Table 5.2-1: Characteristics of SAML and OpenID

About the SAML/OpenID comparison table in the IPA "Identity Management Technology Guide"

On August 9th, the Information-Technology Promotion Agency (IPA) released the draft version of its textbook "Identity Management Technology Guide" (also rendered "Identity Management Technology Explained") [1]. The August version is still a draft, and is apparently a working rough draft that will be revised in response to criticism from various quarters. It is a tremendous work, and we eagerly await the final version.

I have already responded to various comments, but Table 5.2-1 comparing SAML and OpenID is clearly incorrect, so I would like to point this out here before it takes on a life of its own.

The table in question is as follows:

Table 5.2-1: Characteristics of SAML and OpenID
(Source) IPA "Identity Management Technology Guide" Draft Edition (August Edition) Table 5.2-1: Characteristics of SAML and OpenID

Please take a look at the OpenID column in this table. Below, I will point out the mistakes one by one.

Mistake 1: "One digital identity"

By definition, a digital identity is a collection of attributes. In OpenID 2.0, the attributes provided to each target site are determined based on the user's consent. In addition, the identifier sent along with them is a PPID (Pairwise Pseudonymous Identifier), which differs for each site. Therefore, this statement is incorrect.

Mistake 2: Trust relationships between providers are built on a case-by-case basis

Once a trust relationship is created, it remains valid unless either party cancels it. Therefore, it is incorrect to say that it is created every time. It would be correct to say that it is dynamically created when the first connection is made.

Mistake 3: Privacy is an issue

I don't understand how there are any privacy issues. Unlike many SAML implementations that do not ask for user consent, OpenID 2.0 SHOULD, in principle, require the user's permission before providing attributes, and most implementations do so.

Also, using a PPID as the identifier is recommended, so there should be no problem in this respect either.

Mistake 4: The user's identifier is the URL of the web page the user owns

The user identifier that the site receives is a non-reusable identifier (character string) assigned by the IdP, and is not the URL of a web page owned by the user (it does not even have to be a URL).

As you can see, almost all of the sentences are wrong.

The description in this table is actually about OpenID 1.1

In fact, the description in Table 5.2-1 is correct for OpenID 1.1, which is hardly used. It seems that the description was taken from somewhere about OpenID 1.1. However, the explanation of OpenID in this book is written about OpenID 2.0. Therefore, the information in this table should be about OpenID 2.0. I have heard that the next draft of this book will be revised, but readers of the August version should be aware of the above.


[1] "Identity Management Technology Guide"
