Skip to main content

Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.

Jump to: navigation, search

I-Card

Revision as of 15:44, 8 December 2006 by Paul.socialphysics.org (Talk | contribs) (Token Issuing I-Cards)

This page describes the Higgins concept of an I-Card.

What is an I-Card?

  • Overview
    • Are displayed as card icons
      • These icons provide a visual metaphor representing identity information about one or more Digital Subjects in a context.
    • Have a schema describing their supported claims
    • Are implemented in code by I-Card Providers
  • The card metaphor is related to things we know like library cards, association cards, business cards, credit cards, badges, etc. but in other ways it is different.
  • Unlike physical cards, I-Cards are not limited as to size/length/capacity, and they can be easily copied (if desired)
  • An I-Card holds only metadata. The metadata references identity information that is external to the card itself, and stored locally or remotely
  • I-Cards are created by an entity known as a creator
  • Some kinds of I-Cards are used for authentication interactions where the holder of the card is presenting its associated claims to a relying party.
  • If the claims are trusted by the relying party, these claims will allow the holder to take some further action, be granted access to resources, etc. In this usage the card acts like a key.
  • Some I-Cards can be used to enable long term, dynamic, sharing of identity information between two or more parties. Whether or not attributes supported by the card are editable and by which party, depends on the context.

Supported Claims Schema

  • I-Cards declare the schema of the claims/attributes they support and the claim space (claim namespace) of each
  • This schema is used by Higgins I-Card Selector Service to match against the relying system’s policy requirements
  • At its simplest, the schema is a linear list of claim/attribute types described as a URI (e.g. a URI for "surname")
  • An I-Card may reference information about multiple Digital Subjects (e.g. a buddy list or directory).
  • Further, an I-Card may support complex attribute types (e.g. postal address) whose values contain structure
  • The schema of these more complex I-Cards is captured in an OWL-DL schema

I-Card Types

  • Higgins defines several I-Card Interfaces one or more of which are implemented by specific types of I-Cards
  • I-Cards are implemented, instantiated, managed by I-Card Providers that plug in to the I-Card Registry
  • Note: See I-Card Provider for a description of the types of I-Cards under development or planned
  • I-Cards do not talk to relying parties directly. The RP Protocol Support component consumes I-Cards and uses their metadata to obtain data with which to exchange with RP sites & systems.
  • Example 1
    • Some types of I-Cards can (by delegating to a Token Service) package and encrypt their information as a Digital Identity in token form that can be used by relying parties for authentication purposes.
    • Higgins is developing a CardSpace compatible I-Card that requests Digital Identities from CardSpace/WS-Trust compatible identity providers (STSes).
  • Example 2
    • Other types of I-Cards can be used to support a periodic or continuous, uni- or bi-directional data exchange channels with external network endpoints.
    • For example, Higgins plans to develop a card compatible with OpenID servers.
    • RP Protocol Support will support an RSS-SSE channel between the RP site and a site-specific I-Card
    • This can allow the external site or service some level of authentication/recognition but can also allow it to update, and/or append information represented by the I-Card.

Appearance

  • I-Cards appear in the ISS Web UI, ISS Client UI or the I-Card Manager UI as rectangular icons
  • Cards have a name that is displayed as a text string (called the CardName) that is set by the card’s creator
  • Cards display in a text string the name of the issuer who originated the card (IssuerName)
  • Card display in a text string the name of the creator of the card
  • Cards may have a (GIF or JPEG) background image (CardImage) set by the card’s issuer
  • By pressing a "Retrieve" button with a card selected the user can retrieve and display the latest values of the card's contained claims/attributes.

Token I-Cards

  • Token issuing cards encrypt and digitally sign a set of claims about a single Digital Subject
  • This signing process (e.g. STS) is called the card issuer
  • As an example, an I-Card used to present credit card information would used signed data

Channel I-Cards

  • Channel I-Cards are channels to information stored at identity attribute providing endpoints
  • These I-Cards have one metadata field, a ContextRef, that is the URI of a Context
  • This URI may be an XRI, if so the I-Card implementation must use XRI resolution to map this to a URL
  • Higgins will include an implmentation of a Channel I-Card that will use an IdAS service to open a channel to the Context

I-Card Issuers

  • Managed cards are cards issued by an external party (person or organization) and made available to you
  • Examples of managed cards include credit cards and driver’s licenses
  • You can also create your own cards (and for these you are the issuer) called personal (aka self-issued) cards

Managed I-Cards

  • Managed cards reference identity data from the issuer that provided the card to the person
  • For example, CardSpace managed cards retrieve their Digital Identities (in token form) from an external Identity Provider using WS-Trust

Provider vs. Personal I-Cards

  • Provider cards reference identity data from the issuer entity that provided the card to the person
  • For example, CardSpace provider cards retrieve their Digital Identities (in token form) from an external Identity Provider using WS-Trust
  • Personal cards are created by a person for their own use

Access Control

  • The I-Card Registry maintains an Access Control List (ACL) for each card
  • The ACL is a list of URLs
  • Each URL is a site that has been granted access.
  • Future: support regular expressions, wildcards and exceptions

Release Policy

  • The I-Card Registry maintains a release policy for each card.
  • This policy is one of: (EveryTime, FirstTime, Never).
  • As in “ask the user (EveryTime, FirstTime, or Never) before releasing this information to an external site/person”
  • Note: We don't yet know whether the convenience advantages of Never or FirstTime are worth the risk for certain kinds of cards

Editability

  • Varies by card...
  • Personal cards (e.g. those issued by you) may be completely editable by you
  • Some cards (e.g. a CardSpace managed card) are not editable at all by you (except the cardName)
  • Some cards (e.g. a IdAS card) may have some fields that you can edit and some fields that you can’t

I-Card Accessed List

  • The I-Card Registry maintains an accessed list for each card that provides the history of what parties have at one time or another been granted access to the card
  • It is list of triples:
    • Relying Party’s URL
    • Timestamp of first access
    • Timestamp of most recent access
  • Notes
    • This accessed list history is not exported with the card when a card is exported.
    • Should the accessed list be "clearable" by the user?
    • Should we be able to export an entire I-Card Registry?

I-Card Providers

  • I-Cards are implemented by plug-ins called I-Card Providers
  • Different I-Card Providers implement different identity exchange protocols with external IdPs
  • Some I-Card Providers use IdAS as their source of identity data
  • Some I-Card Providers use both IdAS (to get the attributes) and a Token Service (to package and sign the claims)

See Also

Retrieved from "https://wiki.eclipse.org/index.php?title=I-Card&oldid=19835"

Back to the top