I3:Information Card Identity Selector Features
From OSIS Open Source Identity Systems
Feature-Basic use of Self-Issued Information Card
| list help copy as XML edit |
| Information Card Identity Selector Basic use of Self-Issued Information Card - Maturity: Established (I1 ) | |||
|---|---|---|---|
| Support for self-issued cards containing claims maintained by the user. | Verify correct communication of self-issued claim values | Required and selected optional claims delivered | Additional claims delivered or some selected claims not delivered |
Tests
I3:FeatureTest-Selector Use with Self-Issued Cards
Feature-Basic use of PIN-protected Self-Issued Information Card
| list help copy as XML edit |
| Information Card Identity Selector Basic use of PIN-protected Self-Issued Information Card - Maturity: Established (I1 ) | |||
|---|---|---|---|
| Support for self-issued cards protected by a user-set PIN number | Use a self-issued information card protected by a PIN number | Required and selected optional claims delivered | Additional claims delivered or some selected claims not delivered |
Tests
I3:FeatureTest-Selector PIN-protection of Cards
Feature-Basic use of Managed Card backed by Self-Issued Information Card
| list help copy as XML edit |
| Information Card Identity Selector Basic use of Managed Card backed by Self-Issued Information Card - Maturity: Established (I1 ) | |||
|---|---|---|---|
| Support for import and use of a managed card backed by a self-issued card. | Create a managed card backed by a self-issued card, import it into the Selector, and use it at a relying party. | Works | Fails |
Tests
I3:FeatureTest-Selector with card-backed Managed Cards
Feature-Basic use of Managed Card backed by X.509 Certificate
| list help copy as XML edit |
| Information Card Identity Selector Basic use of Managed Card backed by X.509 Certificate - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| Support for import and use of a managed card backed by an X.509 certificate | Create a managed card backed by an X.509 certificate, import it into the Selector, and use it at a relying party. | Works | Fails |
Tests
I3:FeatureTest-Selector Support for Managed Card backed by X.509 Certificate
Feature-Basic use of Managed Card backed by Kerberos
| list help copy as XML edit |
| Information Card Identity Selector Basic use of Managed Card backed by Kerberos - Maturity: Emerging | |||
|---|---|---|---|
| Support for import and use of a managed card backed by a Kerberos ticket | Create a managed card backed by a Kerberos ticket, import it into the Selector, and use it at a relying party. | Works or fails with actionable error message | Fails |
Tests
Feature-Basic use of Managed Card backed by Username and Password
| list help copy as XML edit |
| Information Card Identity Selector Basic use of Managed Card backed by Username and Password - Maturity: Established (I1 ) | |||
|---|---|---|---|
| Support for import and use of a managed card backed by a username and password | Create a managed card backed by a password, import it into the Selector, and use it at a relying party. | Possible to specify a password and complete the transaction | Error or unable to specify a password |
Tests
I3:FeatureTest-Selector with UNPW-backed Managed Cards
Feature-Support for Auditing Cards
| list help copy as XML edit |
| Information Card Identity Selector Support for Auditing Cards - Maturity: Established (I1 ) | |||
|---|---|---|---|
| Cards with mandatory RequireAppliesTo property, as per ISIP § 4.1.1.5, 4.3.3 | Import and use card with mandatory RequireAppliesTo. | If AppliesTo supplied by RP, send AppliesTo value from RP policy in token request to IP. If not supplied, send the RP endpoint to which token will be sent as the value of AppliesTo in token request to IP. | Other behaviors |
Tests
I3:FeatureTest-Selector Support for Auditing Cards
Feature-Support for Auditing-Optional Cards
| list help copy as XML edit |
| Information Card Identity Selector Support for Auditing-Optional Cards - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| Cards with optional RequireAppliesTo property, as per ISIP § 4.1.1.5, 4.3.3 | Import and use card with optional RequireAppliesTo. | If AppliesTo supplied by RP, send AppliesTo value from RP policy in token request to IP. If not supplied, do not send AppliesTo in token request to IP. | Other behaviors |
Tests
I3:FeatureTest-Selector Support for Auditing-Optional Cards
Feature-Support for Non-Auditing Cards
| list help copy as XML edit |
| Information Card Identity Selector Support for Non-Auditing Cards - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| Cards without RequireAppliesTo property, as per ISIP § 4.1.1.5, 4.3.3 | Import and use card without RequireAppliesTo | If AppliesTo supplied by RP, fail with actionable error message. If not, Do not send AppliesTo in token request to IP. | Other behaviors |
Tests
I3:FeatureTest-Selector Support for Non-Auditing Cards
Feature-Cards supporting multiple token types
| list help copy as XML edit |
| Information Card Identity Selector Cards supporting multiple token types - Maturity: Emerging | |||
|---|---|---|---|
| As per ISIP § 4.1.1.3 | Import and use card capable of offering multiple token types | Token type requested is delivered | Card fails to match for some token types. Token of wrong type delivered. |
