issue m-card and remember it?

[Markus Sabadello <markus.sabadello@gmail.com>]

Hello IMI TC,

Sometimes one encounters the following flow:
1. User comes to web site and logs in to existing account with UN / PW.
2. Web site issues m-card to user because that's a better way to log in.
3. User logs out.
4. A bit later user comes back to same web site and logs in with m-card.
5. Web site asks user to "associate" m-card with existing account by entering account UN / PW again.
6. User is logged in.

Step 5 happens only once. After the association is done, the user can log in with the m-card at any time without further hassle.

What I am wondering is if it is possible to eliminate step 5 altogether.
Instead, I want to associate the new m-card with the existing user account already at step 2, because at that point I already know who the user is.

Or in other words, if I am running the STS, and if I know my own certificate, can I "predict" what PPID the user will have when they log in to my own site?

I guess the question comes down to whether the "Client Pseudonym" is calculated in a way that is deterministic and consistent across different selector implementations?

Markus

P.S. Another piece of feedback I have is that it would be really cool if it was possible to include the private key in a .crd file for an X.509 backed card, so that one could issue a card that "simply works" without needing UN/PW or a p-card to back it....