Archive for the 'Windows CardSpace' Category

June 24, 2008
A Personal Perspective on the Information Card Foundation Launch

Information Card Foundation banner

In May 2005, when I wrote the whitepaper “Microsoft’s Vision for an Identity Metasystem”, these sentences were aspirational:

Microsoft’s implementation will be fully interoperable via WS-* protocols with other identity selector implementations, with other relying party implementations, and with other identity provider implementations.

Non-Microsoft applications will have the same ability to use "InfoCard" to manage their identities as Microsoft applications will. Non-Windows operating systems will be able to be full participants of the identity metasystem we are building in cooperation with the industry. Others can build an entire end-to-end implementation of the metasystem without any Microsoft software, payments to Microsoft, or usage of any Microsoft online identity service.

Now they are present-day reality.

This didn’t happen overnight and it wasn’t easy. Indeed, despite it being hard, the identity industry saw it as vitally important, and made it happen through concerted, cooperative effort. Key steps along the way included the Laws of Identity, the Berkman Center Identity Workshops in 2005 and 2006, the Internet Identity Workshops, the establishment of OSIS, the formation of the Higgins, Bandit, OpenSSO, xmldap, and Pamela projects, publication of the Identity Selector Interoperability Profile, the Open Specification Promise, the OSIS user-centric identity interops (I1 rehearsal, I1, I2, I3, and the current I4), the OpenID anti-phishing collaboration, the Information Card icon, and of course numerous software releases by individuals and companies for all major development platforms, including releases by Sun, CA, and IBM.

Of course, despite all the groundwork that’s been laid and the cooperation that’s been established, the fun is really just beginning. What most excites me about the group of companies that have come together around Information Cards is that many of them are potential deployers of Information Cards, rather than just being producers of the underlying software.

The Internet is still missing a much-needed ubiquitous identity layer. The good news is that the broad industry collaboration that has emerged around Information Cards and the visual Information Card metaphor is a key enabler for building it, together in partnership with other key technologies and organizations.

The members of the Information Card Foundation (and many others also working with us) share this vision from the conclusion of the whitepaper:

We believe that many of the dangers, complications, annoyances, and uncertainties of today’s online experiences can be a thing of the past. Widespread deployment of the identity metasystem has the potential to solve many of these problems, benefiting everyone and accelerating the long-term growth of connectivity by making the online world safer, more trustworthy, and easier to use.

In that spirit, please join me in welcoming all of these companies and individuals to the Information Card Foundation: founding corporate board members Equifax, Google, Microsoft, Novell, Oracle, and PayPal; founding individual board members Kim Cameron, Pamela Dingle, Patrick Harding, Andrew Hodgkinson, Ben Laurie, Axel Nennker, Drummond Reed, Mary Ruddy, and Paul Trevithick; launch members Arcot Systems, Aristotle, A.T.E. Software, BackgroundChecks.com, CORISECIO, FuGen Solutions, Fun Communications, Gemalto, IDology, IPcommerce, ooTao, Parity Communications, Ping Identity, Privo, Wave Systems, and WSO2; associate members Fraunhofer Institute and Liberty Alliance; individual members Daniel Bartholomew and Sid Sidner.

May 26, 2008
Gone Phishing

Fun Communications’ site idtheft.fun.de lets you mount your very own man-in-the-middle based phishing attack against the OpenID provider of your choosing. Rather than redirecting you to the OpenID provider you specify, it instead redirects you to a page impersonating the OpenID provider, created using content scraped from the real site behind the scenes.

This is the same kind of attack shown in Kim’s phishing video. idtheft.fun.de lets you have the fun of doing it yourself!

I tried it myself with several OpenID providers I use. Predictably, I was typically able to “steal” the passwords for OpenIDs when logging into them with passwords and hijack the resulting logged-in sessions. “Protecting” an account with a one-time-password (OTP) device did nothing to stop this; my “attack” still succeeded in hijacking the session established using a password in combination with an OTP value.

