Personal Information Cards Under the Hood

Personal Information Cards let you register yourself with a web site and later use the same card to authenticate yourself to it.

This removes the burden of typing in all your personal information every time you register with a new web site.

Once you have a personal information card holding the required claim values, the same card can be used at different web sites for both registration and authentication.

This raises a question...

How does a given web site identify you as a unique identity based on your information card?

Every information card has a non-editable claim value known as the Private Personal Identifier [PPID]. It is generated by CardSpace itself.

For each personal information card you create, CardSpace generates a master key and a Card ID. The master key is 32 bytes of random data and the Card ID is a GUID; together they make each card unique from every other card.

The PPID is not unique merely per information card.

It is a unique value for the Information Card + Relying Party (RP) combination.

The PPID is generated from the Card ID together with some properties of the RP's certificate.

If the RP has no certificate, the domain name from the site URL is used along with the Card ID instead.

Apart from the PPID, CardSpace also creates a public/private key pair for the personal information card.

CardSpace uses the card's master key along with some properties of the RP certificate to generate this key pair, so the key pair, like the PPID, is specific to the card and RP combination.

The Relying Party can retrieve the public key and the PPID from the information card submitted to it and store the user's information against the PPID.

All the information sent with the card is signed by the private key corresponding to that card.

So once an RP receives a card for authentication, it can identify the user by the PPID and check the integrity of the submitted information with the public key. Note that the PPID is an identifier, not a secret: the RP should record the public key at registration and confirm that later logins present the same key, otherwise anyone who learns a PPID could present it under a key of their own.

The PPID generated by CardSpace is a Base64-encoded SHA-256 hash: 32 bytes, which encode to 44 Base64 characters (the sample below has exactly that length, which is too long for a SHA-1 value). It looks something like:

2QLepiNor3AfYCJ2tN9m3IlNXKNA/iwpVV+FCU1ZhxQ=

That is not readable at all, so there is a way to generate a much more readable site-specific ID from it.
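Putting the pieces above together, here is an added example (not part of the original post and not CardSpace's own code) that walks the whole flow end to end: the per-card master key and Card ID, an RP identifier taken from the certificate subject or, failing that, the host name, the PPID as Base64(SHA-256(Card ID || RP identifier)), an RP-specific key pair derived from the master key, and the relying party's check of signature, PPID and registered key. Everything specific in it is an assumption or simplification: the Card ID and master key are constructed rather than random, the exact certificate fields and canonical form CardSpace hashes are not reproduced, and Ed25519 from a derived seed stands in for the key pair the selector would really generate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Card holds the two per-card secrets the selector generates: a GUID Card ID and a
// 32-byte random master key that never leaves the selector.
type Card struct {
	CardID    string
	MasterKey [32]byte
}

// demoCard returns a constructed card; the master key is fixed, NOT random, for reproducibility.
func demoCard() Card {
	c := Card{CardID: "a1e2c3d4-5f67-4890-a1b2-c3d4e5f60718"}
	for i := range c.MasterKey {
		c.MasterKey[i] = byte(i*7 + 3)
	}
	return c
}

// rpIdentifier reduces the relying party to a fixed-size value: the certificate subject if
// there is one, otherwise the host name of the site URL. (Assumption: the real selector picks
// specific certificate fields and canonicalises them; this demo hashes a labelled string.)
func rpIdentifier(certSubject, host string) [32]byte {
	label := "host:" + strings.ToLower(host)
	if certSubject != "" {
		label = "cert:" + certSubject
	}
	return sha256.Sum256([]byte(label))
}

// ppid binds the card to the RP: Base64(SHA-256(Card ID || RP identifier)), 44 characters.
func ppid(c Card, rp [32]byte) string {
	h := sha256.New()
	h.Write([]byte(c.CardID))
	h.Write(rp[:])
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// siteKey derives the card's RP-specific key pair from master key || RP identifier.
// Assumption: Ed25519 from a derived seed stands in for the selector's own key generation;
// what matters is that the pair is deterministic per (card, RP) and rooted in the master key.
func siteKey(c Card, rp [32]byte) ed25519.PrivateKey {
	material := append(append([]byte{}, c.MasterKey[:]...), rp[:]...)
	seed := sha256.Sum256(material)
	return ed25519.NewKeyFromSeed(seed[:])
}

// Token is what the RP receives: the PPID claim, the card's public key, the other claims,
// and a signature over all of them made with the card's private key.
type Token struct {
	PPID      string
	PublicKey ed25519.PublicKey
	Claims    string
	Signature []byte
}

func signedBytes(id, claims string) []byte { return []byte(id + "\n" + claims) }

func issueToken(c Card, rp [32]byte, claims string) Token {
	priv := siteKey(c, rp)
	id := ppid(c, rp)
	return Token{PPID: id, PublicKey: priv.Public().(ed25519.PublicKey),
		Claims: claims, Signature: ed25519.Sign(priv, signedBytes(id, claims))}
}

// Registration is what the RP stores at sign-up, keyed by PPID. Keeping the public key is what
// lets a later login prove it comes from the same card, not just from someone who knows the PPID.
type Registration struct {
	Name      string
	PublicKey ed25519.PublicKey
}

// rpVerify is the relying-party side: signature valid under the presented key, PPID known,
// and the presented key equal to the one registered for that PPID.
func rpVerify(t Token, users map[string]Registration) (string, bool) {
	if !ed25519.Verify(t.PublicKey, signedBytes(t.PPID, t.Claims), t.Signature) {
		return "", false
	}
	reg, ok := users[t.PPID]
	if !ok || !reg.PublicKey.Equal(t.PublicKey) {
		return "", false
	}
	return reg.Name, true
}

func main() {
	card := demoCard()
	shop := rpIdentifier("CN=shop.example, O=Example Shop Ltd", "shop.example")
	forum := rpIdentifier("", "forum.example") // no certificate: host name only
	fmt.Println("PPID at shop: ", ppid(card, shop))
	fmt.Println("PPID at forum:", ppid(card, forum))
	tok := issueToken(card, shop, "givenname=Alice")
	users := map[string]Registration{tok.PPID: {Name: "alice", PublicKey: tok.PublicKey}}
	name, ok := rpVerify(tok, users)
	fmt.Println("login:", name, ok)
	tok.Claims = "givenname=Mallory" // tampered in transit: signature no longer verifies
	_, ok = rpVerify(tok, users)
	fmt.Println("tampered login accepted:", ok)
}
```

Running it prints two unrelated 44-character PPIDs for the same card at the two sites, a successful login at the shop, and a rejected login once the claims are altered. The third check in rpVerify is the practitioner's addition: a PPID alone only identifies, so the RP compares the presented key with the one it stored at registration.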