Tests
Feature-Cards supporting multiple authentication methods
| list help copy as XML edit |
| Information Card Identity Selector Cards supporting multiple authentication methods - Maturity: Emerging | |||
|---|---|---|---|
| As per ISIP § 4.1.1.2 | Import and use card supporting multiple authentication methods | Selector uses all endpoints in order until one succeeds | Only first endpoint tried |
Tests
Feature-Import .crd file containing Managed Card
| list help copy as XML edit |
| Information Card Identity Selector Import .crd file containing Managed Card - Maturity: Established (I1 ) | |||
|---|---|---|---|
| A single card can be imported from a .crd file | Import card from .crd file | Successful card import | Error or Exception |
Tests
I3:FeatureTest-Selector Import of .crd Files
Feature-Export one or more Cards to .crds file
| list help copy as XML edit |
| Information Card Identity Selector Export one or more Cards to .crds file - Maturity: Established (I1 ) | |||
|---|---|---|---|
| Cards can be exported to the .crds file format | Export cards to .crds file | Successful Export | Error or Exception |
Tests
I3:FeatureTest-Selector Import-Export of .crds Files
Feature-Import Cards from .crds file
| list help copy as XML edit |
| Information Card Identity Selector Import Cards from .crds file - Maturity: Established (I1 ) | |||
|---|---|---|---|
| Cards can be imported from the .crds file format. | Import a valid .crds file | Successful Import | Error or Exception |
Tests
I3:FeatureTest-Selector Import-Export of .crds Files
Feature-Relying Party specific identifiers constructed for Self-Issued Cards and standard SSL Relying Party certificate
| list help copy as XML edit |
| Information Card Identity Selector Relying Party specific identifiers constructed for Self-Issued Cards and standard SSL Relying Party certificate - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| Privatepersonalidentifier, signing key, and if present, friendly identifier must be compatible for sites using a standard SSL Certificate as per ISIP § 8.6, 4.3.4 | Use a self-issued card at an RP site using Standard SSL certificates and assess correctness of identifiers created. | Identifiers match ISIP specifications | Identifiers do not meet ISIP specifications |
Tests
I3:FeatureTest-Selector Constructs Site-Specific Identifiers for Self-Issued Cards
Feature-Relying Party specific identifiers constructed for Self-Issued Cards and EV SSL Relying Party certificate
| list help copy as XML edit |
| Information Card Identity Selector Relying Party specific identifiers constructed for Self-Issued Cards and EV SSL Relying Party certificate - Maturity: Emerging | |||
|---|---|---|---|
| privatepersonalidentifier, signing key, and friendly identifier if present must be compatible for EV SSL sites for self-issued cards as per ISIP § 8.6, 4.3.4 | Use an information card at a site with an EV certificate and verify the resulting PPID and friendly ID | Identifiers match ISIP specifications | Identifiers do not meet ISIP specifications |
Tests
Feature-Relying Party specific identifiers constructed for Self-Issued Cards when AppliesTo supplied
| list help copy as XML edit |
| Information Card Identity Selector Relying Party specific identifiers constructed for Self-Issued Cards when AppliesTo supplied - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| privatepersonalidentifier, signing key, and friendly identifier if present must be compatible for sites providing a wsp:AppliesTo element for self-issued cards as per ISIP § 8.6, 4.3.4 | Use an information card at a site known to provide wsp:AppliesTo element and verify the resulting PPID and friendly ID | Identifiers match ISIP specifications | Identifiers do not meet ISIP specifications |
Tests
I3:FeatureTest-Selector Constructs Site-Specific Identifiers for Self-Issued Cards
Feature-Relying Party specific identifiers constructed for Self-Issued Cards when AppliesTo not supplied
| list help copy as XML edit |
| Information Card Identity Selector Relying Party specific identifiers constructed for Self-Issued Cards when AppliesTo not supplied - Maturity: Emerging | |||
|---|---|---|---|
| privatepersonalidentifier, signing key, ClientPseudonym handling, and friendly identifier if present must be compatible for sites not providing an wsp:AppliesTo element as per ISIP § 8.6, 4.3.4 | Use an information card at a site known to not provide wsp:AppliesTo element and verify the resulting PPID and friendly ID | Identifiers match ISIP specifications | Identifiers do not meet ISIP specifications |
Tests
Feature-Retrieval and display of Display Token values for Managed Cards
| list help copy as XML edit |
| Information Card Identity Selector Retrieval and display of Display Token values for Managed Cards - Maturity: Established (I2 ) | |||
|---|---|---|---|
| Correctly show the display token values provided with a token by an Identity Provider from the Identity Selector as per ISIP § 4.3.6 | Retrieve managed card attributes from within an Identity Selector, and compare results to what is passed to an RP | Displays current token correctly. | Other behavior |
Tests
