Monday, December 24, 2007

Welcome Rob

A happy Christmas present reached us just on time. Rob Richards is now an official member of the openinfocard team. Welcome, Rob, and happy committing.

Friday, December 21, 2007

id selector advertising

I just uploaded a new version (xmldap-0.9.9.200712212304.xpi) to the openinfocard's download area. This version allows you to change the value of the http header that advertises the id selector to the relying party.

You can choose between

  • no advertising
  • advertise existence
  • advertise id selector name


The screenshot (enlarge it to read the values) shows the preferences dialog; the X-ID-Selector HTTP header is visible in the left sidebar.



This version now uses the same object handling code (from digitalme) as the id selector that recently became known as CardSpace for Firefox.

Of course all of the id selector advertising stuff is preliminary and subject to change.

update: Rob Richards corrected my initial code that fills the menupopups in the preferences dialog, so that only installed id selector extensions are added to the popup's item list.

Friday, December 14, 2007

CardSpace for Firefox

In a few minutes I will upload the new version (1.0.5) of the identity selector hosted on the codeplex site. I always had problems with this name. At first it was called "Kevin's extension", later "the id selector selector".

From now on I will call it "CardSpace for Firefox" or CS4FF.


So... what is the reason for the new version? The folks from signon.com reported problems with the former version 1.0.4, and since the release of 1.0.4 Andrew Hodgkinson had improved the information card handling in his digitalme id selector. CS4FF uses Andrew's code, and today I put Andrew's new code into CS4FF. I hope that this fixes some of the issues. The results of a quick private interop are shown in the list below (relying party, then the observed result; entries without a remark carried no text in the result column):

  • xmldap.org
  • signon.com
  • pingidentitylabs.com
  • live id: Mike Jones says that this is working.
  • FriendsWithCards: a little window appears: "A problem occured. undefined"
  • higgins: "CardSpace could not validate the identity of this site." (This is a certificate problem.)
  • IBM RP
  • IC-Ruby
  • IC-Java
  • Pamela Project
  • Ping Identity Simple RP: not reachable
  • Ping Identity Advanced RP: not reachable
  • CA Siteminder RP: "CardSpace could not validate the identity of this site." (This is a certificate problem.)
  • Bandit Trac
  • Oracle RP
  • Bandit Podcasts PW RP Word Press: tbd
  • IC-C: tbd
  • Siemens DirX RP: I am not willing to import all these certificates!
  • WSO2-IS Java RP: tbd
  • MS RP for MS IdP: not reachable
  • MS Any Issuer RP: not reachable
  • MS no-SSL RP: not reachable


In the preferences you can now select between the three known id selectors available for Firefox: CardSpace, openinfocard and digitalMe!

I don't have digitalMe installed. Please test this.

Have fun!

XHTMLate your Work

I recommend this post by Shelley Powers not only to WordPress users, but especially to WordPress users.

I hope that some relying parties will move to XHTML compliance soon. Ashish Jain is doing great work, not only in this regard. The relying party at https://www.pingidentitylabs.com/ has improved to only 4 errors. Great. Thanks.


wishlist

Wednesday, December 12, 2007

CardSpace getting FAT

The CardSpace team blogged about a new "feature" of .NET 3.5. You can now work with CardSpace on a Windows system that has its system drive formatted with the FAT filesystem...


They write:

We’ve received a surprising amount of feedback (some of the earliest from Pamela Dingle) that customers are still using FAT file systems and this is causing problems.


I am surprised too. What will be next? CardSpace running on windows95? Help!

Sure, the cardstore is still encrypted twice... but still...
I believe that this is a step back. Security sacrificed on the altar of (what?) laziness/stupidity/...

As a security auditor I would question the risk management of anyone who still uses FAT in 2007.

Monday, December 10, 2007

http header: X-ID-Selector

There is currently a discussion about whether and how a browser should indicate the presence of installed id selectors. I am against "polluting" the user-agent string.

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)

This indicates only that .NET 3.0 is installed; it does not tell the relying party whether CardSpace is active or disabled.

I prefer that the id selector adds an HTTP header, e.g. "X-ID-Selector", to the HTTP requests.

This is easy to implement; so I did it for the openinfocard id selector (xmldap-0.9.9-200712102230.xpi).

Here is a screenshot of the Live HTTP Headers recording of a visit to a relying party:

In the sidebar you can see the "X-ID-Selector: openinfocard" header.
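The following is an added example and not code from the openinfocard extension. It shows the three advertising modes from the preferences dialog ("no advertising", "advertise existence", "advertise id selector name"), the request header each mode produces, and the relying-party side that reads the header. The header name X-ID-Selector and the value "openinfocard" come from the posts; the mode names, the value "1" for "advertise existence", the function names and the HTML fragment are assumptions.

```javascript
// Added example (not openinfocard's own code). Assumptions: the mode names,
// the value "1" for "advertise existence", and the function names.
const ADVERTISE = {
  NONE: 'none',            // no advertising: send no header at all
  EXISTENCE: 'existence',  // advertise existence: header present, selector not named
  NAME: 'name',            // advertise id selector name: header carries the name
};

// Selector side: the header to add to an outgoing request, or null for none.
// In the extension this would run from an "http-on-modify-request" observer and
// call nsIHttpChannel.setRequestHeader(name, value, false) on the channel.
function idSelectorHeader(mode, selectorName) {
  switch (mode) {
    case ADVERTISE.NONE:
      return null;
    case ADVERTISE.EXISTENCE:
      return { name: 'X-ID-Selector', value: '1' };
    case ADVERTISE.NAME:
      // A header value must be a single line of printable ASCII; anything
      // else (CR/LF in particular) would corrupt the request, so refuse it.
      if (!/^[\x20-\x7e]+$/.test(selectorName)) {
        throw new Error('selector name is not a valid header value');
      }
      return { name: 'X-ID-Selector', value: selectorName };
    default:
      throw new Error('unknown advertising mode: ' + mode);
  }
}

// Relying-party side. Header names are case-insensitive, so normalise before
// comparing. Returns whether a selector announced itself and, if known, its name.
function detectIdSelector(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'x-id-selector') continue;
    const v = String(value).trim();
    return { present: true, name: v === '' || v === '1' ? null : v };
  }
  return { present: false, name: null };
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// What the relying party renders. The header is client-controlled and
// unauthenticated, so it may only steer the UI (show the information card
// object or a plain login form), never an authorisation decision, and the
// announced name must be escaped before it is reflected into the page.
function renderLoginMarkup(detection) {
  if (!detection.present) {
    return '<a href="/login">Log in with a password</a>';
  }
  const hint = detection.name ? ' (' + escapeHtml(detection.name) + ')' : '';
  return '<object type="application/x-informationcard" id="icard">' +
         '<param name="requiredClaims" value="' +
         'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"/>' +
         '</object><span>Information card selector detected' + hint + '</span>';
}
```

Unlike the ".NET CLR" tokens in the user-agent string, the header says something about the selector itself; but since any client can send it, a relying party should treat it exactly like the user-agent string: a hint for what to render, nothing more.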


BTW: Here follows a probably not widely known description of how to disable application/x-informationcard handling in IE7.

Open this preferences window and click "manage add-ons".

Next select "InformationCardSigninHelper Class" and disable or delete it. This does not change IE7's user-agent string.

xmldap paymentCard_sts certificate

Kim Cameron noted that the certificate of the xmldap paymentCard_sts was expired. This is/was my fault. I used the wrong key alias and selected the expired certificate instead of the current one.
I changed the application's configuration today. Now I am able to create a card and import it into CardSpace, which formerly complained about the expired certificate and refused to import the managed card.


Please note that the paymentCards can be imported into CardSpace but cannot be used with CardSpace, because the claims do not match.
The card carries the claim "http://schemas.xmlsoap.org/PaymentCard/trandata?", while the relying party requires a claim such as "http://schemas.xmlsoap.org/PaymentCard/trandata?price=2700EUR". CardSpace requires the claim URIs to be identical, so these do not match and CardSpace marks the paymentCard as not applicable.

Here is the same card, that I previously imported into CardSpace, used in the openinfocard id selector:


Please note that the value of the variable claim is displayed to the user.

Thursday, December 06, 2007

shortening the wishlist

A new version of the openinfocard id selector (0.9.9.20071206) is in the download area of the project.
The oldest card that was once sent to a relying party is now ensured to be visible by scrolling it into view.

Here is a picture after using the infocard login at signon.com:

wishlist

openinfocard

GUI

  • Drag&Drop for card import and export.
  • Drag&Drop for card selection. E.g.: Firefox sidebar displays the cards and I can drag it on the infocard icon to use it.
  • Tree/list view of my information cards, sortable by issuer, token type, ...
  • More flexible display of claims; one column, two columns...
  • Store window position and size.
  • Ensure that card that was used the last time at this RP is visible.
  • ...

Features

  • Key generation for self-issued cards from a master key, to be compatible with CardSpace.
  • Export compatible with CardSpace.
  • Information card backed by X509 certificate and self-issued card.
  • Make the definition of a default card per RP possible in the preferences. This card will automatically be selected and used when the selector is invoked for a specific RP.
  • Support for symmetric binding.
  • Support for SAML 2; between the id selector and the IdP.
  • Security token store. If I already have an applicable security token then give the user the choice to reuse it.
  • ...

Relying Parties


CardSpace

  • "standard" cardstore interface to support cardstores on e.g. hardware tokens and webservers.
  • RoamingCardstore format that keeps all the metadata and all the generated keypairs for relying parties.
  • EncryptedStore format that tells the algorithms and parameters used. xmlsec and xmlsig allow all of this to be specified. The current format requires us to already "know" what was used.
  • winlogon with CardSpace. Mainly to make the user experience known to a broader audience.
  • Open/define the interface to replace icardie.dll by e.g. openinfocardIE.dll or digitalmeIE.dll to make it possible to use "alternative" id selectors from Internet Explorer.
  • Security token store. If I already have an applicable security token then give the user the choice to reuse it.
  • ...


Many more... Some wild and futuristic ;-)
Have fun.

Tuesday, December 04, 2007

openinfocard gui improvements

When I tried the openinfocard id selector on a new laptop I noticed that the GUI truncated some labels and icons. The same selector looks ok on my other laptop...

I changed the CSS to remove some restrictions regarding font size and label heights.
The "cancel" button is now triggered when the ESC key is pressed. The "new card" button is now triggered when the "insert" key is pressed. Information cards are now selected and sent to the relying party when the card is double-clicked.

I tested this with Firefox 2.0.0.11 in both the English version and the version localized to German.
Regarding the changes to the cardstore location: the preferences dialog needs translations for the other supported languages... Please look here for the supported languages and the text that needs translation.



The new version (xmldap-0.9.9.20071204.xpi) can be downloaded here.



Monday, December 03, 2007

xmldap / openinfocard paymentCards

At DIDW 2007 I heard Sid Sidner talk about variable claims and how they could be used for online payment. Kim Cameron, who sat next to me during Sid's talk, suggested that I should include this into the openinfocard id selector.

Today I uploaded two new applications to xmldap.org.

You can use the STS to create a paymentCard and import it into the openinfocard id selector:


Next go to the paymentCard relying party. You can change the price to see that the claim can be changed by the merchant. Type a new price into the input field and press enter. Next click on the paymentCard icon to start the openinfocard id selector:

Select a paymentCard using the openinfocard id selector:

The result looks something like this:

Please note the "trandata?" claim. This is the one that is modifiable by the relying party. It can contain anything. Sid suggested base64-encoding the data needed for 3-D Secure. I just use the variable claim to transport price information from the merchant to the STS.

The basic principle: if a claim contains a '?' then the matching of the claim against the claims in an information card stops at that point; that is, the claim "matches" and the whole claim is sent to the STS in the RST.

Of course this does not work with the current version of CardSpace.
Some newer version of the openinfocard id selector should do it. Update: the variable claim matching functionality has been in it since the end of October (I think). The relying party and the STS have been in the version control system since the same time. I did not find time to blog about this feature earlier.
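As an added example (not the openinfocard project's code), here is the matching rule from this post next to the exact matching that, according to the paymentCard_sts post above, makes CardSpace mark the card as not applicable, plus the Claims element that carries the whole variable claim to the STS in the RST. The two claim URIs are the ones from the posts; the card structure, the function names and the sample price parameters are assumptions.

```javascript
// Added example (not the openinfocard project's code). The claim URIs are from
// the posts; the card structure and function names are assumptions.
const TRANDATA = 'http://schemas.xmlsoap.org/PaymentCard/trandata?';

// The paymentCard as issued by the STS: its only claim is the variable one.
const paymentCard = {
  cardName: 'xmldap paymentCard',   // constructed sample
  supportedClaims: [TRANDATA],
};

// Exact matching, the behaviour the post attributes to CardSpace: the card must
// list the required claim URI verbatim, so "trandata?price=2700EUR" never matches.
function exactMatch(requiredClaim, cardClaims) {
  return cardClaims.includes(requiredClaim);
}

// Variable-claim matching: when the required claim contains '?', comparison
// stops at the '?' (inclusive). Everything after it is the value the relying
// party chose, e.g. "price=2700EUR", and plays no part in matching.
function variableMatch(requiredClaim, cardClaims) {
  const q = requiredClaim.indexOf('?');
  if (q < 0) return exactMatch(requiredClaim, cardClaims);
  return cardClaims.includes(requiredClaim.slice(0, q + 1));
}

// A card is applicable to a relying party when every required claim matches.
function isApplicable(requiredClaims, card, match) {
  return requiredClaims.every(c => match(c, card.supportedClaims));
}

// Split a variable claim into the card's claim URI and the relying party's
// parameters, which is what the STS has to do before it can act on the price.
function parseVariableClaim(claim) {
  const q = claim.indexOf('?');
  const params = {};
  if (q >= 0) {
    for (const [k, v] of new URLSearchParams(claim.slice(q + 1))) params[k] = v;
  }
  return { base: q < 0 ? claim : claim.slice(0, q + 1), params };
}

function xmlAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}

// The Claims element for the RST sent to the STS. For a variable claim the
// whole required claim, value included, is sent, so the STS sees the price.
// The value is merchant-controlled text, hence the attribute escaping; the
// prefixes wst: and ic: are assumed to be declared by the enclosing RST.
function rstClaimsXml(requiredClaims, card) {
  const lines = requiredClaims
    .filter(c => variableMatch(c, card.supportedClaims))
    .map(c => '  <ic:ClaimType Uri="' + xmlAttr(c) + '"/>');
  return '<wst:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">\n' +
         lines.join('\n') + '\n</wst:Claims>';
}
```

Because the part after the '?' is chosen by the merchant, the STS must treat it as untrusted input: parse it with the same care as a query string and reject anything it does not understand, rather than embedding it unchanged into the issued token.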

Have fun.

Saturday, November 24, 2007

openinfocard 0.9.8 relying party test results

Relying party, then the observed result with the openinfocard 0.9.8 id selector (entries without a remark carried no text in the result column):

  • xmldap.org
  • live id
  • FriendsWithCards
  • higgins (left button)
  • IBM RP: Selector does not start when the icon is clicked, though the debug output of the selector shows that the object is found.
  • IC-Ruby: "Could not login with information card." The selector starts, I choose a card, then the error message is displayed. No reason for the failure is given. Selector debug output looks ok.
  • IC-Java: This works. I don't feel like registering right now, so the error message is correct.
  • Pamela Project
  • Ping Identity Simple RP: tbd
  • Ping Identity Advanced RP: tbd
  • CA Siteminder RP: tbd
  • Bandit Trac: tbd
  • Oracle RP: tbd
  • Bandit Podcasts PW RP Word Press: tbd
  • IC-C: tbd
  • Siemens DirX RP: Firewall problems. Can not access port 9443.
  • WSO2-IS Java RP
  • MS RP for MS IdP: symmetric binding is not supported by the openinfocard id selector.
  • MS Any Issuer RP
  • MS no-SSL RP

Good-Bye XBL

I just uploaded a new version (0.9.8) of the openinfocard id selector. You can find it in the project's download area.

Finally we got rid of the XBL code. There are several problems with XBL; the most notable being that bindings are not applied to objects in the head section of the HTML code on the relying party.

Andrew Hodgkinson had the idea to replace the XBL by a progress listener. The progress listener gets every event while the HTML code is parsed and the page constructed. Clever!

I tweaked Andrew's code a little bit, but all credit goes to him. Thanks.

Further new but somewhat experimental features in this release:
- the cardstore can now be wherever the user chooses it to be (as long as Firefox can treat it like a nsILocalFile). Everything that looks like a file system should work.
- the cardstore is now encrypted with the Firefox master password (if one is set)
- the cardstore can be on a webserver (GET and POST). This is not tested.

BTW: There is a new version (1.0.4) of the CardSpace4Firefox extension.

Special thanks to Rob Richards too. Rob was the first to adapt Andrew's code for the openinfocard selector and he tested it against many relying parties. He built a selector selector Firefox extension that calls the actual id selector. The id selectors implement Kevin Miller's API.
I think this is a good idea but somewhat inconvenient for the user because this concept requires two extensions to be installed.
I chose another way and implemented the selector selector in both extensions: openinfocard and CardSpace4Firefox. This way each selector is self-contained and does not depend on other extensions. Each extension is programmed to be "friendly" to the other extensions that use the same progress listener scheme.

My plan for the next days is to integrate DigitalMe into the selector selector. Then we have all three id selectors in one instance of Firefox. Nice.

Tuesday, November 20, 2007

Corrupted Card Collection for CardSpace

After installing .NET3.5:

Corrupted Card Collection for CardSpace
So if you *really* need your cards then make a backup before installing .NET3.5.

The new - polluted - IE7 user agent string:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04324.17; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

I copied it from the latest xmldap.org relying party. It outputs the user agent string to make documenting the interop tests easier.

xmldap.org relyingparty no-SSL

Please notice that this is no-SSL.

Downloading The New Version Of CardSpace


Right after I saw Mike Jones' post that a new version of CardSpace is available I started to download "it". Well, first a download for dotNetFx35setup.exe of about 3MB size started and I thought: "Hey, they really boiled this down from the over 50MB to a manageable size". But then the disappointment... The setup application does not set up .NET 3.5 but downloads another 67MB of hopefully useful and necessary code.
Probably it is still too early in the morning and my skepticism is still sleeping... Call me naive.
Maybe I am an eternal optimist...

Anyway; I think that Microsoft should split this up so that I can get only what is needed for CardSpace and only that code that is not already on my machine. Maybe this will all be already installed in Windows8?!

Sunday, November 11, 2007

xmldap.org RP XHTML 1.0 strict

The xmldap.org relying party is XHTML compliant. This is important because triggering the id selector is hard enough with "legal" HTML.

And: Always nice to see the site and/or cards issued by the xmldap STS in other posts:

Wednesday, November 07, 2007

Sea of Change

Paul Madsen found this periodic table of diagrams.
Which reminded me (somehow) of this map of Online Communities:

Tuesday, November 06, 2007

New Versions for Firefox 2.0.0.9

Please find the new version of the openinfocard id selector for Firefox 2.0.0.9 in the project's download area.
It is best used with the new version of the identity selector selector, which can be downloaded from this project's download area.

I tested both with most of the relying parties in the table "I2 Relying Party results with Identity Selectors". First the id selector selector with CardSpace 1.0, then with the latest openinfocard id selector.
I did not test RPs that bugged me with certificate issues.
The Ping Identity advanced RP is as Firefox-unfriendly as ever, but it worked.
I did not test the no-SSL Microsoft RP with CardSpace 1.x because I don't have that installed. I tested the no-SSL xmldap relying party with the openinfocard id selector, which works fine!



You might want to know what changed...
Well, too bad I did not take notes. I noticed that Firefox 2.0.0.9 works with IdentitySelector-1.0.1.xpi! From there I - very carefully and slowly - redid all the changes and feature integration again. In the end it worked. This is not really satisfying from a software engineering and quality assurance point of view... but who cares?!
<update>
The major change with the id selector selector is that it now leaves the type of the object untouched. Formerly the type was set to "" to remove the dreaded browser notification "Additional plugins are required ...". I think changing the type of the object is dangerous and yields unpredictable results.</update>
The major change with the openinfocard id selector is that it now detects the id selector selector and leaves the 'object type="application/x-informationcard"' handling to it. The id selector selector has been better at handling the objects since it came into existence.

Next steps regarding object handling:

  • I would like to have the DigitalMe id selector integrated into the id selector selector. And I would like the openinfocard id selector to handle the objects alone if the id selector selector is not installed, but currently I don't know how to achieve both goals simultaneously.
  • Test RPs with multiple objects outside of forms.

Thanks to Andrew Hodgkinson and especially to Boris Zbarsky (Mozilla guru) who asked the right questions.

Sunday, November 04, 2007

Supporting Information Cards with Browsers as of the Information Card Profile V1.0

While investigating the issues described in my former post I began to wonder why this all has ever worked... You have had this feeling in your computer science life too now and then, right?

My personal history regarding this: Chuck designed the code of the openinfocard id selector in a way that it worked with early relying parties according to the examples given in THE GUIDE. Our relying party at xmldap.org is designed exactly along the examples from the guide. When I joined the team I did not have to bother with the particular code that did the HTML object handling. I changed this code several times, but I was only adding code needed for e.g. correct/better PPID computation and lately no-SSL support. The major workings of the code were not changed because it handled the examples given in the guide ok. Later new relying parties appeared with javascript triggering, and I used Kevin Miller's extension because it handled most of these cases correctly.

After having spent some hours finding the reason why the id selectors stopped working in some cases I began to think that the behavior of IE7 might not be standard HTML (whatever that is). I think that the examples given in the guide expect the browser to retrieve the value of the object when it is inside a form and pass this value to the RP in the post data. Is this HTML standard behavior expected from browsers?

The Microsoft relying parties listed in OSIS - Relying Party results with Identity Selectors currently use another approach.


function InformationCard1OnClick(doNotSubmit) {
    try {
        // The identity selector writes the security token into the value of the
        // <object type="application/x-informationcard"> element. The original
        // relied on IE's implicit global for the element id; getElementById
        // works in every browser.
        var token = document.getElementById('icardInformationCard1').value;
        if (!token) {
            throw 'ID5006: No token is returned from InformationCard.';
        }
        // Copy the token into a hidden form field so that the form POST carries it.
        document.getElementById('InformationCard1_TokenId').value = encodeURIComponent(token);
    } catch (ex) {
        // ex.number / ex.description exist only on IE error objects (and not on
        // the string thrown above); fall back to the exception itself elsewhere.
        var msg = (ex.number !== undefined ? ex.number : '') + '::' + (ex.description || ex);
        var err = document.getElementById('InformationCard1_ErrorId');
        err.textContent = encodeURIComponent(msg);   // innerText is not supported by Firefox 2
    }
    if (!doNotSubmit) {
        document.getElementById('formInformationCard1').submit();
    }
}

THIS MAKES SENSE!
  • get the object value
  • copy it to the form field
  • and submit

Not only does it make sense it still works with Firefox 2.0.0.[8|9]!



My suggestion: Somebody should write a new version of the guide and change the code of relying parties to this scheme!

I consider some of the other schemes currently in use just tricky/wrong/complex/false.
One relying party, which I can not find anymore, changes the object parameters in the submit function. What sense does this make???!!!

To sum it up: It would be nice if having the object inside the form and having the browser add the object's value to the posted data would work, but I am not sure whether this is _standard_. Requiring javascript is maybe not _friendly_, but maybe inevitable. I think that the HTML object element was invented to handle media types, and this does not imply that a parent form should submit the object's value. Doing this explicitly might be better.
Just my 0.2 cent.

Friday, November 02, 2007

Firefox 2.0.0.[8|9] xbl problem

There seems to be a bug/problem with the DigitalMe id selector, the openinfocard id selector and the perpetual-motion id selector selector and Firefox 2.0.0.[8|9]. Others report problems too.

If you want to use our id selector extensions please use Firefox 2.0.0.7 for now.

Curious what is going on inside the extensions? Then you should configure Firefox to show you. Please follow the instructions given here: Setting up extension development environment. Setting the preferences is easy. Just enter about:config into the address bar and go for it.
The current XBL problem is not visible there, though, but you will sometimes see a lot of warnings regarding faulty CSS.

One item from my relying party wishlist: please adhere to the standards (XHTML, HTML, CSS)! Sometimes it is hard to see the debug messages among all the warnings caused by the relying party code.

Wednesday, October 31, 2007

Codeplex IdentitySelector 1.0.2

I just uploaded a new version 1.0.2 of the identity selector selector Firefox extension.

Firefox


You can find the XPI and the source code zip-archive on the Codeplex IdentitySelector release page. Please click the "IdentitySelector-1.0.2.xpi" link to install this extension into Firefox.

So, what's new?
  • issuerPolicy is now supported
  • no-SSL should now be supported. Not tested. You need .NET 3.5 (CardSpace 1.x) to test this.
  • report errors to javascript console
  • tokenType may be null
  • requiredClaims may be null
  • javascript errors in InformationCard.xml are fixed


Here are two pictures showing Microsoft's ageSTS before and after login using this new version of the Firefox extension with CardSpace 1.0 as the identity selector:




This needs more tests and sometimes shows the dreaded "Additional plugins are required to display all the media on this page" status bar.



Please try it and report issues to me.

Tuesday, October 30, 2007

openinfocard no-SSL


I just uploaded a new version with initial no-SSL support to the openinfocard download area.

The relying party at xmldap.org is not yet updated, but this will happen soon.

Monday, October 29, 2007

ID Selector Beta Version Regression

How and when to trigger the id selector is --- complicated ---.
Two beta versions back I introduced preliminary code to handle javascript triggering better. Well, since then the openinfocard id selector started to dislike our own xmldap.org relying party, which uses the plain old style recommended in "A Guide to Supporting Information Cards within Web Applications and Browsers as of the Information Card Profile V1.0". Thanks Pamela for notifying me.
After two nights of fruitless tries to fix this I decided today to go back two steps.
I made a backup of my current local code repository and retrieved a fresh copy from the public google code repository to build a "working" version again.
You can download it (xmldap-0.9.8.200710291053.xpi) here.

As I consider myself an eternal optimist... here is a small outlook on which features might make it into the next (sans-micro-)version.
- no-SSL support
- better javascript id selector triggering

Friday, October 26, 2007

information card web integration complexity

During the interop id selectors were, among many others, tested against this relying party: MS no-SSL RP.

As you can see in the results table every selector other than the CardSpace selectors failed. At first glance this is no wonder because the no-SSL feature was just recently introduced.
BUT there are other reasons why these failures occur. One thing that really annoys me: somebody found it cool to put the object element of type application/x-informationcard into the head part of the HTML document!
Well, this may be perfectly legal, but why don't "they" adhere to their own "A Guide to Supporting Information Cards within Web Applications and Browsers as of the Information Card Profile V1.0"?
Keep it simple! What is the reason to do this? Please enlighten me!

We all want information cards to be a success but doing all kind of possible tricks does not help. Giving guidelines to relying parties is good, but maybe this should not be just guidelines but a "standard"?!

Thursday, October 25, 2007

Interop I2

There has been some blogging about the interop event at Burton Group's Catalyst Conference EU07 already.


It has been a lot of work to test all this. I tested the openinfocard id selector against all IdPs and all RPs. Next the result tables for the xmldap IdP and the xmldap RP waited to be filled. Some servers even needed to be tested several times because issues were found. Special thanks from me to Microsoft's Age STS team. It took us some time to notice that they use the 'issuerPolicy' parameter, which caused the trouble.
My opinion is: don't use issuerPolicy unless you have a good reason. And don't use symmetric binding unless you have a good reason. I would prefer it if we concentrated on the "standard" use cases for now.

Another point: One thing I missed during the interop. We forgot to create tables for the handling of privacy statements. I put this feature into the openinfocard id selector just recently...


This leaves us some work for the next interop. If you think that this is an id selector feature and not an interop issue, then try to view the privacy statement from xmldap's relying party using CardSpace.

A final word: Alles wird gut (everything will be fine).

Tuesday, October 23, 2007

Card Import Issue

I just uploaded a new version of the openinfocard id selector to
http://code.google.com/p/openinfocard/downloads/list

The XML library of Firefox's JavaScript seems to dislike XML processing instructions.
Now I remove them before importing the card...
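As an added example (not the openinfocard code; the sample card document is constructed and the function name is an assumption), here is how the XML declaration and any other processing instructions can be removed from a card file before it is handed to the XML parser, without touching a "<?" that sits inside a comment or a CDATA section:

```javascript
// Added example, not openinfocard's own code. Removes the XML declaration and
// every other processing instruction ("<?...?>") from an XML text, while
// copying CDATA sections and comments through untouched, so that a "<?"
// inside them is not mistaken for a processing instruction.
function stripProcessingInstructions(xml) {
  let out = '';
  let i = 0;
  while (i < xml.length) {
    if (xml.startsWith('<![CDATA[', i) || xml.startsWith('<!--', i)) {
      // Opaque section: copy it up to and including its terminator.
      const terminator = xml.startsWith('<!--', i) ? '-->' : ']]>';
      const end = xml.indexOf(terminator, i);
      if (end < 0) throw new Error('unterminated section, expected ' + terminator);
      out += xml.slice(i, end + terminator.length);
      i = end + terminator.length;
    } else if (xml.startsWith('<?', i)) {
      const end = xml.indexOf('?>', i);
      if (end < 0) throw new Error('unterminated processing instruction');
      i = end + 2;   // drop the whole instruction
    } else {
      out += xml[i];
      i += 1;
    }
  }
  // The removed declaration usually leaves a blank line in front of the root element.
  return out.replace(/^\s+/, '');
}

// Constructed sample: a minimal card document with a declaration, a stylesheet
// PI, and a "<?" inside a comment and a CDATA section that must survive.
const SAMPLE_CARD =
  '<?xml version="1.0" encoding="utf-8"?>\n' +
  '<?xml-stylesheet href="card.xsl" type="text/xsl"?>\n' +
  '<ic:InformationCard xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">\n' +
  '  <ic:CardName>test card</ic:CardName>\n' +
  '  <!-- <?looks like a pi?> -->\n' +
  '  <ic:PrivacyNotice><![CDATA[<?notice?>]]></ic:PrivacyNotice>\n' +
  '</ic:InformationCard>';

// stripProcessingInstructions(SAMPLE_CARD) starts with '<ic:InformationCard'
```

One caveat for managed cards, which are signed XML: processing instructions inside the signed element are part of what was canonicalised and signed, so verify the signature over the card exactly as received and only then strip for the convenience parse, rather than verifying a text that has already been modified.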

They did it again ;-)

The interop event at Burton Group's Catalyst Conference Europe 07 in Barcelona just started and guess who has no nice poster provided by Burton Group? All the other participants have one, but xmldap's / openinfocard's is missing again.

They did this to us in the first interop too.

Update: Somebody brought the xmldap sign later. Thanks.

Here is a picture (courtesy of Charles Andres) showing me and Steffen Konegen from the jinformationcard team. (Still without the sign)