Here is a simple and likely RP scenario that I’d like you to consider:
A given site wants to allow users to pay with either their Visa or their Mastercard information card. They do not, however, accept American Express. How should they create their security policy such that Visa and Mastercard managed cards are both highlighted in the Identity Selector if present, but also such that an American Express Card is grayed out and not clickable?
Would you all agree that this is a pretty important thing for a Relying Party to be able to implement? I think it’s important too, but I don’t see an easy way to actually accomplish it.
To my knowledge, there are two ways to choose what cards are highlighted and what cards are grayed out in the identity selector:
- if a card’s issuer matches the value of the issuer parameter
- if the entire set of required claim types are all present in a given card.
In the scenario above, the issuer parameter is a non-starter, because Windows CardSpace v1.0 only accepts a single issuer. And at this point in the identity metasystem, what WCS says, goes. I can specify Visa’s STS, or I can specify Mastercard’s STS, or I can choose not to specify an STS at all, but I cannot specify exactly two of them. Bottom line: as soon as I need to create a policy that lists more than one issuer, but less than all issuers, I cannot use the issuer statement.
So – that leaves us claims. Claims are great – when you can use what’s in them. In this case, however, the RP can’t work with claim values, only with claim types. In order to succeed in my scenario using claims, I would need to be able to specify a claim type that both Visa and Mastercard offer, but that AmEx doesn’t, in order to have the right cards show up and the wrong cards gray out. What exact claim type would that be? The only way I can see to architect such a thing is to have a commonly agreed upon but different claim type for every possible distinct combination of credit cards. Let’s say that there are 6 major credit card companies out there. How many permutations & combinations of claim types would be necessary to cover every single combination of 2,3,4, and 5 accepted cards, and how ugly would it be to add a new credit card?
It could theoretically be done. Identity Providers would have to start publishing two very separate types of claim types — contentless claim types that advertise capabilities, and content-rich claim types that would deliver actual data values. If you implement the capability claim types as constants and not as directory schema, it isn’t so bad — but the big problem is, it takes the ‘distributed’ out of this wonderful distributed system.
Unless things change (or unless I’m proven wrong, maybe I’m just missing some answers and need to be educated), here is what I fear will happen: users would go to a Relying Party Site, only to be presented with an HTML “menu” of supported managed card providers. They would then click on the card provider logo, and an HTML object would be invoked which has an issuer tailored to that single provider. Is this what we want to have happen?
If it does happen, I can see all sorts of fallout:
- Common claim types are no longer needed to ensure the user picks the right card. This is good.
- Every RP has to alter HTML to support a new Identity Provider. This is bad, or at least worse than adding a url to an allow or deny list.
- The ability for a Relying Party to require the same claims from every Identity Provider becomes damaged. This is bad. Of course, with issuer in the state it is in, I would say that no matter what, this is already the case.
- The system is more distributed, but MUCH less consistent for the user. This is bad.
- It opens the door for the more established Identity Providers to set arbitrary rules on what attributes “must” be asked for in order to interoperate, forcing Relying Parties to embed different code for each provider. This is bad.
Of course, all of this hinges on how important the initial card presentation ceremony becomes to the world. Remember that we are not talking about the RP’s ability to accept or reject a card once it has been selected. We are only talking about how to get the most user-friendly initial display of highlighted or grayed out cards when the selector opens. Maybe this small part of the information card ceremony won’t end up being that important — but I predict that it will. If I could have have any kind of solution to the problem, it would be the ability not just to list multiple issuers, but to apply Boolean logic to the list, so that I could represent ideas like “every issuer except these two”.
Kim, Mike, what can we do? Is this as big a problem as I’ve made it out to be, or am I just whining about something inconsequential? What is your vision of how my scenario could be implemented? Can this be solved with a few best practices, or do we need to change the way that information card RP security policies can be specified?
Update:Â Kim answers here – thanks for being so responsive Â :)
FYI I can’t speak for CardSpace, but in theory having multiple, alternative, issuers in theory could be written in the
WS-SecurityPolicy encoding of RP policy. This is much
more expressive than what can be written in the HTML OBJECT PARAM or XHTML encodings of RP policy.
Quoting section 3.1.1 of WS-SecurityPolicy
“Letâ€™s say that a policy wishes to express requirements for A and (B or C). This could be described as two policy statements …
Alternatively, we can use the wsp:All and wsp:ExactlyOne elements to describe the alternative policy in a single wsp:Policy element…”
I don’t remember seeing anything in the CardSpace Technical Reference of December 2006
that said CardSpace 1.0 identity selector’s support of WS-SecurityPolicy couldn’t or wouldn’t support parsing nested policies, though I haven’t yet tried it.
Informed Control Inc.
Pingback: Kim Cameron’s Identity Weblog » Pamela Dingle on multiple issuers
My understanding is that WCS v1.0 can’t handle multiple issuers, even if those multiple issuers come from a validly formed WS-SecurityPolicy statement. I haven’t tried it though, and it would be great to get ‘official’ confirmation of the fact.
Pingback: Identity 2.0 » Blog Archive » I got the issuer bluesâ€¦
I’ve ran into a similar problem, when using WCF. I’ve detailed it in the following post (Microsoft’s WCF forum):