Tuesday, June 19, 2007

A fellow traveller

Kim (a fellow traveller of mine, don't you know) Cameron disagrees:

The one statement Paul makes that I don’t agree with is this:

Were an IDP to use transient (as opposed to persistent pseudonymous) identifiers within a SAML assertion each time it asserted to a RP, then not only would RPs be unable to collude with each other (based on that identifier), they’d be unable to collude with themselves (the past or future themselves).

I’ve been through this thinking myself.

Suppose we got rid of the user identifier completely, and just kept the assertion ID that identifies a given SAML token (must be unique across time and space - totally transient). If the relying party received such a token and colluded with the identity provider, the assertionID could be used to tie the profile at the relying party to the person who authenticated and got the token in the first place. So it doesn’t really prevent linking once you try to handle the problem of collusion.

Yes, but then we are no longer talking about 'RP/RP' collusion, in which (by my definition at least), the IDP stays pure and it is only the RPs that cross to the Dark Side. Bringing in the IDP changes everything (as Kim acknowledges by creating the separate 'RP/IP' correlation category).

Irving joins in (and he must be agreeing with me or I wouldn't link to him) to point out a Shib use-case. I was going to (smugly) point out how Sun used SAML/Liberty for enabling employee access to BIPAC as another example but, on digging a bit, it seems that they aren't using transient identifiers. I guess BIPAC wanted to provide employees continuity of service, e.g. no repeated questions like 'Are you now or have you ever been a member of the Communist Party?'
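The three correlation cases argued over above (an RP with its past self, RP with RP, and RP with IDP), as an added example that is not part of the original post. It models only the two identifiers a relying party sees in an assertion; `ToyIDP`, the RP names and the user name are constructed for illustration, and the HMAC-derived pairwise pseudonym is one assumed way of producing a persistent identifier.

```python
import hashlib
import hmac
import secrets
import uuid

class ToyIDP:
    """Hypothetical IDP that models only the identifiers in a SAML assertion."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # secret used to derive pairwise pseudonyms
        self.issued = {}                     # assertion ID -> real user (the IDP's own record)

    def assert_user(self, user, rp, mode):
        if mode == "persistent":
            # Persistent pseudonym: stable for one (user, RP) pair, different at every RP.
            name_id = hmac.new(self._key, f"{user}|{rp}".encode(),
                               hashlib.sha256).hexdigest()[:16]
        else:
            # Transient: a fresh random value for every assertion.
            name_id = secrets.token_hex(8)
        assertion_id = "_" + uuid.uuid4().hex  # unique per token, as in Kim's scenario
        self.issued[assertion_id] = user
        return {"ID": assertion_id, "NameID": name_id, "Audience": rp}

def linkable(a, b):
    """What RPs can do without the IDP: compare the identifiers they received."""
    return a["NameID"] == b["NameID"] or a["ID"] == b["ID"]

def rp_idp_link(idp, assertion):
    """RP/IDP collusion: the IDP resolves an assertion ID it issued to the user."""
    return idp.issued.get(assertion["ID"])

def demo():
    idp = ToyIDP()
    results = {}
    for mode in ("persistent", "transient"):
        a1 = idp.assert_user("alice", "rp-a.example", mode)  # constructed sample values
        a2 = idp.assert_user("alice", "rp-a.example", mode)
        b1 = idp.assert_user("alice", "rp-b.example", mode)
        results[mode] = {
            "same_rp_over_time": linkable(a1, a2),
            "rp_to_rp": linkable(a1, b1),
            "rp_with_idp": rp_idp_link(idp, a1) == rp_idp_link(idp, b1) == "alice",
        }
    return results

if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

Only the last row is unaffected by the choice of identifier: once the IDP joins in, the assertion ID alone is enough to link.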

1 comment:

Kim Cameron said...

Correct - I had jumped beyond RP/RP collusion - and agree that this is especially problematic. It would be interesting to hear more about the other use case you were going to describe. I don't know enough about it to fully understand what sounds like an interesting set of considerations.

I like the idea of running into my identity buddies as we traipse around the world doing our work. The dopplr thing is cool and I kind of like the way they handle the privacy aspects - as far as I understand them.