Wednesday, April 25, 2007
CardSpace and Enablement of an existing Site
I have been busy coming up to speed on CardSpace and enablement of an existing site and have run into the following issues:
1. As I understand it, it is up to the relying party to determine which claims it requires from a card, and it will use these to match against an internal user store. If the card contained an email address, one could write code to match as follows:

```csharp
using System.Web.Security;

// Look up the locally signed-in account and, if the card's e-mail claim matches
// the stored address, record the card's PPID on the account.
MembershipUser user = Membership.GetUser(this.User.Identity.Name);
if (user != null && user.Email == emailaddressClaim) {
    user.Comment = ppidClaim;   // persist the PrivatePersonalIdentifier claim
    Membership.UpdateUser(user);
}
```

This code tells me that you first have to trust that the CardSpace software from MS, or Java equivalents such as WSO2, have first validated the token's signature and validated it from a cryptographic perspective. What I don't understand is how many fields one should match on as a practical consideration.
2. It seems as if CardSpace can support claims-based security checks, which is a little different from role-based security checks. Are there thoughts from the security community, such as Gunnar Peterson, on this?
3. Should CardSpace support roaming scenarios? For example, I may want to take my card and use it at an upcoming conference in a one-time usage scenario on the conference-provided computers.
4. Should CardSpace 2.0 somehow support the notion of a Turing test to prove that a user is a human? I was thinking about Dick Hardt's example of going to a bar and knowing whether the person on the other end is really a person.
5. I would like to request multivalued attributes from my site as a claim, where I specify specific values in terms of a list, but can't figure out how to do this.
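One way to structure the matching decision raised in point 1, as an added example that is not the post's code and not part of any CardSpace SDK: a signed-in user first associates a card with the account they are already logged into (e-mail is checked only at that moment), and every later sign-in matches on the PPID alone. The `LocalAccount` list is a stand-in for the ASP.NET Membership store, the claim dictionary is a constructed stand-in for the claims a token handler hands over, the `PPID-EXAMPLE-0001` value is a placeholder, and the code assumes (without checking) that the token's signature, issuer and audience were already validated upstream, exactly the trust the post points out.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (hypothetical relying-party code). An in-memory account list
// stands in for ASP.NET Membership; claims arrive as a plain dictionary.
public class LocalAccount
{
    public string UserName;
    public string Email;
    public string BoundPpid;   // PPID recorded at first card use (the post keeps it in user.Comment)
}

public static class CardMatcher
{
    // Standard CardSpace claim type URIs for self-issued cards.
    public const string PpidClaim  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier";
    public const string EmailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";

    // Step 1: a signed-in user links a card to the account they are logged into.
    // Assumed precondition: the token handler has already verified signature,
    // issuer and audience, so the claims can be trusted as far as this code is concerned.
    public static bool AssociateCard(IDictionary<string, string> claims, LocalAccount account)
    {
        string ppid, email;
        if (!claims.TryGetValue(PpidClaim, out ppid) || string.IsNullOrEmpty(ppid))
            return false;                       // no stable identifier to bind to
        if (!claims.TryGetValue(EmailClaim, out email)
            || !string.Equals(email, account.Email, StringComparison.OrdinalIgnoreCase))
            return false;                       // the card does not describe this account
        if (account.BoundPpid != null && account.BoundPpid != ppid)
            return false;                       // another card is already bound; require an explicit unlink first
        account.BoundPpid = ppid;
        return true;
    }

    // Step 2: later sign-ins match on the PPID alone. The e-mail in a self-issued
    // card is asserted by the user, so once the card is bound it adds nothing as a key.
    public static LocalAccount SignIn(IDictionary<string, string> claims, IEnumerable<LocalAccount> store)
    {
        string ppid;
        if (!claims.TryGetValue(PpidClaim, out ppid) || string.IsNullOrEmpty(ppid))
            return null;
        // A bound PPID must map to exactly one account. SingleOrDefault throws if the
        // store has bound the same PPID twice; that is a data error, not a login.
        return store.SingleOrDefault(a => a.BoundPpid == ppid);
    }

    public static void Main()
    {
        var store = new List<LocalAccount>
        {
            new LocalAccount { UserName = "alice", Email = "alice@example.com" },
            new LocalAccount { UserName = "bob",   Email = "bob@example.com" },
        };
        // Constructed claim set, shaped like what a token handler returns after validation.
        var aliceCard = new Dictionary<string, string>
        {
            { PpidClaim,  "PPID-EXAMPLE-0001" },   // placeholder, not a real PPID
            { EmailClaim, "Alice@Example.com" },
        };

        // Logged-in alice links her card: e-mail matches case-insensitively, PPID is bound.
        bool aliceLinked = AssociateCard(aliceCard, store[0]);
        // Logged-in bob presents alice's card: the e-mail does not match his account.
        bool bobLinked = AssociateCard(aliceCard, store[1]);
        // On a later visit the card alone identifies the account.
        LocalAccount whoSignedIn = SignIn(aliceCard, store);

        Console.WriteLine("alice linked: " + aliceLinked);
        Console.WriteLine("bob linked: " + bobLinked);
        Console.WriteLine("signed in as: " + (whoSignedIn == null ? "nobody" : whoSignedIn.UserName));
    }
}
```

The design choice this illustrates is that the number of fields to match is one after association: the PPID is generated per relying party, so it cannot be replayed from one site to another, whereas the e-mail in a self-issued card is whatever the user typed. The e-mail is therefore used only as a consistency check while the user is already authenticated by other means, and never as a login key on its own. For cards from a managed issuer the PPID is only unique within that issuer, so a store keyed on PPID should also record which issuer (for example, its signing certificate) the value came from.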