Re: [higgins-dev] Problem with current scheme for IContext.open(AuthNSelfIssuedMaterials)
I disagree with the premise that a personal card should be only associated
with a single context.
I want to be able to create multiple digital subjects all representing
some unique subset of my identity.
I do not see any reason to force me to create a unique personal card for
each managed card representing each of these identities at a provider,
especially when the solution is so easy.
Thanks,
Mike
higgins-dev-bounces@xxxxxxxxxxx wrote on 02/14/2007 09:55:27 AM:
> When we analyzed this problem, we came to the conclusion that
> associating multiple managed cards with the same personal card was
> not a problem, as long as the personal card is associated with only
> one user in the directory. When the managed card that is backed by
> a personal card is issued, the application that issues the card
> needs to know what user object to add the personal card's
> cardKeyHash value to. The assumption is that someone will have to
> identify the user object (by entering username/password perhaps) to
> associate the cardKeyHash value with. If the cardKeyHash value is
> already on the user object in the directory, no big deal - it is ok
> - no matter that multiple managed cards are using the same personal
> card - the personal card's cardKeyHash is being used to identify
> only a single user in the directory. If, on the other hand, it is
> discovered that the cardKeyHash has already been associated with a
> different user, the application issuing the managed card should
> refuse to issue the managed card, and indicate that the selected
> personal card is already associated with another user. -- Note that
> a particular personal card belongs to one particular user on a
> particular client machine anyway, so I don't think it is a valid use
> case to associate a personal card with multiple users in the
> directory. If you eliminate the use case of having a personal card
> associated with multiple users in the directory, there is no problem.
>
> If the two managed cards are actually intended for different users,
> they ought to be backed by different personal cards. But in that
> case, I would anticipate that there would be different card stores
> for those users - every user on the Windows box will have a
> different set of cards.
>
> My 2 cents.
>
> Daniel
>
> Daniel Sanders
> Software Engineer
> dsanders@xxxxxxxxxx
> 801-861-4193
>
> >>> Michael McIntosh <mikemci@xxxxxxxxxx> 2/14/2007 1:52 AM >>>
> One thing I had not fully realized until yesterday was that the current
> implementation depends on the (ppid+modulus+exponent) from a specific self
> issued (SI) credential (token from personal card) being used only once. If
> one wants to create multiple entries/contexts and associate them with the
> same self issued credential, the current scheme will not work. It should
> be noted that it is possible to associate multiple self issued credentials
> with a single entry/context since the cardKeyHash is a multi-valued
> attribute.
>
> The reason for the limitation is that we are using the personal card as
> the key into the entry behind a managed card, and not using any identifier
> from the managed card itself in the key.
>
> I'd like to discuss the feasibility of changing the scheme to include
> (Managed Card ID+SI PPID+SI Modulus+SI Exponent) in the cardKeyHash
> computation. This would enable one personal card to be associated with
> multiple managed cards.
>
> Thanks,
> Mike
> _______________________________________________
> higgins-dev mailing list
> higgins-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/higgins-dev
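The following is an added example, not code from this thread or from the Higgins project. It models the two cardKeyHash schemes the thread compares (the current (ppid+modulus+exponent) key versus Mike's proposed (Managed Card ID+SI PPID+SI Modulus+SI Exponent) key) together with Daniel's issuance check that a hash value may identify only one user in the directory. The hash construction (SHA-256 over length-prefixed fields), the sample card values, and the `Directory` and `issue_managed_card` helpers are assumptions made for illustration; the page does not give the real Higgins computation.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SelfIssuedMaterials:
    """The (ppid + modulus + exponent) triple from a personal card's self-issued token."""
    ppid: str
    modulus: str
    exponent: str


# Constructed sample material for one personal card. Real PPIDs and RSA
# moduli are long binary values; these placeholders only need to be stable.
PERSONAL_CARD_A = SelfIssuedMaterials(
    ppid="ppid-personal-card-A",
    modulus="placeholder-modulus-A",
    exponent="010001",
)


def _digest(parts: List[str]) -> str:
    # Length-prefix every field so "ab"+"c" and "a"+"bc" cannot collide.
    # SHA-256 is an assumption of this example, not the Higgins algorithm.
    h = hashlib.sha256()
    for part in parts:
        data = part.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


def card_key_hash_current(si: SelfIssuedMaterials) -> str:
    """Current scheme from the thread: the key depends only on the personal card."""
    return _digest([si.ppid, si.modulus, si.exponent])


def card_key_hash_proposed(managed_card_id: str, si: SelfIssuedMaterials) -> str:
    """Proposed scheme: (Managed Card ID + SI PPID + SI Modulus + SI Exponent)."""
    return _digest([managed_card_id, si.ppid, si.modulus, si.exponent])


class Directory:
    """Toy user directory. cardKeyHash is multi-valued per user, but the
    invariant from the thread is that one hash value identifies at most one user."""

    def __init__(self) -> None:
        self._hash_to_user: Dict[str, str] = {}

    def associate(self, user: str, key_hash: str) -> bool:
        """Return True if the hash is (now) associated with `user`; False if the
        issuing application must refuse because the hash belongs to someone else."""
        owner = self._hash_to_user.get(key_hash)
        if owner is None:
            self._hash_to_user[key_hash] = user
            return True
        return owner == user  # same user again: no big deal; different user: refuse

    def lookup(self, key_hash: str) -> Optional[str]:
        return self._hash_to_user.get(key_hash)


def issue_managed_card(directory: Directory, user: str, managed_card_id: str,
                       si: SelfIssuedMaterials, scheme: str) -> Optional[str]:
    """Compute the key under `scheme` ("current" or "proposed") and record it.
    Returns the key on success, None when issuance is refused."""
    if scheme == "current":
        key = card_key_hash_current(si)
    elif scheme == "proposed":
        key = card_key_hash_proposed(managed_card_id, si)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return key if directory.associate(user, key) else None


if __name__ == "__main__":
    d = Directory()
    # Same personal card behind two managed cards for the same user.
    k_bank = issue_managed_card(d, "alice", "managed-card-bank", PERSONAL_CARD_A, "current")
    k_forum = issue_managed_card(d, "alice", "managed-card-forum", PERSONAL_CARD_A, "current")
    print("current scheme, one key for both contexts:", k_bank == k_forum)
    p_bank = card_key_hash_proposed("managed-card-bank", PERSONAL_CARD_A)
    p_forum = card_key_hash_proposed("managed-card-forum", PERSONAL_CARD_A)
    print("proposed scheme, distinct keys per managed card:", p_bank != p_forum)
    # A different user presenting the same personal card is refused.
    print("bob refused:", issue_managed_card(d, "bob", "managed-card-x", PERSONAL_CARD_A, "current") is None)
```

Running the block shows the two positions in the thread side by side: under the current scheme the same personal card yields one key no matter how many managed cards it backs, so two contexts cannot be kept apart, while the proposed scheme yields a distinct key per managed card. The code also makes one consequence visible: once the managed card ID is mixed into the hash, the "one hash, one user" check only binds a (managed card, personal card) pair to a user, so the directory no longer enforces by itself that a personal card belongs to a single user across all managed cards.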