CardSpace
WS* at your service.
Vittorio has a new starring role in a shampoo and conditioner commercial Channel9 show, The ID Element. The first episode has Stuart Kwan, the Federated Identity PM, talking about Geneva in all its glory: server, framework and client. I know, none of you aside from Dominick and Travis will care, but you should. Honestly. (Because it’ll give me another presentation to do at DDDs if nothing else!)
Warning: opinion follows :) A while back I blogged on the difference between self issued and managed information cards, which led to an interesting comment from Aditya: I was wondering if you could further explain why a self-issued information card is not suitable for higher-risk transactions such as logging into a bank account. From what I gather, the advantage of a managed card would be that it could assert certain claims about a person (like the hair length example you mentioned). However, I'm not sure why managed cards are more secure just for logging in....
A couple of weeks back I tried to log in to signon.com, my preferred OpenID provider. I use signon.com because it accepts Information Cards for authentication, so that's one less password to remember. However, it didn't work, which was strange. I noticed that blogs I had used Information Cards on before told me they couldn't recognise my card either. It appears that someone listened to the problems with SSL and PPIDs I blogged about in February, and this has broken the login. The change isn't a bad thing; it removes the dependence on the SSL chain, so when you renew...
The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution. One of the tenets of the "Laws of Identity" is minimal disclosure, so why are people ignoring this when they implement Information Cards? There are three main uses (in my mind) for Information Cards: "form filling" (email address, name, etc.), authentication and authorisation via claims; all important as I try to write the last bit of SharpSTS and start to issue my own demonstration cards. These are separate functions in most web sites; form filling is used...
Hot on the heels of the OpenID phishing demonstration comes a proof of concept entitled "On the Insecurity of Microsoft’s Identity Metasystem Cardspace". Setting aside the valid concerns of DNS poisoning, the proof of concept makes use of SSL certificates; it requires a user to install and trust a new root certificate. The assumption is that a user will blindly do this. I am not so sure, especially as both IE7 and Firefox will throw full screen certificate errors before allowing a browser to proceed. The user would have to choose to proceed, install a new root...
You know where I’m going with this, right? (I can see Robert holding his head in his hands right now.) So eWeek and others have reported that PayPal are going to stop the use of "unsafe" browsers, those that don’t include anti-phishing protection or support for EV certificates. Setting aside the kneejerk "They can’t do that" arguments on Slashdot (of course they can, it’s their web site), it would be interesting to see if PayPal stick to their guns, as Safari users would get locked out. It makes sense; PayPal is one of the most commonly spoofed web sites with...
After bashing my head against WCF for a few weeks, and attempting to be too clever for my own good, I swallowed my pride and took the lazy route to enabling IIS hosting of SharpSTS. Of course now I have massive guilt about the breaking changes I had to make, but such is the price for being cutting edge. So if you want to add a security token service to your web site, without having to host it inside a Windows service or command line application, you can. Well, it works for me anyway ....
Over the last few days I’ve been working on what is basically a demonstration and debugging page for the SharpSTS site, to allow people to dynamically build an Information Card object tag, then submit a card to it and see the results. It was problematic to say the least, with a major part of the problem being that there is no real documentation about how the object tag is supposed to expose itself to a scripting environment. In order to detect Information Card support without Firefox bringing up its "additional plugin required" information bar, you cannot embed an Information Card object tag...
Last Tuesday I spent an hour on the phone over the Atlantic, and even further, to record .NET Rocks. It’s online. As you can probably guess I’m talking about Information Cards again. (And I’m on a client site, so I can’t hear it. This may be a blessing ...)
Dominick and David beat me to the punch; last night I hit the "publish" button on CodePlex for SharpSTS, a C# library to allow you to develop Information Card Security Token Services. As with all open source projects there is still a bunch of work to do; as it stands we have a command line STS which should allow you to get started. Well, if you can work out from the source code what you need to do :) Over the coming weeks and months I, as dictator, Dominick Baier and David Christiansen hope to deliver a stable,...
