Requiring Pseudonymous Identifier

John Bradley jbradley at mac.com
Thu May 14 03:16:49 UTC 2009


Sorry I am playing catchup on this thread.

There may be use cases where you want to rotate the user's PPID URI.
That is only practical if you have a per-user salt.

Are you talking about letting groups of RPs in a closed federation  
generate the same PPID?

We solved this two ways in info-card:
1. For RPs with Class 2 certificates the "Client Pseudonym" is based  
on a subset of the fields in the DN: Org, Locality, State/Prov, and  
Country. This allows the CN for SSL to differ but generate the same  
PPID for sites within the same organization.
2. We have something called an RP/STS that allows multiple RPs that  
have a trust relationship, say inside a company, to proxy trust through  
a common authentication point.

2 would be difficult for OpenID but 1 is certainly worth considering.

If the RP has a cert, the CN or other fields could be used to calculate  
the "Client Pseudonym" rather than the realm.

John Bradley

On 13-May-09, at 12:07 PM, specs-request at openid.net wrote:

> Date: Wed, 13 May 2009 16:00:25 +0900
> From: Nat Sakimura <sakimura at gmail.com>
> Subject: Re: Requiring Pseudonymous Identifier
> To: Dick Hardt <dick.hardt at gmail.com>
> Cc: OpenID Specs Mailing List <specs at openid.net>
> Message-ID:
> 	<bf26e2340905130000r2adc5f09ve15e2f653ea9b7e7 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Sorry for a slow response. This week is especially busy for me...
>
> I borrowed the notion from the Austrian Citizen ID system.
> There, the services are divided into "sectors."
> A sector may span several agencies.
> They call the ID a PIN (Personal Identification Number).
>
> There is a secret PIN (sPIN) which is not used anywhere but in their  
> SmartCard.
> Then, the sector-specific PIN (ssPIN) is calculated in the manner of:
>
> SHA1(sPIN + SectorID)
>
> (Note, there is a bit more details but...)
>
> I have thrown the OP secret into it.
> To avoid the analytic attack, I agree that it is better to use an
> individual secret, as some of you
> point out.
>
> Regards,
>
> =nat
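The two derivations discussed in this thread, as an added example that is not part of either message or of any OpenID or Information Card specification: the sector-specific PIN exactly as quoted above (SHA1 over sPIN concatenated with the sector ID), a sector key built from the O/L/ST/C subset of an RP certificate DN so that RPs of one organization with different CNs land in the same sector, and a keyed pairwise pseudonym that mixes in an OP secret and a per-user salt so the identifier can be rotated per user. The use of HMAC-SHA256, the length-prefixed DN serialization, and the sample DNs are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample RP certificate subjects (not real sites).
# RP_A and RP_B share O/L/ST/C and differ only in CN; RP_C is another org.
RP_A = {"CN": "www.example.com",   "O": "Example Corp", "L": "Seattle", "ST": "WA", "C": "US"}
RP_B = {"CN": "login.example.com", "O": "Example Corp", "L": "Seattle", "ST": "WA", "C": "US"}
RP_C = {"CN": "www.other.net",     "O": "Other Ltd",    "L": "Dublin",  "ST": "L",  "C": "IE"}


def sector_pin_austrian(spin: str, sector_id: str) -> str:
    """ssPIN as quoted in the thread: SHA1(sPIN + SectorID).

    Illustrative only; the real scheme has further details not on this page.
    Unkeyed and without a per-user salt, so it cannot be rotated and anyone
    who learns sPIN can recompute every sector's ssPIN.
    """
    return hashlib.sha1((spin + sector_id).encode("utf-8")).hexdigest()


def sector_from_dn(dn: dict) -> str:
    """Sector key from the O, L, ST and C fields of an RP certificate DN.

    Field choice follows the Information Card description in the thread;
    the length-prefixed serialization is an assumption of this example and
    exists so values containing separators cannot collide.
    """
    fields = ("O", "L", "ST", "C")
    missing = [f for f in fields if f not in dn]
    if missing:
        raise ValueError(f"DN lacks required fields: {missing}")
    return "".join(f"{len(dn[f])}:{dn[f]};" for f in fields)


def pairwise_pseudonym(op_secret: bytes, user_salt: bytes, sector_id: str) -> str:
    """Per-user, per-sector pseudonym keyed with the OP secret.

    Hypothetical construction: HMAC(op_secret, user_salt || 0x00 || sector_id).
    A keyed MAC, rather than a bare hash over secret || id, means an RP that
    sees many pseudonyms cannot brute-force or extend them without the key,
    and a fresh user_salt rotates the identifier for that user only.
    """
    msg = user_salt + b"\x00" + sector_id.encode("utf-8")
    return hmac.new(op_secret, msg, hashlib.sha256).hexdigest()


def rotate_user_salt() -> bytes:
    """New 256-bit per-user salt; storing it per user is what makes rotation practical."""
    return secrets.token_bytes(32)


def demo(op_secret: bytes = b"constructed-op-secret", user_salt: bytes = b"\x01" * 32) -> dict:
    """Derive pseudonyms for the three sample RPs and after one salt rotation."""
    out = {name: pairwise_pseudonym(op_secret, user_salt, sector_from_dn(dn))
           for name, dn in (("A", RP_A), ("B", RP_B), ("C", RP_C))}
    out["A_rotated"] = pairwise_pseudonym(op_secret, rotate_user_salt(), sector_from_dn(RP_A))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>9}: {value}")
```

Running the module prints identical values for A and B (same organization, different CN), a different value for C, and a different value again for A after the salt rotation; the Austrian-style function is kept only to show the unsalted, unkeyed baseline being discussed.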
