I think that there are several ways to implement password cards. 1) extend p-card with new non-standard claims 2) define m-card with "special" issuer Although I think that p-cards with new non-standard claims make sense and should be blessed by the ICF and OASIS IMI TC as valid, I think that password cards are not the best reason for them. For password cards I prefer a managed card with a special issuer. This could be either something like what I have choosen "urn:openinfocard:storage:component" (we should define something "standard" for this) or - if you want to stick closer to the standard - a http://localhost:32007/issue url. Or you could have this issuer in the cloud... <TokenServiceList> <TokenService> <wsa:EndpointReference> <wsa:Address>http://localhost:32007/issue</wsa:Address> <wsa:Metadata> <wsx:Metadata> <wsx:MetadataSection> <wsx:MetadataReference> <wsa:Address>http://localhost:32007/mex</wsa:Address> </wsx:MetadataReference> </wsx:MetadataSection> </wsx:Metadata> </wsa:Metadata> </wsa:EndpointReference> <UserCredential> <DisplayCredentialHint>internal</DisplayCredentialHint> <UsernamePasswordCredential> <Username>internal</Username> </UsernamePasswordCredential> </UserCredential> </TokenService> </TokenServiceList>
My current format does not have a ServiceEndpointList and no metadata-endpoint. but this is not necessary for a special build-in issuer. I think that it is possible to build password cards with a format that is 100% conformant to ISIP. I believe that a selector that is outside the browser; either in the local operating system or in the cloud - should go this 100% way. A selector like openinfocard could/should go another way. openinfocard as a Firefox extension could/should use the browsers password-store directly. The login credentials would be presented as cards but the internal format is not changed. And the Firefox login manager is protected by the Firefox masterpassword. If you have a local or remote issuer for these cards then that issuer should be protected by some credential. -Axel I added some schema definition to the card below and Netbeans tells me that the format is valid with resp to identity.xsd <?xml version="1.0" encoding="UTF-8"?> <RoamingStore xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"; xmlns:wsa='http://www.w3.org/2005/08/addressing' xmlns:wst='http://schemas.xmlsoap.org/ws/2005/02/trust' xmlns='http://schemas.xmlsoap.org/ws/2005/05/identity' xsi:schemaLocation='http://schemas.xmlsoap.org/ws/2005/05/identity http://schemas.xmlsoap.org/ws/2005/05/identity/identity.xsd'> <RoamingInformationCard> <InformationCardMetaData xml:lang="en"> <InformationCardReference> <CardId>urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM 6Ly93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0=</CardId> <CardVersion>1</CardVersion> </InformationCardReference> <CardName>https://www.kuppingercole.com</CardName> <Issuer>urn:openinfocard:storage:component</Issuer> <TimeIssued>2009-04-30T18:48:46.949Z</TimeIssued> <SupportedTokenTypeList> <wst:TokenType>urn:openinfocard:tokentype:usernamepassword</wst:TokenTyp e> </SupportedTokenTypeList> <SupportedClaimTypeList> <SupportedClaimType Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/username /urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6Ly93d3 cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <DisplayTag>username</DisplayTag> <Description>username</Description> </SupportedClaimType> <SupportedClaimType Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/password /urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6Ly93d3 cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <DisplayTag>password</DisplayTag> <Description>password</Description> </SupportedClaimType> <SupportedClaimType Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/username field/urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6L y93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <DisplayTag>usernameField</DisplayTag> <Description>usernameField</Description> </SupportedClaimType> <SupportedClaimType Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/password field/urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6L y93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <DisplayTag>passwordField</DisplayTag> <Description>passwordField</Description> </SupportedClaimType> </SupportedClaimTypeList> <IsSelfIssued>false</IsSelfIssued> <HashSalt>fL59RqJZ5ZgVBPEjGx2N2mjaUqs=</HashSalt> <TimeLastUpdated>2009-04-30T18:48:46.949Z</TimeLastUpdated> <IssuerId/> <IssuerName>MeMyselfAndI</IssuerName> <BackgroundColor>16777215</BackgroundColor> </InformationCardMetaData> <InformationCardPrivateData> <MasterKey>X9hOswYlTQK5jdM4GJpEg8a43aQF3XVv5XTVCHA/jvCrJzMQawXbqswrBdEQP bZDnBlGyOjh7xgVHdv8Gqw5CQ==</MasterKey> <ClaimValueList> <ClaimValue Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/password /urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6Ly93d3 cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <Value>YXNkZg==</Value> </ClaimValue> <ClaimValue Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/username /urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6Ly93d3 cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <Value>c2RmYXM=</Value> </ClaimValue> <ClaimValue Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/password field/urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6L y93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <Value>cGFzc3dvcmQ=</Value> </ClaimValue> <ClaimValue Uri="http://schemas.openinfocard.org/ws/2009/03/identity/claims/username field/urn:openinfocard:W2h0dHA6Ly93d3cua3VwcGluZ2VyY29sZS5jb20saHR0cHM6L y93d3cua3VwcGluZ2VyY29sZS5jb20sbnVsbF0="> <Value>dXNlcm5hbWU=</Value> </ClaimValue> </ClaimValueList> </InformationCardPrivateData> </RoamingInformationCard> </RoamingStore> _____ Von: [email protected] [mailto:[email protected]] Im Auftrag von John Bradley Gesendet: Freitag, 1. Mai 2009 02:50 An: Higgins (Trust Framework) Project developer discussions Betreff: Re: AW: [higgins-dev] Re: Re[2]: Password Cards Axel, are you thinking of this as a normal m-card or crating a custom personal STS for the issuer? If the URI is a one way hash then you could also include password manager secret into the string to be hashed. The user could give the "password secret" to approved password managers. That prevents accidental disclosure. A third party can't ask for a card for a site without knowing the secret. The question would be where the actual site name is stored in the card for display. Perhaps the password manager could include the un-encoded information in the card when it issues it. Who or what do you see issuing the card? John B.
_______________________________________________ higgins-dev mailing list [email protected] https://dev.eclipse.org/mailman/listinfo/higgins-dev
