OpenID, YADIS and Directed Identity
mgraves at verisign.com
Sun Feb 12 19:34:19 UTC 2006
Josh Hoyt <josh <at> janrain.com> writes:
> On 2/12/06, Martin Atkins <mart <at> degeneration.co.uk> wrote:
> > So I enter my identity URL as mart.whatever.com and my identity server
> > tells the relying party "The remote user is 8769387639.whatever.com".
> > What have I gained here? They know I originally entered
> > mart.whatever.com, so they can tell that the two correlate.
> If you just specify your server rather than specifying your URL, and
> lots of other people use it, then it would provide some anonymity.
> IIRC, the URL-based SXIP works this way.
Martin, my answer would closely match with Josh's. You're absolutely right,
that in the (conceivable) case that you wanted to run your own IDP on your
ThinkPad, it wouldn't help very much to create aliases, as you would be easily
correlated by colluding parties -- you're the only one at the host address you
gave. Even if you can proliferate domain/server names, you can be tracked by IP
in many cases.
So this doesn't help foil correlation when you start contemplating identity
servers that have just a small number of people using them. But for a server
with a good number of users -- in the thousands say -- it becomes too complex
for would-be correlators to make efficient inferences about which IDs can be
normalized around which individuals.
Josh is right. What I've suggested is a recapitulation of the Sxip interaction
sequence. It provides a "hook" for "IDs on the fly" that may both prove useful
in themselves, but will also provide "architectural cover" from the security
and privacy vultures that inevitably begin to circle as this framework emerges.
In other words, it's primarily utility may not lie in how often the average
user uses this function, but simply in the fact that the average user *can* use
Directed identity is a double edged sword, as a conversation I had with Dick
Hardt about this a couple weeks ago revealed: making your personae *anonymous*
in the "non-correlatable" sense certainly does protect your privacy, but it
also necessarily elminates any social capital you hope to invest in your IDs.
How so? If I deploy a persona with an "opaque" URL -- e.g. "37430.idsrus.com",
in one way might say it's anonymous, in that it can be configured to reveal no
other personal information about me. I can use that ID on any number of sites,
and as long as I don't reveal any extra information to relying parties that
compromises my privacy, I'm protected from the threats of correlation, or most
of them anyway. In other words, 44 websites might get together and share notes,
and see that yes, this same ID -- "37430.idsrus.com" -- was used at each of our
sites, but beyond the IP addresses we may have been able to passively collect,
that ID yielded nothing else with which to correlate. Perhaps we can compare
the text of the comments and posts made and glean some thing from that, but
nothing "structured" can be correlated.
The *benefit* of this is, that I, as 343992.idrus.com can collect and benefit
from social capital I accumulate from this ID. By virtue of my good behavior
across these 44 sites, I might garner a high level of "karma" -- to use the
Slashdot term. So, noobody knows who's behind the ID, but 343992.idrus.com can
benefit and use any social capital derived from its use.
Now. If I'm using directed identities -- a different, non-matchable ID for each
site -- any available social capital is squandered. Since none of the 44 sites
can know that *I* am the unifying person behind them all, I can't accrue any
benefit that comes from the sites comparing notes and affirming (generally)
that I'm not a spammer, can be trusted to edit Wikis responsibly, can moderate
discussions, or whatever.
So in many scenarios, directed identities will be largely overkill, and a
hindrance to many of the user's goals rather than an enabler.
I realize that's a bit off topic here, but as long as we're winding on the
directed identity meme, I thought I'd throw that out to think about.
Dick Hardt rejects the "shared" anonymous ID -- where I use 343992.idrus.com in
many different places but simply refuse to reveal any other identifying
information -- as an anonymous construct. And technically, he would be correct.
I'm all for precise language, doncha know, so I'm happy to find an agreeable
term that denotes this practice that won't be confused with a truly anonymous
persona. A truly anonymous persona, apparently, cannot be reused or shared
between relying parties.
Whatever you want to call it -- "pseudo-anonymous"?, "opaque ID"? -- this
shared-but-non-revealing ID strategy is quite useful - it's a pattern I use
right now with OpenID.
Apologies for the run down the rabbit hole...
More information about the yadis