CardSpace (InfoCard) replay and thoughts

InfoCard (i.e. CardSpace) has been out for a bit, but does not get much joy yet. I think that is probably because a lot of people just don’t know about it or don’t care yet. But the other day I created an OpenID and started using it for identi.ca. identi.ca is a good example of a site that uses OpenID well and makes it easy. That got me thinking all sites should use OpenID. Then I rediscovered CardSpace because OpenID also allows you to attach an InfoCard to your ID. So that got me thinking more about CardSpace and using it for my web site.

In general, I am starting to think InfoCard (or the idea of InfoCard) is almost the perfect security model for the following reasons:

1) You control your cards locally. You don’t have various names and passwords strung out all over the Internet.

2) You can use the same card on multiple sites.

3) You only share the info you want in the card.

4) You get to pick your card at login using a picture and a named card. This makes it easy to remember what card you used at what site. Vista actually has a nice CardSpace control for this and it works well (it can be downloaded for XP).

5) People can’t hack your password on a site using precomputed hash (rainbow) tables or brute force. I am not sure yet if it is possible to brute force an InfoCard.

6) It moves the security model to a standard and tested model. Today, each site may (or may not) protect your password with all kinds of good or not-so-good hashing and/or encryption methods. Point is, you don’t know what method is used – it could be stored in the clear! InfoCard removes many of the server-side variants and acts almost like an agent on your behalf.

7) The framework is there so that in the future you can time-limit your card and revoke it from use.

Given the upsides and the fact that I am in control of the card, I am starting to wonder if OpenID is the right model.

That said, AFAICT, there is one primary downside – you have to have your card on each machine you use. That means if you are on some random machine, you need to figure out how to get your card and have to worry about removing it from the machine when you are done. Maybe what we need is a password-protected Temp Proxy Card. When you are at a "public" PC, you create a Proxy Card that includes the URL of your real card (stored at a public URL, AES-encrypted with your known password). Then, when you browse to a web site that requires a card, the card selector will pop up and you select your Proxy Card. The framework will download and decrypt your real card, use it, and cache it in memory only, in encrypted form, using the same password as your Proxy Card. Maybe it also has a time limit on it.
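A sketch of how the encrypted real card behind such a Proxy Card could be sealed and opened, as an added example that is not part of the original post or of CardSpace. The function names, blob layout and scrypt parameters are assumptions; the key is derived from the password with scrypt, the card is encrypted with AES-256-GCM, and the time limit is bound to the ciphertext as authenticated data.

```javascript
// Added example: hypothetical "proxy card" blob, not a CardSpace format.
const crypto = require('node:crypto');

// Illustrative scrypt cost (assumption); about 32 MiB of memory per guess.
const KDF = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const GCM = { authTagLength: 16 };
const b64 = (buf) => buf.toString('base64');
const raw = (str) => Buffer.from(str, 'base64');

function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, KDF);
}

// Encrypt the real card. The expiry is not secret, but it is authenticated
// (AAD), so it cannot be extended without the password.
function sealCard(cardBytes, password, expiresAtMs) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const header = Buffer.from(JSON.stringify({ v: 1, exp: expiresAtMs }));
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv, GCM);
  cipher.setAAD(header);
  const ct = Buffer.concat([cipher.update(cardBytes), cipher.final()]);
  return { header: b64(header), salt: b64(salt), iv: b64(iv),
           ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Decrypt a downloaded blob. The header is trusted only after the GCM tag
// verifies; the card is returned as a Buffer to be kept in memory only.
function openCard(blob, password, nowMs = Date.now()) {
  const header = raw(blob.header);
  const key = deriveKey(password, raw(blob.salt));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw(blob.iv), GCM);
  decipher.setAAD(header);
  decipher.setAuthTag(raw(blob.tag));
  let card;
  try {
    card = Buffer.concat([decipher.update(raw(blob.ct)), decipher.final()]);
  } catch {
    return { ok: false, reason: 'bad-password-or-tampered' };
  }
  const { exp } = JSON.parse(header.toString());
  if (nowMs >= exp) return { ok: false, reason: 'expired' };
  return { ok: true, card };
}
```

Because the blob sits at a public URL, anyone can run offline password guesses against it; the scrypt cost only slows that down, so the password still needs real entropy.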

Make your web site InfoCard enabled. I have looked at a couple of solutions, but found Dominick’s control the best fit and the easiest to use. It also supports non-SSL mode, as many web sites (i.e. blogs) do not use SSL. Having the option is nice.

Dominick Baier’s IC Selector at: http://www.codeplex.com/InfoCardSelector/Release/ProjectReleases.aspx?ReleaseId=12626
