Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
can the IdP be hidden, or irrelevant? (20070620)
Eric Norman wrote in "Collusion Takes Effort; How Much?" that
"In some of the cases, not much is said about how the parties that are involved in such a conspiracy would find each other. In the case of RPs colluding with each other, how would one of the RPs even know that there's another RP to conspire with and who the other RP is?"
and Kim Cameron of Microsoft in his reply wrote that
"... even if you blind the IP as to the identity of the RP, you clearly can't prevent the inverse, since the RP needs to know who has made the claims!"
The public or semi-public nature of the identity provider is a typical assumption in X.509, SAML, and CardSpace, but is it an absolute requirement of an identity metasystem?
Does the RP need to know that an IdP authenticating a user is the same IdP that authenticated a user before? Can a user have accounts at multiple IdPs and switch between them without revealing this to the RP? Might there be trust models in which the identity provider need not be revealed to the RP?
- Perhaps there is a party that anonymizes the IdP, trusted by both the IdP and the RP.
- Perhaps the IdP is a collective opinion, but the decisions contributing to the opinion are not revealed to the RP.
- Perhaps the RP doesn't care who the IdP is, so long as the IdP has certain claims about it.
- etc.
In the United States during and after the Civil War, the federal government attempted to standardize and regulate the generation of bank notes (paper money). Previously, more than 10,000 different and inconvertible forms of bank notes were in circulation. The new notes were only to be issued by national banks, and carried the name of the bank. According to the OCC history,
"Once the basic engraving and printing were done (at first by private printers, later by the U.S. Bureau of Engraving and Printing), the notes were entered on the books of the Office of the Comptroller of the Currency, then returned to the printer where the seal of the Treasury Department was stamped on each. Next, the notes were shipped to the bank whose name appeared on them, where they were signed by two senior bank officers."
By 1929, there were more than 7600 national banks in existence in the US. For example, the "First National Bank of Waverly $20 note":
This $20 bill would be acceptable to anyone in Waverly, and would be valid for any transaction anywhere in the US. The farther the relying party was from Waverly, though, the more suspicious the RP might be that the bill was counterfeit, as RPs typically saw notes issued from banks in their locale. An RP which had dealings nationwide would often rely upon a catalog of bank note styles that described the expected appearance of each bank's notes, to help them detect a fake.
If one of these bills were found today, the US Treasury would still exchange it for a current $20 bill (although it would probably be worth far more to collectors).