Welcome to Microsoft .NET Framework 3.0 Community (NetFx3)

The .NET Framework is Microsoft's managed code programming model for building applications that have visually stunning user experiences, seamless and secure communication, and the ability to model a range of business processes.


Windows CardSpace Team Bloggers

  • CardSpace on FAT File Systems

    The version of Windows CardSpace that shipped in .NET Framework 3.0 will not run when installed on a FAT file system. We’ve received a surprising amount of feedback (some of the earliest from Pamela Dingle) that customers are still using FAT file systems and this is causing problems.

    This was done because FAT doesn’t provide ACLs and therefore the files CardSpace uses for storing cards can be deleted or corrupted by malicious code running as the user. Since the store files are still double encrypted by both the user’s and the system’s keys, even on a FAT drive, user code cannot access the contents of the file and read the secret card information.

    Given the feedback we received, and that the cards are still protected against theft, we decided to make the changes and enable CardSpace (shipped with .NET Framework 3.5) on FAT File Systems. This change doesn’t have any side effect on the rest of the product so running CardSpace on partitions formatted with FAT or NTFS produces the same results. This is a change intended to meet some customers’ demands but we still recommend the use of NTFS because it’s a more secure environment not only for CardSpace but also for all other files in the computer.

    Rafael
    Windows CardSpace Team

    Read More...
  • CardSpace support for Oasis WS-SX standards

    The OASIS Web Services Secure Exchange (WS-SX) technical committee has published specifications for WS-Security extensions and policies to enable the trusted exchange of SOAP messages. Their effort resulted in the WS-SX specifications that include WS-Trust, WS-Security policy and WS-Secure conversation. This standardization of WS-Trust is good news. Gartner says that: OASIS's ratification of two key standards means that Web services security has finally reached a level of maturity acceptable to many enterprises. This is a positive development for vendors and customers alike. The ratification happened in March 2007 and support for these standards was one of the main changes included in the .NET Framework 3.5 release of CardSpace.

    Overview of new WS-Trust specification

    The OASIS WS-Trust is very similar to the one people have been using. The main differences are:

    1. Returning the security token: a RequestSecurityTokenCollection element is used to return a security token in the final response.
    2. SecondaryParameters: When a requestor inserts parameters into an RST request that come from a third party, for example a relying party policy, there is a potential for an attack. In the contributed request, both requestor RST parameters and third party RST parameters are mixed together as direct children of the wst:RequestSecurityToken element. This prevents an STS from differentiating between the RST parameters based on their source. Therefore, the STS trusts both kinds of RST parameters

    Read More...
  • All the bits to employ CardSpace without an SSL certificate are now available

    Hi, my name is Tariq Sharif and I am a program manager in the CardSpace team. After we released CardSpace V1 we received feedback from hobbyists, early technology adopters and site owners that getting/setting up an SSL certificate is hard, that it is not needed for some set of their scenarios, and that this is blocking them from accepting information cards on their sites. Based on this feedback, the feature team decided to remove this requirement for the .NET Framework 3.5 release.

    In order to invoke CardSpace from a page that does not have an SSL connection you need two updated components. First, you will need to install an updated browser-specific extension that will work at an HTTP site. You can download the IE extension from here, or if you have IE7 you probably already have it as part of the October security update. Second, you will need to install an updated version of CardSpace that does the right thing when a website, the relying party, does not have a certificate. The latest version of CardSpace can be downloaded as part of .NET Framework 3.5.

    You can read more technical details about this new functionality here in this post that Ruchi made a couple of weeks ago. Please feel free to drop us any comments on this, as we are always looking for feedback to help us refine this emerging technology.

    Thanks,
    Tariq Sharif
    Program Manager

    Read More...
  • How Identity Providers can show custom error messages in CardSpace

    Wouldn’t you like to show your users a custom error message instead of this generic one? Now you can with the latest .NET Framework 3.5 release (Beta 2 as of this blog). Your Identity Provider can simply return a SOAP fault and CardSpace will display the Fault Reason Text. This feature is great because it enables you to present the user with help and support information such as phone numbers or URLs. Your error message can now look like this:

    Your fault reason text can also be language specific. CardSpace will display the correct fault reason text based on the UI locale.

    Frequently Asked Questions

    What is the format of a SOAP message?

        <s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
                    xmlns:s="http://www.w3.org/2003/05/soap-envelope">
          <s:Header>
            <a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
          </s:Header>
          <s:Body>
            <s:Fault>
              <s:Code>
                <s:Value>s:Sender</s:Value>
              </s:Code>
              <s:Reason>
                <s:Text xml:lang="en">In English …</s:Text>
                <s:Text xml:lang="es-ES">In Spanish …</s:Text>
              </s:Reason>
            </s:Fault>
          </s:Body>
        </s:Envelope>

    Note that this SOAP message must be secured just like a typical application message. That is, it must contain the necessary Security headers (with all the necessary signature and encryption requirements based on the binding). CardSpace

    Read More...

Copyright © 2007 Microsoft Corporation. All Rights Reserved.