discussed in part one<\/a>. <\/p>\nBen argues that CardSpace breaks this Fourth Law. In this he is wrong. I suspect he is confusing CardSpace, which is just a way of selecting between identity providers, and the identity providers themselves. Let's get that really straight.<\/p>\n
CardSpace is one component of the Identity Metasystem – by which I mean a distributed mesh of parties asserting and depending upon identity. CardSpace informs the user about the identity providers that can satisfy a given relying party request, and provides a mechanism to tell the user what information must be released to the relying party in order to gain admission to the site. But the identity selector does not itself make assertions or sign them cryptographically, or do anything that introduces linkability or traceability<\/em>. If linkability is introduced, it is because of the choice of the identity provider people use with the the system, and of the cryptographic systems they employ. <\/p>\nPrivacy characteristics of the self-asserted Identity Provider<\/strong> <\/p>\nWhile CardSpace is an identity selector, we have built it to include<\/em> a self-asserted identity provider as a way to bootstrap the system. So what are the privacy characteristics of this provider?<\/p>\n\n- It emits no identifiers<\/strong> that allow the identity of the user on one system to be linked to the identity of the user on any other. <\/li>\n
- A different signing key<\/strong> is used at each site visited so keys and signatures cannot be correlated.<\/li>\n
- Relying parties cannot collude<\/strong> with this identity provider because it is run by the user. <\/li>\n<\/ul>\n
So the Identity Provider that ships with CardSpace does not break the Fourth Law either<\/em>.<\/p>\nManaged Card Providers<\/strong> <\/p>\nNow let's talk about managed card providers, and think about other systems such as Liberty or Shibboleth or OpenID or SAML or WS-Federation in browser mode. <\/p>\n
These systems always <\/strong>identify the relying party to the identity provider. They do so because they need to tell the identity provider how to redirect the client's browser back to the relying party. So they are what I call panoptical by design<\/strong>. There is zero collusion required for the identity provider to know what is being asserted where – that knowledge is designed right into the system.<\/p>\nCardSpace breaks with this paradigm, and I hope Ben comes to recognize this. <\/p>\n
To support use cases where we do NOT want linkability, CardSpace hides the identity of the relying party<\/strong> from the identity provider. If we had built it without this feature, it too would have been “panoptical by design”. But we didn't do that. We built it to conform with the Fourth Law. In other words, CardSpace does not provide unnecessary handles to facilitate linkability.<\/p>\nHow does CardSpace hide the identity of the relying party? It associates some random information – unknown to the identity provider – with each Information Card. Then it hashes this random information (let's call it a “salt”) with the identity of the site being visited. That is conveyed to the identity provider instead of<\/strong> the identity of the site. We call it the “Client Pseudonym”. Unlike a Liberty Alliance client pseudomym, the identity provider doesn't know what relying party a client pseudonym is associated with. <\/p>\nThe identity provider can use this value to determine that the user is returning to some site she has visited before, but has no idea which site that would be. Two users going to the same site would have cards containing different random information. Meanwhile, the Relying Party does not see the client pseudonym and has no way of calculating what client pseudonym is associated with a given user. <\/p>\n
The question now becomes that of how identity providers behave. Given that suddenly they have no visibility onto the relying party, is linkability still possible? I'll discuss this next.<\/p>\n","protected":false},"excerpt":{"rendered":"
Ben Laurie confuses CardSpace, which is a way of selecting between identity providers, and the characteristics of the identity providers themselves.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[16,8,7,3,11],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/780"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=780"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/780\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}