Two things did defeat these attacks. Because Information Cards generate site-specific sign-in information and the attacker’s site is different than the authentic site, even when I was “tricked” into submitting an Information Card to the imposter site, it didn’t give the imposter the ability to log into the real site. No shared secret was present to steal and no session was established to hijack.

The other thing that defeated this specific attack was the use of JavaScript in the sign-in process by the OpenID provider. While a slightly more sophisticated attack could almost certainly get past this obstacle, idtheft.fun.de apparently doesn’t correctly mimic JavaScript site features like “Sign In” buttons invoking an onclick method.

This ability to both phish passwords and hijack the resulting logged-in sessions is exactly why I and others are working on finishing the OpenID Provider Authentication Policy Extension (PAPE) extension. As I wrote when the first draft was published, PAPE enables “OpenID relying parties to request that a phishing-resistant authentication method be used by the OpenID provider and for providers to inform relying parties whether a phishing-resistant authentication method, such as Windows CardSpace, was used.” It’s time for PAPE to become an OpenID standard.


What follows are screen shots from a successful phishing attack and a thwarted one – both against the same OP. The difference is whether passwords or Information Cards were used to log in.

Figure 1: idtheft start

Figure 1: About to mount my attack against my OpenID at myopenid.com. I’ve typed the URL of my OpenID into the relying party.

Figure 2: idtheft signin

Figure 2: Next, I’m logging in with a password. An observant user could notice several things wrong: the address bar shows the imposter’s URL, the imposter’s URL is present in the “You must sign in to authenticate to …” message, and the “Your Personal Icon” space is blank. Unfortunately, there is strong evidence that users are not observant.

Figure 3: idtheft allow

Figure 3: Phishing already accomplished. Same cues are present that something’s amiss. Of course, a more sophisticated attack could replace the imposter’s URL in the page with the “real one” in both of these screens, eliminating the most obvious cue. I scroll down and click “Allow Once”.

Figure 4: idtheft accomplished

Figure 4: Result after being redirected back to the “relying party”. Yes, that was my real password.

Next, I tried to attack my account again but was surprised that I wasn’t asked to log in this time. Of course – the attacker’s session was already logged in! So I signed out as the man-in-the-middle (that was weird), enabling me to try again.

My next steps looked just like Figures 1 and 2, except instead of typing a password I clicked the purple Information Card button. This brought me to:

Figure 5: idtheft cardspace

Figure 5: CardSpace informs me that I’ve never sent a card to this site before. An observant user would realize that they don’t normally see this screen and might decline. But then, we’ve already discussed how observant users aren’t. I click “Yes”, choose the card I normally use to log into myopenid.com, and send it.

Figure 6: idtheft prevented

Figure 6: Phishing prevented. “Error processing Information Card token” isn’t the most informative error message I’ve ever seen but behind it is great news: the phishing attack failed because the token constructed for the imposter site wasn’t usable at the real site.

And thanks to idtheft.fun.de, you can try this at home!

May 4, 2008
The Certificate Odyssey

I was just reading Ryan Janssen’s post Becoming an RP with the Pamela Project (pt. 1) and when I got to the end where he wrote “Since it’s going to take a few hours to get my SSL cert issued and installed, I think I’ll post this and go outside for a break!” it reminded me of the certificate odyssey I went through in April last year. After eventually getting the certificate created and installed, I wrote this about it at the time to Stuart Kwan (hip Internet terminologist):

Getting and installing the certificate was an unbelievable odyssey. It was an *incredibly complicated* process, that in my case, involved many visits to Network Solutions’ and GoDaddy’s support sites, several hours of my afternoon on Saturday, using cryptic openssl commands on Linux to create a key pair and a cert signing request (and later to strip the password off the key pair so Apache would start without the password), lots of help on IM from Pam Dingle, and the creation or use of 6 different passwords. Oh, and the cert wasn’t even installed by that point!

