We are now entering the next stage of i-card evolution and adoption where we want to start to extend the list of claims. I am finding that the simple patterns established by the first claim set makes this issue seem more trivial than it is.
The pattern that I personally, mistakenly, thought I was seeing in the WS-*, InfoCard, dance was:
RP says to Card Selector: “I want a nickname claim”
Card Selector says to User: “Pick one of these cards that has a nickname claim”
User selects a card and the nickname claim from that card is sent to the RP.
My misunderstanding was the assumption that the communication between the RP and the selector meant that I would only be able to select a card that would result in a successful transaction. Not only is this not true it is looking to me like I may get very little guidance from the selector as to which card I should select.
In my nickname example above just having a nickname claim may not be enough to... for example... post a blog comment. The value of the claim may be null... The RP may tell me that someone with a different PPID has already used that nickname. And Nickname was an example that I picked as 'the most trivial self asserted claim'. When you get into claims of higher value this problem becomes more apparent. Try registering to leave a comment on Kims blog: All it requires is an email address claim BUT that email address is then validated via an email round trip (as it should be), my point being that the fact that the selector says a card can satisfy the policy of the site only gets me so far.
SO... I foresee, or fear, this user experience:
- I navigate to a web site and see the i-card logo and click on it to 'login'.
- The Card Selector pops up with... lets say... 5 cards highlighted.
- I consider for a moment which one I want to send... and pick number 4.
- The site then tells me that the VALUE in one of the fields is unacceptable (wrong issuer, non-unique, not a member of the formal options,etc..)
- So... I try another of the cards that are highlighted and that one fails too.
- So... I try another one... or did I try that one already?
Not only is the experience nasty, I just submitted 4 sets of data to one RP in a VERY correlate-able way.
So how do we avoid this pitfall?
It is possible that all of this can be solved in the selector, maybe it already is and I don't know it, PLEASE let me know if it is! The in-selector solution would be that the RP can communicate more of its policy to the selector so that the selector can make smarter decisions based on claims values and claims metadata not just the presence or absence of a claim in the schema.
Meanwhile... I have a problem... and I'm not sure what the solution is. Here's the problem:
I want to issue a Library i-card. One of the logical claims that one makes about the holder of a library card is what roles they play at the library; note that I say roleS not role. It is very common for an individual to have multiple roles at the same Library; they may be staff and a part-time student, faculty and staff, faculty and alumnus, etc...
So how do we model this in an i-card?
There seem to be 2 solutions; have one claim that returns a multi-value response OR have a claim for each possible role.
The first option; a single claim called 'library-roles':
- In this case the RP always gets to know all of the roles of the current user even if all they needed to know is if they had a specific role.
- I could have 4 cards highlighted in my selector but find that none of them deliver a claim that can actually satisfy the RP (after i have given them a LOT of information about myself).
- In the vast majority of cases the user only has one library card and it will either work or won't work.
- The RPs are likely to be libraries and therefore trustable anyway?
In summary of option 1... can seriously compromise privacy, but that's OK.... if you don't care about privacy.
Option 2 is have a claim for each role. With this option you can maintain privacy but at the cost of usability. As I navigate the RP site I will be repeatedly prompted for 'another' card (could be the same one) as I move to parts of the site that require different roles. In this case I progressively give up privacy, if I want to, in order to get access to functionality. This again assumes that the presence or absence of the claim is actually more important than the claim value, which in this case is always assumed to be 'true' in order for this scheme to make any sense.
If you have managed to get to this point in this diatribe.... I would love to hear which option you think I should use... Or is there another option I haven't thought of?
4 comments:
As a third option, you could have a different card for each role. The user can choose to use their Staff card, or their Alumni card, etc.
http://citeseer.ist.psu.edu/seamons97internet.html
Eric,
What is written in the paper that you provided seems like a great idea for the CardSpace developers to read (or the developers of any selector). However as a simple user of these pieces of 'infrastructure' I don't see how this helps me solve my problem... Sorry if I'm being thick!
A more complex policy language may help here. Right now WS-Policy allows only for the attribute operator "=" and the logical operators AND and XOR.
OASIS works on a version 3.0 of XACML. XACML allows for very complex policy statements. You can use stuff like "<" "IN" an more. You can even build your own functions. XACML is used to define access control conditions. XACML 3.0 is working on an extension of WS-Policy to allow for "XACML-like condition statements". See http://www.oasis-open.org/committees/download.php/24951/xacml-3.0-profile-webservices-spec-v1-wd-10-en.pdf.
Post a Comment