[OpenID] OpenID 2.0, PAPE and directed identities
Martin Paljak
martin at paljak.pri.ee
Sat Dec 8 10:44:36 PST 2007
Hi!
The Estonian OpenID scheme makes heavy use of OpenID 2.0 directed
identity feature as one of the main selling points is the ability to
'remain anonymous and only reveal the properties I want from my eID
card' - something that is not possible with the standard eID
authentication schemes and became possible with OpenID 2.0.
As a quick introduction, the Estonian OpenID service provides three
types of URLs (all available via directed identity as well):
1. openid.ee/martin.paljak (or openid.ee/john.smith.49 if the name is
common) - possibly the only one that people would like to type in
somewhere
2. openid.ee/EE:38207162722 which is a uniform, cross-border
identifier with a country sign and a country specific personal ID
code. - useful because you can pre-create accounts for people who have
not visited the site.
3. openid.ee/4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 which is a
"pseudo-anonymous" or "opaque" per-site identifier. - used for
'partial anonymity', something that consumers very often would like to
use.
People would like to build sites where the only knowledge of the users
is 'human being, male, above 21' and for that to be possible anonymous
openids should be used.
One way of doing this would be generic directed identity scheme and
checking the URL on the RP side and suggesting "no, for my site logic
to work please go and select the 'anonymous' openid instead" but this
is apparently not useful from the anonymity point of view.
To overcome the problem and to create a button "log in anonymously
with the openid.ee service" I abused PAPE and created a new
authentication policy - http://openid.ee/2.0/anonymous - which, if
asked for, makes the OP to give out (or create on the fly) the
anonymous OpenID only.
Why piggy pack PAPE? Because it is really easy to implement (libraries
have PAPE support already) and the problem scope seems a bit similar
to me.
What do you think - are such directed identity hints to the OP useful?
Could/should PAPE be used to transfer this information? Is it worth
standardization (to some extent. I believe the anonymous OpenID hint
would be universal somewhat)?
m.
--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
More information about the general
mailing list