On Wed, Jul 7, 2010 at 09:12, mat...@gmail <[email protected]> wrote: > Hi John, > >> Using a pairwise identifier based on Realm is not in the spec. >>>> There is a PAPE message that can be sent to request one. This is a >>>> requirement for some RP that are precluded from correlating across sites >>>> as some Government agencies are. > > I see. > >> I think Google is the only OP to use them by default for all RP. > > NTT, biggest telecom company in Japan, is also doing same thing. > (and unfortunately they don't support AX or any other method to give verified > email address) > >> You may be able to do a migration based on the Google verified email address. > > > It's good idea, and seems the only solution for now. > Some Google OpenID users don't have gmail address though..
This is a particular instance of a larger problem, dealing with legacy IDs in the same OP. For instance, some providers would like to port their existing http URLs to https URLs for security reasons. The spec does not support it. It'd be useful if future versions of OpenID specs provided some guidance in this area. > >> Using something other than the realm is possible but it needs to maintain >> the anti-corralation property. > > > Yes, but this issue will become bigger and bigger. > Consider that RP has only PC site (example.com) now, and is opening new > mobile site (m.example.com) on different domain, so that they have to use > different realm. > Of course RP can use wildcard realm for both site, but anyway the realm > changes. > > If I want to discuss this issue in this group, PAPE list is the best place? > > thanks > > -- > Nov Matake (=nov) > http://matake.jp > http://twitter.com/nov > > On 2010/07/08, at 0:11, John Bradley wrote: > >> Using a pairwise identifier based on Realm is not in the spec. >> >> There is a PAPE message that can be sent to request one. This is a >> requirement for some RP that are precluded from correlating across sites as >> some Government agencies are. >> >> I think Google is the only OP to use them by default for all RP. >> >> You may be able to do a migration based on the Google verified email address. >> >> I don't think there is an easy way to do the migration. >> >> Using something other than the realm is possible but it needs to maintain >> the anti-corralation property. >> >> John B. >> On 2010-07-07, at 3:21 AM, mat...@gmail wrote: >> >>> Hi experts, >>> >>> I have an issue related to realm-based identifier differentiation which >>> Google is doing. >>> >>> We are plaining to change our domain (= realm). >>> After that, we can't identify the Google OpenID users because their OpenID >>> identifier changes. >>> >>> Do you have any solution for that, or any other places/person I should ask? >>> >>> ps. >>> I would like OpenID spec allows using non-realm RP identifier (ie. OAuth >>> consumer key?), I'm not sure the realm-base identifier differentiation >>> itself is in the spec though. >>> >>> -- >>> Nov Matake (=nov) >>> http://matake.jp >>> http://twitter.com/nov >>> >>> _______________________________________________ >>> specs mailing list >>> [email protected] >>> http://lists.openid.net/mailman/listinfo/openid-specs >> > > _______________________________________________ > specs mailing list > [email protected] > http://lists.openid.net/mailman/listinfo/openid-specs > -- --Breno +1 (650) 214-1007 desk +1 (408) 212-0135 (Grand Central) MTV-41-3 : 383-A PST (GMT-8) / PDT(GMT-7) _______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
