realm-based identifier differentiation
John Bradley
john.bradley at wingaa.com
Wed Jul 7 15:11:44 UTC 2010
Using a pairwise identifier based on Realm is not in the spec.
There is a PAPE message that can be sent to request one. This is a requirement for some RPs that are precluded from correlating across sites, as some Government agencies are.
I think Google is the only OP to use them by default for all RP.
You may be able to do a migration based on the Google verified email address.
I don't think there is an easy way to do the migration.
Using something other than the realm is possible, but it needs to maintain the anti-correlation property.
John B.
On 2010-07-07, at 3:21 AM, matake at gmail wrote:
> Hi experts,
>
> I have an issue related to realm-based identifier differentiation which Google is doing.
>
> We are planning to change our domain (= realm).
> After that, we can't identify the Google OpenID users because their OpenID identifier changes.
>
> Do you have any solution for that, or any other places/person I should ask?
>
> ps.
> I would like the OpenID spec to allow using a non-realm RP identifier (i.e. OAuth consumer key?); I'm not sure the realm-based identifier differentiation itself is in the spec, though.
>
> --
> Nov Matake (=nov)
> http://matake.jp
> http://twitter.com/nov
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
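
Added example, not part of the original thread and not code from Google or the OpenID specs: a sketch of why a realm change breaks pairwise identifiers and how an RP could relink accounts through a verified e-mail address, as the reply suggests. The HMAC derivation, the secret, the op.example URLs and all names are assumptions for illustration.

```python
import hashlib
import hmac

# Assumption: the OP derives identifiers with HMAC-SHA256 under one secret key.
# This is a common construction, not taken from the OpenID spec or from any OP.
OP_SECRET = b"constructed-demo-secret"
ID_PREFIX = "https://op.example/id?id="  # hypothetical identifier prefix


def pairwise_identifier(local_user_id: str, realm: str) -> str:
    """Return the claimed identifier the OP shows to one realm for one user."""
    msg = realm.encode() + b"\x00" + local_user_id.encode()
    digest = hmac.new(OP_SECRET, msg, hashlib.sha256).hexdigest()
    return ID_PREFIX + digest


class RelyingParty:
    """RP account store keyed by claimed identifier, with an e-mail fallback."""

    def __init__(self, trusted_email_ops):
        self.by_identifier = {}  # claimed_id -> account name
        self.by_email = {}       # verified e-mail -> account name
        self.trusted_email_ops = set(trusted_email_ops)

    def register(self, claimed_id, email, account):
        self.by_identifier[claimed_id] = account
        self.by_email[email.lower()] = account

    def login(self, claimed_id, op_endpoint, email=None):
        """Resolve an assertion to an account, relinking after a realm change."""
        account = self.by_identifier.get(claimed_id)
        if account is not None:
            return account
        # Fallback: accept the e-mail attribute only from an OP that is
        # trusted to have verified it; otherwise anyone could claim an address.
        if email and op_endpoint in self.trusted_email_ops:
            account = self.by_email.get(email.lower())
            if account is not None:
                self.by_identifier[claimed_id] = account  # relink new identifier
        return account
```

The relink step is the only point where e-mail is used as a key, so the list of OPs trusted to verify addresses should stay as short as the migration allows.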