
ISIP Interop Issues

Revision as of 16:41, 21 May 2008 by Paul.socialphysics.org (Talk | contribs) (OpenID)

{{#eclipseproject:technology.higgins}}

Issues related to ISIP and interop with CardSpace (UI, selector, RP functionality, etc.)

UI

  • Higgins selector has implemented remember this password/PIN
  • Higgins selector has implemented remember this card

RP

OpenID Integration

  • Use OpenID as "master" authentication
  • Hosted card service in SEP in XRDS

ISIP Spex

When will the new/complete ISIP version be available?

  • E.g. documenting how CardSpace works with non-SSL relying parties, and specifically how the PPID is generated (for IP reasons we can implement from what's on Mike Jones' blog)

Browser/Selector Integration

  • We need a better understanding of IE 7's default informationCard behavior (for our HBX-IE).

.CRD File Format

  • Right now we have some trouble importing managed cards with username/password credentials from Higgins into CardSpace (using the .crds file format). The problem appears to be related to the value of the IssuerId element (<ic:RoamingInformationCard>/<ic:InformationCardMetaData>/<ic:IssuerId>), which is practically undocumented in the latest CardSpace tech references we are able to find. If the IssuerId element in our roaming card is missing or contains no value, CardSpace refuses to load the card collection. On the other hand, CardSpace will import the card if IssuerId contains a random base64-encoded value. The CardSpace tech refs say the following about IssuerId: "This required element contains an identifier for the identity provider using which a self-issued credential descriptor in a card issued by that identity provider can be resolved to the correct self-issued card. The element content may be empty." So, there are the following questions:
    • How exactly does CardSpace use the IssuerId value?
    • What algorithm should we use to calculate this value?
    • --Paul.socialphysics.org 12:17, 21 May 2008 (EDT): Mike M says that according to the schema it is required
    • --Paul.socialphysics.org 12:21, 21 May 2008 (EDT): MikeM asks: if two cards have the same issuer (URI) should they have the same issuerId?
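A pre-export check for the IssuerId behaviour discussed above, added here as an example and not Higgins or CardSpace code: it parses a constructed .crds roaming store and flags cards whose ic:IssuerId is missing, empty or not base64, and cards that share an ic:Issuer URI but carry different IssuerId values (MikeM's question). The ic:RoamingStore root and the ic:Issuer and ic:InformationCardReference/ic:CardId layout are assumed from the InfoCard schema; the sample cards are constructed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# InfoCard namespace behind the "ic:" prefix used in the element path above.
IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity"
NS = {"ic": IC_NS}


def _card(card_id, issuer, issuer_id_xml):
    """Build one constructed ic:RoamingInformationCard (assumed metadata layout)."""
    return (f"<ic:RoamingInformationCard><ic:InformationCardMetaData>"
            f"<ic:InformationCardReference><ic:CardId>{card_id}</ic:CardId></ic:InformationCardReference>"
            f"<ic:Issuer>{issuer}</ic:Issuer>{issuer_id_xml}"
            f"</ic:InformationCardMetaData></ic:RoamingInformationCard>")


# Constructed sample store: card-1 is fine, card-2 has an empty IssuerId,
# card-3 lacks the element, card-4 shares card-1's issuer with a different IssuerId.
SAMPLE_CRDS = (f'<ic:RoamingStore xmlns:ic="{IC_NS}">'
               + _card("urn:uuid:card-1", "https://sts-a.example.test/", "<ic:IssuerId>AQIDBA==</ic:IssuerId>")
               + _card("urn:uuid:card-2", "https://sts-b.example.test/", "<ic:IssuerId></ic:IssuerId>")
               + _card("urn:uuid:card-3", "https://sts-c.example.test/", "")
               + _card("urn:uuid:card-4", "https://sts-a.example.test/", "<ic:IssuerId>BQYHCA==</ic:IssuerId>")
               + "</ic:RoamingStore>")


def check_roaming_store(xml_text):
    """Return (card_id, problem) tuples for cards CardSpace would reject or that are inconsistent."""
    root = ET.fromstring(xml_text)
    problems = []
    seen = {}  # issuer URI -> first IssuerId seen for that issuer
    for card in root.findall("ic:RoamingInformationCard", NS):
        meta = card.find("ic:InformationCardMetaData", NS)
        card_id = meta.findtext("ic:InformationCardReference/ic:CardId", default="?", namespaces=NS)
        issuer = meta.findtext("ic:Issuer", default="", namespaces=NS).strip()
        issuer_id_el = meta.find("ic:IssuerId", NS)
        if issuer_id_el is None:
            problems.append((card_id, "IssuerId element missing"))
            continue
        issuer_id = (issuer_id_el.text or "").strip()
        if not issuer_id:
            problems.append((card_id, "IssuerId element empty"))
            continue
        try:
            base64.b64decode(issuer_id, validate=True)
        except (binascii.Error, ValueError):
            problems.append((card_id, "IssuerId is not valid base64"))
            continue
        if issuer in seen and seen[issuer] != issuer_id:
            problems.append((card_id, f"IssuerId differs from other cards issued by {issuer}"))
        seen.setdefault(issuer, issuer_id)
    return problems
```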

.CRD Format Extensibility

  • We would like to be able to specify protocol(s) (instead of being WS-Trust-only)
  • Need to clarify that "extra" XML elements are:
    • ignored on import
    • preserved and exported
  • We need to confirm that extra spaces are now tolerated
  • May need PIN protection on some of the new extensibility elements

.CRDS Format

  • We would like the export format to include card history
  • We need a way to efficiently associate a managed card with the personal card that is backing it
  • May need PIN protection on some of the new extensibility elements. E.g. protecting cached intermediate values required to compute PPID RP-Id values. (Perhaps {scheme,host,port} <--> digests of CA chain)

Comments on the "old" ISIP 1.0 spex

  • Assemble comments on this document prior to its being submitted to OASIS?


Best Practice for .crd data stream

  • "attachment" vs. "inline" disposition on card issuing site

Extensions to the RP object tag

  • How can we allow N>1 issuers to be listed?

RPs requiring multiple cards -- usability issues

  • If an RP site requires three managed cards (e.g. a managed government id card, a personal physical address card and a managed payment card), how can we improve the user experience from the situation today, where the selector must pop up three times in a row? [I'm not talking about U-Prove/Idemix ZKP tech]

Selector Selector

The Higgins project has created an experimental HSS that uses different "connector" components to launch different selectors (CardSpace, Higgins Digital Me, Higgins RCP, Higgins AIR, OpenInfoCard, etc.). What's been learned so far:

  • Would be good to limit the number of different ways that we can launch these things
  • Need to move away from separate "connector" approach for security, performance and complexity reasons