I3:FeatureTest-Selector Display of Managed Card Display Tokens
Feature-Display Identity Provider Privacy Policy from Managed Card
| list help copy as XML edit |
| Information Card Identity Selector Display Identity Provider Privacy Policy from Managed Card - Maturity: Emerging | |||
|---|---|---|---|
| Display from the Selector a link to the IdP privacy policy, if present in a managed card as per ISIP § 4.1.1.6 | Attempt to view the privacy policy for a managed card with a known embedded value | Link is displayed, matches value in card | Link not displayed, value doesn’t match |
Tests
Feature-Display Relying Party Privacy Policy
| list help copy as XML edit |
| Information Card Identity Selector Display Relying Party Privacy Policy - Maturity: Established (I2 ) | |||
|---|---|---|---|
| Display from the Selector a link to the RP privacy policy as per ISIP § 3.2 | Attempt to view the privacy policy for an RP with a known available value | Link is displayed, matches value in card | Link not displayed, value doesn’t match |
Tests
I3:FeatureTest-Selector Display of RP Privacy Policy
Feature-Display Relying Party certificate details on initial Relying Party site access
| list help copy as XML edit |
| Information Card Identity Selector Display Relying Party certificate details on initial Relying Party site access - Maturity: Emerging | |||
|---|---|---|---|
| Show standard certificate detail information on first access to an RP | Access an RP Site unknown to the Selector, but known to use a standard SSL certificate | Correct Details Shown | No Details Shown or Incorrect Details Shown |
Tests
Feature-Display Relying Party certificate details on demand
| list help copy as XML edit |
| Information Card Identity Selector Display Relying Party certificate details on demand - Maturity: Emerging | |||
|---|---|---|---|
| Show standard certificate detail information during any transaction with that RP, at user’s request | Access an RP Site known to the Selector and known to use a standard SSL certificate | Correct Details Shown | No Details Shown or Incorrect Details Shown |
Tests
Feature-Display Identity Provider certificate details on Card import
| list help copy as XML edit |
| Information Card Identity Selector Display Identity Provider certificate details on Card import - Maturity: Emerging | |||
|---|---|---|---|
| Show IdP Standard SSL certificate detail information on demand by user | Import a card produced by an IdP known to use a standard SSL certificate | Correct Certificate Details Shown | No Details Shown or Incorrect Details Shown |
Tests
Feature-Display fault reason text from SOAP Faults
| list help copy as XML edit |
| Information Card Identity Selector Display fault reason text from SOAP Faults - Maturity: Emerging | |||
|---|---|---|---|
| Support for SOAP Faults as per ISIP § 6 and http://blogs.msdn.com/card/archive/2007/10/04/how-identity-providers-can-show-custom-error-messages-in-cardspace.aspx | Simulate Each Fault | Fault is recognized and acted upon | Fault ignored or exception caused |
Tests
Feature-Support for Identity Provider using Transport Binding to secure SOAP message
| list help copy as XML edit |
| Information Card Identity Selector Support for Identity Provider using Transport Binding to secure SOAP message - Maturity: Established (I1 ) | |||
|---|---|---|---|
| Support for IdP use of transport security to secure the transaction on the channel as per ISIP Guide § 5.1.1.1 and WS-SecurityPolicy 1.2 § 8.3 | Use a managed card whose provider is known to use transport binding against an RP that is also known to correctly handle transport binding. | Successful transaction | Error or exception |
Tests
Feature-Support for Identity Provider using Symmetric Binding to secure SOAP message
| list help copy as XML edit |
| Information Card Identity Selector Support for Identity Provider using Symmetric Binding to secure SOAP message - Maturity: Emerging | |||
|---|---|---|---|
| Support for IdP use of message security, specifically a symmetric binding to secure the transaction on the channel as per ISIP Guide § 5.1.1.2 and WS-SecurityPolicy 1.2 § 8.4 | Use a managed card whose provider is known to use symmetric binding against an RP that is also known to correctly handle symmetric binding. | Successful transaction | Error or exception |
Tests
Feature-Support for Identity Provider using Asymmetric Binding to secure SOAP message
| list help copy as XML edit |
| Information Card Identity Selector Support for Identity Provider using Asymmetric Binding to secure SOAP message - Maturity: Emerging | |||
|---|---|---|---|
| Support for IdP use of message security, specifically an asymmetric binding to secure the transaction on the channel as per WS-SecurityPolicy 1.2 § 8.5. (Do not test in this Interop if not implemented by any Selector.) | Use a managed card whose provider is known to use asymmetric binding against an RP that is also known to correctly handle asymmetric binding. | Successful transaction | Error or exception |
Tests
Feature-Accept Policy Data from Relying Parties using Relying Party STS
| list help copy as XML edit |
| Information Card Identity Selector Accept Policy Data from Relying Parties using Relying Party STS - Maturity: Established (I2 ) | |||
|---|---|---|---|
| Support for use of an RP/STS to communicate RP policy data as per ISIP Guide § 3 | Access an RP Site using an RP/STS & verify policy received. | Complete policy received | Incorrect or incomplete policy received or Selector not triggered |
Tests
I3:FeatureTest-Selector Support for Relying Party STSs
Feature-Accept Policy Data from Rich Client Application using a separate Relying Party
| list help copy as XML edit |
| Information Card Identity Selector Accept Policy Data from Rich Client Application using a separate Relying Party - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| Ability for Selector to be triggered from a rich client application (with no browser used) and to receive RP policy data from a separate Relying Party | Demonstrate using the Identity Selector from a smart client application (with no browser involved) where the user selects a card and causes a token to be sent to a relying party | Selector invoked and token from selected card sent to relying party | Selector not invoked, token not sent to RP, or other failures |
Tests
I3:FeatureTest-Selector Support for Rich Clients
Feature-Accept Policy Data from Rich Client Application that is also the Relying Party
| list help copy as XML edit |
| Information Card Identity Selector Accept Policy Data from Rich Client Application that is also the Relying Party - Maturity: Emerging | |||
|---|---|---|---|
| Ability for Selector to be triggered from a rich client application (with no browser used), and to receive RP policy data from that rich application | Demonstrate using the Identity Selector from a smart client application (with no browser involved) where the user selects a card and causes a token to be sent to the application from an identity provider | Selector invoked and token from selected card delivered to application | Incorrect or incomplete policy, or Selector not triggered |
Tests
Feature-Identity Selector support for SOAP 1.1
| list help copy as XML edit |
| Information Card Identity Selector Identity Selector support for SOAP 1.1 - Maturity: Established (I1 ) | |||
|---|---|---|---|
| Support for IdP & RP Components which use SOAP 1.1 | Access components that are known to exclusively use SOAP 1.1 | Transaction Succeeds | Error or Exception |
Tests
Feature-Identity Selector support for WS-Trust 1.2, WS-SecurityPolicy 1.1
| list help copy as XML edit |
| Information Card Identity Selector Identity Selector support for WS-Trust 1.2, WS-SecurityPolicy 1.1 - Maturity: Established (I1 ) | |||
|---|---|---|---|
| Support for IdP and RP Components which use WS-Trust 1.2 and WS-SecurityPolicy 1.1 as per ISIP and ISIP Guide | Access components that are known to exclusively use ISIP versions of WS-Trust & WS-SecurityPolicy | Transaction Succeeds | Error or Exception |
Tests
Feature-Support for editing Self-Issued Information Cards
| list help copy as XML edit |
| Information Card Identity Selector Support for editing Self-Issued Information Cards - Maturity: Established (I2 ) | |||
|---|---|---|---|
| Allow user to edit a self-issued information card already held in the Selector to contain new information from the user | Attempt to edit self-issued card information | Unable to update or self-issued cards | Able to update and save self-issued cards |
Tests
Feature-Notify user of need for Managed Information Card refresh
| list help copy as XML edit |
| Information Card Identity Selector Notify user of need for Managed Information Card refresh - Maturity: Emerging | |||
|---|---|---|---|
| If, on attempted use of a managed information card, the Identity Provider returns an InformationCardRefreshRequired SOAP Fault, Selector must notify the user as per ISIP § 4.1.1.1, 4.3.1, 6.2 | Attempt to use a card which needs a refresh | User notified of more recent card version | No notification of new version |
Tests
Feature-Notify user on Card import if imported Card already exists in Card Store
| list help copy as XML edit |
| Information Card Identity Selector Notify user on Card import if imported Card already exists in Card Store - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| Notify the user if, during card import, Selector detects an incoming card is a duplicate of one that exists in the card store | Attempt to import a card that is already in the card store | User notified and given choice of whether to import | User not notified or error |
Tests
I3:FeatureTest-Selector preserves MasterKey when overwriting card
Feature-Relying Party specific identifiers constructed for Self-Issued Cards at Relying Parties using HTTP
| list help copy as XML edit |
| Information Card Identity Selector Relying Party specific identifiers constructed for Self-Issued Cards at Relying Parties using HTTP - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| privatepersonalidentifier, signing key, and friendly identifier compatible for no-SSL sites for self-issued cards as per http://blogs.msdn.com/card/archive/2007/09/25/deploy-cardspace-on-your-site-without-a-ssl-certificate.aspx | Use an information card at a site not using an SSL Certificate and verify the resulting PPID and friendly ID | Identifiers match ISIP specifications | Identifiers do not meet ISIP specifications |
Tests
I3:FeatureTest-Selector Constructs Site-Specific Identifiers for Self-Issued Cards
