
.NET 3.0 Roadshow: An introduction to Windows CardSpace

At Dr. Dobbs' .NET 3.0 Roadshow, Michele Leroux Bustamante offered a look inside Microsoft's new identity metasystem, in which users create "cards" containing personal information. It promises better security than the username and password method of identity management.

End users can have a rough time managing their identity. They use passwords that are too simple, they use complex passwords but write them on notes taped to their machines, they forget passwords and lock themselves out of important applications, and so on.


In the upcoming .NET 3.0 and IE 7, Microsoft hopes to put an end to this. The company has introduced Windows CardSpace, which lets users store different forms of their identity and deploy them when needed. "It's an identity metasystem, independent of technology or platform," Michele Leroux Bustamante, chief architect at IDesign, told attendees at the .NET 3.0 Roadshow, a Dr. Dobbs seminar that came to the Boston area last week. Code samples from her presentation are available here.

CardSpace offers two types of cards. Users can create personal cards for tasks like playing games online or giving someone a business card. On the other hand, managed cards are issued by an associated identity provider, like a bank or credit card company. With managed cards, Leroux Bustamante said, a user's information stays with the identity provider.

Each card represents a set of claims about a person, a company or even an application itself -- stuff like name, date of birth and phone number. The actual claims are not on the card, she said. Instead, the card indicates which identity provider must be accessed to retrieve the claim.

To retrieve the claim, a card requests a security token from the identity provider. That token, an XML-based SAML token, contains the actual claims and is signed with the identity provider's private keys.

Once the request for a token is made, the GetToken call locks down the entire process, Leroux Bustamante said: "Users can only interact with the CardSpace UI. Other code cannot run." The token is encrypted, so it must be decrypted, and its signature validated, before its claims can be extracted.


CardSpace can be used in both browser- and client-based applications. In the former case, developers can trigger the CardSpace UI with OBJECT or XHTML tags. Only IE 7 supports CardSpace, so an application with potential users in IE 6, Firefox, Safari and Opera should also support the standard username and password system, Leroux Bustamante said.
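As an added illustration (not taken from the presentation's code samples), this is the kind of OBJECT markup a browser page uses to invoke the CardSpace identity selector, placed next to a conventional username and password form for browsers without CardSpace support. The form actions, field names and the choice of claims are assumptions made for the example.

```html
<!-- Added example; /login/card and /login/password are hypothetical endpoints. -->

<!-- CardSpace sign-in: submitting this form opens the identity selector.
     The token returned by the selector is posted in the field named
     by the object's "name" attribute (here: xmlToken). -->
<form method="post" action="/login/card">
  <object type="application/x-informationCard" name="xmlToken">
    <!-- Ask for a SAML 1.0 assertion, matching the SAML token described above -->
    <param name="tokenType"
           value="urn:oasis:names:tc:SAML:1.0:assertion" />
    <!-- Self-issued (personal) cards; a managed-card site would name
         its identity provider here instead -->
    <param name="issuer"
           value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
    <!-- Request only the claims the application actually needs -->
    <param name="requiredClaims"
           value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
  </object>
  <input type="submit" value="Sign in with an Information Card" />
</form>

<!-- Conventional sign-in for browsers that do not support CardSpace -->
<form method="post" action="/login/password">
  <label>Username <input type="text" name="username" /></label>
  <label>Password <input type="password" name="password" /></label>
  <input type="submit" value="Sign in" />
</form>
```

The server-side handler for the posted `xmlToken` field must decrypt the token and validate its signature before trusting any claim in it.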

As for smart clients, Windows Communication Foundation services can trigger CardSpace, she said. Claims-based authorization is not part of WCF v1.0 but should be included in future versions.

