Understanding Personal Information Cards
CardSpace provides users the ability to access, create and manage their Information Cards. In the same way that the information represented by bank cards, drivers' licenses, passports, and credit cards is vouched for by an organization, each Information Card represents data that is digitally signed by a provider. This document demonstrates the creation of Personal Information Cards and discusses their security features.
Personal Information Cards
Personal Information Cards (also called Self-issued Cards) are Information Cards that a user creates and for which the user supplies all of the data. Personal Information Cards are stored locally in an encrypted store together with the data that the cards contain, unlike Managed Cards, whose data is stored with the Identity Provider. Personal Information Cards contain a fixed set of claims, which cannot be expanded. In addition to the claims that are stored locally, a master key is generated and stored along with the card. The master key is used to generate the cryptographic key pairs and the unique identifiers that secure and uniquely identify the card. Personal Information Cards can be used for authentication, and they provide services and Web sites with the common information that the user wants to communicate.
Creating a Personal Information Card
To create a Personal Information Card, start the CardSpace Identity Selector.
Creating a Personal Card
1. On the Start menu, click Control Panel.
2. Double-click the Windows CardSpace icon.
3. When the Identity Selector appears, double-click the card labeled Add A Card.
4. The Identity Selector will show two options, Create a Personal Card and Install a Managed Card. Click Create a Personal Card.
5. Fill in one or more fields in the card, and optionally select a graphic for the card using the Browse button.
6. Click the Save button to save the card to the encrypted store.
7. Close the CardSpace Identity Selector.
Notice that the details in the card are all of "telephone book" quality: no credit-card numbers, passwords, or account information, only data that could be found in a directory. This design lets users store commonly used data with the card without exposing them to the risk of storing sensitive information in it.
Claims
Here are the claims that are available in Personal Information Cards, along with the URIs that represent each of the claims.
Claim | URI |
---|---|
Given Name | https://schemas.xmlsoap.org/ws/2005/05/identity/givenname |
Last Name | https://schemas.xmlsoap.org/ws/2005/05/identity/surname |
Street | https://schemas.xmlsoap.org/ws/2005/05/identity/streetaddress |
Locality (City) | https://schemas.xmlsoap.org/ws/2005/05/identity/locality |
State or Province | https://schemas.xmlsoap.org/ws/2005/05/identity/stateorprovince |
Postal Code | https://schemas.xmlsoap.org/ws/2005/05/identity/postalcode |
Country/Region | https://schemas.xmlsoap.org/ws/2005/05/identity/country |
Phone Number | https://schemas.xmlsoap.org/ws/2005/05/identity/homephone |
Other Phone | https://schemas.xmlsoap.org/ws/2005/05/identity/otherphone |
Mobile Phone | https://schemas.xmlsoap.org/ws/2005/05/identity/mobilephone |
Date of Birth | https://schemas.xmlsoap.org/ws/2005/05/identity/dateofbirth |
Gender | https://schemas.xmlsoap.org/ws/2005/05/identity/gender |
PPID | https://schemas.xmlsoap.org/ws/2005/05/identity/privatepersonalidentifier |
Web Page | https://schemas.xmlsoap.org/ws/2005/05/identity/webpage |
Email Address | https://schemas.xmlsoap.org/ws/2005/05/identity/emailaddress |
Relying on a Personal Information Card
Given that information in Personal Information Cards is all self-asserted by the user, the question is, "How can a Web site rely on any of the information contained in the card?" In the same way that Web sites currently accept information that the user types into forms, Web sites can accept information from Personal Information Cards with the same level of trust.
Each Personal Information Card is created with a Master Key, which is a string of random data. When the user selects a card that represents the data to send to a site, data from the site's certificate and the master key are used to generate two site-specific values for that association: the "private personal identifier" (PPID) claim and the public/private key pair used for signing. The PPID claim can be requested by the relying party like any other claim (by its URI).
To be able to rely on the card as a form of authentication, the site can use the public key and the PPID of a Personal Information Card to generate a unique identifier, for use in place of a user name and password to identify the user. Typically this is done with a simple hash algorithm over the concatenation of the public key and the PPID. Because re-creating a card generates a new Master Key even when the same data is entered in the claims, the two Personal Information Cards will not be recognized as equal.
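The following Python model, added here as an illustration and not code from CardSpace or this document, works through the relationship just described from both sides: the card holder's side derives a PPID and a site-specific public key from the Master Key and the site's certificate data, and the relying-party side hashes the public key together with the PPID into the identifier it stores instead of a user name and password. The `PersonalCard` class, the HMAC-based derivation, the `build_token` token layout and the certificate subject strings are all constructed stand-ins (the real CardSpace derivation functions and card store are not reproduced); the PPID claim URI is the one from the table above. The example also shows that, because the site's certificate data is an input to the derivation, the same card yields different identifiers at different sites, and that a re-created card with identical claim data is a new user from the site's point of view.

```python
import hashlib
import hmac
import secrets

# Claim URIs as listed in the claims table above.
PPID_CLAIM = "https://schemas.xmlsoap.org/ws/2005/05/identity/privatepersonalidentifier"
GIVEN_NAME_CLAIM = "https://schemas.xmlsoap.org/ws/2005/05/identity/givenname"


class PersonalCard:
    """Simplified model of a Personal Information Card: a fixed set of
    self-asserted claims plus a random Master Key. The encrypted card store and
    the CardSpace derivation functions are NOT reproduced; this is a stand-in."""

    def __init__(self, claims, master_key=None):
        self.claims = dict(claims)
        # A fresh random Master Key is generated for every card that is created,
        # even when the claim values are identical to an existing card.
        self.master_key = master_key if master_key is not None else secrets.token_bytes(32)

    def build_token(self, site_cert_data: bytes) -> dict:
        """Model the per-site derivation: Master Key + data from the site's
        certificate -> PPID and signing key. The HMAC construction is a
        hypothetical stand-in for the CardSpace algorithm, chosen so that both
        values differ per site and per Master Key."""
        ppid = hmac.new(self.master_key, b"ppid|" + site_cert_data, hashlib.sha256).digest()
        # Only the public half of the site-specific key pair is modelled, as an
        # opaque byte string, which is all the relying party sees in the token.
        public_key = hmac.new(self.master_key, b"key|" + site_cert_data, hashlib.sha256).digest()
        claims = dict(self.claims)
        claims[PPID_CLAIM] = ppid.hex()  # the PPID is delivered as a claim, keyed by URI
        return {"claims": claims, "public_key": public_key}


def relying_party_identifier(token: dict) -> str:
    """Relying-party side: hash the public key and the PPID into one identifier
    that stands in for a user name and password. Each part is length-prefixed
    before hashing so that two different (key, PPID) pairs cannot produce the
    same byte string once concatenated."""
    ppid = token["claims"].get(PPID_CLAIM)
    if ppid is None:
        raise ValueError("token does not carry the PPID claim; request it by its URI")
    h = hashlib.sha256()
    for part in (token["public_key"], ppid.encode("ascii")):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()


def demonstrate() -> dict:
    """Exercise the properties described in the text, using constructed data."""
    claims = {GIVEN_NAME_CLAIM: "Alice"}  # constructed claim value
    shop = b"CN=shop.example"  # constructed certificate data
    forum = b"CN=forum.example"  # constructed certificate data
    card = PersonalCard(claims)
    recreated = PersonalCard(claims)  # same claim data, new Master Key

    first_visit = relying_party_identifier(card.build_token(shop))
    second_visit = relying_party_identifier(card.build_token(shop))
    other_site = relying_party_identifier(card.build_token(forum))
    after_recreate = relying_party_identifier(recreated.build_token(shop))
    return {
        "same_card_same_site_is_stable": first_visit == second_visit,
        "same_card_other_site_differs": first_visit != other_site,
        "recreated_card_is_a_new_user": first_visit != after_recreate,
    }


if __name__ == "__main__":
    for name, holds in demonstrate().items():
        print(f"{name}: {holds}")
```

A relying party that stores `relying_party_identifier(...)` as the account key gets a value it can look up on every later visit with the same card, while learning nothing about the Master Key and gaining no handle that another site could correlate. The length prefix inside the hash is a small precaution that the text's "simple hash of the concatenation" leaves implicit: without it, a boundary shift between key bytes and PPID bytes could make two distinct inputs hash identically.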