Microsoft CardSpace

from Wikipedia, the free encyclopedia

Windows CardSpace (formerly InfoCard) is part of the Microsoft .NET Framework. CardSpace is an identity management technology that can be used for authentication and/or identification with websites and web services. It never achieved broad adoption and ultimately gave way to other methods. Microsoft stopped development work on the successor version 2.0 on February 15, 2011. CardSpace is included in Windows Vista and Windows 7; on Windows XP it can be installed later by updating to the latest .NET Framework version. For other operating systems such as Apple's Mac OS X or Unix derivatives, there are alternative implementations, which are usually referred to by the term Information Card or InfoCard.

The CardSpace technology is intended to make it easier for end users (and also employees in companies) to assert their own identity to third parties (relying parties). Until now, one has usually logged on to a website with a user name and password (for example, at a webmail provider). This method is error-prone and insecure, because the majority of users choose insecure passwords or the passwords are sent over an unencrypted, and therefore insecure, connection.

Areas of application

CardSpace relies on an analogy to the cards (EC card, membership card of a sports club, ...) in a wallet. The wallet cannot contain any money. Windows CardSpace, as found in the Windows system settings, acts as the wallet (Identity Selector) and holds the collection of your own cards. If you want to log on to a website that supports CardSpace (often referred to as Information Card in the open source world), you click on a specific link and are asked to select and submit one of your own cards. If the process succeeds and everything is in order with the transmitted card, you are logged on to the website without having to enter a password. CardSpace also allows you to protect your wallet locally on your computer with a password, fingerprint or smart card.

Cards

There are two different types of cards:

  • self-issued cards (also called self-asserted cards)
  • managed cards

A card generally consists of:

  1. a unique identifier
  2. own information (claims), such as postal address
  3. a PKI certificate for the local account (self-signed)
  4. a certificate signed by the certification authority

In the first versions of CardSpace, the service could only be used with SSL certificates. However, since certificates are too great a hurdle (often also a financial one) for private use in weblogs and online communities, from version 3.5 it is possible to use CardSpace without an SSL certificate.

Self-issued cards

You can create self-issued cards yourself. Self-issued cards contain a fixed set of attributes (called claims), such as first and last name, e-mail address, postal address, ...

In most cases, self-issued cards are sufficient. The analogy to the user name/password combination is also obvious here, since that is usually freely chosen as well. In companies, however, you might want to ensure that only employees have access to certain areas; for this case there are managed cards.

Managed cards

Managed cards can contain any attributes (claims). These are defined by the issuing authority (identity provider, e.g. a company or a government authority). For example, a company can define the claim "Department" so that only the HR department has access to the applications area within the company. Also conceivable would be cards issued by a state that attest the holder's date of birth and, derived from it, the holder's age, so that one could, for example, order films in an online shop without having to provide additional proof of age (compare the Postident procedure).
