Requiring Pseudonymous Identifier

Allen Tom atom at yahoo-inc.com
Thu May 14 04:23:12 UTC 2009


I don't think it makes sense to use an AX attribute for the pseudonymous 
identifier, since assertion will still contain the correlatable OpenID 
identifier. It seems that the OP should return a unique RP-specific 
OpenID in the response.

Breno's idea about using an identifier-less request is interesting, but 
the RP is asking to sign the user in, so the request is about an identifier.

Allen

David Recordon wrote:
> Does it make more sense to use a PAPE policy requesting a pseudonymous 
> identifier or an AX attribute requesting one?  Any of these approaches 
> would work, I just don't think we've mapped out the pros/cons of each.
>
> --David
>
> On May 13, 2009, at 8:44 AM, George Fletcher wrote:
>
>> I don't think OpenID should specify how pseudonymous identifiers are 
>> generated. That should be up to the OP. But I like the idea of using 
>> a fixed URI as the claimed_id value to specify the behavior desired 
>> by the RP. If, however, we need to grow this to cover anonymous based 
>> identifiers (i.e. the claims based models from earlier in this 
>> thread) then it might make sense to look at a PAPE extension that 
>> covers the type of identifier requested.
>>
>> Thanks,
>> George
>>
>> Nat Sakimura wrote:
>>> Sorry for a slow response. This week is especially busy for me...
>>>
>>> I borrowed the notion from Austrian Citizen ID system.
>>> In there, the services are divided into "sectors."
>>> A sector may span several agencies.
>>> They call the ID a PIN (Personal Identification Number).
>>>
>>> There is a secret PIN (sPIN) which is not used anywhere but in their 
>>> SmartCard.
>>> Then, sector specific PIN (ssPIN) is calculated in the manner of :
>>>
>>> SHA1(sPIN + SectorID)
>>>
>>> (Note, there is a bit more details but...)
>>>
>>> I have thrown the OP secret into it.
>>> To avoid the analytic attack, I agree that it is better to use an
>>> individual secret, as some of you point out.
>>>
>>> Regards,
>>>
>>> =nat
>>>
>>> On Tue, May 12, 2009 at 5:55 PM, Dick Hardt <dick.hardt at gmail.com> 
>>> wrote:
>>>
>>>> On 12-May-09, at 1:36 AM, Nat Sakimura wrote:
>>>>
>>>>> Reason for using RP's Subject in XRD instead of simply using realm is
>>>>> to allow for something like group identifier.
>>>>>
>>>> would you elaborate on the group identifier concept?
>>>>
>>>>
>>>>> This is just one idea. Downside of this approach
>>>>> is that we need to set up a WG.
>>>>>
>>>>> I am sure there are more ideas. It might be possible to utilize AX
>>>>> so that it will only be a profile that does not require a WG.
>>>>>
>>>>> So shall we start discussing which direction we want to go forward?
>>>>>
>>>> sure!
>>>>
>>>>
>>>
>>>
>>>
>>>
>> _______________________________________________
>> specs mailing list
>> specs at openid.net
>> http://openid.net/mailman/listinfo/specs
>
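The sector-specific identifier Nat describes (a hash over a per-user secret and a sector ID, with the OP secret mixed in) and the RP-specific OpenID Allen asks the OP to return, worked as an added example that is not from any of the posters or from any OpenID implementation. It swaps the thread's SHA1 concatenation for HMAC-SHA256, derives the sector from the RP realm's host by default (an explicit sector string covers George's group case), and all secrets and the OP URL prefix are constructed values.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed sample values for this example; a real OP would keep the OP-wide
# secret in an HSM or KMS and store one random secret per user account.
OP_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
USER_SECRET_ALICE = bytes.fromhex("a1" * 32)
USER_SECRET_BOB = bytes.fromhex("b0" * 32)
OP_BASE = "https://op.example/pairwise/"   # hypothetical OP identifier prefix


def new_user_secret() -> bytes:
    """Per-user secret, generated once at enrolment: the 'individual secret'
    the thread recommends instead of relying on the OP-wide secret alone."""
    return secrets.token_bytes(32)


def sector_from_realm(realm: str) -> str:
    """Default sector: the RP realm's host, lower-cased. A group of RPs that
    should share one identifier can instead pass an explicit sector string."""
    host = urlparse(realm).hostname
    if not host:
        raise ValueError(f"realm has no host: {realm!r}")
    return host.lower()


def pairwise_identifier(user_secret: bytes, sector: str,
                        op_secret: bytes = OP_SECRET) -> str:
    """RP-specific OpenID for one user in one sector.

    Two keyed steps: the OP secret and the per-user secret are folded into one
    key, then the sector is MACed under that key. Without both secrets the
    mapping cannot be recomputed, so identifiers issued to different sectors
    cannot be linked back to the same account by guessing inputs.
    """
    key = hmac.new(op_secret, user_secret, hashlib.sha256).digest()
    tag = hmac.new(key, sector.encode("utf-8"), hashlib.sha256).hexdigest()
    return OP_BASE + tag


if __name__ == "__main__":
    for realm in ("https://shop.example.com/", "https://Forum.example.net/login"):
        sector = sector_from_realm(realm)
        print(sector, pairwise_identifier(USER_SECRET_ALICE, sector))
```

The same user gets a stable identifier per sector and an unrelated one in every other sector; the assertion is a response containing that URL rather than the user's correlatable claimed_id.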