Sorry I am playing catchup on this thread.

There may be use cases where you want to rotate the user's PPID URI.
That is only practical if you have a per user salt.

Are you talking about letting groups of RPs in a close federation generate the same PPID?

We solved this two ways in info-card:

1. For RPs with Class 2 certificates the "Client Pseudonym" is based on a subset of the fields in the DN: Org, Locality, State/Prov, and Country. This allows the CN for SSL to differ but generate the same PPID for sites within the same organization.
2. We have something called a RP/STS that allows multiple RPs that have a trust relationship, say inside a company, to proxy trust through a common authentication point.

2 would be difficult for OpenID but 1 is certainly worth considering.

If the RP has a cert the CN or other fields could be used to calculate the "Client Pseudonym" rather than the realm.

John Bradley

On 13-May-09, at 12:07 PM, specs-requ...@openid.net wrote:

Date: Wed, 13 May 2009 16:00:25 +0900
From: Nat Sakimura <sakim...@gmail.com>
Subject: Re: Requiring Pseudonymous Identifier
To: Dick Hardt <dick.ha...@gmail.com>
Cc: OpenID Specs Mailing List <specs@openid.net>
Message-ID: <bf26e2340905130000r2adc5f09ve15e2f653ea9b...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Sorry for a slow response. This week is especially busy for me...

I borrowed the notion from Austrian Citizen ID system.
In there, the services are divided into "sectors."
A sector may span several agencies.
They call the ID a PIN (Personal Identification Number).

There is a secret PIN (sPIN) which is not used anywhere but in their SmartCard.
Then, the sector specific PIN (ssPIN) is calculated in the manner of:

SHA1(sPIN + SectorID)

(Note, there is a bit more detail, but...)

I have thrown OP secret into it.
To avoid the analytic attack, I agree that it is better to use an individual secret, as some of you point out.

Regards,

=nat
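The two derivations discussed in this thread, Nat's SHA1(sPIN + SectorID) and the per-organization "Client Pseudonym" with a per-user salt that John describes, side by side as an added Python example (not code from either poster, the OpenID project, or the Austrian Citizen ID system). The OP secret, the user secrets and salts, the DN dictionaries and the hostnames are all constructed sample values; the choice of HMAC-SHA256 keyed with the OP secret is an assumption here, since the thread only names SHA1 and "throwing the OP secret into it".

```python
import hashlib
import hmac
import secrets

# Constructed sample OP-wide secret (assumption: one secret per OP, not per user).
OP_SECRET = b"constructed-op-secret-for-the-example"


def sspin_sha1(spin: bytes, sector_id: str) -> str:
    """The plain shape Nat cites: SHA1(sPIN + SectorID), no OP or per-user secret.
    Anyone who learns the sector ID can test guesses of sPIN offline against this value."""
    return hashlib.sha1(spin + sector_id.encode()).hexdigest()


def sector_id_from_dn(dn: dict) -> str:
    """Sector from the organization-level subset of an RP certificate DN.
    CN is deliberately left out so that differently named hosts of one
    organization share a sector, as in John's Class 2 certificate approach."""
    return "/".join(dn.get(k, "") for k in ("O", "L", "ST", "C"))


def sector_id_from_realm(realm: str) -> str:
    """Fallback sector for RPs without a certificate: the (normalized) realm."""
    return realm.strip().lower()


def ppid(user_secret: bytes, user_salt: bytes, sector_id: str) -> str:
    """Pairwise pseudonymous identifier for one user at one sector.

    Two layers of keying: the OP secret binds the value to this OP, and the
    per-user salt lets the OP rotate a user's PPIDs without changing the
    user's long-lived secret. Because the key material is never sent to the
    RP, an RP cannot reproduce the value for a different sector."""
    user_key = hmac.new(OP_SECRET, user_secret + user_salt, hashlib.sha256).digest()
    return hmac.new(user_key, sector_id.encode(), hashlib.sha256).hexdigest()


def rotate_salt(user: dict) -> dict:
    """Return a copy of the user record with a fresh salt; every PPID derived
    from the new record changes, which is the rotation John mentions."""
    return {**user, "salt": secrets.token_bytes(16)}


def ppid_for_rp(user: dict, rp: dict) -> str:
    """Pick the sector from the RP's cert DN if it has one, else from its realm."""
    if "dn" in rp:
        sector = sector_id_from_dn(rp["dn"])
    else:
        sector = sector_id_from_realm(rp["realm"])
    return ppid(user["secret"], user["salt"], sector)


# Constructed sample records (not real users or sites).
ALICE = {"secret": b"alice-long-lived-secret", "salt": b"alice-salt-v1"}

ORG_DN = {"O": "Example Corp", "L": "Seattle", "ST": "WA", "C": "US"}
RP_LOGIN = {"realm": "https://login.example.test", "dn": {"CN": "login.example.test", **ORG_DN}}
RP_SHOP = {"realm": "https://shop.example.test", "dn": {"CN": "shop.example.test", **ORG_DN}}
RP_OTHER = {"realm": "https://other.test", "dn": {"CN": "www.other.test", "O": "Other Org",
                                                  "L": "Boston", "ST": "MA", "C": "US"}}
RP_NOCERT = {"realm": "https://Plain.Example.Test"}


if __name__ == "__main__":
    print("same org, two hosts :", ppid_for_rp(ALICE, RP_LOGIN) == ppid_for_rp(ALICE, RP_SHOP))
    print("different org        :", ppid_for_rp(ALICE, RP_LOGIN) != ppid_for_rp(ALICE, RP_OTHER))
    rotated = rotate_salt(ALICE)
    print("after salt rotation  :", ppid_for_rp(rotated, RP_LOGIN) != ppid_for_rp(ALICE, RP_LOGIN))
```

The salt rotation is the reason John says rotation is "only practical if you have a per user salt": with only the OP-wide secret, changing it would rotate every user's PPID at every RP at once.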

