Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
ISIP Interop Issues
{{#eclipseproject:technology.higgins|eclipse_custom_style.css}}
Issues related to ISIP and interop with CardSpace (UI, selector, RP functionality,etc.)
Contents
- 1 Selector User Experience
- 2 RP: User Experience
- 3 RP: Extensions to the object tag
- 4 RP: Requiring multiple cards--useability issues
- 5 UN/PW Token Type
- 6 HTML UN/PW
- 7 Browser-to-Selector Integration
- 8 OpenID Integration Options
- 9 ISIP "1.5" Spex
- 10 .CRD File Format
- 11 .CRD Format Extensibility
- 12 Selector Selector
- 13 Selector Capabilities Advertisement
Selector User Experience
- Higgins selector has implemented remember this password/PIN
- Higgins selector has implemented remember this card
RP: User Experience
- RP text fill-in, branding
- Best Practice for .crd data stream
- "attachment" vs. "inline" disposition on card issuing site
- user experience when user doesn't have a selector?
- Try to improve the user experience for setting up a managed card backed with a personal card
RP: Extensions to the object tag
- How can we allow N>1 issuers to be listed?
RP: Requiring multiple cards--useability issues
- If an RP site requires three managed cards (e.g. managed government id card, personal physical address card and managed payment card) how can improve the user experience from the situation today where the selector must pop up three times in a row? [I'm not talking about U-Prove/Idemix ZKP tech]
UN/PW Token Type
- RP just adds <object> tag and requests un/pw token
HTML UN/PW
- "login" form fill card type (think Sxipper, Roboform)
- perhaps SSL-only
- 401 handling
- draft a RFC HTTP password change-expiration proposal: policy to gen password, policy for expiration period
Browser-to-Selector Integration
- We need a better understand of the IE 7's informationCard default behavior (for our HBX-IE).
OpenID Integration Options
Many options:
- OpenID card "SXIP" variant #1
- Selector does the form filling
- Use WS-Trust RST to create "OpenID tokens"
- The RP is oblivious to this--it gets the same blob that it would have gotten
- OpenID card "John Bradley" variant #2 (we don't understand this one yet)
- OpenID card where the selector uses something other than WS-Trust to get the token
- Use OpenID as "master" authentication to hosted card service in SEP in XRDS
- OpenID (perhaps with AX) Context Provider
ISIP "1.5" Spex
- We need this before we can implement it in Higgins
- We think that it might be available in draft form in July or so
- E.g. documenting how CardSpace works with non-SSL relying parties, and specifically how the PPID is generated? (for IP reasons we can implement from what's on Caleb and Mike Jones' blogs (e.g. http://blogs.msdn.com/card/))
- Web integration doc
- XHTML - do we still need this?
- Object tag
- Javascript
.CRD File Format
- We would like the export format to include card history
- We need a way to efficiently associate a managed card with the personal card that is backing it
- May need PIN protection on some of the new extensibility elements. E.g. Protecting Cached intermediate values required to compute PPID RP-Id vales. (Perhaps {scheme,host,port} <--> digests of CA chain)
- Right now we have some troubles with importing managed cards into CardSpace (using .crds file format and with username/password credentials) that have been exported from Higgins (java only). It looks like the problem is related to the value of IssuerId element (<ic:RoamingInformationCard>/<ic:InformationCardMetaData>/<ic:IssuerId>) which is practically not documented in the latest CardSpace tech references we're able to find. If IssuerId element in our roaming card is missing or contains no value CardSpace refuses to load card collection. On the other hand CardSpace will import this card, if IssuerId contains a random base64-encoded value. The CardSpace tech refs about IssuerId says the following: "This required element contains an identifier for the identity provider using which a self-issued credential descriptor in a card issued by that identity provider can be resolved to the correct self-issued card. The element content may be empty." So, there are the following questions:
- How does CardSpace use IssuerId value?
- What algorithm should we use to calculate this value?
- --Paul.socialphysics.org 12:17, 21 May 2008 (EDT): Mike M says that according to schema it is required
- --Paul.socialphysics.org 12:21, 21 May 2008 (EDT): MikeM asks: if two cards have the same issuer (URI) should they have the same issuerId?
.CRD Format Extensibility
- We would like to be able to specify protocol(s) (instead of being WS-Trust-only)
- Need to clarify that "extra" XML elements (for new card types) are:
- ignored on import
- preserved and exported
- We need to confirm that extra spaces are now tolerated
- May need PIN protection on some of the new extensibility elements
Selector Selector
The Higgins project has created an experimental HSS, that uses different "connector" components to launch different (CardSpace, Higgins Digital Me, Higgins RCP, Higgins AIR, OpenInfoCard, etc.) selectors. What's been learned so far:
- Would be good to limit the number of different ways that we can launch these things
- Need to move away from separate "connector" approach for security, performance and complexity reasons
- We leave it to the user to decide which is the current selector (there is no automated selection of the selector based on RP x capabilities matrix)
Selector Capabilities Advertisement
- We need to finalize this collaborative discussion and design. And then implement it.