Requiring Pseudonymous Identifier

Nat Sakimura sakimura at gmail.com
Tue May 12 08:36:25 UTC 2009


Hi.

In many jurisdictions, some regulated entities are not allowed to store
correlatable identifiers (e.g., Austria, New Zealand).
Under such circumstances, the current OpenID
spec is kind of problematic in that there is no defined way of requesting
a non-correlatable pseudonymous identifier from the relying party.

One approach would be to utilize the variation on identifier_select.
Instead of sending http://specs.openid.net/auth/2.0/identifier_select,
an RP might send something like
http://specs.openid.net/auth/2.1/non_cor_psudonym etc.
We could utilize the RP's XRD as well.

My initial thinking would be to use such a request identifier as above,
and have the OP compute the pseudonym by

SHA256(RP's Subject in XRD + User's Persistent ID + OP Secret).

The reason for using the RP's Subject in XRD instead of simply using the realm is
to allow for something like a group identifier.

This is just one idea. The downside of this approach
is that we need to set up a WG.

I am sure there are more ideas. It might be possible to utilize AX
so that it will only be a profile that does not require a WG.

So shall we start discussing which direction we want to go forward?


-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
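
The derivation proposed in the message above, SHA256(RP's Subject in XRD + User's Persistent ID + OP Secret), as an added example that is not part of the original post or of any OpenID specification. The function names, the length-prefixed encoding and all sample values are assumptions constructed for illustration; the naive variant is kept beside it to show why plain concatenation of the fields is ambiguous.

```python
import hashlib


def _lp(field: bytes) -> bytes:
    # Assumption: 4-byte big-endian length prefix so field boundaries are unambiguous.
    return len(field).to_bytes(4, "big") + field


def naive_pseudonym(rp_subject: str, user_id: str, op_secret: bytes) -> str:
    # Literal reading of the formula: plain concatenation of the three inputs.
    return hashlib.sha256(rp_subject.encode() + user_id.encode() + op_secret).hexdigest()


def pseudonym(rp_subject: str, user_id: str, op_secret: bytes) -> str:
    # Same inputs, each length-prefixed, so ("ab", "c") and ("a", "bc") hash differently.
    data = _lp(rp_subject.encode()) + _lp(user_id.encode()) + _lp(op_secret)
    return hashlib.sha256(data).hexdigest()


# Constructed sample values (not from the post).
OP_SECRET = b"constructed-op-secret-keep-private"
USER = "user-12345"                # the user's persistent ID at the OP
RP_A = "https://rp-a.example/"     # Subject from RP A's XRD
RP_B = "https://rp-b.example/"     # Subject from RP B's XRD
GROUP = "https://group.example/"   # one Subject shared by several realms

if __name__ == "__main__":
    # Different RP subjects: the same user gets unlinkable identifiers.
    print("RP A :", pseudonym(RP_A, USER, OP_SECRET))
    print("RP B :", pseudonym(RP_B, USER, OP_SECRET))
    # Realms publishing the same Subject share one identifier (group identifier).
    print("group:", pseudonym(GROUP, USER, OP_SECRET))
    # Plain concatenation lets two different (subject, user) pairs collide.
    a = naive_pseudonym("https://rp.example/a", "bc", OP_SECRET)
    b = naive_pseudonym("https://rp.example/ab", "c", OP_SECRET)
    print("naive collision:", a == b)
```

Because the OP secret is part of the hash input, an RP that learns a user's persistent ID still cannot recompute the pseudonym issued to another RP.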


