Monday, July 30, 2007

Issuer Logo

The Firefox id selector (0.9.4) now displays the issuer logo from the relying party's X509 certificate again. I had added that code last autumn but the code calling this code was lost when Chuck redesigned the GUI in preparation of an IIW. I never cared much to put it back in, because I was kind of frustrated with EV certificates. I tried really hard to generate an EV certificate; I generated a CA certificate and put in the "trusted" store. Next I used that to generate a SSL server certificate which had everything in it what is required to comply to the Certificate Guidelines. But neither IE7 nor Cardspace accepted this as an EV certificate. Then I learned that being an EV certificate is not a matter of the certificate but a matter of the certificate store. Microsoft developers have a custom tool to turn a certificate inside the store into an EV certificate :-{
Well, this weekend I put the code back in. Here are two pictures of the Firefox id selector displaying the issuer logo from my own local relying party

and the issuer logo from verisign's PIP relying party.

The logotype ASN.1 stuff is here. The java code to generate my own SSL server certificate with logotype support is here in
Example code how to use the code is in the JUNIT test

Friday, July 27, 2007

jinformationcard improved minishop

In yesterdays post I wrote that the jinformationcard minishop does not accept the security tokens generated by the Firefox id selector.
Today Steffen Konegen sent me an email that he fixed this in the jinformationcard relyingparty. Cool.

Wednesday, July 25, 2007

Microsoft CardSpace Demo Site is not working with Firefox Id Selector

I just tried to login using my self-issued informationcard

All your base are belong to us
at Fabrikam Friends. But it throws an error page at me.

My guess is that Fabrikam Friends can only handle bearer tokens not holder-of-key tokens. I noticed the same behaviour at the jinformationcard demo shop.
The internal STS in Windows CardSpace issues bearer tokens

while the Firefox ID selector issues holder-of-key tokens.

Kim's Identityblog is still accepting my tokens. Good.

Though I won't rule out that something is wrong with the Firefox id selector tokens. When 's the next interop?

Tuesday, July 24, 2007

New Version of the Firefox ID Selector

Today I committed new code to the openinfocard repository.
This has the version number 0.9.3.

  • It improves support for managed claims in the Firefox ID selector

  • It implements a sample relying party and STS for geopriv claims (civic address)

First a managed cards is created, that holds the civic address of my office:

Then the relying party is visited:

The managed card is chosen:

Here are the provided claims:

The managed claims url's are "inspired" by rfc4119.
Besides serving static addresses the new geopriv_sts could issue a security assertion that is based on the current location of the requestor. For this the STS should be operated by the access provider. The authentication to the STS should be by self-issued information card and/or IP-Address (The usual NAT/STUN problems/solutions have to be considered, of course). The client could be a VoIP phone.
In my opinion many topics in the ECRIT mailing list could be addressed by this kind of STS.

Monday, July 23, 2007

FireFox Identity Selector Selector

"This is not the Firefox Identity Selector, I used" I heard this morning and not for the first time. People try Kevin Miller's Firefox extension to get CardSpace support in the best available browser on their Windows PC and come to think that this extension is the identity selector. Well, Kevin never made the claim that his extension is the identity selector. He wrote: "The FireFox Identity Selector extension implements support for CardSpace on Windows". Which means: it handles the embedded html object and calls the Windows CardSpace identity selector. Kevin continues: "Additionally, the extension provides the ability to plug-in other Identity Selectors".
This is true. THE Firefox identity selector can be found here:

So, if your Firefox identity selector does not look something like this, then you are not using the Firefox identity selector. Try it:

Friday, July 20, 2007

Firefox ID Selector and J-Informationcard RP

Today I noticed that the demo site of the Microsoft sponsored project J-Informationcard did not work with the Firefox ID selector. I suggested to Steffen Konegen to use the HTML Kit provided by Microsoft to detect CardSpace support and he promptly did. The image shows their login page.
Nice to have new relyingparty.

Wednesday, July 18, 2007

Proof Pudding: Identity Metasystem and CardSpace Interop in Action

Proof Pudding: Identity Metasystem and CardSpace Interop in Action
I missed this video because I was on vacation when it was released.
Great stuff about the Bandit-Project ID-selector interoperating with CardSpace and a nice demo of CardSpace on a mobile phone (Windows operating system, of course).

Saturday, July 14, 2007

eCards and CardSpace

Yesterday, Friday 13th July 2007, I attended a workshop "Biometrics and eCards".

My main interesst was the "eCard API" which is currently standardized in Germany. This API is intendet to standardize the access of applications to the cards issued by the German government. My first impression of the eCard API was that it is quite (!) complex. Building a complying smartcard, reader and dll/jar/so looks challenging.
Several participants from the industry complaint that the standardization process is not open enough, to late and that the dead-lines are too short. My impression was that everybody exept delegates from the BMI and BSI seemed to agree.

Why am I blogging about this here? Because I was happy to learn that Identity Management and Privacy could be found everywhere. It was certainly not the main focus of many talks but CardSpace and SAML and WS-* etc popped up here and there and people I talked to during the breaks all had profound knowledge of this.
This gave me the thought that current and future projects envolving smartcards are not doomed from the beginning.
Germany was one of the first countries to have laws regarding electronic/digital signatures, but all projects (e.g. e-Vergabe) trying to utilize this and/or to make money from it (eCommerce/eGovernment) currently live in the dark and remote parts of public attention and economic success. By which I don't want to say that this projects are not necessary. They are important projects but people and companies are reluctant to use them until they are forced to by law.

One new project I found especially interessting. Mr. Thomas Biere (BSI) gave a talk about "B├╝rgerportale" (citizen portal). One of the functions of the portal is that of a identity/attribute/claims provider. The federal government plans to have these portals be operated by private companies which are certified by the government. Interessting. Mr. Biere said, that they are talking to major ISPs about this.
I am curious how this will work out in the end. Will the Id/STS primarily issuing the claims _it_ knows about a subject or will the main focus be on the usage of government issued/asserted claims. Id/STS interoperability is planned to be left to the operators... Interoperabilty to the portals of germany's states is an open issue too. Integration of emerging other solutions like openElster are open too.

There is a lot of work to do to make the identity revolution happen ;-)
But we will certainly by part of it. (Hm. Don't interprete this post too much in term s of what subsidiaries of Deutsche Telekom will do. These posts are _my_ posts)

Wednesday, July 11, 2007

identity.xsd glitch

While applying xmlbeans to identity.xsd I noticed that an imported schema could not be found. "" does not exist.

My guess was that this is like the claims URL-change. does exist.
This looks similar to the URL-change CardSpace enthusiasts had to endure when the claims where changed from e.g. "" to "". This introduced some work in the openinfocard project.

Microsoft says:
"The schema location for namespace should be

The schema at will be fixed."

A quick search using Eclipse throug the openinfocard source code found 12 matches for the current URL...

It seems we need to introduce a new constant:
static final String WSA_NAMESPACE_06_03 = "";
static final String WSA_NAMESPACE_04_08 = "";
static final String WSA_NAMESPACE_05_08 = "";
static final String WSA_PREFIX = "wsa";