<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Sorry I am playing catchup on this thread.<div><br></div><div>There may be use cases where you want to rotate the users PPID URI.</div><div>That is only practical if you have a per user salt.</div><div><br></div><div>Are you talking about letting groups of RP's in a close federation generate the same PPID?</div><div><br></div><div>We solved this two ways in info-card:</div><div>1 For RP's with Class 2 certificates the "Client Pseudonym" is based on a subset of the fields in the DN.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>Or, Locality, State/Prov, and Country. This allows the CN for SSL to differ but generate the same PPID for sites within the same organization.<br></div><div>2. We have something called a RP/STS that allows multiple RPs that have a trust relationship say inside a company to proxy trust through a common authentication point. </div><div><br></div><div>2 would be difficult for openID but 1 is certainly worth considering. </div><div><br></div><div>If the RP has a cert the CN or other fields could be used to calculate the "Client Psyudonim" rather than the realm. </div><div><br></div><div>John Bradley</div><div><br></div><div><div><div>On 13-May-09, at 12:07 PM, <a href="mailto:specs-request@openid.net">specs-request@openid.net</a> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: -webkit-monospace; font-size: 10px; ">Date: Wed, 13 May 2009 16:00:25 +0900<br>From: Nat Sakimura <<a href="mailto:sakimura@gmail.com">sakimura@gmail.com</a>><br>Subject: Re: Requiring Pseudonymous Identifier<br>To: Dick Hardt <<a href="mailto:dick.hardt@gmail.com">dick.hardt@gmail.com</a>><br>Cc: OpenID Specs Mailing List <<a href="mailto:specs@openid.net">specs@openid.net</a>><br>Message-ID:<br><span class="Apple-tab-span" style="white-space: pre; "> </span><<a href="mailto:bf26e2340905130000r2adc5f09ve15e2f653ea9b7e7@mail.gmail.com">bf26e2340905130000r2adc5f09ve15e2f653ea9b7e7@mail.gmail.com</a>><br>Content-Type: text/plain; charset=ISO-8859-1<br><br>Sorry for a slow response. This week is especially busy for me...<br><br>I borrowed the notion from Austrian Citizen ID system.<br>In there, the services are divided into "sectors."<br>A sector may span several agencies.<br>They call ID as PIN (Personal Identification Number).<br><br>There is a secret PIN (sPIN) which is not used anywhere but in their SmartCard.<br>Then, sector sepcific PIN (ssPIN) is calculated in the manner of :<br><br>SHA1(sPIN + SectorID)<br><br>(Note, there is a bit more details but...)<br><br>I have thrown OP secret into it.<br>To avoid the analytic attack, I agree that it is better to use<br>individual secret, as some of you<br>points out.<br><br>Regards,<br><br>=nat</span></blockquote></div><br></div></body></html>