Feature-Support for Relying Parties using HTTP
| list help copy as XML edit |
| Information Card Identity Selector Support for Relying Parties using HTTP - Maturity: Established (I2 ) | |||
|---|---|---|---|
| Support for use of a no-SSL RP as per http://blogs.msdn.com/card/archive/2007/09/25/deploy-cardspace-on-your-site-without-a-ssl-certificate.aspx | Access an http-only RP Site and use an Information Card | Requested claims provided | Selector not triggered |
Tests
I3:FeatureTest-Selector Constructs Site-Specific Identifiers for Self-Issued Cards
Feature-Identity Selector support for SOAP 1.2
| list help copy as XML edit |
| Information Card Identity Selector Identity Selector support for SOAP 1.2 - Maturity: Emerging | |||
|---|---|---|---|
| Support for IdP & RP Components which use SOAP 1.2 | Access components that are known to exclusively use SOAP 1.2 | Transaction Succeeds | Error or Exception |
Tests
Feature-Identity Selector support for WS-Trust 1.3, WS-SecurityPolicy 1.2
| list help copy as XML edit |
| Information Card Identity Selector Identity Selector support for WS-Trust 1.3, WS-SecurityPolicy 1.2 - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| Support for IdP and RP Components which use WS-Trust 1.3 and WS-SecurityPolicy 1.2 (the OASIS standard versions) as per http://blogs.msdn.com/card/archive/2007/11/22/cardspace-support-for-oasis-ws-sx-standards.aspx | Access components that are known to exclusively use OASIS versions of WS-Trust & WS-SecurityPolicy | Transaction Succeeds | Error or Exception |
Tests
I3:FeatureTest-Selector Support for WS-Trust 1.3 and WS-SecurityPolicy 1.2
Feature-Enforcement of IdP choice to limit use of Card to only sites with SSL
| list help copy as XML edit |
| Information Card Identity Selector Enforcement of IdP choice to limit use of Card to only sites with SSL - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| Restriction of site access when a card is used that limits card access to non-SSL Sites as per http://blogs.msdn.com/card/archive/2007/09/25/deploy-cardspace-on-your-site-without-a-ssl-certificate.aspx | Import HTTPS only card and try to use it at https and http sites | Card usable at an https site but can not be selected to use at an http site | Card can not be imported or not usable at https site or can be used at an http site |
Tests
I3:FeatureTest-Selector Support for RequireStrongRecipientIdentity
Feature-Identity Selector informs user when an RP site Privacy Policy has Changed
| list help copy as XML edit |
| Information Card Identity Selector Identity Selector informs user when an RP site Privacy Policy has Changed - Maturity: Emerging | |||
|---|---|---|---|
| Selector must be able to detect when a new version of the RP privacy policy is available, and notify the user | Trigger a Selector transaction where the privacy policy has changed | User is notified | User is not notified |
Tests
Feature-PPID for Auditing Managed Card remains the same after overwriting card in Selector
| list help copy as XML edit |
| Information Card Identity Selector PPID for Auditing Managed Card remains the same after overwriting card in Selector - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| Information provided to the Identity Provider for the card used to generate the PPID is consistent between old and new version of the card | Import one version of the card, use it, and record PPID. Import second version of the card, and verify that the PPID doesn’t change. | The card generates the same PPID after being overwritten | PPID changes after the card is overwritten |
Tests
I3:FeatureTest-Selector preserves MasterKey when overwriting card
Feature-PPID for Auditing Managed Card remains the same after updating card to newer version in Selector
| list help copy as XML edit |
| Information Card Identity Selector PPID for Auditing Managed Card remains the same after updating card to newer version in Selector - Maturity: Emerging | |||
|---|---|---|---|
| Information provided to the Identity Provider for the card used to generate the PPID is consistent between old and new version of the card | Import one version of the card, use it, and record PPID. Import second version of the card, and verify that the PPID doesn’t change. | Different versions of the same card generate the same PPID | PPID changes between versions of the card |
Tests
Feature-PPID for Non-Auditing Managed Card remains the same after updating card to newer version in Selector
| list help copy as XML edit |
| Information Card Identity Selector PPID for Non-Auditing Managed Card remains the same after updating card to newer version in Selector - Maturity: Emerging | |||
|---|---|---|---|
| Information provided to the Identity Provider for the card used to generate the PPID is consistent between old and new version of the card | Import one version of the card, use it, and record PPID. Import second version of the card, and verify that the PPID doesn’t change. | Different versions of the same card generate the same PPID | PPID changes between versions of the card |
Tests
Feature-Verify AppliesTo information is present in Relying Party policy when Auditing Card used
| list help copy as XML edit |
