I appreciate the correction by Irving Reid in a posting called What did the identity provider know?
…And when did it know it?
Kim Cameron sums up the reasons why we need to understand the technical possibilities for how digital identity information can affect privacy; in short, we can’t make good policy if we don’t know how this stuff actually works.
But I want to call out one assertion he (and he’s not the only one) makes:
First, part of what becomes evident is that with browser-based technologies like Liberty, WS-Federation and OpenID, NO collusion is actually necessary for the identity provider to “see everythingâ€.
The identity provider most certainly does not “see everythingâ€. The IP sees which RPs you initiate sessions with and, depending on configuration, has some indication of how long those sessions last. Granted, that is *a lot* of information, but it’s far from “everythingâ€. The IP must collude with the RPs to get any information about what you did at the RP during the session.
Completely right. I'll try to make this clearer as I go on. Without collusion, the IP doesn't know how the user actually behaved while at the RP. I was too focussed on the “identity channel”, thinking about the fact that the IP knows times, what RPs were visited, and what claims were released for each particular user to each RP.
Disclosure: SAML's RelayState mechanism, if used inappropriately, could give the IDP even more information, i.e. the various resources the user was visiting at an RP when authentication was first required
Fortuately, the RP controls what goes in.and so controls the exposure
Paul