Welcome to Microsoft .NET Framework 3.0 Community (NetFx3)

The .NET Framework is Microsoft's managed code programming model for building applications that have visually stunning user experiences, seamless and secure communication, and the ability to model a range of business processes.


Browse by Tags

All Tags » CardSpace » security
  • Information Cards: Unused (Security) Information

    It seems that I have to make up for not posting while my new house was built... Here is another post for today in the series (1, 2, 3) of posts around things you always wanted to know about Information Cards but never had the heart to ask. Did you know that CardSpace does not use the Identity information in an identity enabled EndpointReference? Shocking. Here is what I heard... When you import a managed card from a .crd file there is something inside the file that is called the TokenServiceList
    Posted to Cardspace Community Bloggers (Weblog) by Anonymous on August 21, 2008
    Filed under: CardSpace, Security
  • Carnards Die Hard

    A while ago two students, Xuan Chen and Christoph Löhr, from Ruhr University Bochum claimed to have "broken" CardSpace. There were some blog reactions to this claim. The authoritative one of course is from Kim. Today I browsed through a magazine lying on the desk of a colleague of mine. This magazine with the promising title "IT-Security" repeats the false claim and reports that the students proved that CardSpace has severe security flaws... Well, when you switch off all security mechanism
    Posted to Cardspace Community Bloggers (Weblog) by Anonymous on July 8, 2008
    Filed under: CardSpace, Security, Information Card Foundation
  • Stealing the Security Token

    The Ruhr Uni Bochum claims that they can steal the security token in a CardSpace scenario.... The experts from the German computer magazine c't could not verify the attack... After reading the paper that describes the attack I must say that I find it very unrealistic. The attack is described for managed cards. The browser is tricked to load malicious code and then the real RP's code is loaded and presented to the user. The malicious code then loads the root certificate for the malicious RP's SSL
    Posted to Cardspace Community Bloggers (Weblog) by Anonymous on May 28, 2008
    Filed under: CardSpace, Security
  • CardSpace Certificate Chain Validation Issue with Intermediate Certificates

    One problem with the original version of CardSpace was that it seemed to reject some legitimate SSL sites, but like all tricky bugs, it didn’t happen consistently enough to be caught in the first release. What was going on was that sometimes CardSpace couldn’t validate the intermediate certificates in the certificate chain because of a disconnect with the browser’s certificate store. If intermediate certificates aren’t installed on a user’s computer, most browsers use
    Posted to Windows CardSpace Team Bloggers (Weblog) by Anonymous on March 21, 2008
    Filed under: CardSpace, security, orcas, SSL, https, certificate chain
  • CardSpace getting FAT

    The CardSpace team blogged about a new "feature" of .NET 3.5. You can now work with CardSpace on a Windows system that has its system drive formatted with the FAT filesystem... They write: We’ve received a surprising amount of feedback (some of the earliest from Pamela Dingle) that customers are still using FAT file systems and this is causing problems. I am surprised too. What will be next? CardSpace running on Windows 95? Help! Sure, the cardstore is still encrypted twice... but still... I believe
    Posted to Cardspace Community Bloggers (Weblog) by Anonymous on December 12, 2007
    Filed under: CardSpace, Security, FAT, CardSpace 1.5, .net3.5
  • CardSpace on FAT File Systems

    The version of Windows CardSpace that shipped in .NET Framework 3.0 will not run when installed on a FAT file system. We’ve received a surprising amount of feedback (some of the earliest from Pamela Dingle) that customers are still using FAT file systems and this is causing problems. This was done because FAT doesn’t provide ACLs and therefore the files CardSpace uses for storing cards can be deleted or corrupted by malicious code running as the user. Since the store files are
    Posted to Windows CardSpace Team Bloggers (Weblog) by Anonymous on December 10, 2007
    Filed under: CardSpace, FAT, security, .net 3.5, NTFS
  • CardSpace: How Personal Cards Protect Users

    I have been working with, writing about and presenting on CardSpace for over 2.5 years now... and in the process refining how I describe to people the benefits of information cards for improving security for end-users. In particular, end-users that are not like us developers... everyday people that don't know how to choose which sites are unsafe, which links to click in email, and so on. Consider the following malicious PayPal email: You can see that the "Click here to verify your information" link is
    Posted to WCF Community Bloggers (Weblog) by Anonymous on September 16, 2007
    Filed under: CardSpace, Security
  • CardSpace: How Personal Cards Protect Users

    I have been working with, writing about and presenting on CardSpace for over 2.5 years now... and in the process refining how I describe to people the benefits of information cards for improving security for end-users. In particular, end-users that are not like us developers... everyday people that don't know how to choose which sites are unsafe, which links to click in email, and so on. Consider the following malicious PayPal email: You can see that the "Click here to verify your information" link is
    Posted to Cardspace Community Bloggers (Weblog) by Anonymous on September 16, 2007
    Filed under: CardSpace, Security
  • .NET 3.5 Roadshow Sample Code

    As some of you may know, several of us at IDesign (Juval, Brian and myself) are in the midst of a two-week .NET 3.5 Roadshow - six cities in two weeks where we collectively cover WCF, WF, WPF, CardSpace, federated and claims-based security concepts, and some key aspects of .NET 3.5 such as new C# 3.0 language features and ADO.NET 3.5 including LINQ and the Entity Framework. I'm personally covering WCF security, federated and claims-based security, C# 3.0 and ADO.NET 3.5. For those of you attending
    Posted to WCF Community Bloggers (Weblog) by Anonymous on September 15, 2007
    Filed under: .NET 3.5, CardSpace, WCF, Security, LINQ
  • .NET 3.5 Roadshow Sample Code

    As some of you may know, several of us at IDesign (Juval, Brian and myself) are in the midst of a two-week .NET 3.5 Roadshow - six cities in two weeks where we collectively cover WCF, WF, WPF, CardSpace, federated and claims-based security concepts, and some key aspects of .NET 3.5 such as new C# 3.0 language features and ADO.NET 3.5 including LINQ and the Entity Framework. I'm personally covering WCF security, federated and claims-based security, C# 3.0 and ADO.NET 3.5. For those of you attending
    Posted to Cardspace Community Bloggers (Weblog) by Anonymous on September 15, 2007
    Filed under: WCF, .NET 3.5, CardSpace, Security, LINQ

Copyright © 2007 Microsoft Corporation. All Rights Reserved.