FileSpace: an alternative to CardSpace that supports multiple token authorisation and portability between devices

D. Chadwick
Symposium on Identity and Trust on the Internet, published 2009-04-14. DOI: 10.1145/1527017.1527030 (https://doi.org/10.1145/1527017.1527030)
Citation count: 1

Abstract

This paper describes a federated identity management system based on long-lived encrypted credential files rather than virtual cards and short-lived assertions. Users obtain their authorisation credential files from their identity providers and have them bound to their public key certificates, which can hold any pseudonym the user wishes. Users can then use these credentials multiple times without the identity providers being able to track their movements and without having to authenticate to the IdP each time. The credentials are worthless to an attacker if lost or stolen, and therefore they do not need any special protection mechanisms. They can be copied freely between multiple devices, and users can use multiple credentials in a single transaction. Users only need to authenticate to their private key store in order for it to produce the signed token necessary for the service provider to authenticate the user and decrypt the authorisation credentials. The signed token is bound to the service provider and is short-lived to prevent man-in-the-middle attacks.