Sorry, I am playing catch-up on this thread. There may be use cases where you want to rotate the user's PPID URI. That is only practical if you have a per-user salt.

Are you talking about letting groups of RPs in a close federation generate the same PPID?
We solved this two ways in InfoCard:

1. For RPs with Class 2 certificates, the "Client Pseudonym" is based on a subset of the fields in the DN: O, Locality, State/Prov, and Country. This allows the CN for SSL to differ but still generate the same PPID for sites within the same organization.

2. We have something called an RP/STS that allows multiple RPs that have a trust relationship, say inside a company, to proxy trust through a common authentication point.

2 would be difficult for OpenID, but 1 is certainly worth considering. If the RP has a cert, the CN or other fields could be used to calculate the "Client Pseudonym" rather than the realm.
John Bradley

On 13-May-09, at 12:07 PM, specs-requ...@openid.net wrote:
Date: Wed, 13 May 2009 16:00:25 +0900
From: Nat Sakimura <sakim...@gmail.com>
Subject: Re: Requiring Pseudonymous Identifier
To: Dick Hardt <dick.ha...@gmail.com>
Cc: OpenID Specs Mailing List <specs@openid.net>
Message-ID: <bf26e2340905130000r2adc5f09ve15e2f653ea9b...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Sorry for a slow response. This week is especially busy for me...

I borrowed the notion from the Austrian Citizen ID system. In there, the services are divided into "sectors." A sector may span several agencies. They call the ID a PIN (Personal Identification Number). There is a secret PIN (sPIN) which is not used anywhere but in their SmartCard. Then, the sector-specific PIN (ssPIN) is calculated in the manner of:

SHA1(sPIN + SectorID)

(Note, there is a bit more detail, but...)

I have thrown the OP secret into it. To avoid the analytic attack, I agree that it is better to use an individual secret, as some of you point out.

Regards,
=nat
_______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs