
March 23rd, 2008, 11:09 PM
Re: windows CardSpace
A lot of users may have seen this thing in Control Panel and wondered where the hell did this come from and what is it? - For most it was sneaked in by Microsoft one day in Windows Updates!
What is CardSpace?
Quote:
What is CardSpace?
CardSpace is a new feature of Windows that gives individuals unprecedented control of their digital identities, while also helping users to manage their privacy. Users can install managed information cards from identity providers such as their bank, employer, government agency, or membership organization, and they can create their own self-issued information cards. When a website or web service requests a user’s credentials, CardSpace will be invoked and allow the user to select a card. CardSpace then retrieves a verifiable credential in the form of a signed security token from the selected identity provider, or the self-issuing authority as the case may be, utilizing interoperable protocols. It then returns the token to the requesting application. This provides users with a simple, secure and familiar sign-on experience that is consistent across websites and web services.
How is CardSpace used?
CardSpace helps consumers reduce the need to remember long lists of usernames and passwords, and helps prevent the theft of personal information through phishing schemes. Consumers use their information cards to identify themselves to applications, websites and online services. It is the first step in enabling millions of Web sites to provide a safer, more secure experience to customers.
Introducing Windows CardSpace whitepaper.
Quote:
The most common kind of security token on the Internet today is just a username. The most common way to prove that a username is really yours is by providing the password associated with it. Sometimes the username and password are assigned to you by the site you're accessing, although more commonly you choose both yourself. Because sites that do this typically use SSL for communicating with your browser, this approach has been seen as reasonably secure. SSL ensures that the entire communication is encrypted, and therefore attackers can't steal your password by listening in on the communication.
Yet password-based schemes like this are vulnerable to another kind of attack: phishing. By sending deceptive e-mail messages, attackers attempt to trick users into logging in to spurious copies of real sites, revealing their passwords and perhaps other personal information. If passwords weren't the dominant authentication mechanism on the Web, however, this kind of phishing would be less of a threat—there would be no passwords to steal. To make this possible, and to improve the security of Web login in general, CardSpace allows replacing password-based Web login with a stronger mechanism.
Rather than authenticating users with passwords, a relying party such as a website might instead authenticate users with security tokens. For example, a company providing a family of websites might also offer an identity provider, running on some machine and accessible from any client, that is capable of issuing tokens that are accepted by all of the sites in that family. This approach minimizes the use of passwords, and it's certainly an option that can be used with CardSpace. Still, it's applicable only for a specific set of sites, since there's no single identity provider that all websites would accept in order to issue security tokens.
Further reading - wiki, Windows CardSpace Sandbox
As with anything stored on and used by a machine, it could be open to abuse.