[OpenID] OpenID 2.0, PAPE and directed identities

Martin Paljak martin at paljak.pri.ee
Sat Dec 8 10:44:36 PST 2007


Hi!

The Estonian OpenID scheme makes heavy use of the OpenID 2.0 directed  
identity feature, as one of the main selling points is the ability to  
'remain anonymous and only reveal the properties I want from my eID  
card' - something that is not possible with the standard eID  
authentication schemes and became possible with OpenID 2.0.

As a quick introduction, the Estonian OpenID service provides three  
types of URLs (all available via directed identity as well):

1. openid.ee/martin.paljak (or openid.ee/john.smith.49 if the name is  
common) - possibly the only one that people would like to type in  
somewhere
2. openid.ee/EE:38207162722 which is a uniform, cross-border  
identifier with a country sign and a country-specific personal ID  
code - useful because you can pre-create accounts for people who have  
not visited the site.
3. openid.ee/4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 which is a  
"pseudo-anonymous" or "opaque" per-site identifier. - used for  
'partial anonymity', something that consumers very often would like to  
use.

People would like to build sites where the only knowledge of the users  
is 'human being, male, above 21' and for that to be possible anonymous  
openids should be used.

One way of doing this would be a generic directed identity scheme and  
checking the URL on the RP side and suggesting "no, for my site logic  
to work please go and select the 'anonymous' openid instead" but this  
is apparently not useful from the anonymity point of view.

To overcome the problem and to create a button "log in anonymously  
with the openid.ee service" I abused PAPE and created a new  
authentication policy - http://openid.ee/2.0/anonymous - which, if  
asked for, makes the OP give out (or create on the fly) the  
anonymous OpenID only.

Why piggyback on PAPE? Because it is really easy to implement (libraries  
have PAPE support already) and the problem scope seems a bit similar  
to me.

What do you think - are such directed identity hints to the OP useful?  
Could/should PAPE be used to transfer this information? Is it worth  
standardization (to some extent. I believe the anonymous OpenID hint  
would be universal somewhat)?

m.

-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
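
The request and check described in the message above, as an added example that is not part of the original post or of the openid.ee code: an RP builds a directed-identity request carrying the anonymous policy hint, then confirms the OP honoured it. Assumptions: the OP endpoint and RP URLs are supplied by the caller, the opaque identifier pattern is inferred from the single example in the post, and the OpenID library has already verified the response signature.

```python
import re
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID_NS + "/identifier_select"  # directed identity
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
ANON_POLICY = "http://openid.ee/2.0/anonymous"  # policy URI named in the post
# Assumption: opaque identifiers look like the post's example (40 hex chars).
OPAQUE_ID = re.compile(r"^https?://openid\.ee/[0-9a-f]{40}$")


def build_anonymous_request(op_endpoint, return_to, realm):
    """checkid_setup URL: directed identity plus the anonymous policy hint."""
    return op_endpoint + "?" + urlencode({
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": ANON_POLICY,
    })


def check_anonymous_response(resp):
    """Check an id_res (signature already verified) honoured the hint.

    A preferred policy is only a request, so the RP has to confirm the OP
    reported it and that the reported fields are covered by the signature.
    """
    if resp.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    # The OP may pick its own alias for the PAPE namespace; resolve it.
    alias = next((k[len("openid.ns."):] for k, v in resp.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return False, "no PAPE data in response"
    signed = set(resp.get("openid.signed", "").split(","))
    needed = {"claimed_id", "ns." + alias, alias + ".auth_policies"}
    if not needed <= signed:
        return False, "claimed_id or PAPE fields are unsigned"
    policies = resp.get("openid." + alias + ".auth_policies", "").split()
    if ANON_POLICY not in policies:
        return False, "anonymous policy not applied"
    if not OPAQUE_ID.match(resp.get("openid.claimed_id", "")):
        return False, "claimed_id is not an opaque identifier"
    return True, "ok"
```
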



