cardspace

There are 30 entries for the tag cardspace
Self certified identities and high risk transactions

Warning opinion follows :) A while back I blogged on the difference between self issued and managed information cards; which led to an interesting comment from Aditya; I was wondering if you could further explain why a self-issued information card is not suitable for higher-risk transactions such as logging into a bank account. From what I gather, the advantage of a managed card would be that it could assert certain claims about a person (like the hair length example you mentioned). However, I'm not sure why managed cards are more secure just for logging in....

posted @ Sunday, November 09, 2008 3:22 PM | Feedback (2)

My Information Card logins don't work any more - .NET 3.5 breaking change

A couple of weeks back I tried to login to signon.com, my preferred OpenID provider. I use signon.com because it accepts Information Cards for authentication, so that's one less password to remember. However it didn't work; which was strange. I noticed that blogs I had used Information Cards on before told me they couldn't recognise my card either. It appears that someone listened to the problems with SSL and PPIDs I blogged about in February and this has broken the login. The change isn't a bad thing, it removes the dependence on the SSL chain so when you renew...

posted @ Saturday, August 30, 2008 3:57 PM | Feedback (2)

Ask for what you need; not for what you want.

The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution. One of the tenets of the "Laws of Identity" is minimal disclosure; so why are people ignoring this when they implement Information Cards? There are three main uses (in my mind) for Information Cards; "form filling" (email address, name, etc.), authentication and authorisation via claims; all important as I try to write the last bit of SharpSTS and start to issue my own demonstration cards. These are separate functions in most web sites, form filling is used...

posted @ Thursday, July 17, 2008 10:14 AM | Feedback (1)

"On the Insecurity of Microsoft's Identity Metasystem Cardspace"

Hot on the heels of the OpenID phishing demonstration comes a proof of concept entitled "On the Insecurity of Microsoft’s Identity Metasystem Cardspace". Setting aside the valid concerns of DNS poisoning the proof of concept makes use of SSL certificates; the proof of concept requires a user to install and trust a new root certificate. The assumption is that a user will blindly do this, I am not so sure; especially as both IE7 and Firefox will throw full screen certificate errors before allowing a browser to proceed. The user would have to choose to proceed, install a new root...

posted @ Thursday, May 29, 2008 3:59 PM | Feedback (1)

PayPal to ban "unsafe" browsers

You know where I’m going with this right? (I can see Robert holding his head in his hands right now) So eweek and others have reported that PayPal are going to stop the use of "unsafe" browsers, those that don’t include anti-phishing protection or support for EV certificates. Setting aside the kneejerk "They can’t do that" arguments on Slashdot (of course they can, it’s their web site) it would be interesting to see if Paypal stick to their guns as Safari users would get locked out. It makes sense; Paypal is one of the most commonly spoofed web sites with...

posted @ Friday, April 18, 2008 5:27 PM | Feedback (0)

Detecting information card support; and breaking Firefox

Over the last few days I’ve been working on what is basically a demonstration and debugging page for the SharpSTS site to allow people to dynamically build an Information Card object tag, then submit a card to it and see the results. It was problematic to say the least, with a major part of the problem being there is no real documentation about how the object tag is supposed to expose itself to a scripting environment. In order to detect information card support without Firefox bringing up its additional plugin required information bar you cannot embed an information card object tag...

posted @ Saturday, March 29, 2008 9:32 AM | Feedback (2)

.NET Rocks

Last Tuesday I spent an hour on the phone over the Atlantic, and even further to record .NET Rocks. It’s on-line. As you can probably guess I’m talking about Information Cards again. (And I’m on a client site, so I can’t hear it. This may be a blessing ...)

posted @ Tuesday, March 18, 2008 3:53 PM | Feedback (2)

Announcing SharpSTS

Dominick and David beat me to the punch; last night I hit the "publish" button on codeplex for SharpSTS; a C# library to allow you to develop Information Card Security Token Services. As with all open source projects there is still a bunch of work to do; as it stands we have a command line STS which should allow you to get started. Well; if you can work out from the source code what you need to do :) Over the coming weeks and months I, as dictator, Dominick Baier and David Christiansen hope to deliver a stable,...

posted @ Tuesday, March 11, 2008 8:13 AM | Feedback (1)

geekSpeak: Problems and Solutions When Implementing a Windows CardSpace Identity Provider on-demand.

