Re: [higgins-dev] Problem with current scheme for IContext.open(AuthNSelfIssuedMaterials)

When we analyzed this problem, we came to the conclusion that associating multiple managed cards with the same personal card was not a problem, as long as the personal card is associated with only one user in the directory.  When the managed card that is backed by a personal card is issued, the application that issues the card needs to know what user object to add the personal card's cardKeyHash value to.  The assumption is that someone will have to identify the user object (by entering username/password perhaps) to associate the cardKeyHash value with.  If the cardKeyHash value is already on the user object in the directory, no big deal - it is ok - no matter that multiple managed cards are using the same personal card - the personal card's cardKeyHash is being used to identify only a single user in the directory.  If, on the other hand, it is discovered that the cardKeyHash has already been associated with a different user, the application issuing the managed card should refuse to issue the managed card, and indicate that the selected personal card is already associated with another user. -- Note that a particular personal card belongs to one particular user on a particular client machine anyway, so I don't think it is a valid use case to associate a personal card with multiple users in the directory.  If you eliminate the use case of having a personal card associated with multiple users in the directory, there is no problem.
 
If the two managed cards are actually intended for different users, they ought to be backed by different personal cards.  But in that case, I would anticipate that there would be different card stores for those users - every user on the Windows box will have a different set of cards.
 
My 2 cents.
 
Daniel
 
Daniel Sanders
Software Engineer
dsanders@xxxxxxxxxx
801-861-4193

>>> Michael McIntosh <mikemci@xxxxxxxxxx> 2/14/2007 1:52 AM >>>
One thing I had not fully realized until yesterday, was that the current
implementation depends on the (ppid+modulus+exponent) from a specific self
issued (SI) credential (token from personal card) being used only once. If
one wants to create multiple entries/contexts and associate them with the
same self issued credential, the current scheme will not work. It should
be noted that it is possible to associate multiple self issued credentials
with a single entry/context since the cardKeyHash is a multi-valued
attribute.

The reason for the limitation is that we are using the personal card as
the key into the entry behind a managed card, and not using any identifier
from the managed card itself in the key.

I'd like to discuss the feasibility of changing the scheme to include
(Managed Card ID+SI PPID+SI Modulus+SI Exponent) in the cardKeyHash
computation. This would enable one personal card to be associated with
multiple managed cards.

Thanks,
Mike
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
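As an added illustration of the two points in this thread (it is not code from the thread or from the Higgins project), the model below computes a cardKeyHash both the current way Mike describes, from the self-issued credential's PPID, modulus and exponent only, and the proposed way, with the managed card ID mixed in, and shows why the first yields one shared entry for two managed cards while the second yields two. It also implements the directory-side rule Daniel gives: adding a personal card's hash to a user object is fine when the hash is unbound or already on that same user, and issuance is refused when it is bound to a different user. The SHA-256 choice, the length-prefixed field concatenation, the class and function names, and the sample PPIDs and key bytes are all assumptions of this example, not details from the thread.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class SelfIssuedCredential:
    """Material from a personal-card (self-issued) token: the PPID and the RSA
    public key parts. Field layout is an assumption of this example."""
    ppid: str
    modulus: bytes
    exponent: bytes


def _hash_fields(*fields: bytes) -> str:
    # Length-prefix each field so boundaries between fields are unambiguous.
    # The thread does not say how the fields are concatenated; this is assumed.
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big"))
        h.update(f)
    return h.hexdigest()


def card_key_hash_current(si: SelfIssuedCredential) -> str:
    """Current scheme per Mike: key from (ppid + modulus + exponent) only."""
    return _hash_fields(si.ppid.encode("utf-8"), si.modulus, si.exponent)


def card_key_hash_proposed(managed_card_id: str, si: SelfIssuedCredential) -> str:
    """Proposed scheme: (Managed Card ID + SI PPID + SI Modulus + SI Exponent)."""
    return _hash_fields(managed_card_id.encode("utf-8"),
                        si.ppid.encode("utf-8"), si.modulus, si.exponent)


def entries_under(key_fn: Callable[[str], str],
                  managed_card_ids: List[str]) -> Dict[str, List[str]]:
    """Open one entry/context per cardKeyHash. Managed cards whose keys collide
    end up sharing a single entry, which is the limitation Mike points out."""
    entries: Dict[str, List[str]] = {}
    for mcid in managed_card_ids:
        entries.setdefault(key_fn(mcid), []).append(mcid)
    return entries


class IssuanceRefused(Exception):
    """The selected personal card is already associated with another user."""


class Directory:
    """Toy directory: each user object carries a multi-valued cardKeyHash attribute."""

    def __init__(self) -> None:
        self.users: Dict[str, Set[str]] = {}

    def owner_of(self, key_hash: str) -> Optional[str]:
        for user, hashes in self.users.items():
            if key_hash in hashes:
                return user
        return None

    def associate(self, user: str, key_hash: str) -> None:
        """Daniel's rule: unbound or already on this same user object is fine;
        bound to a different user means the managed card must not be issued."""
        owner = self.owner_of(key_hash)
        if owner is not None and owner != user:
            raise IssuanceRefused(f"personal card already associated with {owner!r}")
        self.users.setdefault(user, set()).add(key_hash)


def issuance_allowed(directory: Directory, user: str, key_hash: str) -> bool:
    """Wrap associate() as a yes/no decision for the issuing application."""
    try:
        directory.associate(user, key_hash)
        return True
    except IssuanceRefused:
        return False


# Constructed sample personal cards (not real PPIDs or key material).
ALICE_CARD = SelfIssuedCredential("ppid-alice@rp", b"\x01" * 32, b"\x01\x00\x01")
BOB_CARD = SelfIssuedCredential("ppid-bob@rp", b"\x02" * 32, b"\x01\x00\x01")


if __name__ == "__main__":
    ids = ["managed-card-1", "managed-card-2"]
    print(len(entries_under(lambda _m: card_key_hash_current(ALICE_CARD), ids)),
          "entry under the current scheme")
    print(len(entries_under(lambda m: card_key_hash_proposed(m, ALICE_CARD), ids)),
          "entries under the proposed scheme")
    d = Directory()
    print("alice, first card:", issuance_allowed(d, "alice", card_key_hash_current(ALICE_CARD)))
    print("alice, same card again:", issuance_allowed(d, "alice", card_key_hash_current(ALICE_CARD)))
    print("bob, alice's card:", issuance_allowed(d, "bob", card_key_hash_current(ALICE_CARD)))
```

Under the current scheme both managed cards for Alice map to the same key, so the second one lands in the entry opened for the first; under the proposed scheme each managed card gets its own entry while still being tied to the same personal card. The directory check is independent of which scheme is chosen: it only asks whether the personal card's hash is already on some other user object.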