And it would have been *so easy* to get any of the steps wrong and have a cert request that was incorrect or to obtain a cert that didn’t do what I wanted it to. I understand the value that certificates provide (and it’s substantial). But we, as an industry, haven’t exactly made it easy for people to obtain and use them…

I’m tempted to blog about that, but I won’t… :-)

But seeing that Ryan is about to go through the same odyssey, I’ve reconsidered, hence this post. I’m now eagerly awaiting part two of his description to see how his experience compares to mine.

Of course, now that CardSpace and other identity selectors have support for no-SSL sites, hopefully this will be an optional odyssey soon – employed only when the security benefits of SSL certificates are called for. I know that Pamela plans to add no-SSL support to PamelaWare for WordPress soon, so after that, the pain that I went through and that Ryan’s in the midst of during a beautiful sunny day on the Lower East Side can be a thing of the past.

April 1, 2008
User-Centric Identity Interop at RSA in San Francisco

33 Companies…
24 Projects…
57 Participants working together to build an interoperable user-centric identity layer for the Internet!

Come join us!

Tuesday and Wednesday, April 8 and 9 at RSA 2008, Moscone Center, San Francisco, California
Location: Mezzanine Level Room 220
Interactive Working Sessions: Tuesday and Wednesday, 11am – 4pm
Demonstrations: Tuesday and Wednesday, 4pm – 6pm
Reception: Wednesday, 4pm – 6pm

Logos of RSA 2008 Interop Participants

March 30, 2008
The History of Tomorrow’s Internet

Ryan JanssenI recently encountered Ryan Janssen’s insightful series entitled “The History of Tomorrow’s Internet” and immediately read the whole thing in one sitting. Among other gems, I found in it the clearest explanation of the value and promise of XRI/XDI that I’ve ever read. Great stuff!

The most recent installment detailed his experiences of “how it feels for a regular person to use Cardspace”. In particular, he documented his experience of using CardSpace for the first time to leave a comment on this blog. He introduced his narrative with:

… as someone who’s business it is to build great software, I KNOW how hard good UI is. Believe me, I work with a GREAT product team and we try REALLY hard to make intuitive software and we fail EVERY day. Having said that, this post isn’t going to paint a real pretty picture.

I’ll let each of you read his blow-by-blow narrative yourself. He closes with:

So what’s the final analysis? Well, as I stated in the beginning, the purpose of this post isn’t to bash Microsoft or Cardspace. Like I said, I build software and when I actually see a normal person use it for the first time, I’m inevitably embarrassed at how difficult it is. Software is hard and Cardspace is brand new. Nonetheless, this does show how far the technology has to go before Mom and Dad are going to be using it. Usernames and Passwords are UBIQUITOUS. We’ve been trained on the visual metaphors for at least a decade. Replacing that with ANY other paradigm is going to rough. To have any chance of success, the Cardspace workflow will need to be much improved.

Because I’m a member of the CardSpace team, I can say that as much as the team is understandably proud of what they accomplished in V1, they’re also pragmatic realists who are fully aware of the issues that Ryan documents so well and the vital importance of addressing them in our future releases. It’s exciting participating in that very process on the fifth floor of Microsoft building 40, day in, day out, as the team defines and refines what the next release will contain. Greatly improved usability is certainly one of our highest-priority goals.

I know that Ryan has also motivated Pamela and me to take a look at how the flow on the blog can be improved. PamelaWare for WordPress isn’t even yet a V1 release (it’s at v0.9 currently) and I know Pamela has lots of ideas on how to improve it. Ryan’s experiences will certainly help inform the next release.

Also, I’ll remark on these excellent observations:

Ready to post? Not yet. Since my iCard is self-issued, Mike’s site (yes, the site is called self-issued.info ironically enough) doesn’t trust me and has now decided that I need to verify my email address. This is obviously a little annoying, but it brings up a good use-case for the first Claim Provider–one that has verified my email address, home address, and phone numbers, so I NEVER have to respond to an email or text message like this again.

