Some clear and advanced thinking from Pamela Dingle at Eternal Optimist:
Here is a simple and likely RP scenario that I’d like you to consider:
A given site wants to allow users to pay with either their Visa or their Mastercard information card. They do not, however, accept American Express. How should they create their security policy such that Visa and Mastercard managed cards are both highlighted in the Identity Selector if present, but also such that an American Express Card is grayed out and not clickable?
Would you all agree that this is a pretty important thing for a Relying Party to be able to implement? I think it’s important too, but I don’t see an easy way to actually accomplish it.
To my knowledge, there are two ways to choose what cards are highlighted and what cards are grayed out in the identity selector:
-
if a card’s issuer matches the value of the issuer parameter
-
if the entire set of required claim types are all present in a given card.
In the scenario above, the issuer parameter is a non-starter, because Windows CardSpace v1.0 only accepts a single issuer. And at this point in the identity metasystem, what WCS says, goes. I can specify Visa’s STS, or I can specify Mastercard’s STS, or I can choose not to specify an STS at all, but I cannot specify exactly two of them. Bottom line: as soon as I need to create a policy that lists more than one issuer, but less than all issuers, I cannot use the issuer statement.
So – that leaves us claims. Claims are great – when you can use what’s in them. In this case, however, the RP can’t work with claim values, only with claim types. In order to succeed in my scenario using claims, I would need to be able to specify a claim type that both Visa and Mastercard offer, but that AmEx doesn’t, in order to have the right cards show up and the wrong cards gray out. What exact claim type would that be? The only way I can see to architect such a thing is to have a commonly agreed upon but different claim type for every possible distinct combination of credit cards. Let’s say that there are 6 major credit card companies out there. How many permutations & combinations of claim types would be necessary to cover every single combination of 2,3,4, and 5 accepted cards, and how ugly would it be to add a new credit card?
It could theoretically be done. Identity Providers would have to start publishing two very separate types of claim types — contentless claim types that advertise capabilities, and content-rich claim types that would deliver actual data values. If you implement the capability claim types as constants and not as directory schema, it isn’t so bad — but the big problem is, it takes the ‘distributed’ out of this wonderful distributed system.
Unless things change (or unless I’m proven wrong, maybe I’m just missing some answers and need to be educated), here is what I fear will happen: users would go to a Relying Party Site, only to be presented with an HTML “menu†of supported managed card providers. They would then click on the card provider logo, and an HTML object would be invoked which has an issuer tailored to that single provider. Is this what we want to have happen?
If it does happen, I can see all sorts of fallout:
-
Common claim types are no longer needed to ensure the user picks the right card. This is good.
-
Every RP has to alter HTML to support a new Identity Provider. This is bad, or at least worse than adding a url to an allow or deny list.
-
The ability for a Relying Party to require the same claims from every Identity Provider becomes damaged. This is bad. Of course, with issuer in the state it is in, I would say that no matter what, this is already the case.
-
The system is more distributed, but MUCH less consistent for the user. This is bad.
-
It opens the door for the more established Identity Providers to set arbitrary rules on what attributes “must†be asked for in order to interoperate, forcing Relying Parties to embed different code for each provider. This is bad.
Of course, all of this hinges on how important the initial card presentation ceremony becomes to the world. Remember that we are not talking about the RP’s ability to accept or reject a card once it has been selected. We are only talking about how to get the most user-friendly initial display of highlighted or grayed out cards when the selector opens. Maybe this small part of the information card ceremony won’t end up being that important — but I predict that it will. If I could have have any kind of solution to the problem, it would be the ability not just to list multiple issuers, but to apply Boolean logic to the list, so that I could represent ideas like “every issuer except these twoâ€.
Kim, Mike, what can we do? Is this as big a problem as I’ve made it out to be, or am I just whining about something inconsequential? What is your vision of how my scenario could be implemented? Can this be solved with a few best practices, or do we need to change the way that information card RP security policies can be specified?
Pam's thinking is unassailable. The problems she outlines are issues we just didn't have time to solve in version 1.0 of CardSpace.
We were aware of them, but wanted to get the first round of our technology “out there” so everyone could start doing proofs of concept and implementations that would help clarify the right approaches. I think in practice we'll have time to fix this before people anyone really “feels” it. Not all credit card providers will be supporting information cards at once. Meanwhile we'll be pumping out more advanced versions of CardSpace that address the issue.
The same problems Pam describes with respect to issuers apply with respect to RP support for multiple token types (e.g. SAML tokens plus OpenID tokens). Currently we can address this by accepting “any” token type, and that will get us by for a while, but ultimately we will need to be able to specify rich combinations.
WS-SecurityPolicy is powerful enough to express boolean logic, so theoretically the relying party can publish metadata that has all the capabilities Pam calls for. For example, you can say you will accept American Express AND Visa as issuers but not Diner's Club. You can also require different claim types from different issuers. So the architecture is adequate to the problems.
So given that the architecture is right, it represents an opportunity for our competitors… And we ourselves are working really hard to solve this problem in our next version – before it anyone feels the pain.
I completly agree with the problem stated by Pamela Dingle.
I also have a similar problem regarding multiple issuers when using WCF. It is described in the following post (Microsoft's WCF forum) : http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1578774&SiteID=1
If I read this right, it means you get only one (external) IdP per user/identity selector/desktop. But that's just version 1.0. I have no doubt that your thinking doesn't include the other possibilities for the future, but I'll list them anyway. Think of this a just a checklist, I reckon.
I'll use IdP here to mean a service that provides testimony about the accuracy of a claim (and not the self-asserted kind).
Different IdPs per card/security token, but only one IdP per card. This is Pam's case.
One card with multiple IdPs. For example, when I select a card, testimony about my ability to pay is provided by my bank and about my employment status is provided by my employer. In my mind, this is what it takes to call CardSpace “claims-based”; until then it's just card-based.
One claim with testimony from independent IdPs. That is, “Two forms of ID, please”. Yes, I suppose this is a challenge to some folk's notion of “authoritative source”. That notion seems too religious to me.
Oh sorry. I meant “… thinking also includes…” above. I.e. you're already aware of the possibilities. That will teach me to use a double negative 🙂 🙂
I must be having a bad day. After rereading what Pam said. she's talking about how RPs can specify which IdPs (instead of claims) would be accepted and which ones wouldn't.
Nevertheless, that doesn't invalidate my checklist.
I'm sorry for the confusion.
In January I consulted to a company that is in this very situation. As we could not enumerate a list of STS we devised a ayatem of “Present or Not” claims that would determine if the STS was permitted.
For example, we added a couple of claims: the first could be “IsPaymentProver”, and this would be used to allow any payment provider. The second could be “IsPaymentProviderX”, required by an RP that only allowed payments from provider X.
I think that is is crucial that CardSpace allows multiple issuers to be set so that this kind of scenario can be easily met.
It seem that CardSpace (maybe its WCF) does not allo for policy alternatives
I like the one-time-pass feature.
I like it too
Thanks for addressing this Kim.
And the one-time pass thing is COOL!!!
Pam