Using a pairwise identifier based on Realm is not in the spec. There is a PAPE message that can be sent to request one. This is a requirement for some RP that are precluded from correlating across sites as some Government agencies are.
I think Google is the only OP to use them by default for all RP. You may be able to do a migration based on the Google verified email address. I don't think there is an easy way to do the migration. Using something other than the realm is possible but it needs to maintain the anti-corralation property. John B. On 2010-07-07, at 3:21 AM, mat...@gmail wrote: > Hi experts, > > I have an issue related to realm-based identifier differentiation which > Google is doing. > > We are plaining to change our domain (= realm). > After that, we can't identify the Google OpenID users because their OpenID > identifier changes. > > Do you have any solution for that, or any other places/person I should ask? > > ps. > I would like OpenID spec allows using non-realm RP identifier (ie. OAuth > consumer key?), I'm not sure the realm-base identifier differentiation itself > is in the spec though. > > -- > Nov Matake (=nov) > http://matake.jp > http://twitter.com/nov > > _______________________________________________ > specs mailing list > [email protected] > http://lists.openid.net/mailman/listinfo/openid-specs _______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
