Thursday, February 28, 2008

Pat's Password Proxying Proposal

Pat proposes using CardSpace as a password manager, i.e. using the identity selector to retrieve the username & password for the user for a particular site when needed.

How would the RP indicate what it wanted? As a (newly defined) required claim URI? In this case the RP is not simply asking for a piece of static identity data that is the same for all RPs, e.g. an email address. It's asking for 'the username & password that the user previously stored against my endpoint'.

In this sense, the username & password are just like the existing 'private personal identifier' (PPID) in CardSpace (or a pseudonym shared between a SAML IDP and SP): a value scoped to one RP rather than shared with all of them.

Is it just another claim?

<OBJECT type="application/x-informationCard" name="xmlToken">
<PARAM Name="RequiredClaims" value=

Presumably, current selectors would not know to process this as they would a PPID (i.e. as RP-scoped) rather than as an email address.
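The RP-scoping point above, as an added Python example (not from the post and not CardSpace's own code): a toy selector that keys both the PPID derivation and the stored credential to the RP's certificate, so a credential stored for one RP is never released to another, while a selector unaware of the new claim URI refuses the request. The PPID and email claim URIs are CardSpace's real self-issued claim URIs; the site-credential URI, the HMAC-based PPID derivation and the certificate hashing are assumptions of this model.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# The PPID and email URIs are the CardSpace self-issued claim URIs; the
# credential URI is a hypothetical placeholder for the post's "newly
# defined" claim, not a real CardSpace claim.
PPID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
SITE_CREDENTIAL = "urn:example:claims:site-credential"  # hypothetical


@dataclass
class Card:
    master_key: bytes          # secret known only to the selector
    email: str                 # static claim, identical for every RP
    credentials: dict = field(default_factory=dict)  # rp_id -> (user, pwd)


def rp_identifier(rp_cert_der: bytes) -> str:
    """Identify the RP by its certificate (assumed model of the PPID input)."""
    return hashlib.sha256(rp_cert_der).hexdigest()


def derive_ppid(card: Card, rp_id: str) -> str:
    """Pairwise identifier: stable for one RP, unlinkable across RPs."""
    return hmac.new(card.master_key, rp_id.encode(), hashlib.sha256).hexdigest()


def release_claims(card: Card, rp_cert_der: bytes, required_claims: list) -> dict:
    """Build the claim set the selector would release to this RP."""
    rp_id = rp_identifier(rp_cert_der)
    out = {}
    for uri in required_claims:
        if uri == EMAIL:                 # same value for every RP
            out[uri] = card.email
        elif uri == PPID:                # derived per RP
            out[uri] = derive_ppid(card, rp_id)
        elif uri == SITE_CREDENTIAL:     # looked up per RP, never shared
            if rp_id not in card.credentials:
                raise LookupError("no credential stored for this RP")
            out[uri] = card.credentials[rp_id]
        else:                            # a selector unaware of the claim
            raise ValueError("unsupported claim: " + uri)
    return out


def store_credential(card: Card, rp_cert_der: bytes, user: str, pwd: str) -> None:
    """Store a username/password against the RP identity, as the post proposes."""
    card.credentials[rp_identifier(rp_cert_der)] = (user, pwd)
```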
