Kim Cameron introduces a nice diagram into his series exploring linkability & correlation in different identity systems.
Kim categorizes correlation as either 'IP sees all', 'RP/RP collusion', or 'RP/IP collusion', depending on which two entities can 'talk' about the user.
A meaningful distinction for RP/RP collusion that Kim omits (at least in the diagram and in his discussion of X.509) is 'temporal self-correlation', i.e. that in which the same RP is able to correlate the same user's visits occurring over time.
Were an IDP to use transient (as opposed to persistent pseudonymous) identifiers within a SAML assertion each time it asserted to a RP, then not only would RP's be unable to collude with each other (based on that identifier), they'd be unable to collude with themselves (the past or future themselves).
I was working on a diagram comparable to Kim's, but got lost in the additional axis for representing time (e.g. 'what the provider knows and when they learned it' when considering collusion potential).
Separately, Kim will surely acknowledge at some point (or already has) that these identity systems, with their varying degrees of inhibiting correlation & subsequent collusion, will all be deployed in an environment that, by default, does not support the same degree of obfuscation. Not to say that designing identity systems to inhibit correlation isn't important & valuable for privacy, just that there is little point in deploying such a system without addressing the other vulnerabilities (like a masked bank robber writing his 'hand over the money' note on a monogrammed pad).
Post a Comment