Because the PPID and the cryptographic key pair are unique to a specific Personal Card when it is used at a specific RP, the relying party can use the PPID and keypair to validate which card is being used. To create this mapping, the RP would save the PPID and the public key from the token it gets from CardSpace. Then when a card is submitted, it associates this information with an account. When subsequent tokens are submitted with the same PPID and public key, the RP can identify that it is the same user and log him in to the associated account. Figure 3-8 shows how these two identifiers are created using the RP certificate.

Figure 3-8 The card's PPID and cryptographic keypair are generated when visiting a site. (Diagram: Relying Party's Certificate + Card ID → PPID; Relying Party's Certificate + Master Key → Public/Private Key Pair.)

Two very significant features follow from this. First, because users now have something specific only to them and that cannot be derived from other information, users can use that to identify themselves to a party. Second, because the PPID and cryptographic keypair are generated using information that differs for each RP, either the certificate or domain name, the values generated are also different for each RP.
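The following Go example is added here to illustrate the flow just described; it is not CardSpace's own code, and the concrete constructions it uses (SHA-256 over the RP identifier and Card ID for the PPID, an HMAC-SHA256 seed driving a deterministic Ed25519 key pair from the Master Key, Ed25519 signatures as proof of key possession) are assumptions chosen to show the properties in the text, not the actual CardSpace algorithm. It shows the card side deriving an RP-specific PPID and key pair, and the RP side saving that pair against an account on first use and accepting later tokens only when PPID, public key and signature all match.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Card holds the two per-card secrets the text names: Card ID and Master Key.
type Card struct{ CardID, MasterKey []byte }

// DerivePPID: illustrative SHA-256 over rpID || CardID, where rpID is whatever
// identifies the RP (its certificate, or the domain name for an HTTP site).
func DerivePPID(c Card, rpID []byte) [32]byte {
	return sha256.Sum256(append(append([]byte{}, rpID...), c.CardID...))
}

// DeriveKeyPair: illustrative HMAC-SHA256(MasterKey, rpID) seed driving a
// deterministic Ed25519 key pair; stable for one RP, different for another.
func DeriveKeyPair(c Card, rpID []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, c.MasterKey)
	mac.Write(rpID)
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil))
	return priv.Public().(ed25519.PublicKey), priv
}

// binding is what the RP saves from a first-time token: public key plus account.
type binding struct {
	pub     ed25519.PublicKey
	account string
}

// RelyingParty maps PPID -> binding, the association the text describes.
type RelyingParty map[[32]byte]binding

// Register saves a first-time token's PPID and public key against an account.
func (rp RelyingParty) Register(ppid [32]byte, pub ed25519.PublicKey, account string) {
	rp[ppid] = binding{pub, account}
}

// Login accepts a later token only if the PPID is known, the presented public
// key equals the stored one, and the signature over the token verifies under it.
func (rp RelyingParty) Login(ppid [32]byte, pub ed25519.PublicKey, token, sig []byte) (string, error) {
	b, ok := rp[ppid]
	if !ok || !b.pub.Equal(pub) || !ed25519.Verify(b.pub, token, sig) {
		return "", errors.New("token does not match a registered card")
	}
	return b.account, nil
}
```

Running the same card against two different RP identifiers yields two unrelated PPIDs and key pairs, which is the per-RP property the second point above relies on.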