| Information Card Identity Selector Verify AppliesTo information is present in Relying Party policy when Auditing Card used - Maturity: Emerging | |||
|---|---|---|---|
| Check that the RP has returned token scope information with AppliesTo when the card used at the RP is auditing mandatory (Behavior per Token Scope table in ISIP § 4.3.3) | Use an Auditing mandatory card in an RP transaction where the RP does not supply AppliesTo | Actionable Message | Other behavior |
Tests
Feature-Verify AppliesTo information is not present in Relying Party policy when Non-Auditing Card used
| list help copy as XML edit |
| Information Card Identity Selector Verify AppliesTo information is not present in Relying Party policy when Non-Auditing Card used - Maturity: Emerging | |||
|---|---|---|---|
| Check that the RP has not returned token scope information with AppliesTo when the card used at the RP is non-auditing (behavior per Token Scope table in ISIP § 4.3.3) | Use a non-auditing card with an RP where the RP supplies AppliesTo | Fail with actionable error message. | Other behavior |
Tests
Feature-Verify format of .crd file prior to import
| list help copy as XML edit |
| Information Card Identity Selector Verify format of .crd file prior to import - Maturity: Emerging | |||
|---|---|---|---|
| Check that the .crd file is a valid XML document before importing it | Attempt to import a faulty .crd file | Failure with actionable message | Exception, no error notification |
Tests
Feature-Validate certificate signing .crd file prior to import
| list help copy as XML edit |
| Information Card Identity Selector Validate certificate signing .crd file prior to import - Maturity: Emerging | |||
|---|---|---|---|
| Validate that the certificate signing the .crd file is the certificate of the owner of the STS | Attempt to import a .crd file signed by a certificate different than that of the issuing STS | Failure with actionable message | Exception, no error notification |
Tests
Feature-Verify format of .crds file prior to import
| list help copy as XML edit |
| Information Card Identity Selector Verify format of .crds file prior to import - Maturity: Emerging | |||
|---|---|---|---|
| Check that the .crds file is a valid XML document before importing it | Attempt to import a faulty .crds file | Failure with actionable message | Exception, no error notification |
Tests
Feature-Verify passcode of .crds file prior to import
| list help copy as XML edit |
| Information Card Identity Selector Verify passcode of .crds file prior to import - Maturity: Emerging | |||
|---|---|---|---|
| All .crds files should require the passcode to be correctly provided by the user | Attempt to import a .crds file when the passcode given is invalid | Failure with actionable message | Exception, no error notification |
Tests
Feature-Verify X.509 certificate associated with Identity Provider at time of Card use
| list help copy as XML edit |
| Information Card Identity Selector Verify X.509 certificate associated with Identity Provider at time of Card use - Maturity: Emerging | |||
|---|---|---|---|
| The X.509 Certificate of an Identity Provider should be validated in the following ways: the certificate chain should be validated, the certificate should be checked for revocation as per RFC 3280, and the host associated with the certificate should match the host presenting the certificate | Attempt to use a Selector at an Identity Provider with an invalid X.509 certificate | Failure with actionable message | Exception, continue |
Tests
Feature-Verify Relying Party X.509 certificate at time of Card use
| list help copy as XML edit |
| Information Card Identity Selector Verify Relying Party X.509 certificate at time of Card use - Maturity: Emerging | |||
|---|---|---|---|
| The X.509 Certificate of an Identity Provider should be validated in the following ways: the certificate chain should be validated, the certificate should be checked for revocation as per RFC 3280, and the host associated with the certificate should match the host presenting the certificate | Attempt to use a Selector at an Relying Party with an invalid X.509 certificate | Failure with actionable message | Exception, continue |
Tests
Feature-Verify X.509 certificate associated with imported Card prior to importing
| list help copy as XML edit |
| Information Card Identity Selector Verify X.509 certificate associated with imported Card prior to importing - Maturity: Emerging | |||
|---|---|---|---|
| The X.509 Certificate of an Identity Provider should be validated in the following ways: the certificate chain should be validated, the certificate should be checked for revocation as per RFC 3280, and the host associated with the certificate should match the host presenting the certificate | Attempt to import a managed card with an invalid associated X.509 certificate | Failure with actionable message | Card import succeeds |
Tests
Feature-Behavior when an Identity Provider STS never responds to a request
| list help copy as XML edit |
| Information Card Identity Selector Behavior when an Identity Provider STS never responds to a request - Maturity: Emerging | |||
|---|---|---|---|
| Attempts to communicate with an STS should be limited to a pre-defined time period, after which control is returned to the user. | Attempt to use a card whose STS does not respond | Reasonable timeout with error message | Hang |
