In the MS infocard doco, they talk about how a ppid is
generated and made unique for a particular RP
the doco
<start>
7.5.2. PPID
The PPID MUST be computed as follows using the card identifier
(value of the ic:CardId
element in the information card) and the RP identifier
(constructed as in Section 160H7.5.1):
• Encode the value of the
ic:CardId element of the information card into a sequence
of bytes, call it CardIdBytes, using Unicode
encoding.
• Hash CardIdBytes using the
SHA256 hash function to obtain the canonical card
identifier CanonicalCardId.
CanonicalCardId = SHA256 (CardIdBytes)
• Hash the RP identifier with the
CanonicalCardId using the SHA256 hash function to
obtain the PPID.
PPID = SHA256 (RP identifier +
CanonicalCardId)
<end>
my question is this, can a rp be tricked by someone trying
to generate a PPID for someone elses card. Is it all dependent on the
unique cardid ? it seems like this algorithem could easily replicate a
PPID if you know the RP you are going to, and the cardid naming scheme used by
the users card provider. I must be wrong...
|