ISIP Interop Issues

Revision as of 17:53, 21 May 2008 by Paul.socialphysics.org (Talk | contribs) (OpenID Integration Options)

{{#eclipseproject:technology.higgins}}

Issues related to ISIP and interop with CardSpace (UI, selector, RP functionality, etc.)

Selector User Experience

  • Higgins selector has implemented remember this password/PIN
  • Higgins selector has implemented remember this card

RP Experience

  • RP text fill-in, branding
  • Best Practice for .crd data stream
    • "attachment" vs. "inline" disposition on card issuing site
  • user experience when user doesn't have a selector?

RP: Extensions to the object tag

  • How can we allow N>1 issuers to be listed?

RP: Requiring multiple cards--usability issues

  • If an RP site requires three managed cards (e.g. a managed government ID card, a personal physical address card and a managed payment card), how can we improve the user experience from the situation today, where the selector must pop up three times in a row? [I'm not talking about U-Prove/Idemix ZKP tech]

Browser-to-Selector Integration

  • We need a better understanding of IE 7's informationCard default behavior (for our HBX-IE).

OpenID Integration Options

Many options:

  1. OpenID card "SXIP" variant
    • Selector does the form filling
    • Use WS-Trust RST to create "OpenID tokens"
    • The RP is oblivious to this--it gets the same blob that it would have gotten
  2. OpenID card "John Bradley" variant (we don't understand this one yet)
  3. OpenID card where the selector uses something other than WS-Trust to get the token
  4. Pass in the auth request that the RP would have
  5. Use OpenID as "master" authentication to hosted card service in SEP in XRDS
  6. OpenID (perhaps with AX) Context Provider

ISIP Spex

When will the new/complete ISIP version be available?

  • E.g. documenting how CardSpace works with non-SSL relying parties, and specifically how the PPID is generated? (for IP reasons we can implement from what's on Caleb and Mike Jones' blogs (e.g. http://blogs.msdn.com/card/))

.CRD File Format

  • Right now we have some trouble importing managed cards into CardSpace (using the .crds file format, with username/password credentials) that have been exported from Higgins (Java only). The problem appears to be related to the value of the IssuerId element (<ic:RoamingInformationCard>/<ic:InformationCardMetaData>/<ic:IssuerId>), which is practically undocumented in the latest CardSpace technical references we have been able to find. If the IssuerId element in our roaming card is missing or contains no value, CardSpace refuses to load the card collection. On the other hand, CardSpace will import the card if IssuerId contains a random base64-encoded value. The CardSpace technical references say the following about IssuerId: "This required element contains an identifier for the identity provider using which a self-issued credential descriptor in a card issued by that identity provider can be resolved to the correct self-issued card. The element content may be empty." So, there are the following questions:
    • How exactly does CardSpace use the IssuerId value?
    • What algorithm should we use to calculate this value?
    • --Paul.socialphysics.org 12:17, 21 May 2008 (EDT): Mike M says that according to the schema it is required
    • --Paul.socialphysics.org 12:21, 21 May 2008 (EDT): MikeM asks: if two cards have the same issuer (URI) should they have the same issuerId?
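As an added example (not Higgins project code), here is a small pre-export check that walks each RoamingInformationCard in a .crds document and flags an IssuerId that is missing, empty or not base64, so the condition that makes CardSpace refuse the whole collection is caught before import. The ic namespace URI, the location of CardId under InformationCardReference and the sample cards are assumptions constructed for the example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Assumed namespace URI behind the "ic:" prefix of the Information Card schema.
IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity"
NS = {"ic": IC_NS}

# Constructed sample roaming store with four cards; only card-4 carries an
# IssuerId of the kind CardSpace is reported to accept.
SAMPLE_CRDS = """<ic:RoamingStore xmlns:ic="%s">
  <ic:RoamingInformationCard><ic:InformationCardMetaData>
    <ic:InformationCardReference><ic:CardId>urn:example:card-1</ic:CardId></ic:InformationCardReference>
    <ic:IssuerId></ic:IssuerId>
  </ic:InformationCardMetaData></ic:RoamingInformationCard>
  <ic:RoamingInformationCard><ic:InformationCardMetaData>
    <ic:InformationCardReference><ic:CardId>urn:example:card-2</ic:CardId></ic:InformationCardReference>
  </ic:InformationCardMetaData></ic:RoamingInformationCard>
  <ic:RoamingInformationCard><ic:InformationCardMetaData>
    <ic:InformationCardReference><ic:CardId>urn:example:card-3</ic:CardId></ic:InformationCardReference>
    <ic:IssuerId>not base64!</ic:IssuerId>
  </ic:InformationCardMetaData></ic:RoamingInformationCard>
  <ic:RoamingInformationCard><ic:InformationCardMetaData>
    <ic:InformationCardReference><ic:CardId>urn:example:card-4</ic:CardId></ic:InformationCardReference>
    <ic:IssuerId>Zm9vYmFy</ic:IssuerId>
  </ic:InformationCardMetaData></ic:RoamingInformationCard>
</ic:RoamingStore>""" % IC_NS


def check_issuer_ids(crds_xml: str) -> list:
    """Return (CardId, problem) pairs for every card whose IssuerId would make
    CardSpace reject the whole collection (missing or empty) or whose value is
    not base64. An empty list means the export is safe to hand to CardSpace."""
    problems = []
    root = ET.fromstring(crds_xml)
    for card in root.iter("{%s}RoamingInformationCard" % IC_NS):
        card_id = card.findtext(
            "ic:InformationCardMetaData/ic:InformationCardReference/ic:CardId",
            default="<no CardId>", namespaces=NS)
        issuer_id = card.find("ic:InformationCardMetaData/ic:IssuerId", NS)
        if issuer_id is None:
            problems.append((card_id, "IssuerId element missing"))
        elif not (issuer_id.text or "").strip():
            problems.append((card_id, "IssuerId element empty"))
        else:
            try:
                base64.b64decode(issuer_id.text.strip(), validate=True)
            except (binascii.Error, ValueError):
                problems.append((card_id, "IssuerId is not valid base64"))
    return problems
```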

.CRD Format Extensibility

  • We would like to be able to specify protocol(s) (instead of being WS-Trust-only)
  • Need to clarify that "extra" XML elements are:
    • ignored on import
    • preserved and exported
  • We need to confirm that extra spaces are now tolerated
  • May need PIN protection on some of the new extensibility elements

.CRDS Format

  • We would like the export format to include card history
  • We need a way to efficiently associate a managed card with the personal card that is backing it
  • May need PIN protection on some of the new extensibility elements, e.g. protecting cached intermediate values required to compute PPID RP-Id values. (Perhaps {scheme,host,port} <--> digests of CA chain)

Selector Selector

The Higgins project has created an experimental HSS that uses different "connector" components to launch different selectors (CardSpace, Higgins Digital Me, Higgins RCP, Higgins AIR, OpenInfoCard, etc.). What's been learned so far:

  • Would be good to limit the number of different ways that we can launch these things
  • Need to move away from separate "connector" approach for security, performance and complexity reasons