The archive of the episode is now available on Channel9; it’s rather quiet I’m afraid, probably due to the transatlantic phone lines. The resources I mentioned will eventually wind their way onto the geekSpeak blog; but I’ll put them here for the meantime. Kim Cameron’s web site is www.identityblog.com; including "The 7 laws of identity" whitepaper My own blog posts on cardspace/Information Cards; http://idunno.org/Tags/cardspace/default.aspx Extended Validation SSL certificates The difference between Managed cards and Self issued Dominick’s asp.net control for Information Cards The Simple STS; a simple demonstration security token service. Microsoft’s asp.net...

posted @ Tuesday, March 04, 2008 1:35 PM | Feedback (0)

Not feeling the CardSpace love

<rant> One of the problems I have when extolling Information Cards is the severe lack of real world implementations, beyond those Vittorio has had a helping hand in. A common question is where does Microsoft use it themselves? The honest answer is "Nowhere, beyond a pathetic nod at it with Live ID™, using self issued cards to protect the Live ID login page, and only if you’re in Internet Explorer, oh and it’s beta support, and has been for over 6 months". A recent post by an EMEA Architect Evangelist is making me bang my head against the wall. One...

posted @ Wednesday, February 27, 2008 1:38 PM | Feedback (0)

Information Card encryption and being an auditing STS.

When I first started implementing security token services the documentation was minimal (ok, so that hasn’t changed much). The client wanted to log where their cards were being used, and allow specific claim access based on the identity of the relying party. When you create a managed card you can add the wsp:AppliesTo element to it which instructs the identity selector to send relying party information when requesting a token. A well behaved selector will warn users that the card provider is receiving this information (the screen shot to the left shows CardSpace and the warning it gives users). The...

posted @ Monday, February 18, 2008 10:34 AM | Feedback (0)

The difference between self issued and managed information cards

When I was a small boy (hush at the back, I know a lot of you think I still act like one) two friends and myself had a secret club, with handshakes, codes and membership cards we spent a day on and which were left in back pockets and destroyed when mothers washed jeans. Information Cards come in two flavours, self issued and managed. Self issued cards are ones you can create yourself, just like we did with our club membership cards. They contain what is referred to as "Phone Book" information; data that a user creates themselves and can...

posted @ Sunday, February 10, 2008 4:56 PM | Feedback (5)

Certificates, Information Cards, PPIDs and misconceptions.

As I’ve been developing an STS code library I’ve noticed a few inconsistencies around how people assume PPIDs work. If you’ve never read the interoperability specification now is a good time to start. If you’ve implemented Information Card support on your web site you’ll be aware of the Personal Private Identifier (PPID) claim. It’s generally described as a unique ID that identifies a combination of an information card and the relying party the claims are being sent to. Vittorio, as ever, has more details. On the surface the usual description indicates that each relying party gets an individual PPID, and...

posted @ Saturday, February 02, 2008 9:48 AM | Feedback (1)

Upcoming MSDN Webcast : Geek Speak "Problems and Solutions When Implementing a Windows CardSpace Identity Provider"

I know, it really should be implementing an Information Card Security Token Service but let's not scare people! It’s something new for me anyway; webcasting to a global audience, voice only so you needn’t worry about that. You can submit questions through the geekSpeak blog and register for the event on msevents. What is 10am PST in "proper" time anyway? <g> What: MSDN geekSpeak. In this installment of MSDN geekSpeak, Barry Dorrans talks about problems and solutions when implementing a Windows CardSpace identity provider in the real world. If you have a question or comment you would like us to address during...

posted @ Friday, January 18, 2008 7:24 PM | Feedback (0)

I am a community *beep*

Andrew Westgarth has published the 4th VBug podcast which he did with me just before I jetted out to TechEd where I ramble on about CardSpace, identity management, women in IT (oh dear) and other bits and pieces. Poor Andy had to beep out the phrase "community whore" when I described myself; not my description of myself, that was Sarah’s description.

posted @ Thursday, December 20, 2007 2:53 PM | Feedback (0)

A flying visit to TechEd

I’m making a flying appearance at TechEd this year talking about Information Card security token services and their implementation; for those interested the session is Windows CardSpace Case Study 1: Identity Providers – Experian (SBP05-IS), 8 November; 10:45 - 12:00, Room 131. I’ll be joining Steve Plank and Jim Lound from Experian on stage. The abstract for the session is as follows; Experian is in the Identity Business in a big way. Banks, Building Societies, Financial Institutions and governments use their identity validation services to validate the identities of potential customers. Experian will be one...

