yadis Digest, Vol 13, Issue 14

Chris Drake christopher at pobox.com
Thu May 25 19:51:44 UTC 2006 

Hi Drummond,

I'm just thinking out loud here relating to anonymous IDs (sorry if
I'm just re-stating the obvious):-

The relying party needs to know how to "get to" (or verify assertions
from) the identity provider (IdP).  To protect a users privacy:-

A) the relying party directs the user elsewhere to authenticate (some
   kind of trusted authentication proxy) - from the users point of
   view - they would merely click on the "inames" logo on enabled web
   sites to begin their login process - no typing anything in there.

   + really easy for users - one click.
   - trusted proxy knows everywhere the user goes.
   
B) the user tells the relying party who their IdP is - so the user
   enters 2idi.com in the box (not their username) and clicks the
   inames logo to commence the login stuff.

   ~ not so easy for users to understand
   - relying party at least knows the IdP - a privacy problem for
     small IdP's
   - IdP knows everywhere the user goes.
   
C) the relying party tells the user what *their* iSSO URL is, the user
   carries this off to their IdP, logs in, and gets directed back to
   the replying parties URL.  (implementationwise - the user need only
   do this once - if their IdP "saves" their relying-party URL, a nice
   post-signon interface could be presented, eg: "where do you want to
   go today", listing all the places the user might want to log into.

   ~ initially tricky for users to grasp
   + really easy - one click - future signins
   - IdP knows everywhere the user goes.
   - "shoulder surfers" and hackers "getting in" to users account at
     IdP knows everywhere the user goes.
   
D) relying party issues a one-time token (nonce?), user carries *this*
   off to their IdP, uses it to obtain a signed credential, carries
   this back to the relying party, and logs in with it.
   
   - extra tricky for users
   + IdP has no idea where the user's going
   - relying party probably again knows the users IdP
   
Users already must trust their IdP (a rouge IdP is perfectly placed to
impersonate it's users) - so - I don't think it's too much to ask that
users also trust an IdPs policy of NOT recording where the user uses
their credentials.

I hope this helps someone, somewhere - good luck!

Kind Regards,
Chris Drake


Friday, May 26, 2006, 3:33:00 AM, you wrote:

DR> Josh is right -- this use case is popping up everywhere now. A few weeks ago
DR> at the Internet Identity Workshop session on the SAML version of ISSO (the
DR> i-name single sign-on protocol being specified at XDI.org), "anonymous
DR> single sign-on" ended out being the main subject of discussion.

DR> The basic principle is the same whether the identifiers used are URLs or
DR> XRIs/i-names: if you want to login anonymously on a site, rather than
DR> logging in with your own URL or XRI/i-name, you login with the URL or
DR> XRI/i-name of an anonymizing authentication service offered by your identity
DR> provider/i-broker.

DR> That anonymizing identity service then generates a site-specific URL or XRI
DR> that will identify you to that site. The end-user does not have to remember
DR> or keep track of this site-specific URL or XRI because all the end-user
DR> needs to remember is the URL or XRI/i-name of the anonymizing authentication
DR> service.

DR> I'm cc'ing Peter Davis at NeuStar who is authoring the SAML version of the
DR> ISSO protocol (he should have it posted at XDI.org shortly -- we'll post a
DR> link when it is) as he's looking at adding this anonymous single sign-on
DR> option explicitly to the spec (although it may not be until v1.1).

DR> =Drummond (http://xri.net/=drummond.reed)  

DR> -----Original Message-----
DR> From: yadis-bounces at lists.danga.com
DR> [mailto:yadis-bounces at lists.danga.com]
DR> On Behalf Of Josh Hoyt
DR> Sent: Thursday, May 25, 2006 8:08 AM
DR> To: Chris Drake
DR> Cc: yadis at lists.danga.com
DR> Subject: Re: yadis Digest, Vol 13, Issue 14

DR> On 5/25/06, Chris Drake <christopher at pobox.com> wrote:
>> How is my privacy being protected if I have to give my ID to a relying
>> party?  For example - I don't want the folks at "shame-your-boss.com"
>> to know my ID in case they later see me at work in my sourceforge
>> account - or do I have to create a collection of new Yadis IDs, one
>> for each new web site I go to ?   Am I missing something here?

DR> Use different identifiers in places where you do not want to be
DR> identified as the same person. Identity providers can (and will) make
DR> this easy, without requiring you to have more than one account.

DR> It is possible for your IdP to issue one identifier per site that you
DR> visit to get the convenience of single-sign-on without giving up any
DR> privacy. A case that I expect to be even more common is to use
DR> different identifiers in different communities, such as work and
DR> family.

DR> I hope that helps.

DR> Josh

More information about the yadis mailing list