Sometimes one encounters the following flow:
1. User comes to web site and logs in to existing account with UN / PW.
2. Web site issues m-card to user because that's a better way to log in.
3. User logs out.
4. A bit later user comes back to same web site and logs in with m-card.
5. Web site asks user to "associate" m-card with existing account by
entering account UN / PW again.
6. User is logged in.
Step 5 happens only once. After the association is done, the user can log in
with the m-card at any time without further hassle.
What I am wondering is if it is possible to eliminate step 5 altogether.
Instead, I want to associate the new m-card with the existing user account
already at step 2, because at that point I already know who the user is.
Or in other words, if I am running the STS, and if I know my own
certificate, can I "predict" what PPID the user will have when they log in
to my own site?
I guess the question comes down to whether the "Client Pseudonym" is
calculated in a way that is deterministic and consistent across different
P.S. Another piece of feedback I have is that it would be really cool if it
was possible to include the private key in a .crd file for an X.509 backed
card, so that one could issue a card that "simply works" without needing
UN/PW or a p-card to back it....