Asking the user to verify his or her e-mail address is a way of obtaining a backup means of authentication that can be used in the case where user has lost his Information Card. Just like many accounts backed by passwords use e-mail in the “lost password” flow, PamelaWare uses e-mail to the user in the “lost card” flow and verifies ownership of the e-mail address at account creation time. Ryan correctly points out that if I had received a verified e-mail address as a claim there’s several steps we could have skipped. Making this scenario a reality is one of my personal goals for the Identity Layer we’re all building together.

There’s nothing like real user data to inform what needs to happen next. Thanks, Ryan, for taking the time to provide it to all of us. I look forward to reading the next installment of the series!

March 28, 2008
JavaScript Kung Fu Fighting!

Firefox logoThanks and congratulations to Axel for his new release of the Firefox Information Card add-on that tames all that JavaScript Kung Fu with ease! I’ve updated the pertinent OSIS interop results page from “Issues” to “Works”.

March 6, 2008
Welcoming Credentica’s People and Privacy Technology to Microsoft

Stefan BrandsI’m writing today to publicly welcome Stefan Brands, Christian Paquin, and Greg Thompson, of Credentica to Microsoft’s Identity and Access Group. I’m looking forward to working with them and to us adding their fantastic minimal disclosure technology to our identity products. Like Kim, I’m excited!

I urge people to check out Stefan’s announcement, Kim’s detailed write-up about the significance of this technology (I love the phrase “Need-to-Know Internet”), and Brendon Lynch’s post on Microsoft’s Data Privacy blog.

Welcome to Microsoft!

February 19, 2008
Re: OpenID kills Windows CardSpace?!

The thing that immediately came to mind when I read the subject of Christian’s post was Mark Twain’s famous remark, upon learning about rumors of his own demise: “The report of my death is an exaggeration”.

Apparently the German press hasn’t been following my blog (I’m hurt but not totally shocked :-)) or Kim’s or JanRain’s or VeriSign’s or Ping Identity’s or Andy’s or Dick’s or David’s or Drummond’s or Scott’s or Paul’s or so many others where we’re all talking about the valuable ways that Information Cards and OpenID work well together. And there’s more than just talk. For instance, the OpenID providers LinkSafe.name, MyOpenID.com, PIP.VeriSignLabs.com, and SignOn.com all enable account creation and login with Information Cards. Is this good for OpenID? Yes! Is it good for CardSpace (and other Identity Selectors)? Yes!

But lest anyone has the perception that Microsoft’s participation in OpenID somehow lessened our commitment to CardSpace, I’ll respond plainly: That is simply not true. I work in the corridors where the CardSpace team is actively building the next version (which incorporates lots of the great feedback we’ve received from users and partners on our present versions) and down the hall from where our server product is being built that will make it easy to issue and accept Information Cards. I can honestly report that both teams are excited, executing on their mission, and moving full speed ahead!

In answer to Christian’s question “Why didn’t Microsoft explain the whole picture in the moment of releasing such news?”, I’ll respond pointing out that the news of February 7th was about Microsoft and others joining the OpenID Foundation board – not about CardSpace, and we were comfortable with that. We are confident enough of the value that CardSpace brings to the table to also openly embrace other identity technologies where they make sense, without feeling that the existence of one diminishes the other. We are confident that others (including many of the leaders in the OpenID community) share this view.

So to our great partners like Christian who are out there rocking, building innovative identity solutions that are part of the “Identity Big Bang” with Information Cards and CardSpace I say this: Congratulations on your fantastic work! We’re fully behind you!

And to our great partners who are also helping create the “Identity Big Bang” by employing OpenID where it makes sense: We salute you too!

