[Prev]

1.1 Format and Properties of IDs

As specified in [TAS3PROTO] (also Annex A of [TAS3ARCH]), the primary token format of TAS3 is SAML 2.0 Assertion (A7N). In SAML 2.0, the users are identified by a Name ID, which can come in several variants. TAS3 chooses to use two principal kinds, see [SAML2core] sections 8.3.7 and 8.3.8, and attributes them (at least) the following properties:

Persistent Name ID

Whenever the Identity Provider (IdP), or discovery, and federation partner talk about a user (e.g. IdP vouching authentication of the user to SP in a SSO transaction), they always use the same identifier, across the sessions. I.e. it can be understood that it is always the same user. Typically SP might maintain a database and use this identifier as a key.

Additional properties are required:

  1. ID MUST be difficult to guess, ideally it should be at least 128 bit random number.

  2. The ID used for same user towards different parties MUST NOT be easily inferable (e.g. it MUST NOT be same, statistically related, or guessable from the other ID).

The essence of our approach is that while a User may choose to (or be required to) allow one party to track his actions across sessions (hence persistent), this should not imply that this party can compare notes with other parties. The persistence property allows tracking by legitimate party, while the "not easily inferable" property keeps the parties from colluding or comparing notes.

The e-Government sector specific ID approach, e.g. tax number is different from social security number and so forth for all government agencies, comes quite close to what we mean by persistent.

Persistent Name ID is often called a pseudonym.

Transient Name ID

This identifier format allows identification of the user for duration of one session. It has the same properties as pseudonym, including (a) and (b) above, but will not persist across sessions, thus providing better privacy guarantee than the Persistent Name ID, at the cost of not allowing the SP to maintain a database. Often the motivation for using Transient Name ID is exactly to prevent such databases from being created.

It is important to understand that the nonce and transient properties alone do not provide significant privacy benefit if the random transient identifier is shared across web sites even momentarily. Even single instance of such sharing would provide the sites with a correlation handle despite the nonce and transient properties. Just a single occurrence of a correlation handle allows all (persistent) past and future click-trails to be linked across the web sites.

Other kinds of Name IDs are possible and allowed, depending on agreement within the Trust Network. However, it should be fully understood what the privacy and other properties of the chosen ID scheme are. TAS3 has analyzed privacy and integrity of Persistent and Transient Name ID solutions.


[Prev | Next]