This means, by default, the
user is not transmitting some global identifier.
This fulfills the promise of the fourth law of identity: "Directed
Identity." Different RPs get different identity identifiers from
users, which increases the protection of their privacy by ensuring
that RPs cannot simply correlate information behind the
backs of users.
How Is the RP Certificate Used?
It is important to understand how CardSpace uses the certificate to generate the
PPID and keypair so that the same values will be generated when certificates
change or when there are multiple servers supporting a site.
Most X.509 certificates define the subject of the certificate by specifying a subject
Distinguished Name (DN) that looks something like "CN=www.contoso.com
O=Contoso L=Redmond S=WA C=United States". As shown in this example, the
CN is usually the domain name of the site; O is the organization name; and L, S,
and C give local, state, and country information. For an Extended Validation (EV)
certificate, CardSpace uses the O, L, S, and C (OLSC) values from the certificate to
help generate the PPID and keypair. When certificate keys are refreshed or the
same organization deploys CardSpace on different sites, the self-issued token
identifiers will stay the same as long as OLSC remains the same.
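The stability property described above can be modeled in a few lines. This is an added illustration, not CardSpace's actual derivation and not code from the book: the HMAC-SHA256 construction, the `card_secret` value, the function names, and the sample subjects are all assumptions made for the example.

```python
import hashlib
import hmac

OLSC = ("O", "L", "S", "C")  # the only subject attributes that feed the identifier

def org_id(subject: dict) -> bytes:
    """Encode the O, L, S, C values; CN and the public key are ignored."""
    missing = [a for a in OLSC if not subject.get(a)]
    if missing:
        raise ValueError(f"subject is missing {missing}")
    out = b""
    for attr in OLSC:
        value = subject[attr].encode("utf-8")
        # Length prefix keeps ("AB", "C") and ("A", "BC") from colliding.
        out += attr.encode() + len(value).to_bytes(4, "big") + value
    return out

def ppid(card_secret: bytes, subject: dict) -> str:
    """Per-RP identifier: keyed hash of the organization identity.
    Assumed construction for illustration only."""
    return hmac.new(card_secret, org_id(subject), hashlib.sha256).hexdigest()

# Constructed sample data (hypothetical card secret and certificate subjects).
CARD_SECRET = bytes(range(32))
CONTOSO = {"CN": "www.contoso.com", "O": "Contoso", "L": "Redmond",
           "S": "WA", "C": "United States", "public_key": "key-A"}
CONTOSO_RENEWED = dict(CONTOSO, public_key="key-B")   # keys refreshed
CONTOSO_SHOP = dict(CONTOSO, CN="shop.contoso.com")   # second site, same org
FABRIKAM = dict(CONTOSO, CN="www.fabrikam.com", O="Fabrikam")

if __name__ == "__main__":
    for name, subj in [("contoso", CONTOSO), ("renewed", CONTOSO_RENEWED),
                       ("shop", CONTOSO_SHOP), ("fabrikam", FABRIKAM)]:
        print(f"{name:9s} {ppid(CARD_SECRET, subj)[:16]}")
```

The first three subjects print the same identifier and the fourth differs, which is the directed-identity behavior: one organization sees a stable value, and two organizations cannot correlate the same card.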