I have 3 questions about Infocard
1) The identity selector contacts the identity provider to obtain a
security token. Does he include in his messages to what relying party
he is going to send it, or does he only say: I need that kind of token
with those claims in it? --> has the identity provider any clue for
what the token will be used?
2) Does the identity provider (STS) create a new security token for
every request, or are they cached?
3) Isn't it a lot of work to always contact the identity provider (STS)
and ask him to give (and generate?) a new security token? Why can't the
user just have the security tokens at his own computer? Is this a