The archive of the episode is now available on Channel9; it’s rather quiet I’m afraid, probably due to the transatlantic phone lines. The resources I mentioned will eventually wind their way onto the geekSpeak blog, but I’ll put them here for the meantime.
Kim Cameron’s web site is www.identityblog.com, including "The 7 laws of identity" whitepaper
My own blog posts on CardSpace/Information Cards: http://idunno.org/Tags/cardspace/default.aspx
Extended Validation SSL certificates
The difference between managed cards and self issued
Dominick’s ASP.NET control for Information Cards
The Simple STS: a simple demonstration security token service.
Microsoft’s ASP.NET...
<rant> One of the problems I have when extolling Information Cards is the severe lack of real world implementations, beyond those Vittorio has had a helping hand in. A common question is: where does Microsoft use it themselves? The honest answer is "Nowhere, beyond a pathetic nod at it with Live ID™, using self issued cards to protect the Live ID login page, and only if you’re in Internet Explorer, oh, and it’s beta support, and has been for over 6 months". A recent post by an EMEA Architect Evangelist is making me bang my head against the wall. One...
When I first started implementing security token services the documentation was minimal (ok, so that hasn’t changed much). The client wanted to log where their cards were being used, and allow specific claim access based on the identity of the relying party. When you create a managed card you can add the wsp:AppliesTo element to it, which instructs the identity selector to send relying party information when requesting a token. A well behaved selector will warn users that the card provider is receiving this information (the screenshot to the left shows CardSpace and the warning it gives users). The...
When I was a small boy (hush at the back, I know a lot of you think I still act like one) two friends and myself had a secret club, with handshakes, codes and membership cards we spent a day on, and which were left in back pockets and destroyed when mothers washed jeans. Information Cards come in two flavours, self issued and managed. Self issued cards are ones you can create yourself, just like we did with our club membership cards. They contain what is referred to as "Phone Book" information: data that a user creates themselves and can...
As I’ve been developing an STS code library I’ve noticed a few inconsistencies around how people assume PPIDs work. If you’ve never read the interoperability specification, now is a good time to start. If you’ve implemented Information Card support on your web site you’ll be aware of the Personal Private Identifier (PPID) claim. It’s generally described as a unique ID that identifies a combination of an information card and the relying party the claims are being sent to. Vittorio, as ever, has more details. On the surface the usual description indicates that each relying party gets an individual PPID, and...
I know, it really should be "Implementing an Information Card Security Token Service", but let's not scare people! It’s something new for me anyway; webcasting to a global audience, voice only, so you needn’t worry about that. You can submit questions through the geekSpeak blog and register for the event on msevents. What is 10am PST in "proper" time anyway? <g>
What: MSDN geekSpeak
In this installment of MSDN geekSpeak, Barry Dorrans talks about problems and solutions when implementing a Windows CardSpace identity provider in the real world. If you have a question or comment you would like us to address during...
Andrew Westgarth has published the 4th VBug podcast, which he did with me just before I jetted out to TechEd, where I ramble on about CardSpace, identity management, women in IT (oh dear) and other bits and pieces. Poor Andy had to beep out the phrase "community whore" when I described myself; not my description of myself, that was Sarah’s description.
I’m making a flying appearance at TechEd this year talking about Information Card security token services and their implementation; for those interested the session is:
Windows CardSpace Case Study 1: Identity Providers – Experian (SBP05-IS)
8 November, 10:45 - 12:00, Room 131
I’ll be joining Steve Plank and Jim Lound from Experian on stage. The abstract for the session is as follows: Experian is in the Identity Business in a big way. Banks, Building Societies, Financial Institutions and governments use their identity validation services to validate the identities of potential customers. Experian will be one...
