The display token is embedded in the RSTR (Request
for a Security Token Response) along with the token intended for
the RP. When the user gets the token from the IP, CardSpace
uses the values in the display token to display the data to the
user. Figure 7-1 shows an example.
Although it is not possible to force the IP to construct the display
token in such a way that guarantees that the data shown to the
user is the same as the contents of the token provided to the RP,
the IP should always ensure that the contents of the token are
accurately represented in the display token because users are
approving the release of the token to the RP based on what they
can see. Failure to ensure this is a violation of the first law
("User Control and Consent").
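One way an IP could check this before issuing, shown as an added example (not code from the book or from CardSpace): it compares the claims in the display token with the claims in the token for the RP inside the same RSTR. It assumes a SAML 1.1 token that is still unencrypted at the IP, the Information Card display-token schema, and strict string equality between displayed and sent values; the function names and the sample RSTR are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# Constructed sample RSTR (unsigned, unencrypted, trimmed): the e-mail values
# differ and dateofbirth is sent to the RP without being displayed.
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{NS['wst']}"
    xmlns:ic="{NS['ic']}" xmlns:saml="{NS['saml']}">
 <wst:RequestedSecurityToken><saml:Assertion><saml:AttributeStatement>
  <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS}">
   <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS}">
   <saml:AttributeValue>alice@work.example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="dateofbirth" AttributeNamespace="{CLAIMS}">
   <saml:AttributeValue>1980-01-01</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></wst:RequestedSecurityToken>
 <ic:RequestedDisplayToken><ic:DisplayToken xml:lang="en">
  <ic:DisplayClaim Uri="{CLAIMS}/givenname">
   <ic:DisplayTag>First name</ic:DisplayTag><ic:DisplayValue>Alice</ic:DisplayValue></ic:DisplayClaim>
  <ic:DisplayClaim Uri="{CLAIMS}/emailaddress">
   <ic:DisplayTag>E-mail</ic:DisplayTag><ic:DisplayValue>alice@home.example</ic:DisplayValue></ic:DisplayClaim>
 </ic:DisplayToken></ic:RequestedDisplayToken>
</wst:RequestSecurityTokenResponse>"""

def display_claims(rstr):  # claim URI -> value CardSpace shows the user
    return {c.get("Uri"): (c.findtext("ic:DisplayValue", "", NS) or "").strip()
            for c in rstr.iterfind(".//ic:DisplayToken/ic:DisplayClaim", NS)}

def token_claims(rstr):  # claim URI -> value in the SAML 1.1 token for the RP
    return {f'{a.get("AttributeNamespace")}/{a.get("AttributeName")}':
            (a.findtext("saml:AttributeValue", "", NS) or "").strip()
            for a in rstr.iterfind(".//wst:RequestedSecurityToken//saml:Attribute", NS)}

def mismatches(rstr_xml):  # (claim URI, problem) pairs; empty list = consistent
    rstr = ET.fromstring(rstr_xml)
    shown, sent = display_claims(rstr), token_claims(rstr)
    problems = []
    for uri in sorted(set(shown) | set(sent)):
        if uri not in shown:
            problems.append((uri, "sent to RP but not displayed"))
        elif uri not in sent:
            problems.append((uri, "displayed but not in token"))
        elif shown[uri] != sent[uri]:
            problems.append((uri, "value differs"))
    return problems

if __name__ == "__main__":
    print(*mismatches(SAMPLE_RSTR), sep="\n")
```

An IP that formats display values for readability would need to normalize both sides before comparing, since this check treats any difference as a mismatch.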
CardSpace makes you aware of the data that will be sent to the IP
339 Walking a Mile in the User's Shoes
Perspective: There Is No Such Thing as a Free Search
IPs are a lot like any other service provider on the Internet, except that they deal
in data that is quite often very sensitive. An IP's responsibility to protect the privacy
of their customers' data should be taken very seriously, as it's easier to
damage your reputation than it is to repair it.