Information Card
There are 17 entries for the tag
Warning opinion follows :) A while back I blogged on the difference between self issued and managed information cards; which led to an interesting comment from Aditya; I was wondering if you could further explain why a self-issued information card is not suitable for higher-risk transactions such as logging into a bank account. From what I gather, the advantage of a managed card would be that it could assert certain claims about a person (like the hair length example you mentioned). However, I'm not sure why managed cards are more secure just for logging in....
So yesterday Dare announced that Microsoft, via Live ID were becoming an OpenID provider. Big whoop. So why am I so ambivalent? Being an OpenID provider is meaningless for Microsoft unless they start to accept OpenIDs for their services. At the moment be it on Microsoft.com, the Microsoft forums, Channel9, MSDN subscriptions, any Microsoft web site that needs personalisation demands a Live ID. Exposing a Live ID via OpenID simply allows existing "subscribers" to spread the Live ID tentacles into other sites; it does nothing to open up Live's web sites to interoperability with other identity providers; and that...
A couple of weeks back I tried to login to signon.com, my preferred OpenID provider. I use signon.com because it accepts Information Cards for authentication, so that's one less password to remember. However it didn't work; which was strange. I noticed that blogs I had used Information Cards on before told me they couldn't recognise my card either. It appears that someone listened to the problems with SSL and PPIDs I blogged about in February and this has broken the login. The change isn't a bad thing, it removes the dependence on the SSL chain so when you renew...
The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution. One of the tenets of the "Laws of Identity" is minimal disclosure; so why are people ignoring this when they implement Information Cards? There are three main uses (in my mind) for Information Cards; "form filling" (email address, name, etc.), authentication and authorisation via claims; all important as I try to write the last bit of SharpSTS and start to issue my own demonstration cards. These are separate functions in most web sites, form filling is used...
Hot on the heels of the OpenID phishing demonstration comes a proof of concept entitled "On the Insecurity of Microsoft’s Identity Metasystem Cardspace". Setting aside the valid concerns of DNS poisoning the proof of concept makes use of SSL certificates; the proof of concept requires a user to install and trust a new root certificate. The assumption is that a user will blindly do this, I am not so sure; especially as both IE7 and Firefox will throw full screen certificate errors before allowing a browser to proceed. The user would have to choose to proceed, install a new root...
Over the last few days I’ve been working on what is basically a demonstration and debugging page for the SharpSTS site to allow people to dynamically build an Information Card object tag, then submit a card to it and see the results. It was problematic to say the least, with a major part of the problem being there is no real documentation about how the object tag is supposed to expose itself to a scripting environment. In order to detect information card support without Firefox bringing up its additional plugin required information bar you cannot embed an information card object tag...
Last Tuesday I spent an hour on the phone over the Atlantic, and even further to record .NET Rocks. It’s on-line. As you can probably guess I’m talking about Information Cards again. (And I’m on a client site, so I can’t hear it. This may be a blessing ...) Technorati Tags: .NET Rocks,CardSpace,Information Card
Dominick and David beat me to the punch; last night I hit the "publish" button on codeplex for SharpSTS; a C# library to allow you to develop Information Card Security Token Services. As with all open source projects there is still a bunch of work to do; as it stands we have a command line STS which should allow you to get started. Well; if you can work out from the source code what you need to do :) Over the coming weeks and months I, as dictator, Dominick Baier and David Christiansen hope to deliver a stable,...
The archive of the episode is now available on Channel9; it’s rather quiet I’m afraid, probably due to the transatlantic phone lines. The resources I mentioned will eventually wind their way onto the geekSpeak blog; but I’ll put them here for the meantime.
- Kim Cameron’s web site is www.identityblog.com; including "The 7 laws of identity" whitepaper
- My own blog posts on cardspace/Information Cards; http://idunno.org/Tags/cardspace/default.aspx
- Extended Validation SSL certificates
- The difference between Managed cards and Self issued
- Dominick’s asp.net control for Information Cards
- The Simple STS; a simple demonstration security token service.
