[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Chaining m-cards
I have been thinking about chaining m-cards. The simple form of that would be a m-card backed m-card. In IMI 1.0 we clarify PPID generation for m-cards. This effectively prevents the selector from controlling what PPID is sent to any RP or STS acting as an RP. A side effect of this is that the selector on its own can no longer calculate the PPID on its own as it can for p- cards. When a issuer is creating an m-card backed by another card it stores the PPID it receives in ic:PrivatePersonalIdentifier in the m-card it is issuing. This is used by the selector to match the appropriate card to use as a credential in the RST. The problem for m-cards is that the Selector has no way to do the match, it can only calculate the ic:ClientPseudonym. The ic:ClientPseudonym is no longer passed as the PPID to the RP. The question is should the RP be able to request the ic:ClientPseudonym to use for things like card chaining? I don't see any obvious security problem with a RP requesting the ic:ClientPseudonym that the selector sent to the STS to calculate the PPID, as long as the IdP is using per-card entropy. Even if the IdP isn't, it really only helps the RP impersonate the user at itself. I don't think building this claim in to the selector is necessary or desirable. My thought is that this could be defined as a ICF claim and m-card issuers that want there cards to be capable of being chained to would include the claim on the card. There STS would need some logic to take the value of ic:ClientPseudonym from the RST and return it as a claim. The issuer of the new m-card if they wanted to support chaining would need to request a card with the ic:ClientPseudonym claim and then place the value of ic:ClientPseudonym in ic:PrivatePersonalIdentifier or its equivalent for a m-card ic:UserCredential. I understand that a selector is unlikely to work correctly if you reuse ic:PrivatePersonalIdentifier in ic:UserCredential. I am looking for alternative ideas on how you can match a m-card for the authentication of a RST by the selector. Any opinions on the security implications of potentially divulging the ic:ClientPseudonym to the RP. Yes I am interested in m-card chaining in the next version if IMI:) Has anyone built any chaining prototypes and did our recommended change to the PPID algorithm on the STS break them? Regards John Bradley
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]