imi-comment message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: issue m-card and remember it?
- From: Markus Sabadello <markus.sabadello@gmail.com>
- To: imi-comment@lists.oasis-open.org
- Date: Sat, 2 Jan 2010 11:34:14 +0100
Hello IMI TC,
Sometimes one encounters the following flow:
1. User comes to a web site and logs in to an existing account with UN / PW.
2. Web site issues an m-card to the user because that's a better way to log in.
3. User logs out.
4. A bit later the user comes back to the same web site and logs in with the m-card.
5. Web site asks the user to "associate" the m-card with the existing account by entering the account UN / PW again.
6. User is logged in.
Step 5 happens only once. After the association is done, the user can log in with the m-card at any time without further hassle.
What I am wondering is whether it is possible to eliminate step 5 altogether.
Instead, I want to associate the new m-card with the existing user account already at step 2, because at that point I already know who the user is.
Or in other words, if I am running the STS, and if I know my own certificate, can I "predict" what PPID the user will have when they log in to my own site?
I guess the question comes down to whether the "Client Pseudonym" is calculated in a way that is deterministic and consistent across different selector implementations?
Markus
P.S. Another piece of feedback I have is that it would be really cool if it were possible to include the private key in a .crd file for an X.509-backed card, so that one could issue a card that "simply works" without needing UN/PW or a p-card to back it...
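The flow the message proposes (bind the card to the account at step 2, then recognise the card at step 4 purely by its PPID), as an added illustration that is not code from the IMI TC, the IMI specification, or the poster. The pseudonym derivation in it is an assumption: it hashes the card identifier together with an identifier derived from the relying party's certificate, which models only the property the question turns on (the PPID being a deterministic function of card and relying party and nothing else). It is not the derivation an IMI identity selector actually performs, which this message does not quote. The certificate bytes, card identifiers and account name are constructed for the example.

```python
"""
Added illustration, not code from the IMI TC, the IMI spec or the poster.

A web site that also runs its own STS pre-associates a newly issued
managed card (m-card) with the account at issuance time, then recognises
a later card-based login by its PPID without asking for UN/PW again.

ASSUMPTION: derive_ppid() is a stand-in. It is NOT what an IMI identity
selector computes; it only models "PPID = f(card, relying party)".
"""
import hashlib
import secrets


def rp_identifier(rp_cert_der: bytes) -> str:
    # Hypothetical: identify the relying party by a fingerprint of its cert.
    return hashlib.sha256(rp_cert_der).hexdigest()


def derive_ppid(card_id: str, rp_id: str, selector_salt: bytes = b"") -> str:
    # Hypothetical deterministic derivation. The optional selector_salt
    # models a selector that mixes in local randomness; if any selector
    # did that, the STS could no longer predict the value at step 2.
    h = hashlib.sha256()
    h.update(card_id.encode("utf-8"))
    h.update(b"|")
    h.update(rp_id.encode("utf-8"))
    h.update(selector_salt)
    return h.hexdigest()


class SiteWithSts:
    """One party that is both the relying party and the card issuer (STS)."""

    def __init__(self, cert_der: bytes):
        self.cert_der = cert_der
        self.ppid_to_account = {}  # association table, filled at issuance

    def issue_card(self, account: str) -> str:
        # Step 2: the user is already authenticated with UN/PW, so the
        # account is known. Mint a card id and record the PPID the
        # selector is expected to present when this card is used here.
        card_id = "urn:uuid:" + secrets.token_hex(16)  # constructed card id
        expected = derive_ppid(card_id, rp_identifier(self.cert_der))
        self.ppid_to_account[expected] = account
        return card_id

    def login_with_card(self, presented_ppid: str):
        # Steps 4 and 6 without step 5: a lookup, no UN/PW prompt.
        # None means "unknown card": the site would have to fall back
        # to the association step after all.
        return self.ppid_to_account.get(presented_ppid)


def selector_present(card_id: str, rp_cert_der: bytes, salt: bytes = b"") -> str:
    # What the user's identity selector sends to the relying party.
    return derive_ppid(card_id, rp_identifier(rp_cert_der), salt)


def demo(salt: bytes = b"") -> dict:
    site_cert = b"constructed DER bytes for example.com"      # constructed, not a real cert
    other_cert = b"constructed DER bytes for other.example"   # constructed, not a real cert
    site = SiteWithSts(site_cert)
    card = site.issue_card("markus")
    return {
        # Login succeeds only if the selector's derivation matches the
        # STS's prediction; a salting selector makes this None.
        "login": site.login_with_card(selector_present(card, site_cert, salt)),
        # The same card at another relying party yields a different PPID,
        # so the two sites cannot link the user by it.
        "unlinkable": selector_present(card, other_cert)
        != selector_present(card, site_cert),
    }


if __name__ == "__main__":
    print(demo())
    print(demo(salt=b"random-selector-noise"))
```

The third case in the usage (a selector that mixes in its own randomness) is the failure mode behind the question: the pre-association only works if every selector derives the same value from the same card and relying party, otherwise the site must keep step 5 as a fallback. Note also that whatever the real derivation is, an RP-scoped pseudonym is something the relying party learns at the first card login anyway, so computing it earlier at issuance gives the site nothing it would not already obtain.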