ER> Chris Drake <[EMAIL PROTECTED]> writes:
>>>>>>> "Eric" == Eric Rescorla <ekr at networkresonance.com> writes:
>>
>> >> I don't believe that my requirements would require that the
>> >> relying party talk to the identity provider.
>>
>> How do you propose to protect my privacy in this scenario? I do not
>> want the same credentials of mine revealed when I log in to
>> "shame-your-boss.com" as when I log in to my sourceforge account, but
>> I would like to avoid having to remember multitudes of different
>> usernames and passwords for every web site I visit, as well as enjoy
>> phishing defences...
ER> And you'd prefer to have your identity provider have a record
ER> of every site you've visited? Which would you prefer?

Neither is ideal - the best solution would in fact *be* neither, but if I'm *forced* to let either the site who I chose to trust with my identity and privacy know where I go, or, let everywhere I go know who I am - I'll reluctantly choose the former. If my ID provider publishes a privacy policy telling me that they don't keep records of these things - then I might even be happy with my decision. No amount of relying party privacy policies will make me happy though - it's difficult to trust one site with my identity, impossible to trust them all.

I forget offhand how double-blind emailing and mixmaster stuff works, but I think the concept of enabling dix and at the same time preventing either the relying party or the IdP from knowing too much is just a cryptographic solution? (Except for the problem of HTTP REFERRER it's just a simple asymmetric-key-protected transaction.)

Additionally - I can't, off the top of my head, think how to get my long-term credential into the relying party's web site without using HTTP redirects (introducing the referrer problem), extra installed software components (which corporate/internet-cafe users won't have permission to install), or users copy/pasting things into input boxes (tricky, unsafe, no phishing protection).

> Nicolas Williams Wrote:
> If you're your own IdP... Or if your ISP is your IdP... (your ISP
> already knows what sites you visit)

I don't think Joe User's going to be able to be their own IdP or use their ISP for it - too many of them surf both from home and work, and if they can't get their email when they're on holidays, dix has failed.

Kind Regards,
Chris Drake

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
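As an added illustration (not from the dix list or any dix implementation) of the first requirement raised above, that one long-lived credential can yield a different identifier for every relying party that the sites cannot correlate: the pseudonym is HMAC(master secret, RP origin), and the IdP binds it to the RP's origin so an assertion issued for one site is refused at another. It does not address the second concern, since the IdP still learns the origin of every RP it issues an assertion for. The function names, the single master-secret model and the HMAC tag standing in for a public-key signature are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample values (not from the dix list): one secret the IdP holds
# for this user, and an IdP signing key. A deployment would sign assertions
# with a public key; an HMAC tag stands in here to keep the example offline.
USER_MASTER_SECRET = bytes.fromhex("00" * 31 + "01")
IDP_SIGNING_KEY = b"example-idp-signing-key"


@dataclass(frozen=True)
class Assertion:
    rp_origin: str     # audience: the site this assertion was issued for
    pairwise_id: str   # pseudonym this relying party sees for the user
    tag: str           # MAC over (rp_origin, pairwise_id)


def pairwise_identifier(master_secret: bytes, rp_origin: str) -> str:
    """Derive a per-site pseudonym. Deterministic, so a site sees the same
    user on every login; but without the secret, HMAC-SHA256 outputs for two
    origins are unrelated, so two sites cannot link their pseudonyms."""
    return hmac.new(master_secret, rp_origin.lower().encode(), hashlib.sha256).hexdigest()


def _assertion_tag(signing_key: bytes, rp_origin: str, pairwise_id: str) -> str:
    return hmac.new(signing_key, f"{rp_origin}|{pairwise_id}".encode(), hashlib.sha256).hexdigest()


def issue_assertion(signing_key: bytes, master_secret: bytes, rp_origin: str) -> Assertion:
    """IdP side. The IdP necessarily learns rp_origin here, which is exactly
    the record of visited sites the message above is uneasy about."""
    pid = pairwise_identifier(master_secret, rp_origin)
    return Assertion(rp_origin, pid, _assertion_tag(signing_key, rp_origin, pid))


def verify_assertion(signing_key: bytes, my_origin: str, a: Assertion) -> bool:
    """RP side: check the audience first, so an assertion captured at one site
    is refused at another, then check the tag in constant time."""
    if a.rp_origin != my_origin:
        return False
    return hmac.compare_digest(_assertion_tag(signing_key, a.rp_origin, a.pairwise_id), a.tag)
```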