posted @ Tuesday, October 30, 2007 2:08 PM | Feedback (1)

Claims; a gentler form of identity in Information Cards

Whilst I was rejigging my presentation for the VBUG conference last week I gave a quick nod to the difference in language Information Cards and SAML use when talking about the information they transport. Normally identity systems and the applications that use them, WebSphere, WebLogic, PKI et al. talk in terms of asserting identity. SAML and Information Cards talk in terms of claims. There’s a subtle difference; assert: insist on one’s rights, declare one’s views forcefully. claim: to assert or maintain as a fact: She claimed that he was telling the truth. dictionary.com Unabridged (v 1.1). Retrieved October 25,...

posted @ Friday, October 26, 2007 7:17 AM | Feedback (0)

VBUG Conference 2007: Another CardSpace appearance

Another conference outing for my CardSpace presentation, this time at the VBUG Conference in October. What: VBUG Conference 2007. When: Wednesday, October 17, 2007 9:00 AM to Thursday, October 18, 2007 5:00 PM. Where: Microsoft UK Campus, Thames Valley Park, Reading, West Berkshire RG6 1WG. I see my stalking colleague Gary is also appearing (ever since he started he’s been talking at the same conference I have .... hmmm .....) This time we don’t clash either so I can finally attend one of his presentations!

posted @ Wednesday, August 15, 2007 4:11 PM | Feedback (0)

Craig Murphy takes my (podcasting) virginity.

Last Thursday Craig Murphy was down in London (in a tie!) and we met up in the White Hart pub in Drury Lane and out came his recorder and we meandered through social networking (FaceBook, Twitter and so on), identity, security, CardSpace, trust in managed card providers and other security topics that popped into my head as I brain dumped. This was my first full podcast (Dave & Rich from nxtgen have mugged me for slots before of course) I believe at 38:04 minutes it’s the longest podcast Craig has ever recorded (the beep censoring my language included but I was...

posted @ Saturday, August 04, 2007 6:35 AM | Feedback (0)

More presentations "An introduction to Information Card"

If you missed DDD altogether or couldn't decide between my own and the other presentations on during that slot (and decided wrongly ;)) I'll be giving the presentation at the following events; What: VBUG Technical Seminar. When: Thursday, July 26, 2007 7:00 PM to 9:00 PM. Where: New Horizons, 8th Floor, 207 Old Street, London, EC1V 9NR, England. What: nxtgenug "It came from outer CardSpace". When: Monday, September 17, 2007 7:00 PM to 9:00 PM. Where: Coventry Flying Club, Rowley Road, Coventry, CV3 4FR, England. As you can see Richard Costall's naming strategy has been used for the nxtgen event. If you're not a member of either of these fine groups then I highly...

posted @ Monday, July 02, 2007 7:16 AM | Feedback (4)

An Introduction to Information Card

Today saw DDD5 and delivery of my updated presentation on InfoCard CardSpace Information Card, which was rapidly updated this morning to include the new Information Card logo, and the ASP.NET Kit, as announced by Mike Jones a couple of days back. I did look at the HTML kit as well, but, err, the documentation is somewhat lacking. I think I know what parts of it do, but I'm still at a loss to explain why I need a toast style popup. The reaction to the logo was rather muted by developers and also derision from a designer in the...

posted @ Saturday, June 30, 2007 5:23 PM | Feedback (1)

CardSpace finally has a logo

Since I started presenting about CardSpace I've been bemoaning the lack of a logo. Finally, via an announcement on Richard Turner's blog it's here; We’re delighted to announce the immediate availability of the Information Card Logo. You’re free to use this logo (in accordance with the accompanying guidelines) to provide a clear, consistent visual cue to your users that your sites and applications support Information Cards. This will make it easier for users to recognize how and where to sign-in to your site and enjoy the ease-of-use and safety of Information Cards. The branding is available in the "Information...

posted @ Monday, June 25, 2007 7:32 PM | Feedback (4)

"Introducing CardSpace" to the Northern Ireland Microsoft Technologies User Group

