Windows CardSpace empowers organizations to prevent identity theft and systematically address a broad spectrum of security and privacy challenges. Understanding Windows CardSpace is the first insider’s guide to Windows CardSpace and the broader topic of identity management for technical and business professionals. Drawing on the authors’ unparalleled experience earned by working with the CardSpace product team and by implementing state-of-the-art CardSpace-based systems at leading enterprises, it offers unprecedented insight into the realities of identity management: from planning and design through deployment.
Part I introduces the fundamental concepts of user-centered identity management, explains the context in which Windows CardSpace operates, and reviews the problems CardSpace aims to solve. Next, the authors walk through CardSpace from a technical standpoint, describing its technologies, elements, artifacts, operations and development practices, and usage scenarios. Finally, they carefully review the design and business considerations associated with architecting solutions based on CardSpace or any other user-centered identity management system.
Coverage includes:
The limitations of current approaches to authentication and identity management
Detailed information on advanced Web services
The Identity Metasystem, the laws of identity, and the ideal authentication system
Windows CardSpace: What it is, how it works, and how developers and managers can use it in their organizations
CardSpace technology: user experience, Information Cards, private desktops, and integration with .NET 3.5 and Windows Vista
CardSpace implementation: from HTML integration through federation, Web services integration, and beyond
Adding personal card support to a website: a detailed, scenario-based explanation
Choosing or becoming an identity provider: opportunities, business impacts, operational issues, and pitfalls to avoid
Using CardSpace to leverage trust relationships and overcome phishing
Whether you’re a developer, security specialist, or business decision-maker, this book will answer your most crucial questions about identity management, so you can protect everything that matters: your people, your assets, your partners, and your customers.
Foreword
Preface
Part I Setting the Context
Chapter 1: The Problem
The Advent of Profitable Digital Crime
Passwords: Ascent and Decline
The Babel of Cryptography
The Babel of Web User Interfaces
Summary
Chapter 2: Hints Toward a Solution
A World Without a Center
The Seven Laws of Identity
The Identity Metasystem
Trust
WS-* Web Services Specifications: The Reification of the Identity Metasystem
Presenting Windows CardSpace
Summary
Part II The Technology
Chapter 3: Windows CardSpace
CardSpace Walkthroughs
Is CardSpace Just for Websites?
System Requirements
What CardSpace Provides
A Deeper Look at Information Cards
Features of the CardSpace UI
Common CardSpace Management Tasks
User Experience Changes in .NET Framework 3.5
Summary
Chapter 4: CardSpace Implementation
Using CardSpace in the Browser
Federation with CardSpace
CardSpace and Windows Communication Foundation
CardSpace Without Web Services
Summary
Chapter 5: Guidance for a Relying Party
Deciding to Be a Relying Party
Putting CardSpace to Work
Privacy and Liability
Summary
Part III Practical Considerations
Chapter 6: Identity Consumers
Common Misconceptions about Becoming an Identity Provider
Criteria for Selecting an Identity Provider
Relying on an IP
Migration Issues
Summary
Chapter 7: Identity Providers
Uncovering the Rationale for Becoming an Identity Provider
What Does an Identity Provider Have to Offer?
Walking a Mile in the User’s Shoes
An Organization’s Identity
Summary
Index
Average Amazon.com® Rating: based on 4 ratings
limited efficacy against phishing - 2008-03-12
CardSpace is an interesting offering from Microsoft that improves on their earlier, much unlamented Passport. Essentially a refactoring of user information. So that instead of a website asking for it and keeping it, especially where this is the (username, password), it can seek out an authoritative site on the Internet that has what information about the user is relevant. There's more to CardSpace. But one gist is to minimise the effort by users to maintain username and password across many websites.
Another motivator is to reduce the danger of phishing. In part by letting a user detect if a website is pretending to be a good website which she has visited before. This is done through her having several Cards, and having earlier chosen a particular Card to use at that good website. A fake website [pharm] simply won't have this information, and the lack of it can be a telltale warning to her.
Indeed, phishing appears in many parts of the text. A driving force in explaining why we should adopt CardSpace.
Unfortunately, efficacy is limited. Much phishing consists of emails, with links to pharms controlled by the phisher. Nothing in CardSpace attacks those emails directly, giving the recipient or her email provider a lightweight and objective means of detecting phishing messages and deleting or disabling them. Absolutely zero discussion of this in the text.
Nor does CardSpace attack another type of phishing. Instead of the message pretending to be from a bank at which you already have an account, it asks you to submit an application to open an account at a bank. Or to apply for a credit card, say. In these cases, the pharm is not pretending to be a place you've been to before. So you don't have any Card history usage there. How can you tell if the website is really run by a real financial institution? Here, the intent of the pharm is to harvest your personal information, for later use in identity fraud. This phishing modality sidesteps entirely the abovementioned protection.
