The internal pseudonym is determined by the AD and MUST be unique within the AD its context. Every time the same authentication token is used, it should return the same internal pseudonym. When requested by the user, a new pseudonym MAY always be ignored. An internal pseudonym that has been used MUST NOT be reused. The only exception is when an authentication token is replaced and the AD can determine with sufficient certainty that it is really being replaced. In this case, the same internal pseudonym MAY be used for the new authentication token.
The format of the internal pseudonym MUST have a hexadecimal value of 32 byte. For example, ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890