The Internet Identity Layer is still very much a work in progress. I’m thrilled to be part of making it happen and to be in a community that is collaborating and building upon one another’s work. And if I were on the outside watching, I certainly wouldn’t be holding my breath wondering if one of these identity technologies is going to “kill” the other one – especially when the truth is that they’re both stronger because of the other.

January 10, 2008
Come ’n get it!

Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital IdentitiesUnderstanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities by Vittorio Bertocci, Garrett Serack, and Caleb Baker, is now in print!. As I wrote for the “praise page” of the book:

Chock full of useful, actionable information covering the “whys”, “whats”, and “hows” of employing safer, easier-to-use, privacy-preserving digital identities. Insightful perspectives, on topics from cryptography and protocols to user interfaces and online threats to businesses drivers, make this an essential resource!

Come ’n get it!

December 15, 2007
Firefox Information Card Add-on Collaboration

Firefox logoThe new release of the Firefox Information Card add-on recently announced by Axel Nennker is notable not only for its features, but also because it incorporates contributions by Andy Hodgkinson of the Bandit Project that make it work with the DigitalMe Identity Selector. This means that the same Firefox add-on can now be used with at least three Identity Selectors – openinfocard, DigitalMe, and Windows CardSpace.

The benefits of sharing this core piece of Information Card infrastructure became apparent when some recent releases of Firefox broke the add-on in some scenarios. Because several copies of the code were in use by different projects by then, all the projects had to make their own fixes in their copies, both duplicating effort, and increasing the chances that different selectors would behave differently in quirky and non-obvious ways. I’m really pleased that Andy pitched in and contributed his fixes to the add-on project and that Axel incorporated them in a way that I believe means that DigitalMe won’t have to use a separate add-on anymore. Hopefully the other identity selectors will also follow suit soon, eliminating any unnecessary forking in this key project.

One nit with Axel’s post though… While he suggested calling the add-on “CardSpace for Firefox”, even though I’m a fan of CardSpace, the add-on is intended to work with any Identity Selector – not just CardSpace. Therefore I’d prefer selector-neutral names for the project like “Firefox Information Card add-on”, “Firefox Identity Selector add-on”, “Information Cards for Firefox”, etc. What selector-neutral term for the project do others prefer?

November 19, 2007
New Version of CardSpace Available

.NET 3.5 Default Card ImageI’m pleased to announce that the .NET Framework 3.5, which includes a new version of Windows CardSpace, is now available for download. The CardSpace team has been blogging about the new features and usability improvements at the team blog CardSpace: Behind the Code. I highly recommend reading it to understand the details of what the team has included in this release.

I did choose a picture for this post, however, that is emblematic to me of the many usability improvements, large and small, that have been made since the initial CardSpace release in the .NET Framework 3.0. The colored image is the new default self-issued card graphic. The previous default image was sepia-toned, making it difficult to visually distinguish between “full-color” and grayed-out versions of the image (which are shown when the card does not meet the requirements of a relying party). Based on customer feedback, we changed the default image so that it’s now easy to tell the two apart. This is but one example of the numerous improvements we’ve made to CardSpace based on feedback from actual use.

Like its predecessor, the new version runs on Windows XP, Windows Server 2003, and Windows Vista. Download it and give it a whirl!

November 18, 2007
Sites Using Information Cards

Percentage of Computers with an Identity SelectorI’ve been inspired by Kim’s Information Card Thermometer to start tracking sites using Information Cards. If you know of sites using Information Cards that that I don’t have on my list, please send me a note or leave a comment on this post and I’ll add them. I’ll know that we’re reaching the tipping point when maintaining this list becomes completely impossible. Can’t wait…!

November 4, 2007
New Release of Firefox Information Card Add-on

Firefox logoI wanted to call your attention to the new release of the Firefox Information Card add-on that Axel Nennker posted this week. Axel’s changes address a number of issues identified during the Interop at Catalyst in Barcelona. Among other things, with this add-on, Firefox now supports:

  • privacyUrl and privacyVersion, which enable privacy policies to be shown,
  • issuer and issuerPolicy, which enable the use of Relying Party STSs, and
  • sites that don’t use SSL certificates (which use http rather than https).