- Microsoft’s asp.net...
<rant> One of the problems I have when extolling Information Cards is the severe lack of real world implementations, beyond those Vittorio has had a helping hand in. A common question is where does Microsoft use it themselves? The honest answer is "Nowhere, beyond a pathetic nod at it with Live ID™, using self issued cards to protect the Live ID login page, and only if you’re in Internet Explorer, oh and it’s beta support, and has been for over 6 months". A recent post by an EMEA Architect Evangelist is making me bang my head against the wall. One...
When I first started implementing security token services the documentation was minimal (ok, so that hasn’t changed much). The client wanted to log where their cards were being used, and allow specific claim access based on the identity of the relying party. When you create a managed card you can add the wsp:AppliesTo element to it which instructs the identity selector to send relying party information when requesting a token. A well behaved selector will warn users that the card provider is receiving this information (the screen shot to the left shows CardSpace and the warning it gives users). The...
When I was a small boy (hush at the back, I know a lot of you think I still act like one) two friends and myself had a secret club, with handshakes, codes and membership cards we spent a day on and which were left in back pockets and destroyed when mothers washed jeans. Information Cards come in two flavours, self issued and managed. Self issued cards are ones you can create yourself, just like we did with our club membership cards. They contain what is referred to as "Phone Book" information; data that a user creates themselves and can...
As I’ve been developing an STS code library I’ve noticed a few inconsistencies around how people assume PPIDs work. If you’ve never read the interoperability specification now is a good time to start. If you’ve implemented Information Card support on your web site you’ll be aware of the Personal Private Identifier (PPID) claim. It’s generally described as a unique ID that identifies a combination of an information card and the relying party the claims are being sent to. Vittorio, as ever, has more details. On the surface the usual description indicates that each relying party gets an individual PPID, and...
I know, it really should be implementing an Information Card Security Token Service but let's not scare people! It’s something new for me anyway; webcasting to a global audience, voice only so you needn’t worry about that. You can submit questions through the geekSpeak blog and register for the event on msevents. What is 10am PST in "proper" time anyway? <g>
What: MSDN geekSpeak
In this installment of MSDN geekSpeak, Barry Dorrans talks about problems and solutions when implementing a Windows CardSpace identity provider in the real world. If you have a question or comment you would like us to address during...
I’m making a flying appearance at TechEd this year talking about Information Card security token services and their implementation; for those interested the session is
Windows CardSpace Case Study 1: Identity Providers – Experian (SBP05-IS)
8 November; 10:45 - 12:00
Room 131
I’ll be joining Steve Plank and Jim Lound from Experian on stage. The abstract for the session is as follows; Experian is in the Identity Business in a big way. Banks, Building Societies, Financial Institutions and governments use their identity validation services to validate the identities of potential customers. Experian will be one...
If you missed DDD altogether or couldn't decide between my own and the other presentations on during that slot (and decided wrongly ;)) I'll be giving the presentation at the following events;
What: VBUG Technical Seminar
When: Thursday, July 26, 2007 7:00 PM to 9:00 PM
Where: New Horizons, 8th Floor, 207 Old Street, London, EC1V 9NR, England
What: nxtgenug "It came from outer CardSpace"
When: Monday, September 17, 2007 7:00 PM to 9:00 PM
Where: Coventry Flying Club, Rowley Road, Coventry, CV3 4FR, England
As you can see Richard Costall's naming strategy has been used for the nxtgen event. If you're not a member of either of these fine groups then I highly...
Today saw DDD5 and delivery of my updated presentation on InfoCard CardSpace Information Card, which was rapidly updated this morning to include the new Information Card logo, and the ASP.NET Kit, as announced by Mike Jones a couple of days back. I did look at the HTML kit as well, but, err, the documentation is somewhat lacking. I think I know what parts of it do, but I'm still at a loss to explain why I need a toast style popup. The reaction to the logo was rather muted by developers and also derision from a designer in the...