Nicolas Williams <[EMAIL PROTECTED]> writes:
> On Thu, May 25, 2006 at 08:20:46AM -0700, Eric Rescorla wrote:
>> Chris Drake <[EMAIL PROTECTED]> writes:
>> > How do you propose to protect my privacy in this scenario? I do not
>> > want the same credentials of mine revealed when I log in to
>> > "shame-your-boss.com" as when I log in to my sourceforge account, but
>> > I would like to avoid having to remember multitudes of different
>> > usernames and passwords for every web site I visit, as well as enjoy
>> > phishing defences...
>>
>> And you'd prefer to have your identity provider have a record
>> of every site you've visited?
>
> If you're your own IdP... Or if your ISP is your IdP... (your ISP
> already knows what sites you visit)

But neither of these cases is universal--and of course you can hide
your actions from your IdP using a number of techniques (Tor, for
instance). My point is merely that there are also privacy implications
to having your IdP involved in every transaction.

Moreover, it's not a necessary condition for providing minimal
information to the relying party. You could, for instance, have the
IdP issue separate credentials for a bunch of attributes (all tied to
the same underlying authentication credential) and have the user
control which ones are provided to the relying party.

-Ekr

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
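One way the per-attribute credentials suggested in the message above could work, as an added Go sketch that is not from the thread or from any DIX proposal: the IdP signs each attribute separately against the user's public key, and the relying party checks whichever subset the user presents without contacting the IdP. The names `AttrCred`, `NewKey`, `Issue` and `Verify`, the use of Ed25519, and the nonce-based proof of possession are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

type AttrCred struct {
	Name, Value string
	Sig         []byte // IdP signature over holder key, name and value
}

// NewKey makes an Ed25519 key pair (a nil reader selects crypto/rand).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// payload is what the IdP signs; length prefixes keep the fields unambiguous.
func payload(holder ed25519.PublicKey, name, value string) []byte {
	return []byte(fmt.Sprintf("%x|%d:%s|%d:%s", holder, len(name), name, len(value), value))
}

// Issue runs at the IdP, once per attribute, before any site is visited.
func Issue(idp ed25519.PrivateKey, holder ed25519.PublicKey, name, value string) AttrCred {
	return AttrCred{name, value, ed25519.Sign(idp, payload(holder, name, value))}
}

// Verify runs at the relying party: holder must sign the site's nonce, IdP must have signed each credential.
func Verify(idpPub, holder ed25519.PublicKey, creds []AttrCred, nonce, proof []byte) bool {
	if len(holder) != ed25519.PublicKeySize || !ed25519.Verify(holder, nonce, proof) {
		return false
	}
	for _, c := range creds {
		if !ed25519.Verify(idpPub, payload(holder, c.Name, c.Value), c.Sig) {
			return false
		}
	}
	return true
}

func main() {
	idpPub, idpPriv := NewKey()
	userPub, userPriv := NewKey()
	nonce := []byte("constructed-nonce-from-site") // constructed sample challenge
	fmt.Println(Verify(idpPub, userPub, []AttrCred{Issue(idpPriv, userPub, "over18", "true")}, nonce, ed25519.Sign(userPriv, nonce)))
}
```

Because every presentation in this sketch carries the same holder key, two relying parties that compare notes can link the user by it, while the IdP sees none of the presentations.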
