Inicio Library Aprendizaje Code Descarga Soporte Comunidad Foros
Microsoft Developer Network >
self-issued identity provider and security

Bloqueada self-issued identity provider and security

  • lunes, 25 de enero de 2010 17:47
     
     
    Inicie sesión para votar
    0
    Hi,

    I can't seem to still understand how safe using a card via a self-issued identity provider, basically, if I create a card myself, and now I can submit the card to a relying provider, my question is, now that the relying provider depend only on the user name I send as a claim, cant some one who knows my user name and other claims create a card and then submit it that web site and then the web site would recogninxe the hacker as me?
       

    Todas las respuestas

    • lunes, 25 de enero de 2010 21:52
       
       
      Inicie sesión para votar
      0
      Selfissued cards are meant to be used in "low value" identity scenarios only. The "recipient"/website is not expected to do a high value transaction/authorization based on a self issued token. Sample scenarios where such data is taken at face value include comments at a blog, simple personalization (like a news site), etc..

      Usually when a site accepts the self-issued card, it will also get some cryptographic information inside the token. This key material will be different even if some malicious user tries to create another card on their machine with the same values. Infact, the key material  will be different even if you create another card with same data values on your machine. Our recommendation is to use such cryptographic information too when creating a identifier in the website's database.

      See http://blogs.msdn.com/vbertocci/archive/2007/01/15/uniqueid-and-ppid.aspx for some more details.
         
      • martes, 26 de enero de 2010 1:22
         
         
        Inicie sesión para votar
        0
        Thank you for the reply,

        The link really helped, but I have a few questions...

        1) This would mean if we export of our cards from one machine to another, the keys of the local provider has to be copied as well, but now the machine we are going to import this card might already have a key pair that is being used.

        2) How is the private key protected ?...by the user password?...then again we have a problem when exporting right?

        3) from point 1 and 2 looks like if the public key of the provider is stored in the RP website for authentication, then 1 and 2 has to be rectified.

        Please corret me if I am worng here...
           
        • martes, 26 de enero de 2010 1:58
           
           Respondida
          Inicie sesión para votar
          0

          Exporting/backing up your cards to a crds file (password protected) can be used to roam your cards to another machine. This crds file has all the information needed to recreate the key. The key is specific to a card and so no problems as you mentioned. You can find more details at http://self-issued.info/?p=80 in the documentation.

             
          • jueves, 28 de enero de 2010 1:51
             
             
            Inicie sesión para votar
            0

            Tx for the reply that answers my question...
            But some thing that I am researching on these days, is how the card selector functionality can be moved into the "cloud"..that is storing the card itself in the cloud so that users can access there cards from anywhere without the need to be dependent on there local card selector.

            Do you know any current work going in this area?...I would like to purpose something for my final year Msc project...would be great if you can provide me with something on this.


            Thanx

               
            • jueves, 28 de enero de 2010 19:19
               
               
              Inicie sesión para votar
              0

              You might know that we are working on CardSpace v2. We currently have released beta 2. More details at http://blogs.msdn.com/card/archive/2009/12/18/announcing-the-ad-fs-2-0-release-candidate-and-more.aspx

              Cardspace v2 beta does not support self-issued cards. The emphasis is on managed cards and as long as you can retreive the managed card (CRD file), things are good. Due to these reasons, there is no "roaming of cards" functionality.

                 
              • viernes, 29 de enero de 2010 10:16
                 
                 
                Inicie sesión para votar
                0
                Tx Bilaney,

                are there any reasons to why that the cards cannot be hosted in an online service and the selector becomming a browser plugin?


                As I mentioned earlier in the post I want to do something like that for my final theses, can you give me some pointers?...we can take the discussion offline, can you mail me your suggestion to nairooz001@gmail.com


                thanx in advance.
                   
                • jueves, 27 de mayo de 2010 13:39
                   
                   
                  Inicie sesión para votar
                  0

                  Hi,

                  You should take a look at Azigo 2.0 . Azigo is a CardSpace-compatible Information Card selector that stores the cards in the cloud, letting you roam between windows and Mac OSX machines. It includes an Adobe-AIR based client as well as browser plugins for IE and FireFox.

                  Azigo is a commercial version of the open-source AIR_Selector_1.1 that is in the Higgins Project at Eclipse.

                     
                  © 2013 Microsoft. Reservados todos los derechos.
                  |
                  Comentario del sitio