Provided by: dacs_1.4.40-2_amd64

NAME

       dacs_managed_infocard - create a managed Information Card

SYNOPSIS

       dacs_managed_infocard [dacsoptions[1]]

DESCRIPTION

       This program is part of the DACS suite.

       The dacs_managed_infocard web service is used to create and register a managed InfoCard so
       that it can be used for authentication or other purposes. InfoCard-based authentication is
       performed by local_infocard_authenticate[2], a DACS authentication module.

       A managed InfoCard must be registered by dacs_managed_infocard before it can be used by
       DACS. After registration, use dacs_infocard(8)[3] or dacsinfocard(1)[4] to administer
       self-issued or managed InfoCards.

       There are several operational modes, determined by the MODE argument. In a self-serve
       mode, an authenticated user requests a managed InfoCard (with various limitations
       imposed); the new InfoCard is either sent directly to the user's browser or written to a
       file that the user can access in a separate operation. In an administrative mode, a DACS
       administrator requests a managed InfoCard on behalf of a user and is responsible for
       directing it to the user in a separate, secure operation.

       There are many configuration directives[5] associated with managed InfoCards. One of the
       most important is INFOCARD_STS_AUTH_TYPE[6], which determines the authentication method
       ("credential type") used between an Identity Selector, such as CardSpace, and the managed
       InfoCard's Identity Provider/Secure Token Service (IP/STS), such as dacs_sts(8)[7]. The
       following authentication methods are prescribed by the InfoCard specification:

       UsernamePasswordCredential
           This is a username/password type of authentication. See
           INFOCARD_STS_PASSWORD_METHOD[8]. At present, only a global (but changeable) password
           is allowed, or no password at all. A future release might allow a per-InfoCard account
           password, or tie an InfoCard account to some other password-based account.

       X509V3Credential
           In this authentication type, an SSL client certificate must be used with the request
           to dacs_managed_infocard for a managed InfoCard, and the same certificate must be used
           when the managed InfoCard is submitted to a Relying Party. A self-signed certificate
           may be used.

       SelfIssuedCredential
           In this authentication type, a self-issued InfoCard must be submitted with the request
           to dacs_managed_infocard(8)[9] for a managed InfoCard (more precisely, a secure token
           obtained from a self-issued InfoCard that is passed as the argument xmlToken) and the
           same self-issued InfoCard must be available to the user's Identity Selector when the
           managed InfoCard is submitted to a Relying Party.

       KerberosV5Credential
            This is the Kerberos V5 credential type; it is currently unsupported.

           Note
           An Identity Selector will display all claim values returned to it by an Identity
           Provider. An Identity Provider must therefore employ cryptographic methods to obtain
           privacy or check authenticity with respect to claim values.

       Accounts are accessed through DACS's virtual filestore using item type infocards. It is
       assumed that file permissions on the account database are such that all access is limited
       to the administrator, local_infocard_authenticate, dacs_infocard(8)[3], and
       dacs_sts(8)[7].

   Configuration
       The following configuration variables are available:

       infocard_card_image_card
           If INFOCARD_STS_AUTH_TYPE[6] is "card", this is used as the filename of the image to
           include with a new managed card, relative to the INFOCARD_CARD_IMAGE_BASE_URL[10] URI.
           The default value is the string "dacs_selfissued_credential.png" (or similar).

       infocard_card_image_cert
           If INFOCARD_STS_AUTH_TYPE[6] is "cert", this is used as the filename of the image to
           include with a new managed card, relative to the INFOCARD_CARD_IMAGE_BASE_URL[10] URI.
           The default value is the string "dacs_x509certificate_credential.png" (or similar).

       infocard_card_image_passwd
           If INFOCARD_STS_AUTH_TYPE[6] is "passwd", this is used as the filename of the image to
           include with a new managed card, relative to the INFOCARD_CARD_IMAGE_BASE_URL[10] URI.
           The default value is the string "dacs_username_password_credential.png" (or similar).

       infocard_sts_title
           This string identifies the IP/STS and may be displayed on web pages and Identity
           Selector prompts, or in error messages. The default value is the string "DACS Managed
           InfoCard IP/STS" (or similar).

       infocard_sts_username_password_prompt_fmt
           This is a printf(3)[11]-type format string. It may contain at most one conversion
           specification, %s, which will interpolate the value of infocard_sts_title.

OPTIONS

   Web Service Arguments
       In addition to the standard CGI arguments[12], dacs_managed_infocard understands the
       following CGI arguments:

       xmlToken
           This argument is required if INFOCARD_STS_AUTH_TYPE[6] is set to "card". The
           self-issued InfoCard is registered with the account associated with the new managed
           InfoCard and the user's Identity Selector must possess the self-issued InfoCard in
           order to use the managed InfoCard.

       CARD_IMAGE_SUBTYPE
           This optional argument specifies the MIME media subtype (e.g., the image format, such
           as "jpeg") of the image file attached to the new InfoCard. By default, the subtype is
            derived from the extension of the last path component of the image's URI.
           For example, if CARD_IMAGE_URL is /card_images/bob.tn.gif, then the extension .gif is
           used to obtain a media subtype of gif and a MIME media type of image/gif. It is
           sometimes necessary to give the image format explicitly, however. See
           INFOCARD_CARD_IMAGE_BASE_URL[10] for additional details. Only a DACS administrator may
           use this argument.

       CARD_IMAGE_URL
           This optional argument specifies the location (as a DACS VFS URI[13]) of the image
           file to attach to the new InfoCard, overriding the default method that uses only
           INFOCARD_CARD_IMAGE_BASE_URL[10]. If a file is specified (i.e., the value begins with
           a '/' or uses the file scheme), the path is relative to the
           INFOCARD_CARD_IMAGE_BASE_URL, which must specify a directory. Only a DACS
           administrator may use this argument.

       FORMAT
           By default, or if the value of the FORMAT argument[14] is FILE, the new card is sent
           directly to the user's browser (which should automatically invoke the user's Identity
           Selector); no copy is retained on the server. If FORMAT is HTML, the new managed
           InfoCard is stored in a file, replacing any existing card of the same name (see
           INFOCARD_CARD_OUTPUTDIR[15]). Output is emitted in HTML and includes a link to the
            file (see INFOCARD_CARDID_BASE_URL[16]). Only the owner of the new card should be able
            to access it.

       INFOCARD_IDENTITY
           Normally, this argument is omitted and the managed InfoCard is created on behalf of
           the identity that is invoking dacs_managed_infocard. This argument allows a DACS
           administrator to create a card for a specific identity.

       MODE
           This optional argument is used to select how claim information[17] is stored and
           retrieved. Four values are recognized:

           DACS
               In this usage mode, which is the default, claims are defined and filled depending
               on DACS configuration:

               •   if both INFOCARD_CARD_DEFS_URL[18] and INFOCARD_CARD_FILL_URL[19] are
                   configured, the former web service is called (once, by dacs_managed_infocard)
                   to define the claims that will be assigned to the new managed InfoCard and the
                   latter web service is called (by dacs_sts(8)[7], each time the InfoCard is
                   used) to obtain the values of those claims (or the requested and approved
                   subset). The claim definitions may not be modified, but claim values do not
                   need to be static.

                •   if neither of those web services is configured, a minimal set of claims is
                    automatically defined to facilitate authentication.

                •   any other configuration is invalid.

               An identity is always associated with these InfoCards using a claim named
               dacs_identity in the DACS namespace (http://dacs.dss.ca/claims). By default, the
               identity used is that of the requestor. An administrator may instead specify the
               identity using the INFOCARD_IDENTITY argument, which need only be a syntactically
               valid DACS identity.

           STATIC
               In this mode, the caller of dacs_managed_infocard defines the claims and their
               values when the card is created; DACS is responsible for storing this information
               and producing secure tokens from it. Unlike the DACS mode, the values of these
               claims cannot be changed; a future release may implement this capability.

               The caller may specify from zero to a compile-time maximum number of claims
               (MIC_MAX_STATIC_CLAIMS, 10). A privatepersonalidentifier (PPID) is always created
               automatically, so any user request for that claim is ignored. Only a DACS
               administrator may define the dacs_identity claim in the DACS namespace; if
               present, it must be a syntactically valid DACS identity. Therefore, only a DACS
               administrator may use this mode to create an InfoCard that can be used for DACS
                authentication. Similarly, only a DACS administrator may define the dacs_roles
               claim in the DACS namespace; if present, it must be a syntactically valid role
               descriptor string[20].

               The claims are specified by up to MIC_MAX_STATIC_CLAIMS arguments (not counting
               any PPID claims) of the form CLAIM_num_type, where num starts at one and continues
               with consecutive integers and type is:

               •   NAME for the name of the claim, which must consist of between one and
                   MIC_MAX_STATIC_NAME_CLAIM_SIZE (32) characters valid in a URI path segment.

               •   VALUE is the value associated with the claim and consists of between one and
                   MIC_MAX_STATIC_VALUE_CLAIM_SIZE (64) printable characters.

               •   URI is the URI namespace with which NAME is associated; for convenience,
                   "standard" signifies the self-issued InfoCard namespace
                   (http://schemas.xmlsoap.org/ws/2005/05/identity/claims), and "dacs" is short
                   for the DACS namespace (http://dacs.dss.ca/claims); any other non-empty string
                   can be any syntactically valid URI of up to MIC_MAX_STATIC_URI_CLAIM_SIZE
                   (128), and an empty string indicates that the default URI should be used.

                       Note
                       The DACS namespace is reserved for use by DACS and identifies claim types
                       with semantics that are defined by DACS.

               •   LABEL is a string that an Identity Selector should display with the claim and
                   consists of between one and MIC_MAX_STATIC_LABEL_CLAIM_SIZE (20) printable
                   characters.

               •   DESC is a string that an Identity Selector should display with the claim and
                   consists of between one and MIC_MAX_STATIC_DESC_CLAIM_SIZE (40) printable
                   characters; if missing or the empty string, the value of the corresponding
                   LABEL argument is used.

               The optional argument CLAIM_URI has the same syntax as a CLAIM_num_URI argument
               and establishes a default URI that will be used if any CLAIM_num_URI argument is
               missing or is the empty string.

               The optional argument CARD_NAME assigns a name to the InfoCard, which will be
               displayed by an Identity Selector.

               The first missing or null-string-valued CLAIM_num_NAME or CLAIM_num_VALUE argument
               indicates the end of the list. For example, if two claims are defined, the
               following arguments might be passed: CLAIM_1_NAME, CLAIM_1_VALUE, CLAIM_1_URI,
               CLAIM_1_LABEL, CLAIM_1_DESC, CLAIM_2_NAME, CLAIM_2_VALUE, CLAIM_2_URI,
               CLAIM_2_LABEL, and CLAIM_2_DESC. Any syntactical or length violation causes a
               fatal error.
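                The following Python validator is an added example, not DACS code: it applies the
                STATIC-mode CLAIM_num_* rules above (length limits, the "standard"/"dacs" URI
                shorthands and CLAIM_URI default, end-of-list detection, ignored PPID requests, and
                the administrator-only dacs_identity/dacs_roles claims) to a dict of CGI arguments.
                The function names, the is_admin flag, the RFC 3986 path-segment test and the URI
                scheme check are assumptions; the DACS-specific syntax of identities and role
                descriptor strings is not checked.

```python
import re
# Limits quoted on this page: MIC_MAX_STATIC_CLAIMS and MIC_MAX_STATIC_{NAME,VALUE,URI,LABEL,DESC}_CLAIM_SIZE.
MAX_CLAIMS, MAX_NAME, MAX_VALUE, MAX_URI, MAX_LABEL, MAX_DESC = 10, 32, 64, 128, 20, 40
STANDARD_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
DACS_NS = "http://dacs.dss.ca/claims"
_PCHAR = re.compile(r"^(?:[A-Za-z0-9._~!$&'()*+,;=:@-]|%[0-9A-Fa-f]{2})+$")  # RFC 3986 path segment chars
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")  # minimal "looks like a URI" test (assumption)
_ADMIN_ONLY = {"dacs_identity", "dacs_roles"}  # DACS-namespace claims only an administrator may define

def _resolve_uri(raw, default):
    """Apply the "standard"/"dacs" shorthands and the CLAIM_URI default."""
    if raw == "":
        if default is None:
            raise ValueError("empty claim URI and no CLAIM_URI default")
        return default
    if raw in ("standard", "dacs"):
        return STANDARD_NS if raw == "standard" else DACS_NS
    if len(raw) > MAX_URI or not _SCHEME.match(raw):
        raise ValueError("invalid claim URI: %r" % raw)
    return raw

def parse_static_claims(args, is_admin=False):
    """Return [(uri, name, value, label, desc)]; any syntactic or length violation is fatal (ValueError)."""
    default_uri = _resolve_uri(args["CLAIM_URI"], None) if args.get("CLAIM_URI") else None
    claims, num = [], 1
    while True:
        name = args.get("CLAIM_%d_NAME" % num, "")
        value = args.get("CLAIM_%d_VALUE" % num, "")
        if name == "" or value == "":
            break  # the first missing or null NAME/VALUE ends the list
        uri = _resolve_uri(args.get("CLAIM_%d_URI" % num, ""), default_uri)
        label = args.get("CLAIM_%d_LABEL" % num, "")
        desc = args.get("CLAIM_%d_DESC" % num, "") or label  # DESC defaults to LABEL
        num += 1
        if name == "privatepersonalidentifier":
            continue  # the PPID is always generated; a user request for it is ignored
        if not (len(name) <= MAX_NAME and _PCHAR.match(name)):
            raise ValueError("bad claim name: %r" % name)
        for field, limit in ((value, MAX_VALUE), (label, MAX_LABEL), (desc, MAX_DESC)):
            if not (1 <= len(field) <= limit and field.isprintable()):
                raise ValueError("bad value, label or description for %r" % name)
        if uri == DACS_NS and name in _ADMIN_ONLY and not is_admin:
            raise ValueError("only a DACS administrator may define %s" % name)
        claims.append((uri, name, value, label, desc))
        if len(claims) > MAX_CLAIMS:
            raise ValueError("more than %d claims" % MAX_CLAIMS)
    return claims

SAMPLE_ARGS = {  # constructed sample request: CLAIM_4 is absent, so CLAIM_5 is never reached
    "CLAIM_URI": "standard", "CLAIM_1_NAME": "givenname", "CLAIM_1_VALUE": "Bob", "CLAIM_1_LABEL": "Given name",
    "CLAIM_2_NAME": "privatepersonalidentifier", "CLAIM_2_VALUE": "x", "CLAIM_2_LABEL": "PPID",
    "CLAIM_3_NAME": "dacs_identity", "CLAIM_3_VALUE": "EXAMPLE::bob", "CLAIM_3_URI": "dacs",
    "CLAIM_3_LABEL": "Identity", "CLAIM_3_DESC": "DACS identity", "CLAIM_5_NAME": "surname", "CLAIM_5_VALUE": "Smith",
}
```

                Run as an administrator the sample yields two claims (the PPID request is dropped);
                as an ordinary user the dacs_identity claim makes the whole request fail.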

           ISTATIC
               This mode is identical to the STATIC mode except that if it is used by an identity
               other than a DACS administrator, a dacs_identity claim in the dacs namespace is
               automatically added with the value of the caller's identity. The InfoCard may be
               used for DACS authentication.

           DYNAMIC
               The caller of dacs_managed_infocard provides URLs for two web services: one to
               define claims and another to fill claims. The caller is responsible for managing
               claim definitions and values. These web services are expected to behave exactly
               the same as those that are specified by INFOCARD_CARD_DEFS_URL[18] and
               INFOCARD_CARD_FILL_URL[19]. This mode is not implemented.

FILES

       dacs_managed_infocard.css[21]

DIAGNOSTICS

       The program exits 0 if everything was fine, 1 if an error occurred.

BUGS

       It is currently not possible to just register a managed InfoCard (you must create and
       register it), so you cannot import a card.

       This functionality should probably be integrated with dacs_infocard(8)[3] (and
       dacsinfocard(1)[4]).

       Once a managed InfoCard is created, most of its characteristics cannot be changed. There
       should be a way to "refresh" a managed InfoCard that has expired or otherwise become
       invalid.

       The various constraints on claim types should probably be run-time configurable, or
       possibly done away with altogether. The specification imposes no limits on them.

       There should be a web service and utility to allow creation of a self-issued InfoCard
       (which may then be imported into a user's Identity Selector).

        In 2011, Microsoft announced[22] that Windows CardSpace 2.0 would not be shipped and that
        it would offer a new technology called U-Prove instead.

SEE ALSO

       dacsinfocard(1)[4], dacs.conf(5)[23], dacs_authenticate(8)[24], dacs_infocard(8)[3],
       dacs_mex(8)[25], dacs_sts(8)[7], Using InfoCards With DACS[26]

AUTHOR

       Distributed Systems Software (www.dss.ca[27])

COPYING

       Copyright © 2003-2018 Distributed Systems Software. See the LICENSE[28] file that
       accompanies the distribution for licensing information.

NOTES

        1. dacsoptions
           http://dacs.dss.ca/man/dacs.1.html#dacsoptions

        2. local_infocard_authenticate
           http://dacs.dss.ca/man/dacs_authenticate.8.html#local_infocard_authenticate

        3. dacs_infocard(8)
           http://dacs.dss.ca/man/dacs_infocard.8.html

        4. dacsinfocard(1)
           http://dacs.dss.ca/man/dacsinfocard.1.html

        5. configuration directives
           http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_prefixed

        6. INFOCARD_STS_AUTH_TYPE
           http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_STS_AUTH_TYPE

        7. dacs_sts(8)
           http://dacs.dss.ca/man/dacs_sts.8.html

        8. INFOCARD_STS_PASSWORD_METHOD
           http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_STS_PASSWORD_METHOD

        9. dacs_managed_infocard(8)
           http://dacs.dss.ca/man/dacs_managed_infocard.8.html

       10. INFOCARD_CARD_IMAGE_BASE_URL
           http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_CARD_IMAGE_BASE_URL

       11. printf(3)
           https://www.freebsd.org/cgi/man.cgi?query=printf&apropos=0&sektion=3&manpath=FreeBSD+10.3-RELEASE&format=html

       12. standard CGI arguments
           http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args

       13. VFS URI
           http://dacs.dss.ca/man/#VFS

       14. FORMAT argument
           http://dacs.dss.ca/man/dacs.services.8.html#FORMAT

       15. INFOCARD_CARD_OUTPUTDIR
           http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_CARD_OUTPUTDIR

       16. INFOCARD_CARDID_BASE_URL
           http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_CARDID_BASE_URL

       17. claim information
           http://dacs.dss.ca/man/dacs_infocard.8.html#about_claims

       18. INFOCARD_CARD_DEFS_URL
           http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_CARD_DEFS_URL

       19. INFOCARD_CARD_FILL_URL
           http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_CARD_FILL_URL

       20. role descriptor string
           http://dacs.dss.ca/man/dacs.1.html#roles

       21. dacs_managed_infocard.css
           http://dacs.dss.ca/man//css/dacs_managed_infocard.css

       22. announced
           http://blogs.msdn.com/b/card/archive/2011/02/15/beyond-windows-cardspace.aspx

       23. dacs.conf(5)
           http://dacs.dss.ca/man/dacs.conf.5.html

       24. dacs_authenticate(8)
           http://dacs.dss.ca/man/dacs_authenticate.8.html

       25. dacs_mex(8)
           http://dacs.dss.ca/man/dacs_mex.8.html

       26. Using InfoCards With DACS
           http://dacs.dss.ca/man/using-infocards-with-dacs.html

       27. www.dss.ca
           http://www.dss.ca

       28. LICENSE
           http://dacs.dss.ca/man/../misc/LICENSE