Tests
Feature-Behavior when a Relying Party STS never responds to a request
| list help copy as XML edit |
| Information Card Identity Selector Behavior when a Relying Party STS never responds to a request - Maturity: Emerging | |||
|---|---|---|---|
| Attempts to communicate with an RP/STS should be limited to a pre-defined time period, after which control is returned to the user. | Attempt to use a card at an RP/STS that does not respond | Reasonable timeout with error message | Hang |
Tests
Feature-Provide ability to disable Selector invocation to prevent denial of service by malicious relying parties
| list help copy as XML edit |
| Information Card Identity Selector Provide ability to disable Selector invocation to prevent denial of service by malicious relying parties - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| Users should be able to disable Selector invocation manually – to prevent against malicious code spawning Selector transaction after Selector transaction | Attempt to use Selector at an RP that tries to DOS the workstation by triggering repeating Selector transactions | User can disable Selector invocation | User cannot disable Selector invocation |
Tests
I3:FeatureTest-Identity Selector DOS Avoidance
Feature-Behavior when the relying party request contains no claims
| list help copy as XML edit |
| Information Card Identity Selector Behavior when the relying party request contains no claims - Maturity: Emerging | |||
|---|---|---|---|
| If there are no required or optional claims requested by the RP, the Selector should match cards based on token type only | Attempt to use Selector at an RP that requests no claims | Match only on token type | Match all cards or no cards |
Tests
Feature-Behavior when the Relying Party request contains only optional claims
| list help copy as XML edit |
| Information Card Identity Selector Behavior when the Relying Party request contains only optional claims - Maturity: Emerging | |||
|---|---|---|---|
| If there are no required claims but some optional claims requested by the RP, the Selector should match cards based on token type only | Use Selector at an RP that requests only Optional claims | Match only on token type | Match all cards or no cards |
Tests
Feature-Support for Information Card Refreshes
| list help copy as XML edit |
| Information Card Identity Selector Support for Information Card Refreshes - Maturity: Emerging | |||
|---|---|---|---|
| The user must be notified in the case where they attempt to use a card from an Information Provider that responds that a refresh of that card is necessary | Attempt to use a card which requires a card refresh | Actionable Message | Transaction continues or else stops without an actionable message |
Tests
Feature-Verify presence of backing Self-Issued Card
| list help copy as XML edit |
| Information Card Identity Selector Verify presence of backing Self-Issued Card - Maturity: Emerging | |||
|---|---|---|---|
| Check that the backing self-issued card is present prior to allowing the managed card to be used | Attempt to use a managed card whose backing self-issued card is missing | Actionable Message | Failure or transaction continues |
Tests
Feature-Binary install package for Identity Selector available
| list help copy as XML edit |
| Information Card Identity Selector Binary install package for Identity Selector available - Maturity: Emerging | |||
|---|---|---|---|
| Simple installation for users | Install Selector | Easy | Hard |
Tests
Feature-Ability to PIN protect a Card
| list help copy as XML edit |
| Information Card Identity Selector Ability to PIN protect a Card - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| Users must be able to add and remove a PIN to a card as per ISIP § 7.1.1 | Attempt to add a PIN to a card, then attempt to remove it | Able to add and remove PIN protection | Not able to PIN-protect |
Tests
I3:FeatureTest-Selector PIN-protection of Cards
Feature-Ability to export and import PIN protected Cards
| list help copy as XML edit |
| Information Card Identity Selector Ability to export and import PIN protected Cards - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| PIN information must be part of .crds file as per ISIP § 7.1.1 | Import PIN-protected card – verify that PIN is intact | PIN intact | PIN missing or altered |
Tests
I3:FeatureTest-Selector Import-Export of .crds Files
Feature-Browser independence
| list help copy as XML edit |
| Information Card Identity Selector Browser independence - Maturity: Emerging | |||
|---|---|---|---|
| Selector can be invoked from different browsers (possibly with the addition of a Browser Add-On) | Attempt to use from more than one browser | Possible | Not possible |
Tests
Feature-Manual invocation of Selector by user for Card management functions
| list help copy as XML edit |
| Information Card Identity Selector Manual invocation of Selector by user for Card management functions - Maturity: Emerging | |||
|---|---|---|---|
