dacs_managed_infocard - create a managed Information Card

       dacs_managed_infocard [dacsoptions[1]]

       This program is part of the DACS suite.

       The dacs_managed_infocard web service is used to create and register a
       managed InfoCard so that it can be used for authentication or other
       purposes. InfoCard-based authentication is performed by
       local_infocard_authenticate[2], a DACS authentication module.

       A managed InfoCard must be registered by dacs_managed_infocard before it
       can be used by DACS. After registration, use dacs_infocard(8)[3] or
       dacsinfocard(1)[4] to administer self-issued or managed InfoCards.

       There are several operational modes, determined by the MODE argument. In
       a self-serve mode, an authenticated user requests a managed InfoCard
       (with various limitations imposed); the new InfoCard is either sent
       directly to the user's browser or written to a file that the user can
       access in a separate operation. In an administrative mode, a DACS
       administrator requests a managed InfoCard on behalf of a user and is
       responsible for directing it to the user in a separate, secure operation.

       There are many configuration directives[5] associated with managed
       InfoCards. One of the most important is INFOCARD_STS_AUTH_TYPE[6], which
       determines the authentication method ("credential type") used between an
       Identity Selector, such as CardSpace, and the managed InfoCard's Identity
       Provider/Secure Token Service (IP/STS), such as dacs_sts(8)[7]. The
       following authentication methods are prescribed by the InfoCard

           This is a username/password type of authentication. See
           INFOCARD_STS_PASSWORD_METHOD[8]. At present, only a global (but
           changeable) password is allowed, or no password at all. A future
           release might allow a per-InfoCard account password, or tie an
           InfoCard account to some other password-based account.

           In this authentication type, an SSL client certificate must be used
           with the request to dacs_managed_infocard for a managed InfoCard, and
           the same certificate must be used when the managed InfoCard is
           submitted to a Relying Party. A self-signed certificate may be used.

           In this authentication type, a self-issued InfoCard must be submitted
           with the request to dacs_managed_infocard(8)[9] for a managed
           InfoCard (more precisely, a secure token obtained from a self-issued
           InfoCard that is passed as the argument xmlToken) and the same
           self-issued InfoCard must be available to the user's Identity
           Selector when the managed InfoCard is submitted to a Relying Party.

           This is the Kerberos V5 credential type. This authentication
           credential type is currently unsupported.

           An Identity Selector will display all claim values returned to it by
           an Identity Provider. An Identity Provider must therefore employ
           cryptographic methods to obtain privacy or check authenticity with
           respect to claim values.

       Accounts are accessed through DACS's virtual filestore using item type
       infocards. It is assumed that file permissions on the account database
       are such that all access is limited to the administrator,
       local_infocard_authenticate, dacs_infocard(8)[3], and dacs_sts(8)[7].

       The following configuration variables are available:

           If INFOCARD_STS_AUTH_TYPE[6] is "card", this is used as the filename
           of the image to include with a new managed card, relative to the
           INFOCARD_CARD_IMAGE_BASE_URL[10] URI. The default value is the string
           "dacs_selfissued_credential.png" (or similar).

           If INFOCARD_STS_AUTH_TYPE[6] is "cert", this is used as the filename
           of the image to include with a new managed card, relative to the
           INFOCARD_CARD_IMAGE_BASE_URL[10] URI. The default value is the string
           "dacs_x509certificate_credential.png" (or similar).

           If INFOCARD_STS_AUTH_TYPE[6] is "passwd", this is used as the
           filename of the image to include with a new managed card, relative to
           the INFOCARD_CARD_IMAGE_BASE_URL[10] URI. The default value is the
           string "dacs_username_password_credential.png" (or similar).

           This string identifies the IP/STS and may be displayed on web pages
           and Identity Selector prompts, or in error messages. The default
           value is the string "DACS Managed InfoCard IP/STS" (or similar).

           This is a printf(3)[11]-type format string. It may contain at most
           one conversion specification, %s, which will interpolate the value of

   Web Service Arguments
       In addition to the standard CGI arguments[12], dacs_managed_infocard
       understands the following CGI arguments:

           This argument is required if INFOCARD_STS_AUTH_TYPE[6] is set to
           "card". The self-issued InfoCard is registered with the account
           associated with the new managed InfoCard and the user's Identity
           Selector must possess the self-issued InfoCard in order to use the
           managed InfoCard.

           This optional argument specifies the MIME media subtype (e.g., the
           image format, such as "jpeg") of the image file attached to the new
           InfoCard. By default, the subtype is derived from the extension on
           the end of the last path component of the image's URI. For example,
           if CARD_IMAGE_URL is /card_images/bob.tn.gif, then the extension .gif
           is used to obtain a media subtype of gif and a MIME media type of
           image/gif. It is sometimes necessary to give the image format
           explicitly, however. See INFOCARD_CARD_IMAGE_BASE_URL[10] for
           additional details. Only a DACS administrator may use this argument.

           This optional argument specifies the location (as a DACS VFS URI[13])
           of the image file to attach to the new InfoCard, overriding the
           default method that uses only INFOCARD_CARD_IMAGE_BASE_URL[10]. If a
           file is specified (i.e., the value begins with a '/' or uses the file
           scheme), the path is relative to the INFOCARD_CARD_IMAGE_BASE_URL,
           which must specify a directory. Only a DACS administrator may use
           this argument.
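The image rules above (a per-auth-type default filename under INFOCARD_CARD_IMAGE_BASE_URL, an administrator-only override, and the media subtype derived from the extension of the last path component unless given explicitly) are small enough to check mechanically. The following is an added example, not DACS code: resolve_card_image and media_subtype_from_url are hypothetical names, the override for the media subtype is passed as card_image_type because the page does not show that argument's name, the default filenames are the ones the page quotes (which it qualifies with "or similar"), and VFS URI handling is reduced to the two cases the page describes (a leading '/' or the file scheme).

```python
from urllib.parse import urlsplit
from typing import Optional, Tuple

# Default image filenames per INFOCARD_STS_AUTH_TYPE as quoted on the page
# ("or similar"); the real values are compile-time defaults in DACS.
DEFAULT_CARD_IMAGE = {
    "card": "dacs_selfissued_credential.png",
    "cert": "dacs_x509certificate_credential.png",
    "passwd": "dacs_username_password_credential.png",
}


def media_subtype_from_url(url: str) -> Optional[str]:
    """Return the extension of the URI's last path component (lower-cased),
    or None if that component has no extension."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    if "." not in last:
        return None
    return last.rsplit(".", 1)[-1].lower() or None


def resolve_card_image(auth_type: str, image_base_url: str, *, is_admin: bool = False,
                       card_image_url: Optional[str] = None,
                       card_image_type: Optional[str] = None) -> Tuple[str, str]:
    """Return (image URI, MIME media type) for a new managed InfoCard.

    image_base_url plays the role of INFOCARD_CARD_IMAGE_BASE_URL and must
    denote a directory; card_image_url models CARD_IMAGE_URL and
    card_image_type the explicit media subtype (both administrator-only).
    """
    if (card_image_url is not None or card_image_type is not None) and not is_admin:
        raise PermissionError("CARD_IMAGE_URL and the image type override are administrator-only")
    base = image_base_url.rstrip("/")
    if card_image_url is None:
        if auth_type not in DEFAULT_CARD_IMAGE:
            raise ValueError(f"no default card image for INFOCARD_STS_AUTH_TYPE {auth_type!r}")
        url = f"{base}/{DEFAULT_CARD_IMAGE[auth_type]}"
    else:
        parts = urlsplit(card_image_url)
        if card_image_url.startswith("/") or parts.scheme == "file":
            # A file path is taken relative to the image base URL.
            url = f"{base}/{parts.path.lstrip('/')}"
        else:
            url = card_image_url  # any other VFS URI scheme is used as given
    subtype = card_image_type or media_subtype_from_url(url)
    if not subtype:
        raise ValueError(f"cannot derive a media subtype from {url!r}; give the image type explicitly")
    return url, f"image/{subtype}"


def override_denied(auth_type: str, image_base_url: str, **kw) -> bool:
    """True if a non-administrator is refused the override arguments."""
    try:
        resolve_card_image(auth_type, image_base_url, is_admin=False, **kw)
    except PermissionError:
        return True
    return False
```

Note the third case the page warns about: a filename such as bob.thumb yields a subtype of "thumb", which is why the explicit image type override exists; the example applies the override before falling back to the extension.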

           By default, or if the value of the FORMAT argument[14] is FILE, the
           new card is sent directly to the user's browser (which should
           automatically invoke the user's Identity Selector); no copy is
           retained on the server. If FORMAT is HTML, the new managed InfoCard
           is stored in a file, replacing any existing card of the same name
           (see INFOCARD_CARD_OUTPUTDIR[15]). Output is emitted in HTML and
           includes a link to the file (see INFOCARD_CARDID_BASE_URL[16]). Only
            the owner of the new card should be able to access it.

           Normally, this argument is omitted and the managed InfoCard is
           created on behalf of the identity that is invoking
           dacs_managed_infocard. This argument allows a DACS administrator to
           create a card for a specific identity.

           This optional argument is used to select how claim information[17] is
           stored and retrieved. Four values are recognized:

               In this usage mode, which is the default, claims are defined and
               filled depending on DACS configuration:

               •   if both INFOCARD_CARD_DEFS_URL[18] and
                   INFOCARD_CARD_FILL_URL[19] are configured, the former web
                   service is called (once, by dacs_managed_infocard) to define
                   the claims that will be assigned to the new managed InfoCard
                   and the latter web service is called (by dacs_sts(8)[7], each
                   time the InfoCard is used) to obtain the values of those
                   claims (or the requested and approved subset). The claim
                   definitions may not be modified, but claim values do not need
                   to be static.

                •   if neither of those web services is configured, a minimal
                   set of claims is automatically defined to facilitate

               •   any other configuration is invalid

               An identity is always associated with these InfoCards using a
               claim named dacs_identity in the DACS namespace
               (http://dacs.dss.ca/claims). By default, the identity used is
               that of the requestor. An administrator may instead specify the
               identity using the INFOCARD_IDENTITY argument, which need only be
               a syntactically valid DACS identity.

               In this mode, the caller of dacs_managed_infocard defines the
               claims and their values when the card is created; DACS is
               responsible for storing this information and producing secure
               tokens from it. Unlike the DACS mode, the values of these claims
               cannot be changed; a future release may implement this

               The caller may specify from zero to a compile-time maximum number
               of claims (MIC_MAX_STATIC_CLAIMS, 10). A
               privatepersonalidentifier (PPID) is always created automatically,
               so any user request for that claim is ignored. Only a DACS
               administrator may define the dacs_identity claim in the DACS
               namespace; if present, it must be a syntactically valid DACS
               identity. Therefore, only a DACS administrator may use this mode
               to create an InfoCard that can be used for DACS authentication.
                Similarly, only a DACS administrator may define the dacs_roles
               claim in the DACS namespace; if present, it must be a
               syntactically valid role descriptor string[20].

               The claims are specified by up to MIC_MAX_STATIC_CLAIMS arguments
               (not counting any PPID claims) of the form CLAIM_num_type, where
               num starts at one and continues with consecutive integers and
               type is:

               •   NAME for the name of the claim, which must consist of between
                   one and MIC_MAX_STATIC_NAME_CLAIM_SIZE (32) characters valid
                   in a URI path segment.

               •   VALUE is the value associated with the claim and consists of
                   between one and MIC_MAX_STATIC_VALUE_CLAIM_SIZE (64)
                   printable characters.

               •   URI is the URI namespace with which NAME is associated; for
                   convenience, "standard" signifies the self-issued InfoCard
                   (http://schemas.xmlsoap.org/ws/2005/05/identity/claims), and
                   "dacs" is short for the DACS namespace
                   (http://dacs.dss.ca/claims); any other non-empty string can
                   be any syntactically valid URI of up to
                   MIC_MAX_STATIC_URI_CLAIM_SIZE (128), and an empty string
                   indicates that the default URI should be used.

                       The DACS namespace is reserved for use by DACS and
                       identifies claim types with semantics that are defined by

               •   LABEL is a string that an Identity Selector should display
                   with the claim and consists of between one and
                   MIC_MAX_STATIC_LABEL_CLAIM_SIZE (20) printable characters.

               •   DESC is a string that an Identity Selector should display
                   with the claim and consists of between one and
                   MIC_MAX_STATIC_DESC_CLAIM_SIZE (40) printable characters; if
                   missing or the empty string, the value of the corresponding
                   LABEL argument is used.

               The optional argument CLAIM_URI has the same syntax as a
               CLAIM_num_URI argument and establishes a default URI that will be
               used if any CLAIM_num_URI argument is missing or is the empty

               The optional argument CARD_NAME assigns a name to the InfoCard,
               which will be displayed by an Identity Selector.

               The first missing or null-string-valued CLAIM_num_NAME or
               CLAIM_num_VALUE argument indicates the end of the list. For
               example, if two claims are defined, the following arguments might
               be passed: CLAIM_1_NAME, CLAIM_1_VALUE, CLAIM_1_URI,
               CLAIM_2_URI, CLAIM_2_LABEL, and CLAIM_2_DESC. Any syntactical or
               length violation causes a fatal error.

               This mode is identical to the STATIC mode except that if it is
               used by an identity other than a DACS administrator, a
               dacs_identity claim in the dacs namespace is automatically added
               with the value of the caller's identity. The InfoCard may be used
               for DACS authentication.
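The CLAIM_num_type grammar and its constraints (the compile-time size limits, the "standard" and "dacs" namespace shorthands, CLAIM_URI as the default namespace, DESC defaulting to LABEL, termination at the first missing NAME or VALUE, the ignored PPID request, and the administrator-only dacs_identity and dacs_roles claims) are the part of this interface a relying deployment most wants to get right, so the following is an added example of that parsing, not DACS code. parse_static_claims, Claim, ClaimError and rejects are hypothetical names; auto_identity=True models the mode just described as identical to STATIC except for the automatically added dacs_identity claim. Assumptions, marked in the code: "characters valid in a URI path segment" is read as RFC 3986 pchar plus "%", the fallback namespace when CLAIM_URI is also absent is the self-issued one, LABEL is treated as optional (the page's own two-claim example passes no CLAIM_1_LABEL), and the identity and role descriptor syntax checks are stand-ins for DACS's real rules.

```python
import re
import string
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Compile-time limits as quoted on the page.
MIC_MAX_STATIC_CLAIMS = 10
MIC_MAX_STATIC_NAME_CLAIM_SIZE = 32
MIC_MAX_STATIC_VALUE_CLAIM_SIZE = 64
MIC_MAX_STATIC_URI_CLAIM_SIZE = 128
MIC_MAX_STATIC_LABEL_CLAIM_SIZE = 20
MIC_MAX_STATIC_DESC_CLAIM_SIZE = 40
STANDARD_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
DACS_NS = "http://dacs.dss.ca/claims"
# "Characters valid in a URI path segment", taken here as RFC 3986 pchar plus
# "%" for percent-escapes (an assumption; the page does not list the set).
_PCHAR = re.compile(r"^[A-Za-z0-9\-._~!$&'()*+,;=:@%]+$")


class ClaimError(ValueError):
    """A syntactic or length violation, which the page says is fatal."""


@dataclass
class Claim:
    name: str
    value: str
    uri: str
    label: Optional[str]
    desc: Optional[str]


def _printable(s: str, lo: int, hi: int) -> bool:
    # "printable characters": ASCII letters, digits, punctuation and space.
    return lo <= len(s) <= hi and all(
        c in string.printable and c not in "\t\n\r\x0b\x0c" for c in s)


def is_dacs_identity(s: str) -> bool:
    """Stand-in for DACS's real identity syntax check (assumption)."""
    return _printable(s, 1, MIC_MAX_STATIC_VALUE_CLAIM_SIZE) and " " not in s


def is_role_descriptor(s: str) -> bool:
    """Stand-in for DACS's real role descriptor syntax check (assumption)."""
    return _printable(s, 1, MIC_MAX_STATIC_VALUE_CLAIM_SIZE) and " " not in s


def resolve_claim_uri(raw: Optional[str], default: str) -> str:
    """Map a CLAIM_URI or CLAIM_num_URI value to a namespace URI."""
    if not raw:
        return default
    if raw == "standard":
        return STANDARD_NS
    if raw == "dacs":
        return DACS_NS
    if len(raw) > MIC_MAX_STATIC_URI_CLAIM_SIZE or not urlsplit(raw).scheme:
        raise ClaimError(f"invalid claim namespace URI {raw!r}")
    return raw


def parse_static_claims(args: Dict[str, str], *, is_admin: bool, caller_identity: str,
                        auto_identity: bool = False) -> List[Claim]:
    """Parse CLAIM_num_* CGI arguments (a name->value dict) under the STATIC rules."""
    # When CLAIM_URI is absent too, fall back to the self-issued namespace
    # (an assumption; the page does not say what the default then is).
    default_uri = resolve_claim_uri(args.get("CLAIM_URI"), STANDARD_NS)
    claims: List[Claim] = []
    num = 1
    while True:
        name, value = args.get(f"CLAIM_{num}_NAME"), args.get(f"CLAIM_{num}_VALUE")
        if not name or not value:
            break  # the first missing or empty NAME or VALUE ends the list
        uri = resolve_claim_uri(args.get(f"CLAIM_{num}_URI"), default_uri)
        label = args.get(f"CLAIM_{num}_LABEL") or None  # LABEL taken as optional
        desc = args.get(f"CLAIM_{num}_DESC") or label   # DESC defaults to LABEL
        num += 1
        if name == "privatepersonalidentifier" and uri == STANDARD_NS:
            continue  # the PPID is always generated by DACS; a request is ignored
        if len(name) > MIC_MAX_STATIC_NAME_CLAIM_SIZE or not _PCHAR.match(name):
            raise ClaimError(f"bad claim name {name!r}")
        if not _printable(value, 1, MIC_MAX_STATIC_VALUE_CLAIM_SIZE):
            raise ClaimError(f"bad value for claim {name!r}")
        for what, text, limit in (("label", label, MIC_MAX_STATIC_LABEL_CLAIM_SIZE),
                                  ("description", desc, MIC_MAX_STATIC_DESC_CLAIM_SIZE)):
            if text is not None and not _printable(text, 1, limit):
                raise ClaimError(f"bad {what} for claim {name!r}")
        if uri == DACS_NS and name in ("dacs_identity", "dacs_roles"):
            if not is_admin:
                raise ClaimError(f"only a DACS administrator may define {name}")
            check = is_dacs_identity if name == "dacs_identity" else is_role_descriptor
            if not check(value):
                raise ClaimError(f"syntactically invalid {name} value {value!r}")
        claims.append(Claim(name, value, uri, label, desc))
        if len(claims) > MIC_MAX_STATIC_CLAIMS:
            raise ClaimError(f"more than {MIC_MAX_STATIC_CLAIMS} claims")
    if auto_identity and not is_admin:
        claims.append(Claim("dacs_identity", caller_identity, DACS_NS, None, None))
    return claims


def rejects(args: Dict[str, str], **kw) -> bool:
    """True if parse_static_claims raises ClaimError for these arguments."""
    try:
        parse_static_claims(args, **kw)
    except ClaimError:
        return True
    return False


# Constructed sample request: two real claims, a PPID request that is ignored,
# and no CLAIM_4_NAME, which terminates the list.
SAMPLE_ARGS = {
    "CLAIM_URI": "standard",
    "CLAIM_1_NAME": "givenname", "CLAIM_1_VALUE": "Bob", "CLAIM_1_URI": "",
    "CLAIM_2_NAME": "department", "CLAIM_2_VALUE": "Accounting",
    "CLAIM_2_URI": "https://example.org/claims",
    "CLAIM_2_LABEL": "Department", "CLAIM_2_DESC": "",
    "CLAIM_3_NAME": "privatepersonalidentifier", "CLAIM_3_VALUE": "ignored",
}
```

Parsing SAMPLE_ARGS as a non-administrator with auto_identity=True yields givenname and department followed by a dacs_identity claim carrying the caller's identity; the same request with a CLAIM_1_NAME of dacs_identity in the dacs namespace is rejected unless the caller is an administrator, which is the property that keeps a self-serve user from minting a card that authenticates as someone else.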

               The caller of dacs_managed_infocard provides URLs for two web
               services: one to define claims and another to fill claims. The
               caller is responsible for managing claim definitions and values.
               These web services are expected to behave exactly the same as
               those that are specified by INFOCARD_CARD_DEFS_URL[18] and
               INFOCARD_CARD_FILL_URL[19]. This mode is not implemented.


       The program exits 0 if everything was fine, 1 if an error occurred.

       It is currently not possible to just register a managed InfoCard (you
       must create and register it), so you cannot import a card.

       This functionality should probably be integrated with dacs_infocard(8)[3]
       (and dacsinfocard(1)[4]).

       Once a managed InfoCard is created, most of its characteristics cannot be
       changed. There should be a way to "refresh" a managed InfoCard that has
       expired or otherwise become invalid.

       The various constraints on claim types should probably be run-time
       configurable, or possibly done away with altogether. The specification
       imposes no limits on them.

       There should be a web service and utility to allow creation of a
       self-issued InfoCard (which may then be imported into a user's Identity

       In 2011, Microsoft announced[22] that Windows CardSpace 2.0 would not be
       shipped and that it would instead offer a new technology called U-Prove.

       dacsinfocard(1)[4], dacs.conf(5)[23], dacs_authenticate(8)[24],
       dacs_infocard(8)[3], dacs_mex(8)[25], dacs_sts(8)[7], Using InfoCards
       With DACS[26]

       Distributed Systems Software (www.dss.ca[27])

       Copyright © 2003-2018 Distributed Systems Software. See the LICENSE[28]
       file that accompanies the distribution for licensing information.

        1. dacsoptions

        2. local_infocard_authenticate

        3. dacs_infocard(8)

        4. dacsinfocard(1)

        5. configuration directives

        6. INFOCARD_STS_AUTH_TYPE

        7. dacs_sts(8)

        8. INFOCARD_STS_PASSWORD_METHOD

        9. dacs_managed_infocard(8)

       10. INFOCARD_CARD_IMAGE_BASE_URL

       11. printf(3)

       12. standard CGI arguments

       13. VFS URI

       14. FORMAT argument

       15. INFOCARD_CARD_OUTPUTDIR

       16. INFOCARD_CARDID_BASE_URL

       17. claim information

       18. INFOCARD_CARD_DEFS_URL

       19. INFOCARD_CARD_FILL_URL

       20. role descriptor string

       21. dacs_managed_infocard.css

       22. announced

       23. dacs.conf(5)

       24. dacs_authenticate(8)

       25. dacs_mex(8)

       26. Using InfoCards With DACS

       27. www.dss.ca

       28. LICENSE

DACS 1.4.40                        02/19/2019            DACS_MANAGED_INFOCAR(8)