I believe that this brings Firefox up to feature parity with the Information Card support in IE7 when used with CardSpace, as well as enabling the use of Firefox with additional identity selectors such as the openinfocard selector and others. Thanks for the great work Axel!

October 31, 2007
Understanding Windows CardSpace Book

Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital IdentitiesI highly recommend the new book Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities by Vittorio Bertocci, Garrett Serack, and Caleb Baker. As I wrote for the “praise page” of the book after reading the current draft:

Chock full of useful, actionable information covering the “whys”, “whats”, and “hows” of employing safer, easier-to-use, privacy-preserving digital identities. Insightful perspectives, on topics from cryptography and protocols to user interfaces and online threats to businesses drivers, make this an essential resource!

A must-have for anyone deploying or considering deploying Information Cards. And if you can’t wait for the book to be published, you can also purchase a first draft of the book from Rough Cuts. Enjoy!

October 24, 2007
User-Centric Identity Interop at Catalyst in Barcelona

Logos of Barcelona Interop Participants 2007

Last night OSIS and the Burton Group held the third in a series of user-centric identity Interop events where companies and projects building user-centric identity software components came together and tested the interoperation of their software together. Following on the Interops at IIW in May and Catalyst in June, the participants continued their joint work of ensuring that the identity software we’re all building works great together.

This Interop had a broader scope along several dimensions than the previous ones:

An excerpt from Bob Blakley’s insightful-as-always commentary on the Interop is:

The participants have posted their results on the wiki, and a few words are in order about these results. The first thing you’ll notice is that there are a significant number of “failure” and “issue” results. This is very good news for two reasons.

The first reason it’s good news is that it means enough new test cases were designed for this interop to uncover new problems. What you don’t see in the matrix is that when testing began, there were even more failures – which means that a lot of the new issues identified during the exercise have already been fixed.

The second reason the “failure” and “issue” results are good news is that they’re outnumbered by the successes. When you consider that the things tested in Barcelona were all identified as problems at the previous interop, you’ll get an idea of how much work has been done by the OSIS community in only 4 months to improve interoperability and agree on standards of component behavior.

Be sure to read his full post for more details on what the participants accomplished together. And of course, this isn’t the end of the story. An even wider and deeper Interop event is planned for the RSA Conference in April 2008. Great progress on building the Internet identity layer together!

October 23, 2007
Information Card Icon Usage Guidelines Updated

Information Card IconDuring Catalyst in San Francisco we announced the now-familiar Information Card icon and its accompanying usage guidelines. Since then we’ve received community feedback on clarifications we could make to the guidelines. In response, we’ve publish an updated version of the guidelines addressing that feedback and an accompanying updated complete icon zip file during Catalyst in Barcelona.

Specifically, we were asked if we could be clearer that the icon can be used in contexts discussing and promoting Information Cards, not just in software, and some felt that the spacing guidelines were overly restrictive. My favorite feedback along these lines came from Dale Olds, in his wonderful Fashions in information card beachware post, where he wrote:

Thanks to Mike for the information card shirt. I try to wear it in compliance with the logo usage guidelines, but I think I probably sometimes stand too close to other images and I spilled some salsa on it. I’ll keep working on it.

So don’t worry Dale… I’m glad you’re enjoying your shirt and displaying the icon to the world. Heck, you can even print some cool new ones of your own using it if you want. (And if you do, it’d love it if you saved one for me!)

October 18, 2007
Strong Authentication to Healthcare Portal through CardSpace

myhealth cardThis week the public pilot of the healthcare portal myhealth.sg launched in Singapore, enabling individuals to manage their health, nutrition, and fitness information online. I’m writing about this because access to the site is secured by managed Information Cards backed by hard tokens. These USB form-factor tokens are issued in the context of the National Authentication Infrastructure initiative of the Singapore Government.

