Monday, January 25, 2010 17:47
Hi,
I still can't seem to understand how safe it is to use a card via a self-issued identity provider. Basically, if I create a card myself and submit the card to a relying provider, my question is: now that the relying provider depends only on the user name I send as a claim, can't someone who knows my user name and other claims create a card and then submit it to that web site, and then the web site would recognize the hacker as me?
All replies
Monday, January 25, 2010 21:52
Self-issued cards are meant to be used in "low value" identity scenarios only. The "recipient"/website is not expected to do a high value transaction/authorization based on a self-issued token. Sample scenarios where such data is taken at face value include comments at a blog, simple personalization (like a news site), etc.
Usually when a site accepts the self-issued card, it will also get some cryptographic information inside the token. This key material will be different even if some malicious user tries to create another card on their machine with the same values. In fact, the key material will be different even if you create another card with the same data values on your machine. Our recommendation is to use such cryptographic information too when creating an identifier in the website's database.
See http://blogs.msdn.com/vbertocci/archive/2007/01/15/uniqueid-and-ppid.aspx for some more details.
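One way a relying party could act on the recommendation in the reply above, shown as an added example that is not code from this thread or from CardSpace. The token layout, the function and class names, and the choice of SHA-256 are assumptions, and the token's signature is assumed to have been verified against its embedded key before this code runs.

```python
import hashlib
import os


def card_identifier(ppid: bytes, public_key: bytes) -> str:
    """Derive the database key for a card from its key material and PPID."""
    h = hashlib.sha256()
    # Length-prefix each field so two different (key, PPID) pairs can
    # never produce the same byte stream by shifting the boundary.
    for field in (public_key, ppid):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.hexdigest()


class RelyingParty:
    """Hypothetical account store for a site accepting self-issued cards."""

    def __init__(self):
        self.accounts = {}  # card identifier -> account name

    def register(self, token: dict) -> None:
        key = card_identifier(token["ppid"], token["public_key"])
        self.accounts[key] = token["claims"]["username"]

    def login_by_claims(self, token: dict):
        # Weak: trusts the self-asserted claim, so any card that carries
        # the same username is accepted as the account owner.
        name = token["claims"]["username"]
        return name if name in self.accounts.values() else None

    def login_by_key(self, token: dict):
        # Hardened: the account is found only through the key material,
        # which differs for every card even when the claims are identical.
        key = card_identifier(token["ppid"], token["public_key"])
        return self.accounts.get(key)


def make_card(username: str) -> dict:
    """Constructed sample token: random bytes stand in for the card's
    RSA public key and PPID, which a real selector would supply."""
    return {
        "claims": {"username": username},
        "ppid": os.urandom(32),
        "public_key": os.urandom(256),
    }
```
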
Tuesday, January 26, 2010 1:22
Thank you for the reply,
The link really helped, but I have a few questions...
1) This would mean if we export our cards from one machine to another, the keys of the local provider have to be copied as well, but now the machine we are going to import this card to might already have a key pair that is being used.
2) How is the private key protected? By the user password? Then again we have a problem when exporting, right?
3) From points 1 and 2 it looks like if the public key of the provider is stored in the RP website for authentication, then 1 and 2 have to be rectified.
Please correct me if I am wrong here...
Tuesday, January 26, 2010 1:58
Exporting/backing up your cards to a crds file (password protected) can be used to roam your cards to another machine. This crds file has all the information needed to recreate the key. The key is specific to a card, and so there are no problems as you mentioned. You can find more details at http://self-issued.info/?p=80 in the documentation.
Thursday, January 28, 2010 1:51
Tx for the reply, that answers my question...
But something that I am researching these days is how the card selector functionality can be moved into the "cloud", that is, storing the card itself in the cloud so that users can access their cards from anywhere without the need to be dependent on their local card selector.
Do you know of any current work going on in this area? I would like to propose something for my final year MSc project... it would be great if you could provide me with something on this.
Thursday, January 28, 2010 19:19
You might know that we are working on CardSpace v2. We currently have released beta 2. More details at http://blogs.msdn.com/card/archive/2009/12/18/announcing-the-ad-fs-2-0-release-candidate-and-more.aspx
CardSpace v2 beta does not support self-issued cards. The emphasis is on managed cards and as long as you can retrieve the managed card (CRD file), things are good. Due to these reasons, there is no "roaming of cards" functionality.
Friday, January 29, 2010 10:16
Tx Bilaney,
Are there any reasons why the cards cannot be hosted in an online service, with the selector becoming a browser plugin?
As I mentioned earlier in the post, I want to do something like that for my final thesis. Can you give me some pointers? We can take the discussion offline; can you mail me your suggestion to email@example.com
thanx in advance.
Thursday, May 27, 2010 13:39
You should take a look at Azigo 2.0. Azigo is a CardSpace-compatible Information Card selector that stores the cards in the cloud, letting you roam between Windows and Mac OSX machines. It includes an Adobe-AIR based client as well as browser plugins for IE and Firefox.
Azigo is a commercial version of the open-source AIR_Selector_1.1 that is in the Higgins Project at Eclipse.