[imi-comment] issue m-card and remember it? - Markus Sabadello - org.oasis-open.lists.imi-comment

1 message in org.oasis-open.lists.imi-comment[imi-comment] issue m-card and rememb...

From	Sent On	Attachments
Markus Sabadello	Jan 2, 2010 2:33 am

Subject:	[imi-comment] issue m-card and remember it?
From:	Markus Sabadello (mark...@gmail.com)
Date:	Jan 2, 2010 2:33:38 am
List:	org.oasis-open.lists.imi-comment

Hello IMI TC,

Sometimes one encounters the following flow: 1. User comes to web site and logs in to existing account with UN / PW. 2. Web site issues m-card to user because that's a better way to log in. 3. User logs out. 4. A bit later user comes back to same web site and logs in with m-card. 5. Web site asks user to "associate" m-card with existing account by entering account UN / PW again. 6. User is logged in.

Step 5 happens only once. After the association is done, the user can log in with the m-card at any time without further hassle.

What I am wondering is if it is possible to eliminate step 5 altogether. Instead, I want to associate the new m-card with the existing user account already at step 2, because at that point I already know who the user is.

Or in other words, if I am running the STS, and if I know my own certificate, can I "predict" what PPID the user will have when they log in to my own site?

I guess the question comes down to whether the "Client Pseudonym" is calculated in a way that is deterministic and consistent across different selector implementations?

Markus

P.S. Another piece of feedback I have is that it would be really cool if it was possible to include the private key in a .crd file for an X.509 backed card, so that one could issue a card that "simply works" without needing UN/PW or a p-card to back it....

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets