| AW: AW: [higgins-dev] Re: Re[2]: Password Cards |
|
I think that there are several ways to implement password
cards.
1) extend p-card with new non-standard
claims
2) define m-card with "special" issuer
Although I think that p-cards with new non-standard claims
make sense and should be blessed by the ICF and OASIS IMI TC as valid, I think
that password cards are not the best reason for them.
For password cards I prefer a managed card with a special
issuer. This could be either something like what I have choosen "urn:openinfocard:storage:component"
(we should define something "standard" for this) or - if you want to stick
closer to the standard - a http://localhost:32007/issue url. Or you
could have this issuer in the cloud...
<TokenServiceList>
<TokenService> <wsa:EndpointReference> <wsa:Address>http://localhost:32007/issue</wsa:Address> <wsa:Metadata> <wsx:Metadata> <wsx:MetadataSection> <wsx:MetadataReference> <wsa:Address>http://localhost:32007/mex</wsa:Address> </wsx:MetadataReference> </wsx:MetadataSection> </wsx:Metadata> </wsa:Metadata> </wsa:EndpointReference> <UserCredential> <DisplayCredentialHint>internal</DisplayCredentialHint> <UsernamePasswordCredential> <Username>internal</Username> </UsernamePasswordCredential> </UserCredential> </TokenService> </TokenServiceList> My current format does not have a ServiceEndpointList and
no metadata-endpoint. but this is not necessary for a special build-in
issuer.
I think that it is possible to build password cards with a
format that is 100% conformant to ISIP.
I believe that a selector that is outside the browser;
either in the local operating system or in the cloud - should go this 100%
way.
A selector like openinfocard could/should go another way.
openinfocard as a Firefox extension could/should use the browsers password-store
directly. The login credentials would be presented as cards but the internal
format is not changed. And the Firefox login manager is protected by the Firefox
masterpassword.
If you have a local or remote issuer for these cards then
that issuer should be protected by some credential.
-Axel
I added some schema definition to the card below and
Netbeans tells me that the format is valid with resp
to identity.xsd
<?xml version="1.0"
encoding="UTF-8"?>
<RoamingStore xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsa='http://www.w3.org/2005/08/addressing' xmlns:wst='http://schemas.xmlsoap.org/ws/2005/02/trust' xmlns='http://schemas.xmlsoap.org/ws/2005/05/identity' xsi:schemaLocation='http://schemas.xmlsoap.org/ws/2005/05/identity http://schemas.xmlsoap.org/ws/2005/05/identity/identity.xsd'> <RoamingInformationCard> <InformationCardMetaData xml:lang="en"> <InformationCardReference> <CardId>urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6Ly93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0=</CardId> <CardVersion>1</CardVersion> </InformationCardReference> <CardName>https://www.kuppingercole.com</CardName> <Issuer>urn:openinfocard:storage:component</Issuer> <TimeIssued>2009-04-30T18:48:46.949Z</TimeIssued> <SupportedTokenTypeList> <wst:TokenType>urn:openinfocard:tokentype:usernamepassword</wst:TokenType> </SupportedTokenTypeList> <SupportedClaimTypeList> <SupportedClaimType Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/username/urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6Ly93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <DisplayTag>username</DisplayTag> <Description>username</Description> </SupportedClaimType> <SupportedClaimType Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/password/urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6Ly93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <DisplayTag>password</DisplayTag> <Description>password</Description> </SupportedClaimType> <SupportedClaimType Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/usernamefield/urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6Ly93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <DisplayTag>usernameField</DisplayTag> <Description>usernameField</Description> </SupportedClaimType> <SupportedClaimType Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/passwordfield/urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6Ly93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <DisplayTag>passwordField</DisplayTag> <Description>passwordField</Description> </SupportedClaimType> </SupportedClaimTypeList> <IsSelfIssued>false</IsSelfIssued> <HashSalt>fL59RqJZ5ZgVBPEjGx2N2mjaUqs=</HashSalt> <TimeLastUpdated>2009-04-30T18:48:46.949Z</TimeLastUpdated> <IssuerId/> <IssuerName>MeMyselfAndI</IssuerName> <BackgroundColor>16777215</BackgroundColor> </InformationCardMetaData> <InformationCardPrivateData> <MasterKey>X9hOswYlTQK5jdM4GJpEg8a43aQF3XVv5XTVCHA/jvCrJzMQawXbqswrBdEQPbZDnBlGyOjh7xgVHdv8Gqw5CQ==</MasterKey> <ClaimValueList> <ClaimValue Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/password/urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6Ly93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <Value>YXNkZg==</Value> </ClaimValue> <ClaimValue Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/username/urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6Ly93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <Value>c2RmYXM=</Value> </ClaimValue> <ClaimValue Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/passwordfield/urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6Ly93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <Value>cGFzc3dvcmQ=</Value> </ClaimValue> <ClaimValue Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/usernamefield/urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6Ly93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <Value>dXNlcm5hbWU=</Value> </ClaimValue> </ClaimValueList> </InformationCardPrivateData> </RoamingInformationCard> </RoamingStore>
|