Hi. In many jurisdictions, some regulated entities are not allwoed to store correlatable identifiers (e.g., Austria, New Zealand). Under such circumstances, the current OpenID spec is kind of problematic that there is no defined way of requesting non-correlatable pseudonymous identifier from the relying party.
One approach would be to utilize the variation on identifier_select. Instead of sending http://specs.openid.net/auth/2.0/identifier_select, an RP might send something like http://specs.openid.net/auth/2.1/non_cor_psudonym etc. We could utilized RP's XRD as well. My initial thinking would be to use such an request identifier as above, and the OP to compute the pseudonym by SHA256(RP's Subject in XRD + User's Persistent ID + OP Secret). Reason for using RP's Subject in XRD instead of simply using realm is to allow for something like group identifier. This is just one idea. Downside of this approach is that we need to set up a WG. I am sure there are more ideas. It might be possible to utilize AX so that it will only be a profile that does not require a WG. So shall we start discussing which direction we want to go forward? -- Nat Sakimura (=nat) http://www.sakimura.org/en/ _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
