Practical Guide To Certificate Installation for the Disinterested

It's a bit tricky to install certificates and keys, and harder still when you want to use the same certificate on both Windows and *NIX boxes.  Most of us don't have to install certificates very often (!), but that doesn't make it any easier! If you're like me you forget at least one of the annoying little essential details.

So partly in light of questions I've been receiving, and partly so next time I encounter these problems I remember how I answered them, I'm putting together what I hope might be a useful “Practical Guide to Certificate Installation for the Disinterested”.  In other words, I'm NOT discussing how to use certificates in production environments.

I'm kind of starting in the middle, but I've got three pieces ready so far.  If you're not familiar with this area, OpenSSL is an open source tool for managing certificates and IIS is Microsoft's Internet Information Server (i.e. Web server).  If you see problems with my instructions, please let me know.

Now for the pithy titles:

I'm also going to tackle the issue of creating InfoCard-compatible certs for testing and developing purposes.  If others want to add other sections let me know.


Configuring IIS to use the machine certificate

Start up the IIS management console – for example by going to the Control Panel, opening “Administrative Tools”, and then opening “Internet Information Services”.

Double click on your local computer, then “Websites”, and highlight “Default Web Site”.

Under the “Action” menu, select “Properties”, and then the “Directory Security” tab:

Click on the “Server Certificate” button and select “Next” when you see the wizard.  Then highlight the “Assign an existing certificate” radio button:

Click “Next”, highlight an appropriate certificate (e.g. the one you just installed), and press “Next” again.

You'll be shown certificate details, and on pressing “Next” one more time you'll be asked to “Finish”.

IIS is now configured to accept your machine certificate.


Converting OpenSSL PEM certificates and keys into a P12 format for IIS

Sometimes you want the same public key and certificate to operate on both *NIX and Windows machines. 

One way to do this is to create your key pair using openssl, obtain a certificate in PEM format, and then use openssl to convert the key and corresponding certificate into a P12 format that can be consumed by Windows.

PEM format is base64 encoded, meaning it is standard text that can be put into an ascii editor like Windows notepad.

Openssl needs you to give it a single file with a “.PEM” extension combining both your certificate and private key.  You do this by cutting and pasting the text from your certificate and private key files to produce a “.PEM” file like this:

Next, use openssl to create a “p12” file using the combined “.PEM” file.  The command is shown below.  Assuming your private key is protected by a passphrase, you will first be asked for the passphrase to unlock your “.pem” key, and then asked for another to protect the newly created “p12” file.  (I use the same one to reduce prospects of insanity).

The result will be a “.p12” file that you can install into Windows.
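
The conversion described above, as an added example that is not part of the original post. File names, the certificate subject and the passphrases are constructed, and a throwaway self-signed certificate stands in for a CA-issued one. The passphrases are read from environment variables so the script runs unattended; leave out -passin and -passout and openssl prompts for them as described above.

```sh
#!/bin/sh
# Added example (not from the original post). File names, the subject and the
# passphrases are constructed; a throwaway self-signed certificate stands in
# for the CA-issued one.
set -eu
umask 077   # everything written below contains or protects a private key

# Create an encrypted key plus certificate and concatenate them into the
# combined ".pem" file the post describes. Key passphrase comes from $KEY_PASS.
make_test_pem() {    # $1 = work directory
    openssl req -x509 -newkey rsa:2048 -days 30 -subj "/CN=www.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" -passout env:KEY_PASS 2>/dev/null
    cat "$1/cert.pem" "$1/key.pem" > "$1/combined.pem"
}

# Convert the combined PEM into a PKCS#12 file. Drop -passin/-passout to be
# prompted for the two passphrases instead, as the post describes.
pem_to_p12() {       # $1 = combined .pem, $2 = output .p12
    openssl pkcs12 -export -in "$1" -out "$2" -name "IIS test certificate" \
        -passin env:KEY_PASS -passout env:P12_PASS
}

# SHA-1 fingerprint as bare hex: the same digits Windows shows as "Thumbprint".
thumbprint_pem() {   # $1 = certificate .pem
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}
thumbprint_p12() {   # $1 = .p12
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Succeeds only if the private key inside the .p12 belongs to the certificate.
p12_key_matches_cert() {   # $1 = .p12, $2 = certificate .pem
    key_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS 2>/dev/null |
        openssl pkey -pubout)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Demo run on constructed values.
KEY_PASS='constructed-key-passphrase'; P12_PASS='constructed-p12-passphrase'
export KEY_PASS P12_PASS
work=$(mktemp -d)
make_test_pem "$work"
pem_to_p12 "$work/combined.pem" "$work/site.p12"
echo "certificate thumbprint: $(thumbprint_pem "$work/cert.pem")"
echo "thumbprint inside .p12: $(thumbprint_p12 "$work/site.p12")"
p12_key_matches_cert "$work/site.p12" "$work/cert.pem" && echo "key matches certificate"
rm -rf "$work"
```

OpenSSL 3.x encrypts the PKCS#12 file with AES by default, which older Windows versions may refuse to import; its pkcs12 command has a -legacy option for that case.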


Installing a machine certificate in the Windows certificate store

Our goal is to install a key and certificate that will act on behalf of your IIS server.  So the certificate must be stored in the “local machine” part of your certificate store (as opposed to that belonging to any one specific user).  Here's how to do that:

  • Create a console by selecting “Start->Run” and entering “mmc” (or just type “start mmc” from a command prompt).
  • A console will be created, and under the File menu, select “Add/Remove Snap-in”.
  • Select Add, and the “Add Standalone Snap-in” screen appears
  • Select “Certificates” and press the related “Add” button

  • Select the “Computer account” radio button and press “Next”, then “Finish” with the next screen

  • Unwind the dialogs by pressing “Close” and “OK”
  • Open up “Personal” and then “Certificates” as shown here:

  • Then under the “Action” menu, select “All tasks” and then “Import…”
  • “Next” yourself past the first page of the wizard to get to the import menu.  You can just type the path, but if you browse, remember to change the “File Type” to “Personal Information Exchange” or you won't see anything.

  • Press “Next” and you will be asked for the file's passphrase.  Enter it, press “Next” and then accept the default Certificate store with another “Next”.

  • This takes you to the finish dialog, and you end up with a certificate that can be used by the IIS process. 


Bill Barnes is CardCarrying

Bill Barnes is more responsible for crafting the Cardspace user experience than anyone on our team.  Now, he's not only working on next generation Cardspace, but tackling the user experience issues that arise when integrating InfoCards into web sites (e.g. “how to build a relying party?”).  Of course, this is an on-going project and – great news – he'll be using his new CardCarrying blog to express his thinking and develop ideas.  For those interested in InfoCards, this is a “must-subscribe”.  Here's his take on what he's doing:

Information Cards are a new approach to digital identity. So new that I’ve noticed an interesting phenomenon – in the hundred or so times I’ve presented our idea, to audiences of all kinds, it always takes the better part of an hour to convey. Sometimes more. And I’m a good speaker.

This shouldn't be surprising. They’re new, and one would expect the concepts to take a while to sink in. I remember the first time I saw the World Wide Web, then just a few months old. I just didn’t get it. My friend did a very admirable job as visionary, but it didn’t click. Same thing with TiVo. Again, I’m not dumb, not that dumb anyway, but new ideas take a while to filter in.

And Information Cards have it worse. They’re not just new, they’re different, and different is harder. You don’t just have to learn, you have to unlearn. This helps explain why security experts often take the longest to grasp what we’re doing – we’re forcing them to go back to first principles, and for many of them that’s a long way back. But even my mom has to unlearn passwords, and that won’t happen instantly.

I love to talk, I do. So I don’t mind speaking for the better part of an hour if that’s what it takes to get someone up to speed. But I have two jobs. My busy schedule simply won’t allow me to teach Information Cards to every man, woman, and child on the Internet today. How are we going to educate them? More to the point, how will website X, which thinks supporting Information Cards will garner more customers from increased security and convenience, educate them?

The good news is, not everyone needs to understand the end-to-end meta-architecture. They just need to understand what they need to make it work. One of the reasons we adopted the Card metaphor was that it brings with it some intuition. Hopefully, then, a given website won’t have to do very much explanation.

Here’s what I think they need to know, in language that I am continuing to develop. My hope is that, with these few key concepts under their belt, the flow of the website plus the user experience of their identity selector, be it Windows CardSpace or a competitor, will be clear enough to take them the rest of the way. So, without further ado:

Information Cards are like digital versions of the cards in your wallet. You can make personal cards for signing in to websites – they are like passwords but are much harder to steal. Personal cards are stored on your computer, and you can use a single card to sign into multiple websites.

You can also download managed cards from organizations like banks, associations, and businesses. When you want to prove something about yourself to a website, for instance “I am a member of club X” or “I work for company Y”, show that website a managed card. A managed card is stored on your computer, but the information it conveys is not.

These are the key points I think people need to understand. And the second part, managed cards, isn’t necessary if your site doesn’t take managed cards, and that’s most of them out of the gate. So really it’s one paragraph, three sentences, four or five concepts.

Don’t get me wrong, I think four or five concepts is a lot, and I don’t expect everyone to get it right away. I think inevitably what will happen is that a small group of geeks will learn these concepts deeply, and start to evangelize them in the blogosphere, in media, and to their parents. A good analogy here is RSS. My experience is that hardly anyone outside the technorati knows what it is yet, and very few people will bootstrap themselves simply by seeing that magic orange square. Conversions happen one at a time, from one satisfied (and informed) customer to another. My mom will use Information Cards because I tell her why she should.

I have heard some other great ideas about educating people. More on these later. Meanwhile, let me know how you would educate a user at your website on what Information Cards are, and why they should use them at your website. Would you use my language or a variant thereof? Share the love.

Oh, one more thing. I’m not speaking in an official capacity here, but I don’t think it’s reasonable to expect Microsoft or anyone else to mount a giant P.R. education campaign on Information Cards, any more than you would expect them or anyone else to convince you to use RSS. If it’s really a good technology (and I think it is) it will succeed because it is in everyone’s benefit when it is used. So I think everyone shares the educational burden. So get teaching.

This won't hurt much

The following piece from the Canadian Broadcasting Corporation has led me to start a “Believe it or not” tag for my blog. 

A Winnipeg dentist has adopted a system that allows patients to announce their arrival with a touch of their fingers — which has raised the eyebrows of some privacy experts.

Tim Dumore started fingerprinting his orthodontic patients about six months ago.

He has installed a biometrics system that allows his patients, most of whom are children, to sign in without telling a receptionist. On arriving, they touch their finger to a pad at the front desk and a computer sends a message to staff workstations.

While Dumore says most of his patients and their parents have willingly co-operated, he admits some have been reluctant.

“It can seem Big Brotherish,” he said. “But we can reassure them that we're using proper security protocols.”

The University of Manitoba's faculty of dentistry also fingerprints its patients.

Michael Lasko, registrar of the Manitoba Dental Association, thinks it could be the way of the future for identifying patients in dentistry and medicine.

“It's probably the easiest and most secure method of maintaining patient privacy,” said Lasko.

He said fingerprints help patients maintain their anonymity by eliminating the need for conversations about personal health information at the reception desk.

Biometrics are being used to identify patients in medical and dental practices around the world.

But for Winnipeg privacy lawyer Brian Bowman, it raises all sorts of red flags. He worries that fingerprints, especially those of children, are being used simply for convenience.

“I think a lot of people are going to be asking the question: ‘Why do you need to be collecting such sensitive data, and is it really necessary?’ ” he said.

Bowman says the practice could run afoul of privacy laws and there's the potential that those who refuse to provide their fingerprints might not receive treatment.

Dumore says his fingerprinting program is strictly optional.

But given the initial response, he expects he will soon have almost all his patients’ fingerprints on file.


World's leading identity politician

When it comes to dealing with identity, Australia has already “been there, done that.”  In 1987 there was a massive public revolt against a proposed national ID card that imprinted several of the Laws of Identity on the psyche of the nation.

None the less, the country faces the same challenges around health care and social benefits as every other: the need to streamline benefits processing, reduce fraud, and improve information flow where it is vital to the health and safety of individual citizens.

Over the last few years this has led a whole cohort of Australians to think extensively about how identity, privacy and efficiency can all be served through new paradigms and new technology.

On its second try, Australia went in a fundamentally different direction than it did with its 1987 proposal (reminiscent of others that have hit the wall of public opinion recently in other countries).  This time, Australia started out right – bringing privacy advocates into the center of the process from day one. 

The cabinet minister responsible for all of this has been Joe Hockey, who seems to have a no-nonsense approach based on putting users in control and minimizing disclosure.

Finally!  Our first glimpse of a government initiative that is, at least in its inception, fully cognisant of the Laws of Identity.  Beyond this, instead of swimming with dull proposals based on Berlin-wall technology,  Australia is leading the way by benefiting from new inventions like smartcards with advanced processors and web services that can together put information ownership in the hands (and wallets) of the individuals concerned.

Here's the story from The West Australian:

Police, State governments and banks will not be able to demand access to the new $1.1 billion smartcards under new laws aimed at stopping them becoming de facto national identity cards.

Responding to a report to be released today by Access Card task force chairman Allan Fels, Human Services Minister Joe Hockey will announce changes to ensure individual cardholders have legal ownership over them.

In a speech to be delivered to the National Press Club today he says most government and bank-issued cards remain the property of the issuer but in what may be a world first, the new laws will ensure the cards cannot be demanded for ID purposes.

Professor Fels foreshadowed the legislation in June when he warned consumers needed to be given as much control over the card as possible, and that the Government faced major security concerns if it did not protect cardholders from having to produce the card as identification.

Mr Hockey says the legislation will be introduced next year.

The Government will be able to turn off access to health and welfare benefits if the owner of the card is no longer entitled to them.

The high-tech cards, to be rolled out across Australia from 2008, will replace 17 health and social services cards, including the Medicare card, healthcare cards and veterans’ cards.

They will include a digital photo and name but not the holder’s address and date of birth, and the microchip will store certain health information and emergency contact details.

The Government says it will not be compulsory, but has admitted it will be hard to avoid because it will be required for all government services.

Nearly every Australian will need to carry a smartcard by 2010.

In his speech, Mr Hockey will argue that Australia has been a “complacent comfort zone” when it comes to aspects of card technology and security.

“Many other countries, particularly in Europe, replaced the magnetic strip with a microchip long ago,” he says.

He denies the scheme will result in one giant data base.

“Your information will stay where it presently is, the agency relevant to that information, the agency you deal with,” he says.

The Government hopes the scheme will wipe out $3 billion in welfare fraud a year.

Shadow human services minister Kelvin Thomson said the Government had engaged in precious little public debate about the card.

“Concerns include the threat to privacy from surveillance by corporations and governments, as well as the financial plausibility of a Government-run $1.1 billion IT project,” he said.

“In the United Kingdom, the Blair Government has been forced to put their proposed smartcard on hold due to overwhelming public opposition.”

If Joe Hockey's proposal is as enlightened as it appears to be, I hope every technologist will help explain that our current systems are far from being ideal.  We mustn't get too hung up on simply preventing deterioration of privacy through absurdist proposals, because the current bar is already too low for safety. 

We need to follow Australia in being proactive about strengthening the fabric of privacy while achieving the goals of business and government.

Virtual gardens with real-world walls

Here is a fascinating piece from OZYMANDIAS that oozes with grist for the User Centric mill.  This seems to be about walled gardens with barbed wire.  Please don't take what I'm saying as being critical of Sony in order to puff some other company (like, er, my own).  I'm talking about the general problem of identity in the gaming world, and the miserable experience much of the current technology gives us.  I think I should be able to represent my gaming personas as Information Cards – just as I would represent other aspects of my identity – and use them across games (and one day, even platforms) – without linkage to my molecular identity. 

News on the web today is that Xfire is suing GameSpy for how their GameSpy Comrade “Buddy Sync” feature creates friends lists. To quote:

Now Battlefield 2142 is caught up in a legal tangle between rival in-game instant messaging programs Xfire and GameSpy Comrade. On October 16, Viacom-owned Xfire filed suit against News Corp subsidiary IGN Entertainment over its GameSpy Comrade program, which comes on the Battlefield 2142 disc. IGN Entertainment also owns, a GameSpot competitor.   

Xfire is claiming that GameSpy Comrade's “Buddy Sync” feature illegally infringes on its copyrights. Buddy Sync retrieves users’ friends lists from other instant messaging programs like AOL Instant Messenger and Xfire, and gives players the option of automatically inviting those friends who have GameSpy accounts to join the users’ friends lists on Comrade.

If you read a bit deeper you find that what's basically being challenged is GameSpy's use of information (friends lists) that has been publicly published by Xfire on their website. Xfire claims that GameSpy's reading of that data is to enable GameSpy to bolster their own friends lists:

In a filing in support of the restraining order, Xfire CEO Michael Cassidy specified how his company believes the Comrade program works. First, Cassidy said it reads the user's Xfire handle from the XfireUser.ini file, then visits a formulaic URL on the Xfire site to get a list of the user's friends (for instance, to find the friends list of Xfire user Aragorn, Comrade would go to The names on that friends list are then compared with a central IGN database of Comrade users’ Xfire handles, and if any matches turn up, the user is asked if they want to invite those people to their Comrade buddy lists.

I am not a lawyer, and can't definitively comment on whether information that's made public in this fashion can or cannot be harvested. My gut is that it's probably kosher – we have plenty of website scraping applications in the wild today that do just this, including best price searching sites. What does fascinate me is how this suit highlights how busted Sony's PS3 online network is, and how companies are fighting to position themselves to take advantage of this financially. Bet that seemed to come out of right field. ;) But here's where I'm coming from.

I wrote earlier about why Sony's enabling of Xfire for PS3 games wasn't as exciting as it might seem. Take a read, and then let's talk about just what the experience of being an online user on PS3 is likely to be like.

So I buy my PS3, bring it home, and go online. The first thing I'm going to be asked to do is create some sort of Sony Network ID. That “Sony ID” will apparently bring basic presence and communication features via the crossbar interface. So far so good. Now I decide to play Insomniac's Resistance, which recently stated the following:

Insomniac's Ted Price: “The buddy list is specific to Resistance. And we decided not to bother people in-game with messages. If you have a new message sent to you while you're in a game, you'll see your “buddy list” tab flashing when you re-enter the lobby after playing a game. The buddy list tab is where you can access your friends, ignore list, messages, etc.”  

1Up (to reader): “Does this mean there's a system-wide friend's list, but you have to compile game-specific friends lists for each online game you participate in? That doesn't make much sense, and hopefully today's event will clear up the situation.”

Yes Virginia, that's exactly what this means. Even though I already have a “Sony ID”, I may have to create a new “Resistance ID” to play. And then start thinking about just how broken the experience is when you try to invite someone to a game. Do you send it via the Resistance UI? What screenname do I send it to? If I want to add you to my “Sony ID” friends list, do I need to send you an in-game message to ask you what your real “Sony ID” name is? What about game invites? How does that work across even just these two IDs?

You think that's bad? Now let's open up a few more games from different publishers. Each of these publishers had to make a choice of what online interface to use – again, because Sony's online network just isn't ready. So they'll choose between writing their own (as did Insomniac for Resistance), or perhaps licensing Xfire, or GameSpy, or Quazal, or Demonware. So now we have five potential networks with different namespaces, and an inherent  lack of ability to communicate (chatting, voice, invites, finding friends, etc.) between them, and even across to just the “Sony ID” namespace. Think we're done? Nope… what happens if each publisher doesn't stick with the same online solution for all of their games? This is very likely as most publishers use different developers – so even across a single publisher, you may find fragmented communities.

The only consistent tie all of these different community fragments has is that a user should always have their Sony ID. That gives you a lifeline to see friends when they are online… but only in the crossbar UI. Will you even be able to see what game they're playing? What about what network that game uses, and whether that friend is logged into it? How will you get messages in a timely manner? Remember Ted Price's quote above? “And we decided not to bother people in-game with messages. If you have a new message sent to you while you're in a game, you'll see your “buddy list” tab flashing when you re-enter the lobby after playing a game.” Doesn't sound like a user-centric design decision to me.

So… back to Xfire and GameSpy. I said earlier this suit is a direct result of how busted Sony's online network appears to be, and I just described some of the issues you'll likely be facing later this month. Yes, it's targeted at a PC title right now (Battlefield 2142), but that's just noise. What we're really seeing with this suit are online middleware companies trying to position themselves to become the eventual de facto solution that publishers will use. Just as with web search and instant messaging, these companies are trying to get momentum and user base that will cause them to be the “PS3 online” solution of choice. And this suit is simply one of many battles we'll see in this space, especially as PC and console crossplatform connectivity becomes more important in the coming years.

When my role as a player is really valued, I will be seen as owning my own buddy list.  Using zero knowledge technology, it will be possible for me to hook up with any of my buddies’ personas – across various games and without committing sins of privacy.


Podleaders Interview for those new to the Laws

Tom Raftery at interviewed me recently for his PodLeaders show (42 mins 15 secs).  Here is his description of what we talked about:

My guest on the show this week is Kim Cameron. Kim is Microsoft’s Identity Chief and as such is responsible for developing CardSpace – Microsoft’s successor to the much reviled Passport. Kim elucidated the Seven Laws of Identity and is developing CardSpace to conform to those laws. If he manages this, he will have changed fundamentally how Microsoft deals with people.

Kim is also responsible for Microsoft recently releasing 35 pieces of IP and promising to never charge for them.

Here are the questions I asked Kim and the times I asked them:

Kim, I introduced you as Microsoft’s Identity Chief, what is your official title in Microsoft? – 0:35

What does the Chief Architect of Identity do in Microsoft? – 01:02

Why is it necessary to have identity products in software? – 01:29

How do I know who I am dealing with on the internet? How is that problem being solved? – 03:56

And you as Microsoft’s Identity Architect are coming up with a way to resolve this called CardSpace… – 07:08

You were saying CardSpace is to be platform independent, I run a Mac, will it run on the Mac? – 15:26

You mentioned a couple of companies, are the offerings from these companies going to interoperate or are we going to have another version of the VHS/BetaMax wars? – 17:45

Audience questions
Rob Burke

Perhaps more than any of the other Vista-era technologies, in order to really catch on, CardSpace requires broad cross-platform adoption. Kim personally is doing a lot to showcase the use of CardSpace’s open standards. What does the broader effort to engage with other platforms and communities look like, and how is CardSpace being received? – 21:10

CardSpace uses an intuitive wallet-and-credit-card metaphor. One of the features of a wallet is that it’s portable – I carry several pieces of identity with me at all times. I tend to move between computers a lot. What provisions are there in CardSpace for helping me keep mobile (in a secure way)? – 25:07

What happens if your laptop containing your InfoCards gets lost and/or stolen? – 28:00

Dennis Howlett

What’s cooking on the identity management front at MSFT? We’ve been hearing about this on and off for a while – we need progress if we’re not to be weighed down by having to remember so many usernames and passwords for the services we consume. – 30:35

My questions again:

Will there be a lot of re-engineering of web apps required to roll out these technologies? – 34:03

And finally you mentioned that this is the first version what can we expect in the next versions and when will they be released? – 39:58

Download the entire interview here
(19.3mb mp3)
Let me make one thing clear about Microsoft's Open Specification Promise: many people were involved, and Microsoft's legal people, along with their colleagues representing open source thinkers and companies, deserve all the credit.

Check out the other interviews on the site (I think I'm number 48).  Doug Kaye was number 47, and there are lots of good things to listen to while on the treadmill (physical or metaphorical).


Information Cards supported on Community Server

Armand du Plessis at Impersonation Failure writes about his work to add Information Card support to his Community Server:

A couple of days ago I enabled experimental Windows Cardspace support on I mentioned that I'll post the source code and controls but with Tech-Ed Africa and some other work I never got around to posting it.

So now the updated Community Server files are available here and the source code for both the Community Server controls and the underlying ASP.NET controls is available here.

To enable Community Server to make use of Information Cards for authentication the following steps are required:

  • Install and configure your site with a SSL certificate. (Make sure it's a certificate issued by a Certification Authority trusted by popular browsers so you don't make the same mistake as me. See this post for more info)
  • Grant access to the certificate's private key to your application pool user. Easiest method to do this is using the winhttpcertcfg.exe utility.
    • winhttpcertcfg -g -c CertLocation -s SubjectStr -a Account
  • Add your certificate's thumbprint to your web.config appSettings section so the Token processor helper class can find it :
    • The thumbprint can be obtained through the MMC Certificates snap-in.
  • Unzip the updated Community Server files over the CS web files. The following files will be replaced so make sure you've backed them up before this step :
    • \Themes\default\Masters\master.ascx
    • \Themes\default\Skins\Skin-EditProfile.ascx
    • \login.aspx

How it works is relatively straightforward, kudos to the design of the Cardspace web integration and the Community Server SDK. A quick explanation:

The source consists of four core controls :

  1. Adp.CardSpace.InformationCardRequest – A very basic ASP.NET control that takes care of rendering the <object> element used to engage the Identity Selector with the desired claims the Relying Party wants from the Identity Provider. This can either be placed in the head of the page when working together with the InformationCardSubmit control, or as a standalone in a form body.
  2. Adp.CardSpace.InformationCardSubmit – Another basic ASP.NET control that renders the required script and a button that can be used to engage the Identity Card Selector. It is meant for consumption by higher-level controls that can subscribe to its OnTokenReady event which is fired when a postback triggered by the ICS happens.
  3. Adp.CommunityServer.Controls.Association – A Community Server control used in the profile section to allow a user to associate an Information Card with his/her account.
  4. Adp.CommunityServer.Controls.CardSpaceLogin – A Community Server control used to authenticate the user using his Information Card instead of the usual username/password.

The claim requirements are expressed through the Claims property on the Adp.Cardspace.InformationCardRequest control. This can be done programmatically or declaratively and the control added either to the page head or to a form body. Adding the control to the page head as done in the Community Server integration allows for fine grained control over when the Identity Selector is invoked without interfering with other form submit buttons on your page.

Below is an extract from master.ascx which embeds a request for two claims, email and PPID, into the page. (By default self-issued cards are accepted but this can be configured through the Issuer property on the control) 

<CS:Head runat="Server">
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <CS:Style id="UserStyle" runat="server" visible="true" />
    <CS:Style id="s2" runat="server" visible="true" Href="../style/Common.css" />
    <CS:Style runat="server" Href="../style/common_print.css" media="print" />
    <CS:Script id="s" runat="server" />
    <ADP:InformationCardRequest ID="_xmlToken" runat="server" Claims-Capacity="4">
        <ADP:ClaimDto ClaimType="" Required="true" />
        <ADP:ClaimDto ClaimType="" Required="true" />
    </ADP:InformationCardRequest>
</CS:Head>

Where the Identity Selector trigger is required the Adp.Cardspace.InformationCardSubmit control is placed. The sole responsibility of this control is to invoke the Identity Selector and raise an OnTokenReady event which can be consumed by other interested parties. Below is an extract from the Skin-CardspaceLogin.ascx (a Community Server control which uses the InformationCardSubmit control to obtain the encrypted token).

<ADP:InformationCardSubmit CssClass="CommonTextButtonBig" runat="server" id="csSubmit" />

That's all that's required to invoke the ICS. To decrypt and extract the token using the very useful TokenProcessor from the Microsoft samples, the following code is required to hook up and handle the OnTokenReady event. (This code is in the above mentioned CardSpaceLogin control, a composite control utilizing the InformationCardSubmit control and other default Community Server Controls)

protected override void AttachChildControls()
{
    submit = FindControl("csSubmit") as InformationCardSubmit;
    message = FindControl("csMessage") as StatusMessage;

    // Fail with a skin error before touching either control.
    if ((submit == null) || (message == null))
        throw new CSException(CSExceptionType.SkinNotSet);

    // Subscribe only after the null check above.
    submit.OnTokenReady += submit_OnTokenReady;
}

The Token helper class takes care of decrypting and extracting all the tokens from the postback. (The token helper class is available in the samples on

After breaking out the tokens we can access them through the indexed Claims property. All the claims we expressed in the InformationCardRequest control above are available for use in your code.  In the sample below the token's unique id is extracted and assigned to an extended profile attribute in Community Server.

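void submit_OnTokenReady(object sender, TokenEventArgs e)
{
    try {
        // Decrypt the posted token and break out its claims.
        Token token = new Token(e.TokenValue);

        // Compare the signed-in user's e-mail address with the card's e-mail claim.
        if (context.User.Email !=
            token.Claims[System.IdentityModel.Claims.ClaimTypes.Email]) {
            // ... (the start of this statement is missing from the page)
            CSUtil.CsResourceFilename), false);
            // ... (lines missing from the page)
        }
        // ... (lines missing from the page)
    }
    catch (Exception e1) {
        string displayMessage = ResourceManager.GetString("Association_GenericException",
        // ... (the rest of this statement is missing from the page)
        CSException e2 = new CSException(CSExceptionType.UnknownError,
            displayMessage, e1);
        // ... (lines missing from the page)
        DisplayMessage(displayMessage, false);
    }
}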

Some limitations in this implementation are that it currently doesn't detect whether or not the browser supports Infocards. Also, triggering the Identity Selector through script currently doesn't seem to be supported by the Firefox Identity Selector plug-in.

Currently the implementation on still suffers from the use of the Starfield SSL certificate which requires users to first import the Intermediate Certificate as a trusted issuer before Cardspace will accept it. This will be rectified soon.