[higgins-dev] The certificate issue in the managed i-card backed with a personal i-card


Hi,

We were trying a scenario where we use a managed card that is backed with a personal card. (That means the identity provider of this card needs to authenticate through a SAML token; and when the managed card tries to access the issuer, it needs to first use a personal card to get the SAML token.)

Here, when the identity provider creates the managed card, it requires the end-user to provide a personal card's PPID, and writes this PPID into the managed card as the credential.

Later, when an end-user uses this managed card to log in to some RP site, it needs to find the personal card according to this PPID. But for a personal card, the PPID is not a fixed string, but a function of the card and the RP site. So the card selector has to compute this PPID for every personal card, and find which one computes a value that equals the one inside the managed card.

The issue here is, the PPID computing function needs not just the certificate (inside the managed card), but the whole certificate chain.

Currently, our implementation is, we try to create the chain by searching the "cacerts" file of the JVM. But this means that the end-user has to put the root certificate into the JVM's cacerts manually; otherwise, most of the IdPs cannot be used.

Does anyone have some ideas here?

Li Tie | IBM Lotus | Eclipse committer | Phone: 86-10-82452494 | Tieline: 9052494
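
The matching loop described in the message above, as an added example that is not part of the original post and is not Higgins code. It shows why a selector that can only see the leaf certificate finds no backing card. The PPID derivation is a simplified stand-in (an assumption, not the real derivation), and the function names, card ids and subject DNs are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: subject DNs of the IdP's chain, leaf first.
FULL_CHAIN = [
    "CN=idp.example.org,O=Example IdP",
    "CN=Example Issuing CA",
    "CN=Example Root CA",
]
LEAF_ONLY = FULL_CHAIN[:1]  # what the selector has when the root is not in cacerts
CARD_IDS = ["urn:uuid:card-a", "urn:uuid:card-b", "urn:uuid:card-c"]


def rp_identifier(chain_subjects):
    """Stand-in RP identifier: a hash over every element of the chain.

    Assumption: the real derivation differs in detail, but like this one it
    depends on the whole chain, not only on the leaf certificate.
    """
    h = hashlib.sha256()
    for dn in chain_subjects:
        raw = dn.encode("utf-8")
        # Length-prefix each element so element boundaries are unambiguous.
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.digest()


def compute_ppid(card_id, chain_subjects):
    """PPID as a function of the card and the site it is presented to."""
    return hashlib.sha256(rp_identifier(chain_subjects) + card_id.encode("utf-8")).digest()


def find_backing_card(card_ids, chain_subjects, stored_ppid):
    """Return the personal card whose computed PPID equals the stored one."""
    for card_id in card_ids:
        candidate = compute_ppid(card_id, chain_subjects)
        if hmac.compare_digest(candidate, stored_ppid):
            return card_id
    return None  # no card matches: wrong card set or an incomplete chain


# The IdP stored this PPID when the managed card was issued (full chain known).
STORED_PPID = compute_ppid("urn:uuid:card-b", FULL_CHAIN)

if __name__ == "__main__":
    print("full chain:", find_backing_card(CARD_IDS, FULL_CHAIN, STORED_PPID))
    print("leaf only :", find_backing_card(CARD_IDS, LEAF_ONLY, STORED_PPID))
```

A `None` result with the leaf-only chain is indistinguishable from "the user does not hold the backing card", so a selector should report chain-building failure separately.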
