Welcome to Microsoft .NET Framework 3.0 Community (NetFx3)

The .NET Framework is Microsoft's managed code programming model for building applications that have visually stunning user experiences, seamless and secure communication, and the ability to model a range of business processes.


Windows CardSpace Team Bloggers


  • CardSpace Certificate Chain Validation Issue with Intermediate Certificates

    One problem with the original version of CardSpace was that it seemed to reject some legitimate SSL sites, but like all tricky bugs, it didn’t happen consistently enough to be caught in the first release. What was going on was that sometimes CardSpace couldn’t validate the intermediate certificates in the certificate chain because of a disconnect with the browser’s certificate store. If intermediate certificates aren’t installed on a user’s computer, most browsers use the certificate obtained from the site to reconstruct the whole chain and show the user they are at an SSL site. CardSpace, as it turns out, was not able to get the missing certificates. Since this bug could make a legitimate site appear to be fraudulent in CardSpace, and because the behavior is intermittent, it might be missed by a web developer adding support for Information Cards to their site.

    We asked the IE team and the maintainers of the browser add-on for Firefox to enable CardSpace to retrieve the correct certificate, and they did. The update to IE was included in the October 2007 IE Security Update and the updated Firefox add-on can be downloaded here (thanks Axel!). Implementers of other Identity Selectors should consider whether this issue is present in their code as well.

    I’ll hand off now to Shan to explain more details about the problem and the fix.

    Rob Franco
    Lead Program Manager
    CardSpace

    ========

    Introduction – How the recipient certificate & its intermediates Read More...
  • All the bits to employ CardSpace without an SSL certificate are now available

    Hi, my name is Tariq Sharif and I am a program manager in the CardSpace team. After we released CardSpace V1 we received feedback from hobbyists, early technology adopters and site owners that getting and setting up an SSL certificate is hard, that it is not needed for some set of their scenarios, and that this is blocking them from accepting information cards on their sites. Based on this feedback, the feature team decided to remove this requirement for the .NET Framework 3.5 release.

    In order to invoke CardSpace from a page that does not have an SSL connection you need two updated components. First, you will need to install an updated browser-specific extension that will work at an HTTP site. You can download the IE extension from here, or if you have IE7 you probably already have it as part of the October security update. Second, you will need to install an updated version of CardSpace that does the right thing when a website, the relying party, does not have a certificate. The latest version of CardSpace can be downloaded as part of .NET Framework 3.5.

    You can read more technical details about this new functionality here in this post that Ruchi made a couple of weeks ago. Please feel free to drop us any comments on this, as we are always looking for feedback to help us refine this emerging technology.

    Thanks,
    Tariq Sharif
    Program Manager

    Read More...

Copyright © 2007 Microsoft Corporation. All Rights Reserved.