Whilst I was rejigging my presentation for the VBUG conference last week I gave a quick nod to the difference in language Information Cards and SAML use when talking about the information they transport. Normally identity systems and the applications that use them, WebSphere, WebLogic, PKI et al., talk in terms of asserting identity. SAML and Information Cards talk in terms of claims. There’s a subtle difference:
assert: insist on one’s rights, declare one’s views forcefully
claim: to assert or maintain as a fact: She claimed that he was telling the truth.
dictionary.com Unabridged (v 1.1). Retrieved October 25,...
Another conference outing for my CardSpace presentation, this time at the VBUG Conference in October.
What: VBUG Conference 2007
When: Wednesday, October 17, 2007 9:00 AM to Thursday, October 18, 2007 5:00 PM
Where: Microsoft UK Campus, Thames Valley Park, Reading, West Berkshire RG6 1WG
I see my stalking colleague Gary is also appearing (ever since he started he’s been talking at the same conferences I have .... hmmm .....). This time we don’t clash either, so I can finally attend one of his presentations!
Just to tease Gary, who posted his DDD feedback scores: I can’t let that pass, especially as it looks like he’s trying to overtake my role as main speaker at work (Gary, there’s only room for one overfed ego, my boy!)
Overall: 4.3
Knowledge: 4.8
Presentation: 4.4
Content: 4
To those who fed back, my thanks; but there is a point to this rather than teasing Gary: the detailed feedback is useful. Three people filled in the comments section: "Well presented, useful, filled in some gaps in my knowledge." "Good style, good level of detail." I have...
Last Thursday Craig Murphy was down in London (in a tie!) and we met up in the White Hart pub in Drury Lane, and out came his recorder and we meandered through social networking (Facebook, Twitter and so on), identity, security, CardSpace, trust in managed card providers and other security topics that popped into my head as I brain dumped. This was my first full podcast (Dave & Rich from nxtgen have mugged me for slots before, of course). I believe at 38:04 minutes it’s the longest podcast Craig has ever recorded (the beep censoring my language included, but I was...
If you missed DDD altogether or couldn't decide between my own and the other presentations on during that slot (and decided wrongly ;)) I'll be giving the presentation at the following events:
What: VBUG Technical Seminar
When: Thursday, July 26, 2007 7:00 PM to 9:00 PM
Where: New Horizons, 8th Floor, 207 Old Street, London, EC1V 9NR England
What: nxtgenug "It came from outer CardSpace"
When: Monday, September 17, 2007 7:00 PM to 9:00 PM
Where: Coventry Flying Club, Rowley Road, Coventry, CV3 4FR England
As you can see, Richard Costall's naming strategy has been used for the nxtgen event. If you're not a member of either of these fine groups then I highly...
One thing I briefly touched on in yesterday's talk was the need for your web site to have read access to your SSL certificate. The token delivered to your Information Card accepting site is encrypted with an asymmetric key, as part of the conversation. This means that the identity selector, be it CardSpace or another selector, cannot look inside or change it, nor can any spyware installed on the user's machine sniff the traffic. The asymmetric key is encrypted using the public key of the relying party's (your accepting web site's) SSL certificate. Thus, in order to decrypt the conversation key and...
Today saw DDD5 and delivery of my updated presentation on InfoCard CardSpace Information Card, which was rapidly updated this morning to include the new Information Card logo and the ASP.NET Kit, as announced by Mike Jones a couple of days back. I did look at the HTML kit as well, but, err, the documentation is somewhat lacking. I think I know what parts of it do, but I'm still at a loss to explain why I need a toast style popup. The reaction to the logo was rather muted from developers, and there was also derision from a designer in the...
Since I started presenting about CardSpace I've been bemoaning the lack of a logo. Finally, via an announcement on Richard Turner's blog, it's here: We’re delighted to announce the immediate availability of the Information Card Logo. You’re free to use this logo (in accordance with the accompanying guidelines) to provide a clear, consistent visual cue to your users that your sites and applications support Information Cards. This will make it easier for users to recognize how and where to sign-in to your site and enjoy the ease-of-use and safety of Information Cards. The branding is available in the "Information...
