New CardSpace Techie Blog

Caleb Baker, Ruchi Bhargava and a group of their colleagues on the CardSpace team have set up a new blog by techies for techies, called CardSpace: Behind the Code.  It warms my heart to see the team members reaching out to make direct contact with other developers and engineers who are adopting the technology or creating versions on other platforms.  So often developers in big companies are caught behind a wall of gauze.

They begin with a post that talks in depth about a change in CardSpace that I first announced in June here.  Basically, without in any way decreasing the security of high end sites, we have made it markedly easier for bloggers and others whose sites don't represent a financial honeypot to accept information cards:

“CardSpace in .Net Framework 3.0 required that sites deploying CardSpace always have an SSL certificate. This meant that every site that wanted to use CardSpace was forced to deploy an https site.

“Based on customer feedback, we have decided to relax this requirement for the next release of CardSpace (currently available in .NET Framework 3.5 Beta 2). We realize that there are some sites like blogs which would like to use CardSpace, but consider the SSL requirement to be a deployment blocker.

“Now, if you have a website that you want to add CardSpace support to, all you need to do is add the object tag to the page and you are done.

“In addition to requiring .Net Framework 3.5 beta 2 or later [on the windows client - Kim], a new version of icardie.dll is required to use this new feature. This will ship with Vista SP1 and an upcoming update to IE7.

“CardSpace does behave differently for http vs. https sites. When CardSpace is invoked from an http site, CardSpace will inform the user about the lack of an SSL connection and the security implication of this. (Also, note the new streamlined look of this window.)

CardSpace without SSL 

“In addition, managed card issuers can decide if the card they issued can be used on sites that do not support SSL. This can be done by adding the following element to the .crd file. If this element is specified then the card can only be used on a site that has an SSL certificate. The card will not ‘light up’ when the user is on an http site.

“A point to be noted is that cards that were issued for the last release of CardSpace will light up on http sites as they will lack this new element. In that case, the IP STS can make a decision on whether to release a token based on the identity of the recipient sent in the RST message…”

[Continues with changes in algorithms here.]
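For readers who haven't seen what “add the object tag to the page” amounts to, here is an added illustration of the relying-party markup the quoted post refers to. It is not code from the CardSpace team's post or from this blog; the form action (/login), the choice of claims and the restriction to self-issued cards are assumptions made for the example, while the object type, param names, token-type URI and claim URIs are the standard ones from the ws/2005/05/identity schema.

```html
<!-- Added example, not from the original post: a minimal blog login page that
     invokes the identity selector with the information-card object tag.
     On a plain http page the selector warns the user (as described above) and,
     with no site certificate available, the returned token cannot be encrypted
     to the site, so the server must verify the token's signature and audience
     before trusting any claim in it. -->
<form id="cardLogin" method="post" action="/login">  <!-- /login is an assumed endpoint -->
  <!-- The object tag is what makes CardSpace (and other selectors) "light up".
       The selector posts the returned token in the form field named "xmlToken". -->
  <object type="application/x-informationCard" name="xmlToken">
    <!-- Ask for a SAML 1.0 token carrying two claims: the site-specific
         private personal identifier (PPID) and an e-mail address.
         requiredClaims is a whitespace-separated list of claim URIs. -->
    <param name="tokenType"
           value="urn:oasis:names:tc:SAML:1.0:assertion" />
    <param name="requiredClaims"
           value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
    <!-- Assumed for this example: accept only self-issued cards, which is the
         typical choice for a blog. Omit the issuer param to accept managed
         cards as well; whether a managed card lights up on an http site is
         then decided by its issuer, as the quoted post explains. -->
    <param name="issuer"
           value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
  </object>
  <input type="submit" value="Log in with an Information Card" />
</form>
```

The practical caveat for an http-only site is the one the quoted post hints at: because there is no site certificate, the PPID a self-issued card generates is keyed to whatever identity the selector can establish for the site, and the token arrives unencrypted. Treat the posted xmlToken as untrusted input, check its signature and that it was issued to your site, and don't let a low-value blog login turn into an entry point for anything that would have justified a certificate in the first place.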

In one of the posted comments, reader MathiasR tells the team:

“Great to hear that you are listening to our feedback :) . Thanks!”

Meanwhile, the MSDN blog site they're on doesn't yet seem to show any signs of supporting Information Cards for leaving comments.  Maybe I'm just missing it, or maybe Caleb can drum up some info on when that is going to be turned on.

MSN and Windows Live hook up InfoCard Beta

Video of Hotmail Beta of Information Cards

In this video of the Windows Live ID beta (1:20) we use Bandit's DigitalMe to register and log into Hotmail from a Mac.  If anyone has been concerned that Information Cards won't scale to handle large sites, they can relax now.  To see another version of the demo, this time using CardSpace, watch this (2:20). 

MSN and Windows Live CardSpace Beta

You can now use Information Cards at Hotmail and all the other MSN/Windows Live sites. 

Just go here to associate an Information Card with your existing account.   I found that both Windows CardSpace and the Mac DigitalMe information card selectors worked beautifully with the system.  Check out this video to see what it was like registering and logging in from my Mac using DigitalMe. 

It's worth taking a step back to think about what can go wrong when you add a feature of this importance to a site with 300 million accounts.  If things don't work, you don't have a software bug – you have a trainwreck.  So the Windows Live people have done a lot of thinking, planning and testing in order both to create a cool experience and keep from confusing their users.   

There are still some anomalies.  In the words of the Beta announcement: Continue reading

Start using DigitalMe for Mac

Over the weekend I installed “Digital Me for Mac” on my MacBook Pro and started using it with identityblog and other sites.  It's fast and totally does the trick.  I've made a micro video demo that gives you an idea of what it's like.

The install worked just as it should.  I ended up with a Bandit managed card - then went on to create a self-issued one so I wouldn't have to enter a password.  So now I can work on my site both from my Mac and my PCs.  I'm not sure if it works with Safari – I was using it with Firefox. Continue reading

Managed information cards for secure online purchasing

Here's news of an important technology demonstration from Ping Identity and ACI Worldwide at the upcoming DIDW Conference (just two weeks away in San Francisco in case you have forgotten to register).

To put this in context, ACI Worldwide is the world leader in retail payments – over half the plastic card transactions in the world (55 billion last year) go through ACI's software at banks, merchants and networks in over 85 countries. Continue reading

We need a spectrum

Stefan Brands runs off in the wrong direction in his recent treatise on OpenID.  Who really needs a “shock and awe” attempt to bonk the new OpenID “cryptographic primitives” back into the stone age?

It's not that you shouldn't read the piece; even though subtlety is not its strong suit, it brings together a lot of information about a threat model for OpenID.

The main problem is simply that it misses the whole point about why OpenID is of interest.
Continue reading