Monday, June 25, 2007

Clash of the Titans

Generally, whenever heavyweights like Kim and Conor go at it, I cower in a corner and wait for the storm to blow over before coming out and picking from the debris like some Welsh coastal farmer.

Well the 'storm' turned out to be more of a squall. And so to the looting.

Kim writes
So, returning to the axes for linkability that we set up in Evolving Technology for Better Privacy, we see that from an identity point of view, the identity provider “sees all” - without the requirement for any collusion. Knowing each other’s identity, the relying party and the identity provider can, in the absence of appropriate policy and suitable auditing, exchange any information they want, either through the redirection channel, or through a “back channel” that dispenses with the user and her browser altogether.

Some thoughts

  1. 'sees all' is presumably in quotes because, as Irving had earlier pointed out (and as Kim acknowledged), the IDP doesn't see 'all'.
  2. an IDP 'merely' seeing the RPs which a user is visiting is not a case of collusion. Collusion requires inappropriate cooperation, i.e. two or more entities have to be 'in cahoots'. All else being equal, for the IDP to have this knowledge (where the user goes) when it doesn't need it can be undesirable from a privacy point of view, but it's not collusion, it's leakage (and of course, all else isn't equal, as Conor pointed out).
  3. if the RP and the IDP are 'exchanging any information they want' without considering the privacy policies of the user, then the two of them are in cahoots, and colluding against that user. Both RP and IDP have 'turned'. The bar for two providers to go bad and collude against their users/customers is of course higher than for a single provider. How they find each other is one challenge. Do they advertise in the classifieds?
    SP seeks IDP partner for malicious & casual collusion. I enjoy curling up with a good book, stealing identity and walks on the beach. I'm trying to learn to play the guitar, defraud the government, and snowboard Double Diamond runs. No kinkiness.
  4. 'dispenses with the user and her browser altogether', in the sense of enabling identity flow without the user's active mediation, is of course necessary if you want to support use cases in which the user is 'offline' (as will be the case for many social-sharing use cases). How will active mediation systems like Cardspace support such use cases? Just pile up the requests for identity until such time as the user comes online?


Kim Cameron said...

I think your "is not a case of collusion" and my "without the requirement for any collusion" are pretty much the same thing, "eh?"...

And so on and so on

Paul Madsen said...

Kim, indeed eh, but your very next sentence describes IDP/RP collusion. Perhaps I inappropriately correlated the two sentences? :-)