OpenID, YADIS and Directed Identity
Michael Graves
mgraves at verisign.com
Sun Feb 12 19:34:19 UTC 2006
Josh Hoyt <josh <at> janrain.com> writes:
>
> On 2/12/06, Martin Atkins <mart <at> degeneration.co.uk> wrote:
> > So I enter my identity URL as mart.whatever.com and my identity server
> > tells the relying party "The remote user is 8769387639.whatever.com".
> > What have I gained here? They know I originally entered
> > mart.whatever.com, so they can tell that the two correlate.
>
> If you just specify your server rather than specifying your URL, and
> lots of other people use it, then it would provide some anonymity.
> IIRC, the URL-based SXIP works this way.
>
> Josh
>
>
Martin, my answer would closely match with Josh's. You're absolutely right
that in the (conceivable) case that you wanted to run your own IDP on your
ThinkPad, it wouldn't help very much to create aliases, as you would be easily
correlated by colluding parties -- you're the only one at the host address you
gave. Even if you can proliferate domain/server names, you can be tracked by IP
in many cases.
So this doesn't help foil correlation when you start contemplating identity
servers that have just a small number of people using them. But for a server
with a good number of users -- in the thousands say -- it becomes too complex
for would-be correlators to make efficient inferences about which IDs can be
normalized around which individuals.
Josh is right. What I've suggested is a recapitulation of the Sxip interaction
sequence. It provides a "hook" for "IDs on the fly" that may both prove useful
in themselves, but will also provide "architectural cover" from the security
and privacy vultures that inevitably begin to circle as this framework emerges.
In other words, its primary utility may not lie in how often the average
user uses this function, but simply in the fact that the average user *can* use
it.
Directed identity is a double-edged sword, as a conversation I had with Dick
Hardt about this a couple weeks ago revealed: making your personae *anonymous*
in the "non-correlatable" sense certainly does protect your privacy, but it
also necessarily eliminates any social capital you hope to invest in your IDs.
How so? If I deploy a persona with an "opaque" URL -- e.g. "37430.idsrus.com" --
in one way one might say it's anonymous, in that it can be configured to reveal no
other personal information about me. I can use that ID on any number of sites,
and as long as I don't reveal any extra information to relying parties that
compromises my privacy, I'm protected from the threats of correlation, or most
of them anyway. In other words, 44 websites might get together and share notes,
and see that yes, this same ID -- "37430.idsrus.com" -- was used at each of our
sites, but beyond the IP addresses we may have been able to passively collect,
that ID yielded nothing else with which to correlate. Perhaps we can compare
the text of the comments and posts made and glean something from that, but
nothing "structured" can be correlated.
The *benefit* of this is that I, as 343992.idrus.com, can collect and benefit
from social capital I accumulate from this ID. By virtue of my good behavior
across these 44 sites, I might garner a high level of "karma" -- to use the
Slashdot term. So, nobody knows who's behind the ID, but 343992.idrus.com can
benefit and use any social capital derived from its use.
Now. If I'm using directed identities -- a different, non-matchable ID for each
site -- any available social capital is squandered. Since none of the 44 sites
can know that *I* am the unifying person behind them all, I can't accrue any
benefit that comes from the sites comparing notes and affirming (generally)
that I'm not a spammer, can be trusted to edit Wikis responsibly, can moderate
discussions, or whatever.
So in many scenarios, directed identities will be largely overkill, and a
hindrance to many of the user's goals rather than an enabler.
I realize that's a bit off topic here, but as long as we're winding on the
directed identity meme, I thought I'd throw that out to think about.
Dick Hardt rejects the "shared" anonymous ID -- where I use 343992.idrus.com in
many different places but simply refuse to reveal any other identifying
information -- as an anonymous construct. And technically, he would be correct.
I'm all for precise language, doncha know, so I'm happy to find an agreeable
term that denotes this practice that won't be confused with a truly anonymous
persona. A truly anonymous persona, apparently, cannot be reused or shared
between relying parties.
Whatever you want to call it -- "pseudo-anonymous"?, "opaque ID"? -- this
shared-but-non-revealing ID strategy is quite useful - it's a pattern I use
right now with OpenID.
Apologies for the run down the rabbit hole...
-Mike
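The trade-off Mike describes above, as an added example that is not part of the original post and not the mechanism of OpenID, YADIS or Sxip: a shared opaque identifier ("37430.idsrus.com" style) is unlinkable to a person but linkable across sites, while a directed identifier is different at every relying party, so colluding sites can neither link it nor pool the reputation behind it. The per-site derivation here (an HMAC of the relying party's name under a per-user secret held by the identity provider) is one way an IdP could implement directed identity, chosen for illustration; the domains, the secret and the relying-party list are constructed. It covers only identifier linkage, not the IP-address correlation the post also warns about.

```python
"""Added example: shared opaque identifier vs. directed (per-relying-party)
identifier, and what colluding relying parties can learn from each.
Domains, secrets and relying-party names are constructed for illustration."""
import hashlib
import hmac
from collections import defaultdict

IDP_DOMAIN = "idsrus.example"          # hypothetical identity-provider host
USER_SECRET = b"per-user secret held only by the IdP (constructed)"
RELYING_PARTIES = ["wiki.example", "forum.example", "blog.example"]  # constructed


def shared_opaque_id(user_number: int) -> str:
    """One reusable identifier that reveals nothing about the person but is
    the same everywhere (the '37430.idsrus.com' pattern from the post)."""
    return f"{user_number}.{IDP_DOMAIN}"


def directed_id(user_secret: bytes, relying_party: str) -> str:
    """A different identifier for each relying party. The HMAC is keyed with a
    secret only the IdP holds, so two relying parties cannot tell that their
    values belong to one person, yet one relying party sees the same value
    on every visit (assumed derivation, not any spec's)."""
    tag = hmac.new(user_secret, relying_party.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{tag}.{IDP_DOMAIN}"


def idp_recognises(user_secret: bytes, relying_party: str, identifier: str) -> bool:
    """The IdP can re-derive the directed identifier for a given relying party,
    so it can still assert 'same user as last time' to that one site."""
    return hmac.compare_digest(directed_id(user_secret, relying_party), identifier)


def visit_all(directed: bool) -> dict[str, str]:
    """What each relying party records after one login: site -> identifier."""
    return {
        rp: directed_id(USER_SECRET, rp) if directed else shared_opaque_id(37430)
        for rp in RELYING_PARTIES
    }


def correlate(site_records: dict[str, str]) -> dict[str, set[str]]:
    """Colluding sites compare notes: identifiers seen at more than one site."""
    seen: dict[str, set[str]] = defaultdict(set)
    for site, identifier in site_records.items():
        seen[identifier].add(site)
    return {i: s for i, s in seen.items() if len(s) > 1}


def pooled_karma(site_records: dict[str, str], points_per_site: int = 10) -> dict[str, int]:
    """Reputation the sites could pool per identifier. With directed
    identifiers it stays fragmented: one small pile per site."""
    karma: dict[str, int] = defaultdict(int)
    for identifier in site_records.values():
        karma[identifier] += points_per_site
    return dict(karma)


if __name__ == "__main__":
    for mode in (False, True):
        records = visit_all(directed=mode)
        print("directed" if mode else "shared", "->",
              "linkable:", correlate(records),
              "karma:", pooled_karma(records))
```

Running it shows the shared identifier linked across all three constructed sites with the karma pooled under it, and the directed identifiers producing no cross-site link at all, with the same points split three ways. The `idp_recognises` check is the part that keeps directed identity usable: the IdP, not the relying party, is the one that can still tie a returning directed identifier to the account behind it.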