{"id":812,"date":"2007-06-20T16:06:28","date_gmt":"2007-06-21T00:06:28","guid":{"rendered":"\/?p=812"},"modified":"2007-06-20T16:12:25","modified_gmt":"2007-06-21T00:12:25","slug":"what-does-the-identity-provider-know","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=812","title":{"rendered":"What does the identity provider know?"},"content":{"rendered":"<p>I appreciate the correction by <a href=\"http:\/\/www.controlledflight.ca\/2007\/06\/20\/the-ip-knows\/\">Irving Reid<\/a> in a posting called <a href=\"http:\/\/www.controlledflight.ca\/2007\/06\/20\/the-ip-knows\/\">What did the identity provider know?<\/a><\/p>\n<p style=\"margin-left: 30px\">\u2026And when did it know it?<\/p>\n<p style=\"margin-left: 30px\">Kim Cameron <a href=\"\/?p=811\">sums up the reasons<\/a> why we need to understand the technical possibilities for how digital identity information can affect privacy; in short, we can\u2019t make good policy if we don\u2019t know how this stuff actually works.<\/p>\n<p style=\"margin-left: 30px\">But I want to call out one assertion he (and he\u2019s not the only one) makes:<\/p>\n<p style=\"margin-left: 60px\">First, part of what becomes evident is that with browser-based technologies like Liberty, WS-Federation and OpenID, NO collusion is actually necessary for the identity provider to \u201csee everything\u201d.<\/p>\n<p style=\"margin-left: 30px\">The identity provider most certainly does not \u201csee everything\u201d. The IP sees which RPs you initiate sessions with and, depending on configuration, has some indication of how long those sessions last. Granted, that is *a lot* of information, but it\u2019s far from \u201ceverything\u201d. 
The IP must collude with the RPs to get any information about what you did at the RP during the session.<\/p>\n<p>Completely right. I&#39;ll try to make this clearer as I go on. Without collusion, the IP doesn&#39;t know how the user actually behaved while at the RP. I was too focussed on the &#8220;identity channel&#8221;, thinking about the fact that the IP knows times, what RPs were visited, and what claims were released for each particular user to each RP.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Irving Reid says the identity provider sees *a lot* of information, but it\u2019s far from \u201ceverything\u201d. <\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,17,10,38,11],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/812"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=812"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/812\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=812"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=812"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=812"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}"
,"templated":true}]}}