In combination,
the RSA signing key and PPID value can be used to identify
the subject and authenticate the user. The RSA signing key is
required because it provides the cryptographic proof of identity,
and PPID can be a useful lookup key for ?¬?nding the user??™s account
in a database. You can ?¬?nd more information about how
to deploy this in Chapter 5.
Accepting Managed Cards at a Website
In principal, the process for accepting a Managed Card is very
similar to accepting a Personal Card. We will take a look at the
implementation details for the canonical case of age veri?¬?cation.
In this example, the issuer will be the ?¬?ctitious Managed
Card provider Department of Licensing, whose issuer URI is
http://issuer/departmento?¬‚icensing. The wine seller site trusts
them to perform age veri?¬?cation and requests an age veri?¬?cation
claim. The Managed Card provider has developed the claim
The signing key
is used to prove
possession of a
Personal Card
To request a
Managed Card the
card issuer should
be speci?¬?ed
Using CardSpace in the Browser 245
"http://id4less/claims/legalToDrink" for this very purpose.
The wine shop then hosts the following HTML in their
login page:
method="post"
action="TokenProcessingPage.
Pages:
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370