realm-based identifier differentiation

John Bradley john.bradley at wingaa.com
Wed Jul 7 15:11:44 UTC 2010


Using a pairwise identifier based on Realm is not in the spec.

There is a PAPE message that can be sent to request one.  This is a requirement for some RPs that are precluded from correlating across sites, as some Government agencies are.

I think Google is the only OP to use them by default for all RPs.

You may be able to do a migration based on the Google verified email address.

I don't think there is an easy way to do the migration.

Using something other than the realm is possible, but it needs to maintain the anti-correlation property.

John B.
On 2010-07-07, at 3:21 AM, matake at gmail wrote:

> Hi experts,
> 
> I have an issue related to realm-based identifier differentiation which Google is doing.
> 
> We are planning to change our domain (= realm).
> After that, we can't identify the Google OpenID users because their OpenID identifier changes.
> 
> Do you have any solution for that, or any other places/person I should ask?
> 
> ps.
> I would like the OpenID spec to allow using a non-realm RP identifier (i.e. an OAuth consumer key?); I'm not sure the realm-based identifier differentiation itself is in the spec though.
> 
> --
> Nov Matake (=nov)
> http://matake.jp
> http://twitter.com/nov
> 
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
