Forum: .NET Framework > Claims based access platform (CBA), code-named Geneva

Can Identity be misused in CardSpace/InfoCard?

Hi All,
I have some queries in my mind regarding accessing InfoCard. I will use an example to ask you.
Let's say there is one XYZ company [an ECommerce company] that has implemented InfoCard on their site and gave me one managed card. And I have installed that certificate-backed managed card [both the digital card and the digital certificate] on my laptop.
Now I am using that laptop, but in the middle I got some work to do and I haven't logged off that laptop. During that time a friend of mine wants to visit that particular ECommerce site. He will type that URL in the browser window of my laptop, the CardTile will appear, and when he clicks on that CardTile... the managed card which was given to me will pop up. And if he says OK... he will be authenticated as me. And he can do anything...
Sorry if I have misunderstood anything. I will be happier if anyone tells me I am missing something. Please provide me your thoughts.

Thanks,
Sanjay.

Sanjay Adsure
The scenario you describe is absolutely possible. But this is not an issue with cards but with how you protect the credential (the certificate in your case).

Either -

a) you should not leave your machine unlocked
b) your cert is on a smart card that requires a PIN
c) you use strong private key protection, which requires a PIN equivalent for soft certs

and btw - your scenario would also work without cards - e.g. when the web site requires an SSL client cert (and you use an unprotected soft cert).


Dominick Baier | thinktecture | http://www.leastprivilege.com
Dominick Baier
Hi Dominick,
Thanks for the reply. One more thing I want to confirm for myself... does CardSpace "Geneva" provide a PIN facility for cards? So that whenever any user comes and clicks on the CardTile, the cards will come up and ask for a PIN...

Thanks,
Sanjay
Sanjay Adsure
Sanjay, why would you want it on the card as opposed to the credential? If the E-Commerce site cares about this, shouldn't they protect the soft cert with a PIN as in option (c) that Dominick mentions above?

Conceptually, we don't think of cards as credentials but merely loosely coupled metadata around token acquisition.

tx.
--Sam
Samuel Devasahayam "Geneva" team
Samuel Devasahayam - MSFT
Hi Dominick,
First of all let me thank you.
Just now I have created one certificate-backed managed card and sent it to one client machine. Then while installing this certificate on this client machine, I enabled strong key protection and set a password for it. Now whenever I am going to use this new card, it asks me for that Key Protection Password......!!!
Sorry for that previous reply from me... actually I misunderstood what you said earlier.
Thank you very much for this valuable reply.

Hi Sam,
Yes, you are right. Thanks for your suggestion.


Thanks,
Sanjay
Sanjay Adsure
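The mitigation the thread settles on (option (c) above, and what Sanjay did through the certificate import wizard) can also be done in code. The following is an added example, not code from the thread or from CardSpace/"Geneva": it imports a PFX into the current user's Personal store with strong private key protection enabled. The PFX path and import password are constructed placeholders, and the behaviour relies on Windows CAPI/CNG showing its key protection dialog.

```csharp
// Added example: import a soft certificate with strong private key protection so
// that every later use of the private key (e.g. CardSpace requesting a token for
// a certificate-backed managed card) prompts for the protection password.
using System;
using System.Security.Cryptography.X509Certificates;

class StrongKeyProtectionImport
{
    // Constructed placeholders; replace with the real PFX file and its password.
    const string PfxPath = @"C:\path\to\managed-card-cert.pfx";
    const string PfxPassword = "pfx-import-password";

    static void Main()
    {
        // UserProtected makes Windows show the "strong private key protection"
        // dialog at import time, where the user sets a password/PIN for the key.
        // PersistKeySet stores the key in the user's key container so the
        // certificate remains usable after this process exits.
        var flags = X509KeyStorageFlags.UserProtected
                  | X509KeyStorageFlags.PersistKeySet;

        var cert = new X509Certificate2(PfxPath, PfxPassword, flags);

        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX did not contain a private key.");

        // Personal store of the interactive user, the store CardSpace uses for
        // certificate-backed managed cards.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        try
        {
            store.Add(cert);
        }
        finally
        {
            store.Close();
        }

        Console.WriteLine("Imported: {0}", cert.Subject);
        Console.WriteLine("Thumbprint: {0}", cert.Thumbprint);
        // From here on, a second person at an unlocked machine who clicks the
        // CardTile still hits the key protection prompt and cannot complete the
        // token request without the password.
    }
}
```

Without the `UserProtected` flag the import silently succeeds and the key is usable by anyone logged on as that Windows user, which is exactly the gap the original question describes.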
