security-services message

Subject: RE: Representing anonymous Subjects

Hi Hal,

I disagree with the above paragraph.  To me, anonymous means "anonymous in every sense" (that is, not only do you not know who is at the other end, but there is no traceability between sessions either).  A vending machine is a server; requesters insert money and ask for a chocolate bar or pop or whatever, but the server has no idea who is requesting and has no idea whether or not they've ever visited before.  This is anonymity.

If you want to be able to determine that "two sessions that this person conducts were conducted by the same person", this is the purpose of pseudonymity.  Whether the pseudonym is of the form "USER123456", "Donald Duck", or an entirely random bit string (i.e., whether or not it can potentially be confused with a legitimate human name) is, I think, unimportant.  The whole point is that it is different from the actual human name of the person conducting the session (and can't readily be linked to this name), but allows traceability between sessions.  [Note:  pseudonyms that cannot be confused with legitimate human names are preferable (so that different sessions are not inappropriately linked together), but I don't think this is mandatory.]

So, in my opinion, anonymity requires a blank subject name.  (Note:  this is a "necessary-but-not-sufficient" sense of "requires".  I recognize that there may be other things in the assertion or in the transaction itself that will allow traceability.  I can pay cash at a store to try to achieve anonymity, but if I show up the next day to buy something else and happen to get the same teller, traceability may certainly be possible.)  Pseudonymity, on the other hand, requires a subject name to be present.

One final comment.  The above discussion pertains to the presence or absence of a subject name, and traceability with respect to its contents, if present.  However, the presence of an authenticator field (or whatever we decide to call it) with a value other than "bearer" allows the possibility of traceability between unnamed session conductors.  "I've no idea who this is, but it's the same entity as this other time because the same private key was used to authenticate (or the same password was supplied, or whatever)."  This is not anonymity in the truest sense {no identity; no traceability}, but is still a form of anonymity {no identity; traceability}.  Pseudonymity {false identity} always allows traceability through the (false) name, and perhaps also through the authenticator (if not "bearer").