| Selector can be started without having accessed a Relying Party for the purposes of managing a user's information card storage, enabling actions such as acquiring new cards, deleting undesired ones, and auditing their usage. | Manually invoke Identity Selector and manage information cards and card details. | Card management can be launched and performed without contacting a relying party. | Relying party must be contacted to interact with IA. |
Tests
Feature-Internationalization
| list help copy as XML edit |
| Information Card Identity Selector Internationalization - Maturity: Emerging | |||
|---|---|---|---|
| User interface elements should be presented in current locale for operating system | Attempt to use Selector with a locale other than English set on the operating system | Natural language and formatting conventions used the same as the OS | Fixed-language interface |
Tests
Feature-Identity Selector informs user when a site is being used for the first time
| list help copy as XML edit |
| Information Card Identity Selector Identity Selector informs user when a site is being used for the first time - Maturity: Emerging | |||
|---|---|---|---|
| IA must be able to detect whether this is first or subsequent visit to an RP and inform the user in an actionable manner. This is a key part of the phishing defense enabled by Identity Selectors. | Visit an RP site which has never been seen before | Signal to user on first visit must be distinguishable from what the user sees on subsequent visits. The object of the game here is to make the signal so blatant that the user will terminate the login process if the signal says first visit but she already has an account at the RP. | What user sees is very similar between the first/subsequent visit cases. For instance, they are only shown which cards match the claims policy of the RP. |
Tests
Feature-Relying Party site information shown during card selection
| list help copy as XML edit |
| Information Card Identity Selector Relying Party site information shown during card selection - Maturity: Emerging | |||
|---|---|---|---|
| In the user interface used to select and send a card, information about the Relying Party site is shown to the user. | Select a card and attempt to view RP certificate details | RP information (text, logo, or both) must be shown. | RP information not shown. |
Tests
Feature-Ability to select which optional claims to send
| list help copy as XML edit |
| Information Card Identity Selector Ability to select which optional claims to send - Maturity: Emerging | |||
|---|---|---|---|
| In the interface used to send a card, allow the user to see what optional claims are sent for the card and to choose whether or not to send any or all optional claims | Invoke the Selector against an RP advertising optional claims with a card that populates those claims – attempt to choose not to send optional claims | Ability to not send optional claims, either as a group or individually | No choice of whether to send optional claims. |
Tests
Feature-Differentiate Extended Validation certificates from regular SSL certificates
| list help copy as XML edit |
| Information Card Identity Selector Differentiate Extended Validation certificates from regular SSL certificates - Maturity: Emerging | |||
|---|---|---|---|
| When viewing certificate information for an IdP, ensure that users can tell the difference between sites protected by EV SSL and sites protected by Regular SSL Certificates | Compare the certificate details page for a card from an IdP protected by an EV SSL Certificate to the certificate details page for a card from an IdP protected by a regular SSL Certificate | Can tell which site is EV-SSL and which site is Regular SSL | No difference |
Tests
Feature-Display Identity Provider Extended Validation certificate image during Card import if image is present
| list help copy as XML edit |
| Information Card Identity Selector Display Identity Provider Extended Validation certificate image during Card import if image is present - Maturity: Emerging | |||
|---|---|---|---|
| During import of a managed card protected by an Extended Validation Certificate with an image associated, display the image to the user. | Access an RP Site known to use an EV certificate with an image | Image shown | Image not shown or error |
Tests
Feature-Display issuer information contained in Card
| list help copy as XML edit |
| Information Card Identity Selector Display issuer information contained in Card - Maturity: Emerging | |||
|---|---|---|---|
| Support display of the issuer information contained in the card as per http://blogs.msdn.com/card/archive/2007/10/24/providing-custom-data-in-an-information-card.aspx | Import a card containing issuer information and view the card details | Issuer information displayed | Issuer information not displayed |
Tests
Feature-Notify user on Card import if Card is already installed in Identity Selector
| list help copy as XML edit |
| Information Card Identity Selector Notify user on Card import if Card is already installed in Identity Selector - Maturity: Emerging (I3 ) | |||
|---|---|---|---|
| During import of an information card, check that the card is not already present – if the card is present, notify the user | Attempt to install an already present managed card | Notification occurs | No notification or error |
Tests
I3:FeatureTest-Selector preserves MasterKey when overwriting card