Next Tuesday I will be giving my "Introducing CardSpace" presentation to NIMTUG (the Northern Ireland Microsoft Technologies User Group) at the Wellington Park Hotel. There's even a reception afterwards; I wonder if this means beer :) The event is free to NIMTUG members, and membership of NIMTUG is free. Details and registration can be found on the event page.

posted @ Thursday, May 31, 2007 1:37 PM | Feedback (0)

DDD#5 Bookings are now open; and I'm presenting again

The booking site for DDD#5 is now live (amusingly someone discovered the URI and it's spreading virally; there wasn't even a public agenda at the time; it appeared about an hour later). I had booked a space just in case but was delighted to discover that I will be speaking again, on CardSpace. So my collection of DDD speaker shirts grows again, one for every DDD (excluding the first one where we didn't have any); now I need to start planning for DDD#6 ....

posted @ Wednesday, May 30, 2007 9:35 AM | Feedback (1)

DDD #5 voting is open

You can now vote on sessions you want to see at the next Developer Day. It's rather funny to see an entire Security section manned by my colleague, Chris Seary, and myself, I should have submitted more than one session just to try to catch up with Chris. I hope to cover CardSpace, a talk I originally gave at WebDD except this time I won't be up against ScottGu <g> Richard Costall described the session from WebDD thus; I ended up being lured into a talk on CardSpace by Barry Dorrans. His session was described as the Overflow room for Scott's...

posted @ Saturday, April 28, 2007 6:26 PM | Feedback (0)

How do I detect that the user has canceled CardSpace? (And other errors)

CardSpace errors. CardSpace has a lot of potential errors, 31 at the current count, but how do you catch them on the client? The CardSpace samples don't illustrate this, and end up submitting a null token to the relying party. This isn't particularly friendly to the user, or to the relying party; ideally you'd be able to detect that a user canceled the CardSpace dialog and not submit your form. If you examine the error list you will see there is a specific HRESULT, IDS_E_ICARD_USERCANCELLED which is returned when the user cancels the CardSpace UI, but the question remains how do you access the...

posted @ Friday, April 20, 2007 9:51 AM | Feedback (0)

Scottish Developers Security Day

Last Thursday saw Chris Seary and myself presenting at the Microsoft offices in sunny (yes, really) Edinburgh for the Scottish Developers Group. Thanks must go to Craig and John for organising. I presented an updated (trendy white on black) "Hacking Websites for Fun & Profit", "Securing ASP.NET Websites and Applications" and "An Introduction to Windows CardSpace". An audience member (sorry, I didn't catch your name) asked me to put together some resource links on SQL Injection, XSS and so on. Probably the best breakdown of SQL Injection is Chris Anley's PDF, "Advanced SQL Injection In SQL Server Applications". The XSS FAQ is...

posted @ Monday, April 16, 2007 7:09 PM | Feedback (0)

Self-signed Certificates and CardSpace

ScottGu just pushed out an article on Self-Signed certificates on IIS 7.0 which reminded me to blog about certificates and CardSpace. One of the problems in getting started with CardSpace is its reliance on certificates. The relying party needs an SSL certificate and the STS needs a certificate. MS distribute their test certificates for Fabrikam and Adatum in the CardSpace samples, but what if you don't want to pretend to be Fabrikam.com? You end up making your own. However there's a problem. The STS sample as delivered checks the CRL when it decrypts the RST. Generally self signed certificates, such as...

posted @ Friday, April 06, 2007 12:27 PM | Feedback (1)

VBug London July: An Introduction to CardSpace

If you missed my Introduction to CardSpace at WebDD, can't make the Scottish Developers Security Day or wanted to see it at the canceled VBug Cambridge session I will be presenting it at VBug London on the Wednesday 18th July. The session covers both accepting cards and issuing your own managed cards and how to write an STS.

posted @ Monday, April 02, 2007 4:57 PM | Feedback (0)

DDD #5 Call For Submissions

The call for submissions for Developer Developer Developer 5 is open. I've already put my first submission in (can I beat Oliver & I think Benjamin who last time around, if my memory serves, submitted rather a lot). More importantly, was I first to submit again? I plan to talk on CardSpace again; extending the presentation I gave at WebDD to cover managed cards and writing your own security token service. Yummy. [Edit: 29-Mar 07:30] Yes I was the first to submit yet again. I think that's 3 times in a row now. Vote for my session; I promise...

posted @ Wednesday, March 28, 2007 8:11 PM | Feedback (1)