OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

imi message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Chaining m-cards

I have been thinking about chaining m-cards.  The simple form of that  
would be a m-card backed m-card.

In IMI 1.0 we clarify PPID generation for m-cards.  This effectively  
prevents the selector from controlling what PPID is sent to any RP or  
STS acting as an RP.   A side effect of this is that the selector on  
its own can no longer calculate the PPID on its own as it can for p- 
cards.

When a issuer is creating an m-card backed by another card it stores  
the PPID it receives in ic:PrivatePersonalIdentifier in the m-card it  
is issuing.

This is used by the selector to match the appropriate card to use as a  
credential in the RST.

The problem for m-cards is that the Selector has no way to do the  
match,  it can only calculate the ic:ClientPseudonym.

The ic:ClientPseudonym is no longer passed as the PPID to the RP.

The question is should the RP be able to request the  
ic:ClientPseudonym to use for things like card chaining?

I don't see any obvious security problem with a RP requesting the  
ic:ClientPseudonym that the selector sent to the STS to calculate the  
PPID, as long as the IdP is using per-card entropy.   Even if the IdP  
isn't, it really only helps the RP impersonate the user at itself.

I don't think building this claim in to the selector is necessary or  
desirable.

My thought is that this could be defined as a ICF claim and m-card  
issuers that want there cards to be capable of being chained to would  
include the claim on the card.  There STS would need some logic to  
take the value of ic:ClientPseudonym from the RST and return it as a  
claim.

The issuer of the new m-card if they wanted to support chaining would  
need to request a card with the ic:ClientPseudonym claim and then  
place the value of ic:ClientPseudonym in ic:PrivatePersonalIdentifier  
or its equivalent for a m-card ic:UserCredential.

I understand that a selector is unlikely to work correctly if you  
reuse ic:PrivatePersonalIdentifier in ic:UserCredential.

I am looking for alternative ideas on how you can match a m-card for  
the authentication of a RST by the selector.

Any opinions on the security implications of potentially divulging the  
ic:ClientPseudonym  to the RP.

Yes I am interested in m-card chaining in the next version if IMI:)

Has anyone built any chaining prototypes and did our recommended  
change to the PPID algorithm on the STS break them?

Regards
John Bradley

smime.p7s

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]