What if, in response, you as a Card user, say you'll only hand over information to an unknown website via CardSpace, instead of typing it into that website's page? Still doesn't work. The pharm can implement CardSpace, acting as a Relying Party. So it fools you into letting it get information about you from an Identity Provider. If it's acting as a financial site, then it is natural to ask you for such things as your TaxID (SSN for Americans), date of birth, etc. Whether you type it in or it gets this from an IP is the same to the pharm. In fact, it might even prefer that you use an IP to give it data. Because that is more likely to be correct.
At this point, someone says, "Easy. The IP will only divulge to a reliable RP". Well, what defines "reliable"? Is it possibly that the RP has an Extended Validation Certificate? (The book makes repeated reference to EV.) While these are more expensive and harder to get than current Certificates, the level of scrutiny here can be defeated. A phisher can enrol as an employee at an existing IP that has an EV. (Or bribe an employee.) Or even set up a company that will get an EV. Remember, in general an EV holder does not have the same level of internal checks that a bank has, on its employees, to guard against subversion. Most EV holders will be merchants with websites. Merchants of varying sizes and sophistication.
This phishing modality is currently relatively infrequent, compared to normal phishing. Perhaps because phishers find it more lucrative to focus on accessing existing bank accounts, which they drain. (Whereas identity fraud is more effort.) But if this popular form of phishing were to fade, for whatever reason, including for the sake of argument, the widespread use of CardSpace, then the other modality can be expected to rise.
CardSpace's main virtue is convenience, in reducing the duplication of personal data on the Internet. Yes, to the extent that this happens, it does improve personal privacy and safety. But against phishing, it really only has, or promises to have, an indirect impact. Worse, and ironically, the very convenience of extensive CardSpace usage might actually increase the incidence of personal data leakage.
Identity Metasystems are the future - 2008-03-11
I am sick and tired of collecting passwords for each website I register: a password manager is making my life easier but deep inside myself I was wondering how long we have to live with the current system.
Then I got to know about this effort about building an identity meta-system started by Kim Cameron; the topic is not easy so that is why I followed Kim's suggestion and I bought this book. It is great! I now understand more and I'm just hoping that more Companies would start implementing this new technology on their systems (especially websites).
The book is full of technical details but also very easy to understand: do yourself a favor by not skipping the first "historical" part, which explains why we are "here" and what the options now are.
Highly recommended.
Excellent reference at just the right level of detail - 2008-03-26
The Foreword is by Identity luminary Kim Cameron and if I'm keeping it real, rather than describe the book's contents, I wish he'd shared more thoughts around the problem space, the approach to the solution and the roadmap BEYOND cardspace.
The book itself is an easy read. Not a tome by any means. Easy to pick up as a reference or to sit with and read chapter by chapter.
It succeeds at describing Identity Federation from a conceptual level as well as from a technical level (as it pertains to Cardspace). It even addresses some of the less obvious issues such as the notion of auditing and non-auditing IdPs.
Be warned, this book focuses on Cardspace fairly exclusively. There isn't a lot on interoperability here between things like OpenID and Cardspace for example. That's a topic for another book and could not easily be incorporated without devoting a lot of pages to OpenID.
The technical section is navigated through use cases that tackle things from an end-user experience as well as from the developer angle. This is effective as often it's hard to understand one without the other. At every point the reasoning behind the solution is presented also. This worked well.
For me personally, I wish they'd spent a little more time on things like GetToken() although using this directly will likely not be of interest to 90% of folks out there.
Unique to books of this type is a section devoted to Practical Considerations. Why one would want to setup an IdP or simply play the role of Identity Consumer for example. In today's environment the business value of establishing yourself as an IdP is questionable and I was glad to see this point addressed head on.
Vittorio, Garrett and Caleb have done a terrific job of describing and grounding one of the most compelling and abstract problems faced by the internet today. This is an excellent book and for many will serve as a one-stop shop for all your Cardspace questions.
Why Cardspace matters and how to implement it - 2008-03-09
The 'identity problem' is one of the more challenging areas for developers - particularly web developers. The book echoes what I have found when presenting information about CardSpace to developer communities. That is, a larger-than-normal amount of context is needed, prior to delving into the technical implementation details. The book includes an appropriate amount of technical detail as well.
Even if you are familiar with the scope of the problem, I encourage you to be patient with the first section of the book - it will add to your arsenal of context - which you will find useful when 'explaining' the business reasons for moving toward the CardSpace identity selector and the greater Identity 2.0 space (including Identity Providers and Relying Parties).
The identity problem is important; if you haven't taken a look at CardSpace, this book is a very useful start for you. The book also gives useful context around the greater Identity 2.0 space.