realm-based identifier differentiation

matake@gmail matake at gmail.com
Wed Jul 7 16:12:51 UTC 2010


Hi John,

> Using a pairwise identifier based on Realm is not in the spec.
> 
> There is a PAPE message that can be sent to request one.  This is a requirement for some RP that are precluded from correlating across sites as some Government agencies are.

I see.

> I think Google is the only OP to use them by default for all RP.  

NTT, the biggest telecom company in Japan, is also doing the same thing.
(and unfortunately they don't support AX or any other method to give a verified email address)

> You may be able to do a migration based on the Google verified email address.


It's a good idea, and seems the only solution for now.
Some Google OpenID users don't have a Gmail address though.

> Using something other than the realm is possible but it needs to maintain the anti-correlation property.


Yes, but this issue will become bigger and bigger.
Consider that an RP has only a PC site (example.com) now, and is opening a new mobile site (m.example.com) on a different domain, so that they have to use a different realm.
Of course the RP can use a wildcard realm for both sites, but anyway the realm changes.

If I want to discuss this issue in this group, is the PAPE list the best place?

thanks

--
Nov Matake (=nov)
http://matake.jp
http://twitter.com/nov

On 2010/07/08, at 0:11, John Bradley wrote:

> Using a pairwise identifier based on Realm is not in the spec.
> 
> There is a PAPE message that can be sent to request one.  This is a requirement for some RP that are precluded from correlating across sites as some Government agencies are.
> 
> I think Google is the only OP to use them by default for all RP.  
> 
> You may be able to do a migration based on the Google verified email address.
> 
> I don't think there is an easy way to do the migration.
> 
> Using something other than the realm is possible but it needs to maintain the anti-correlation property.
> 
> John B.
> On 2010-07-07, at 3:21 AM, matake at gmail wrote:
> 
>> Hi experts,
>> 
>> I have an issue related to realm-based identifier differentiation which Google is doing.
>> 
>> We are planning to change our domain (= realm).
>> After that, we can't identify the Google OpenID users because their OpenID identifier changes.
>> 
>> Do you have any solution for that, or any other places/person I should ask?
>> 
>> ps.
>> I would like the OpenID spec to allow using a non-realm RP identifier (i.e. OAuth consumer key?); I'm not sure the realm-based identifier differentiation itself is in the spec though.
>> 
>> --
>> Nov Matake (=nov)
>> http://matake.jp
>> http://twitter.com/nov
>> 
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
> 
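The exchange above is about two things: how an OP derives a realm-specific (pairwise) identifier so that RPs cannot correlate a user across sites, and how an RP can survive a realm change when every claimed identifier it stored suddenly changes. The following Python is an added illustration written for this page, not code from Google, NTT or any OpenID library; the HMAC derivation, the OP endpoint name and the secret are constructed assumptions, and the migration store models the "migrate on the OP-verified email address" idea from the thread, including the case of users for whom no verified email is available.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed OP-side secret (assumption); a real OP keeps this in a secret store/HSM.
OP_PAIRWISE_SECRET = b"constructed-example-secret-not-for-production"
# Hypothetical OP identifier prefix; not a real endpoint.
OP_IDENTIFIER_BASE = "https://op.example.invalid/id?u="


def normalize_realm(realm: str) -> str:
    """Canonicalize a realm so case and a missing trailing slash do not change
    the derived identifier. Scheme, host and path are all kept, because an
    OpenID 2.0 realm includes the path prefix. A wildcard realm such as
    http://*.example.com/ is a distinct string and therefore a distinct realm."""
    parts = urlsplit(realm.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not a valid realm: {realm!r}")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def pairwise_identifier(op_user_id: str, realm: str) -> str:
    """Derive an RP-specific claimed identifier from the OP's internal user id
    and the RP's realm (assumed scheme: HMAC-SHA256 under an OP secret).
    The mapping is one-way, so two RPs cannot correlate a user by comparing
    identifiers, and it is deterministic, so the OP recomputes it each login.
    The flip side, which the thread complains about, is that a new realm
    yields an unrelated identifier for the same user."""
    msg = normalize_realm(realm).encode() + b"\x00" + op_user_id.encode()
    tag = hmac.new(OP_PAIRWISE_SECRET, msg, hashlib.sha256).digest()
    return OP_IDENTIFIER_BASE + base64.urlsafe_b64encode(tag[:16]).decode().rstrip("=")


@dataclass
class Account:
    account_id: int
    claimed_ids: Set[str]           # every claimed identifier linked to this account
    verified_email: Optional[str]   # email asserted by the OP (AX/SREG), if any


class RpUserStore:
    """RP-side account store keyed by claimed identifier, with a secondary
    index on the OP-verified email so a realm change can be bridged."""

    def __init__(self) -> None:
        self.by_claimed_id: Dict[str, Account] = {}
        self.by_email: Dict[str, Account] = {}

    def add(self, account: Account) -> None:
        for cid in account.claimed_ids:
            self.by_claimed_id[cid] = account
        if account.verified_email:
            self.by_email[account.verified_email.lower()] = account

    def login(self, claimed_id: str, verified_email: Optional[str] = None) -> Optional[Account]:
        """Resolve a positive assertion to an account. If the claimed id is
        unknown (e.g. the RP's realm changed) and the OP supplied a verified
        email in the signed response, link the new id to the existing account.
        The email must come from the OP's signed attributes, never from the user,
        or anyone could take over an account by typing the victim's address."""
        account = self.by_claimed_id.get(claimed_id)
        if account is not None:
            return account
        if verified_email:
            account = self.by_email.get(verified_email.lower())
            if account is not None:
                account.claimed_ids.add(claimed_id)   # old and new id now both map here
                self.by_claimed_id[claimed_id] = account
                return account
        return None   # no verified email: the user cannot be migrated automatically


if __name__ == "__main__":
    old_realm, new_realm = "http://example.com/", "http://m.example.com/"
    store = RpUserStore()
    store.add(Account(1, {pairwise_identifier("user-1", old_realm)}, "alice@mail.example"))
    store.add(Account(2, {pairwise_identifier("user-2", old_realm)}, None))
    print("user-1 under new realm, with OP email:",
          store.login(pairwise_identifier("user-1", new_realm), "alice@mail.example"))
    print("user-2 under new realm, no OP email:",
          store.login(pairwise_identifier("user-2", new_realm)))
```

The store shows why the thread treats the verified email as the only workable bridge: the OP's pairwise derivation deliberately leaves nothing in the new identifier that links back to the old one, so the RP needs some other OP-asserted attribute that is stable across realms. Users whose OP does not assert an email (the NTT case) or who have none on file fall through to `None` and need a manual re-linking flow.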


