PIN code for managed card

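Microsoft CardSpace 1.0 allows a managed card to be protected with a PIN code, but the specification is vague on this point: what data is actually protected? A managed card does not store claim values itself and has no master key, so there is no data that needs to be encrypted with a PIN code.

In addition, a managed card has its own way of preventing misuse, because the STS requires authentication.

For these reasons, Higgins does not support PIN code protection for managed cards, which differs from CardSpace. I need to test a .crds file exported from CardSpace that contains a PIN-protected managed card, to see whether any fields were actually encrypted with the PIN code. If not, we will ignore PINDigest.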

When Mike Jones of Microsoft discussed this issue, he acknowledged that it is a document flaw. The detailed discussion can be found here:
[url]http://mailman.netmesh.us/pipermail/osis-general/2008-April/thread.html[/url]

Some excerpts follow:

Hi Tony,

After reviewing the ISIP, I see you have identified an inconsistency.

[i]7.1. Pre-Encryption Transfer Format
Each information card in the transfer stream may contain metadata maintained by the originating identity selector in addition to the original information card metadata. If an identity selector includes a co-resident self-issued identity provider (described in Section 8), an exported self-issued card may also contain key material as well as any associated claims information. This information is referred to as the “information card private data”. For managed information cards, the private data is absent as that data resides at the managed identity provider.[/i]

The highlighted statement isn’t completely accurate. I think what was meant here was the claim values are not present for managed cards. However, there actually is a masterkey in a managed card, that is created when the .crd is imported (which also means there is an ‘information card private data’ element for managed cards). ISIP Section 4.3.4.1 describes how this masterkey from a managed card is used to calculate the ClientPseudonym, which is included in the RST to the IP, when an RP requests a PPID.

I'm glad we're finding these nits due to the interop. That way Mike can fix them in the revision of the ISIP that he's working on.

Thanks,
Caleb
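
The test described above (does an exported PIN-protected managed card carry any private data, such as the master key mentioned in the excerpt, that the PIN could protect?), sketched as an added example that is not part of the original post, Higgins or CardSpace. It assumes the .crds file has already been decrypted to the ISIP Section 7.1 pre-encryption format; the namespace, element names, verdict labels and sample cards are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace and element names assumed from the ISIP pre-encryption transfer format.
IC = "{http://schemas.xmlsoap.org/ws/2005/05/identity}"
KEY = base64.b64encode(bytes(32)).decode()  # constructed placeholder master key

# Constructed sample of an already-decrypted .crds transfer stream (not real card data).
SAMPLE = f"""<RoamingStore xmlns="{IC[1:-1]}">
 <RoamingInformationCard>
  <InformationCardMetaData><IsSelfIssued>false</IsSelfIssued>
   <PinDigest>Y29uc3RydWN0ZWQ=</PinDigest></InformationCardMetaData>
  <InformationCardPrivateData><MasterKey>{KEY}</MasterKey></InformationCardPrivateData>
 </RoamingInformationCard>
 <RoamingInformationCard>
  <InformationCardMetaData><IsSelfIssued>false</IsSelfIssued>
   <PinDigest>Y29uc3RydWN0ZWQ=</PinDigest></InformationCardMetaData>
 </RoamingInformationCard>
 <RoamingInformationCard>
  <InformationCardMetaData><IsSelfIssued>true</IsSelfIssued></InformationCardMetaData>
  <InformationCardPrivateData><MasterKey>{KEY}</MasterKey>
   <ClaimValueList><ClaimValue Uri="urn:example:claim"><Value>x</Value></ClaimValue></ClaimValueList>
  </InformationCardPrivateData>
 </RoamingInformationCard>
</RoamingStore>"""


def audit(xml_text):
    """Report, per card, what private data exists that a PIN could protect."""
    report = []
    for n, card in enumerate(ET.fromstring(xml_text).iter(IC + "RoamingInformationCard")):
        meta = card.find(IC + "InformationCardMetaData")
        priv = card.find(IC + "InformationCardPrivateData")
        key = priv.findtext(IC + "MasterKey") if priv is not None else None
        claims = priv.findall(f"{IC}ClaimValueList/{IC}ClaimValue") if priv is not None else []
        managed = (meta.findtext(IC + "IsSelfIssued") or "").strip().lower() != "true"
        has_pin = meta.find(IC + "PinDigest") is not None
        if not has_pin:
            verdict = "no-pin"
        elif not managed:
            verdict = "self-issued-pin"
        elif key or claims:
            verdict = "inspect-private-data"  # PIN-protected managed card carries private data
        else:
            verdict = "ignore-pin-digest"     # nothing present for the PIN to protect
        report.append({"card": n, "managed": managed, "has_pin": has_pin, "verdict": verdict,
                       "master_key_len": len(base64.b64decode(key)) if key else 0,
                       "claim_values": len(claims)})
    return report
```

Calling `audit(SAMPLE)` returns one row per card; a managed card marked `inspect-private-data` is the case where ignoring PINDigest on import needs a closer look at the master key field.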