[higgins-dev] PPID generation

In the MS InfoCard doco, they talk about how a PPID is generated and made unique for a particular RP.
 
the doco
 
<start>

7.5.2. PPID

The PPID MUST be computed as follows using the card identifier (value of the ic:CardId element in the information card) and the RP identifier (constructed as in Section 7.5.1):

Encode the value of the ic:CardId element of the information card into a sequence of bytes, call it CardIdBytes, using Unicode encoding.

Hash CardIdBytes using the SHA256 hash function to obtain the canonical card identifier CanonicalCardId.

CanonicalCardId = SHA256 (CardIdBytes)

Hash the RP identifier with the CanonicalCardId using the SHA256 hash function to obtain the PPID.

PPID = SHA256 (RP identifier + CanonicalCardId)

<end>
 
My question is this: can an RP be tricked by someone trying to generate a PPID for someone else's card? Is it all dependent on the unique CardId? It seems like this algorithm could easily replicate a PPID if you know the RP you are going to and the CardId naming scheme used by the user's card provider. I must be wrong...
 

Jeffrey C. Broberg
CA
Director, Senior Architect

Security Systems
Advanced Technology Group
Tel: +1-508-628-8490
Jeffrey.Broberg@xxxxxx

=jeff.broberg

http://jyte.com/widget/claim/cardspace-will-be-a-success
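
The computation quoted in the message, as an added Python example that is not part of the original post or of the specification it quotes. It assumes "Unicode encoding" means UTF-16LE without a byte-order mark and that "+" is byte concatenation; the RP identifier is built in Section 7.5.1, which is not quoted here, so it is treated as opaque bytes, and all sample values and the function names are constructed for illustration.

```python
import hashlib


def canonical_card_id(card_id: str) -> bytes:
    """CanonicalCardId = SHA256(CardIdBytes)."""
    # Assumption: "Unicode encoding" means UTF-16LE with no byte-order mark.
    card_id_bytes = card_id.encode("utf-16-le")
    return hashlib.sha256(card_id_bytes).digest()


def ppid(rp_identifier: bytes, card_id: str) -> bytes:
    """PPID = SHA256(RP identifier + CanonicalCardId)."""
    # Assumption: "+" in the quoted formula is byte concatenation.
    return hashlib.sha256(rp_identifier + canonical_card_id(card_id)).digest()


def properties() -> dict:
    """Check what the two-step hash does and does not guarantee."""
    # Constructed sample inputs. Real RP identifiers come from Section 7.5.1,
    # which the message does not quote; these are stand-in byte strings.
    rp_a = hashlib.sha256(b"constructed-rp-identifier-A").digest()
    rp_b = hashlib.sha256(b"constructed-rp-identifier-B").digest()
    card_1 = "urn:uuid:00000000-0000-4000-8000-000000000001"
    card_2 = "urn:uuid:00000000-0000-4000-8000-000000000002"
    return {
        # Same card at the same RP always yields the same PPID.
        "repeatable": ppid(rp_a, card_1) == ppid(rp_a, card_1),
        # Same card at two RPs yields unrelated PPIDs.
        "differs_per_rp": ppid(rp_a, card_1) != ppid(rp_b, card_1),
        # Two cards at one RP yield different PPIDs.
        "differs_per_card": ppid(rp_a, card_1) != ppid(rp_a, card_2),
        # The PPID is a raw SHA-256 digest.
        "digest_len": len(ppid(rp_a, card_1)),
    }


if __name__ == "__main__":
    for name, value in properties().items():
        print(f"{name}: {value}")
```

The computation takes no key or secret; its only inputs are the RP identifier and the CardId, which is the dependency the message asks about.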

