Re: [Auth]Re: What I percieve is wrong with IDsec (was IDsec specification draft)

[David Sugar]

What Hans said was what my comment was going to be, which, essentially, 
in the IDsec model, you can always be your own profile provider, and one 
hopes one can trust oneself :).  In that respect, it is not a 
fundimental weekness, nor is it at all bad that one can establish 
organizations or commercial entities that also act as profile providers; 
you can use them if you want or use yourself.  There is also choice, 
since anyone is free to be or act as a profile provider for others, 
rather than an exclusive club or only one such entity.

That being said, there are issues worth looking at in IDsec, and it, 
among other potential solutions, are of course still evolving.  We 
should look at the strengths and weekenesses of each.  One question to 
consider in IDsec is knowledge leaking, or what information is leaked or 
reveled even if one does run one's own profile provider.  If I learn 
that person "X" from IP "Y" is always person "X", is that nessisary bad? 
Is this something that can be learned thru other means anyway?  The 
question I wish to consider in more detail is not so much what a given 
session reveals but what correlative data might be revealed that would 
allow content provider site "A" to learn that person "X" is the same as 
a given person identified thru IDsec at  content provider "B", and if 
IDsec enables this to happen even if no correlative data is enabled to 
be shared in the profile.  Certainly if you share credit cards, for 
example, with both providers, this correlation can be done, but what if 
I use IDsec only for the purpose of signon with both?  Does IDsec as a 
session protocol reveal something that allows such correlations to occur?

Hans Zandbelt wrote:

> Hi John,
>
> Thanks for your comments! I have added some clarifications below.
>
> > In this information exchange architecture, the Content Provider "needs"
> > to know the URI of the agency where I store my data to conduct a
> > transaction? That meta-data (who my content provider is) is my private
> > business! Unless I want to tell the content provider where my data is, I
> > should not have to, but the IDsec transaction architecture forces me
>
> Right. But one has to make a decision here: either transfer your profile
> with your request or pass a URI where it can be fetched. We chose for
> the latter because it enables users to delegate the task of profile
> provisioning which we think is an advantage. However it also
> incorporates the first: you can still be your own profile provider.
>
> And yes, you tell the Content Provider where your data is, but in the
> case of running your own profile provider, this boils down to your own
> IP address, which he knows anyway because you visit his site...
>
> > too! Additionally, the Profile Provider knows who I am interacting with
> > by virtue of the IP address of the requestor. My profile provider should
> > not know whether I'm accessing the Wall Street Journal anymore than he
> > should know I'm accessing a pay-per-view porn camsite. That information
> > is my private business regardless of who I am, or what I am accessing.
> > Once my Content Provider knows who my Profile Provider is, they can
>
> Right. You have to trust your Profile Provider; if you don't, you have to
> be your own Profile Provider. A scenario in which a Profile Provider
> merely acts as a remote storage provider (by means of encrypted profiles)
> is too clumsy in my opinion. In that case the Storage Provider does not
> give you added value because you would have to do the tasks of
> profile provisioning yourself (which by the way is covered in the
> be-your-own-profile-provider scenario); if you don't want to do it
> yourself you get the problem of distributing keys to Content Providers
> to decrypt profile (parts). This would require secure connections
> between End-Users and Content Providers which is something that we
> didn't want to enforce.
>
> > IDsec *requires* that I trust my profile provider, now and in the future
> > and for all time. I shouldn't have to. IDsec requires me to. IDsec may
>
> Yes, that's true but necessary in my opinion. Again:
> if you don't trust anyone to be your Profile Provider, the
> solution is to be your own Profile Provider (and still use IDsec :-)).
>
> > let me distribute only the personal data I choose, but (and this is a
> > sticky but) IDsec gives me no control over what metadata I distribute.
>
> I don't think that this metadata is sensitive or that it is much:
> in fact it's only a URI. I really think that security should not consist
> of hiding a URI: it won't work anyway in the long run, the solution is to
> protect *access* to the URI.
>
> > Hans, I'm still working on the schema extraction of the Mozilla wallet.
> > Still interested?
>
> Yes, I just chose some (fairly random) attributes for standardization
> myself.
> But I really need a more exhaustive, real-world set.
>
> Thanks again,
>
> Hans.
>
>
> _______________________________________________
> Auth mailing list
> address@hidden
> http://subscribe.dotgnu.org/mailman/listinfo/auth