Like custom smart card applications, accessing the portal requires possession of both the physical token and the passphrase for the token, providing true multi-factor authentication. But because the token is accessed via an Information Card by CardSpace, no custom application is needed on the user’s PC. This is a concrete example of a service taking advantage of the ability to employ multi-factor authentication through Information Cards. Read all about it in Vittorio’s detailed description.

October 9, 2007
More Open Source Information Card Relying Party Software Projects

Today at the ZendCon conference in San Francisco, Microsoft announced two additional open source Information Card Relying Party software projects. These projects for the PHP and C languages complement those that were previously announced for Ruby and Java. All make it easy for web sites to add the ability to accept and create accounts with Information Cards.

The PHP software is being built by Zend Technologies. It can be used either as a stand-alone component or in combination with the Zend Framework. The C software has been built by Ping Identity. It implements core crypto and SAML token processing code for accepting Information Cards that can be utilized from any development environment.

See these sites for details on the projects:

C Relying Party code:
http://www.codeplex.com/InformationCard

PHP Relying Party:
http://www.codeplex.com/InformationCardPHP

Ruby on Rails Relying Party:
http://rubyforge.org/projects/informationcard/
http://www.codeplex.com/informationcardruby

Java Relying Party:
http://sourceforge.net/projects/informationcard/
http://www.codeplex.com/informationcardjava

October 2, 2007
Ashish Jain’s Open Letter to the CardSpace Team

Today Ashish Jain posted an “Open Letter to the CardSpace Team” that I’d highly encourage everyone interested in Information Cards to read. As I replied to Ashish, this is fabulous feedback. These are exactly the kinds of issues we’re going to need to nail, both as the Microsoft CardSpace team, and as an industry, to get to seamless, ubiquitous use of Information Cards. Thanks for the great input!

As we’re planning future versions of CardSpace, it’s incredibly valuable to be hearing this and other constructive feedback from the community based on real deployment experiences. Keep it coming!

Towards that end, please permit me to be so bold, Ashish, as to ask you to write a second installment of your Open Letter. You did a tremendous job in the first capturing things that we could do better on. In the second it would be cool if you could capture the things that you believe that we already got right. Why? To hear you heap on the praise? No (although we’ll never refuse that when offered :-) ). I’m asking so that as we change things to make future versions better, we also have community input in some areas saying “This aspect of CardSpace is already working well for me – please keep it working at least that well in the future!”

And of course, my request doesn’t only apply to Ashish. The more concrete feedback we receive about what’s working well for you with CardSpace and what isn’t, the more data we’ll have to base our future decisions upon. Drop me a note when you post feedback and maybe also leave a blog comment on this post pointing to your feedback as well so I and others will be sure to see it.

Finally, as you know, the CardSpace team now has a voice at CardSpace: Behind The Code where you can expect to hear both posts both about things we’ve already improved in the upcoming the .Net Framework 3.5 release and also questions from the team and community dialog. So be sure to tune in to the discussion there as well.

Thanks again for the great letter, Ashish!

September 25, 2007
New CardSpace Team Blog, New CardSpace Features

I’m pleased to announce two great developments. First, the CardSpace team just established a team blog. The blog will provide a direct voice for the team members to communicate about their work.

Second, on the blog they’ve started a series of posts about new features to come in the .Net Framework 3.5, which will ship with Windows Vista Service Pack 1 and be available as a free download for Windows XP and Windows Server 2003. The first post in the series describes the ability to use Information Cards at relying parties over http connections, without requiring a SSL certificate. This was a feature a number of you had asked for and the team responded.

Subscribe to the blog and read the series! Also, check out Vittorio Bertocci’s useful commentary on the no-SSL feature.

« Prev - Next »