The booking site for DDD#5 is now live (amusingly someone discovered the URI and it's spreading virally; there wasn't even a public agenda at the time; it appeared about an hour later). I had booked a space just in case but was delighted to discover that I will be speaking again, on CardSpace. So my collection of DDD speaker shirts grows again, one for every DDD (excluding the first one where we didn't have any); now I need to start planning for DDD#6 ....
You can now vote on sessions you want to see at the next Developer Day. It's rather funny to see an entire Security section manned by my colleague, Chris Seary, and myself. I should have submitted more than one session just to try to catch up with Chris. I hope to cover CardSpace, a talk I originally gave at WebDD, except this time I won't be up against ScottGu <g> Richard Costall described the session from WebDD thus: I ended up being lured into a talk on CardSpace by Barry Dorrans. His session was described as the Overflow room for Scott's...
CardSpace errors. CardSpace has a lot of potential errors, 31 at the current count, but how do you catch them on the client? The CardSpace samples don't illustrate this, and end up submitting a null token to the relying party. This isn't particularly friendly to the user, or to the relying party; ideally you'd be able to detect that a user cancelled the CardSpace dialog and not submit your form. If you examine the error list you will see there is a specific HRESULT, IDS_E_ICARD_USERCANCELLED, which is returned when the user cancels the CardSpace UI, but the question remains how do you access the...
Last Thursday saw Chris Seary and myself presenting at the Microsoft offices in sunny (yes, really) Edinburgh for the Scottish Developers Group. Thanks must go to Craig and John for organising. I presented an updated (trendy white on black) "Hacking Websites for Fun & Profit", "Securing ASP.NET Websites and Applications" and "An Introduction to Windows CardSpace". An audience member (sorry, I didn't catch your name) asked me to put together some resource links on SQL Injection, XSS and so on. Probably the best breakdown of SQL Injection is Chris Anley's PDF, "Advanced SQL Injection In SQL Server Applications". The XSS FAQ is...
ScottGu just pushed out an article on self-signed certificates on IIS 7.0, which reminded me to blog about certificates and CardSpace. One of the problems in getting started with CardSpace is its reliance on certificates. The relying party needs an SSL certificate and the STS needs a certificate. MS distribute their test certificates for Fabrikam and Adatum in the CardSpace samples, but what if you don't want to pretend to be Fabrikam.com? You end up making your own. However, there's a problem. The STS sample as delivered checks the CRL when it decrypts the RST. Generally self signed certificates, such as...
If you missed my Introduction to CardSpace at WebDD, can't make the Scottish Developers Security Day, or wanted to see it at the cancelled VBug Cambridge session, I will be presenting it at VBug London on Wednesday 18th July. The session covers both accepting cards and issuing your own managed cards, and how to write an STS.
After the last Developer Day, John from the Scottish Developers Group approached myself and my colleague Chris Seary about taking our knowledge (and my unorthodox presenting style) north of the border. It took a little organisation but it's finalised. On the 12th April, at the Microsoft Offices in Edinburgh, we will be presenting the "Web Security Conference Day for Windows Developers".
Attendees get a full Barry morning experience, with the now infamous "Hacking Websites for fun and profit" session at 9:00 (what a way to start the day), and "Securing ASP.NET Communications and Applications" at 11:00.
The afternoon sees Chris presenting "Code Access...
So I presented "An Introduction to CardSpace" earlier today at WebDD, with poor Pat acting as a foil in my attempts to get the audience to laugh.
The more I attempted to draw the presentation materials together, the more I came to view CardSpace as unfinished. Aside from crashing when I cancel sending an Information Card, the CardSpace paradigm leaves open questions. The main sticking point for me is around managed cards. It's all very well saying that trusted parties will issue managed Information Cards, but how do you measure the trust you should apply to those cards? Passport failed...