
RE: IETF 65 BOF Announcement: Digital Identity Exchange (DIX)

2006-02-12 18:40:56
All the schemes are taking privacy pretty seriously. One of the starting
points here though is the observation that much of the privacy sensitive
personal data being collected at Web sites is not actually the data that
is really wanted in the first place. Advertising-driven web sites want
to know your demographic profile; they ask you for zip code and date of
birth because they are proxies for that. In the process they obtain a
75% unique identifier.


If you are willing to use a custom client and a shared domain name you
can create a cypherpunks grade privacy solution pretty effectively with
all the Identity 2.0 schemes. 

The key part is that each identifier binds to exactly one person but
each person can have multiple identifiers.

So you could have a client that automatically binds new identities on
the fly each time you go to a different Web site. The Shibboleth people
did something of this sort on top of SAML.




-----Original Message-----
From: smb(_at_)cs(_dot_)columbia(_dot_)edu [mailto:smb(_at_)cs(_dot_)columbia(_dot_)edu]
Sent: Sunday, February 12, 2006 7:16 PM
To: Hallam-Baker, Phillip
Cc: Richard Shockey; John Merrells; Ted Hardie; Hollenbeck, Scott; Lisa Dusseault; ietf(_at_)ietf(_dot_)org
Subject: Re: IETF 65 BOF Announcement: Digital Identity Exchange (DIX)

In message <198A730C2044DE4A96749D13E167AD3792A388(_at_)MOU1WNEXMB04(_dot_)vcorp(_dot_)ad(_dot_)vrsn(_dot_)com>, "Hallam-Baker, Phillip" writes:

I am sure that the security area gurus will insist that the resulting
protocols will be proof against man in the middle attack and do not
result in passwords being exchanged en clair.


Actually, my bigger concern is privacy.  I like to decouple 
the identity I use on different web sites....

              --Steven M. Bellovin, http://www.cs.columbia.edu/~smb





_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
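
The idea raised in the reply above (one person, a different identifier at each Web site) can be sketched as follows. This is an added example, not code from the thread or from any of the schemes it mentions; the HMAC derivation, the class and function names, and the `.example` sites are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Set
from urllib.parse import urlsplit


def site_scope(url: str) -> str:
    """Reduce a URL to the host that an identifier is bound to."""
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.rstrip(".")


class PairwiseIdentityClient:
    """Hypothetical client: one master secret per person, one identifier per site."""

    def __init__(self, master_secret: Optional[bytes] = None):
        # Assumption: the secret never leaves the client.
        self._secret = master_secret or secrets.token_bytes(32)

    def identifier_for(self, url: str) -> str:
        # Same site -> same identifier (stable account); different site ->
        # unrelated value, so the identifier itself cannot be joined across sites.
        scope = site_scope(url).encode("utf-8")
        mac = hmac.new(self._secret, b"pairwise-id-v1\x00" + scope, hashlib.sha256)
        return mac.hexdigest()[:32]


def correlate(site_a_ids: Iterable[str], site_b_ids: Iterable[str]) -> Set[str]:
    """What two sites learn by comparing the identifiers each has collected."""
    return set(site_a_ids) & set(site_b_ids)


if __name__ == "__main__":
    # Constructed sample data: two users, two sites under the reserved .example TLD.
    users = [PairwiseIdentityClient(), PairwiseIdentityClient()]
    news = [u.identifier_for("https://news.example/login") for u in users]
    shop = [u.identifier_for("https://shop.example/cart") for u in users]
    print("identifiers common to both sites:", correlate(news, shop))
```

The separation covers only the identifier: attributes a site collects alongside it, such as the zip code and date of birth mentioned in the message, can still be used to link accounts.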
