to a relying
> party?  For example - I don't want the folks at "shame-your-boss.com"
> to know my ID in case they later see me at work in my sourceforge
> account - or do I have to create a collection of new Yadis IDs, one
> for each new web site I go to ?   Am I missing something here?

Use different identifiers in places where you do not want to be
identified as the same person. Identity providers can (and will) make
this easy, without requiring you to have more than one account.

It is possible for your IdP to issue one identifier per site that you
visit to get the convenience of single-sign-on without giving up any
privacy. A case that I expect to be even more common is to use
different identifiers in different communities, such as work and
family.

I hope that helps.

Josh
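
An added example, not part of the original thread and not taken from the Yadis or ISSO specifications: one way an identity provider could derive the site-specific identifiers discussed above, using HMAC-SHA256 over the account name and the relying party's host. The secret, the base URL `anon.idp.example`, the account name and all function names are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: a secret known only to the identity provider (constructed value).
IDP_SECRET = b"constructed-demo-secret-not-for-production"
# Assumption: hypothetical base URL of the anonymizing authentication service.
ANON_BASE = "https://anon.idp.example/id/"


def site_key(relying_party_url: str) -> str:
    """Reduce a relying-party URL to its host, so every page of one site
    (any path, either scheme, any letter case) maps to the same pseudonym."""
    parts = urlsplit(relying_party_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("relying party must be an http(s) URL with a host")
    return parts.hostname.lower().rstrip(".")


def site_specific_id(account: str, relying_party_url: str,
                     secret: bytes = IDP_SECRET) -> str:
    """Derive a stable per-site identifier URL for one account.
    Without the secret, a site cannot recompute or reverse the mapping."""
    fields = (account.encode(), site_key(relying_party_url).encode())
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return ANON_BASE + tag[:32]  # 128 bits of the MAC


def linkable(id_a: str, id_b: str) -> bool:
    """All that two colluding sites can do: compare the identifiers they hold."""
    return hmac.compare_digest(id_a, id_b)


if __name__ == "__main__":
    # Constructed account; the two sites are the ones named in the thread.
    boss = site_specific_id("alice", "https://shame-your-boss.com/login")
    forge = site_specific_id("alice", "https://sourceforge.net/projects/x")
    print(boss)
    print(forge)
    print("linkable across sites:", linkable(boss, forge))
```

The identifier is stable for a given site, so single sign-on keeps working there, while the identity provider itself can still map every pseudonym back to the account.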



