Monday, December 24, 2007

Welcome Rob

A happy Christmas present reached us just on time. Rob Richards is now an official member of the openinfocard team. Welcome, Rob, and happy committing.

Friday, December 21, 2007

id selector advertising

I just uploaded a new version (xmldap- to the openinfocard's download area. This version allows you to change the value of the http header that advertises the id selector to the relying party.

You can choose between

  • no advertising
  • advertise existence
  • advertise id selector name

Please enlarge this picture to see the values in the preference dialog. The X-Id-Selector http header is visible in the left sidebar.

This version has now similar object handling code from digitalme as the id selector that was shortly known as CardSpace for Firefox.

Of course all of the id selector advertising stuff is preliminary and subject to change.

update: Rob Richards corrected my initial code that fills the menupopups in the preferences dialog so that only installed id selector extensions are added the popup's item list.

Friday, December 14, 2007

CardSpace for Firefox

In a few minutes I will upload the new version (1.0.5) of the identity selector hosted on the codeplex site. I always had problems with this name. At first it was called "Kevin's extension", later "the id selector selector".

From now on I will call it "CardSpace for Firefox" or CS4FF.

So... what is the reason for the new version? The folks from reported problems with the former version 1.0.4 and since the release of 1.0.4 Andrew Hodgkinson had improved the information card handling in his digitalme id selector. CS4FF uses Andrews code and today I put Andrew's new code into CS4FF. Hope that this fixes some of the issues. The results of a quick private interop is shown in this table below.

live idMike Jones says that this is working.
FriendsWithCardsA little window appears: "A problem occured.

CardSpace could not validate the identity of this site. (this is a certificate problem.
Pamela Project
Ping Identity Simple RPnot reachable
Ping Identity Advanced RPnot reachable
CA Siteminder RP

CardSpace could not validate the identity of this site. (this is a certificate problem.
Bandit Trac
Oracle RP
Bandit Podcasts PW RP Word Presstbd
Siemens DirX RPI am not willing to import all these certificates!
WSO2-IS Java RPtbd
MS RP for MS IdPnot reachable
MS Any Issuer RPnot reachable
MS no-SSL RPnot reachable

In the preferences you can now select between the three know id selectors availabe for Firefox: CardSpace, openinfocard and digitalMe!

I don't have digitalMe installed. Please test this.

Have fun!

XHTMLate your Work

I recommend this post by Shelley Powers not only to wordpress users, but especially to wordpress users.

I hope that some relyingparties will move to xhmtl compliance soon. Ashish Jain is doing great work not only in this regard. The relying party at has improved to only 4 errors. Great. Thanks.


Wednesday, December 12, 2007

CardSpace getting FAT

The CardSpace team blogged about a new "feature" of .net 3.5. You can now work with CardSpace on a windows system that has its system drive formatted with the FAT filesystem...

They write:

We’ve received a surprising amount of feedback (some of the earliest from Pamela Dingle) that customers are still using FAT file systems and this is causing problems.

I am surprised too. What will be next? CardSpace running on windows95? Help!

Sure, the cardstore is still encrypted twice... but still...
I believe that this is a step back. Security sacrificed on the altar of (what?) laziness/stupidity/...

As a security auditor I would question the risk management of anyone who still uses FAT in 2007.

Monday, December 10, 2007

http header: X-ID-Selector

There is currently a discussion how and if a browser should indicate the presence of installed id selectors. I am against "polluting" the user-agent string.

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)

This indicates only that .NET3 is installed, it does not tell the relying party whether CardSpace is active or disabled.

I prefer that the id selector adds a HTTP header e.g. "X-ID-Selector" to the HTTP requests.

This is easy to implement; so I did it for the openinfocard id selector (xmldap-0.9.9-200712102230.xpi).

Here is a screenshot of the livehttpheaders recording of a visit to a relying party:

In the sidebar you can see the "X-ID-Selector: openinfocard" header.

BTW: Here follows a probably not very known description how to disable application/x-informationcard handling in IE7.

Open this preferences window and click "manage add-ons".

Next select "InformationCardSigninHelper Class" and disable or delete it. This does not change IE7's user-agent string.

xmldap paymentCard_sts certificate

Kim Cameron noted that the certificate of the xmldap paymentCard_sts was expired. This is/was my fault. I used the wrong key alias and selected the expired certificate instead of the current one.
I changed the application's configuration today. Now I am able to create a card and import it into CardSpace, which formerly complained about the expired certificate and refused to import the managed card.

Please note that the paymentCards are importable into CardSpace but not usable with CardSpace, because the claims can not match.
The card has the claim "", while the relying party requires the claim e.g. "". These claims do not match and thus CardSpace marks the paymentCard as not applicable.

Here is the same card, that I previously imported into CardSpace, used in the openinfocard id selector:

Please note that the value of the variable claim is displayed to the user.

Thursday, December 06, 2007

shortening the wishlist

A new version of the openinfocard id selector ( is in the download area of the project.
The oldest card that was once sent to a relying party is now ensured to be visible by scrolling it into view.

Here a picture after using the infocard login at




  • Drag&Drop for card import and export.
  • Drag&Drop for card selection. E.g.: Firefox sidebar displays the cards and I can drag it on the infocard icon to use it.
  • Tree/list view of my information cards, sortable by issuer, token type, ...
  • More flexible display of claims; one column, two columns...
  • Store window position and size.
  • Ensure that card that was used the last time at this RP is visible.
  • ...


  • Key generation for self-issued cards from masterkey; to be compatible to CardSpace.
  • Export compatible to CardSpace.
  • Information card backed by X509 certificate and self-issued card.
  • Make the definition of a default card per RP possible in the preferences. This card will automatically by selected and used when the selector is invoked for a specific RP.
  • Support for symmetric binding.
  • Support for SAML 2; between the id selector and the IdP.
  • Security token store. If I already have an applicable security token then give the user the choice to reuse it.
  • ...

Relying Parties


  • "standard" cardstore interface to support cardstores on e.g. hardware tokens and webservers.
  • RoamingCardstore format that keeps all the metadata and all the generated keypairs for relyingparties.
  • EncryptedStore format that tells the algorithms and parameters used. xmlsec and xmlsig allow to specify all this. The current format restricts us to "know" what was used.
  • winlogon with CardSpace. Mainly to make the user experience known to a broader audience.
  • Open/define the interface to replace icardie.dll by e.g. openinfocardIE.dll or digitalmeIE.dll to make it possible to use "alternative" id selectors from Internet Explorer.
  • Security token store. If I already have an applicable security token then give the user the choice to reuse it.
  • ...

Many more... Some wild and futuristic ;-)
Have fun.

Tuesday, December 04, 2007

openinfocard gui improvements

When I tried the openinfocard id selector on a new laptop I noticed that the GUI truncated some labels and icons. The same selector looks ok on my other laptop...

I changed the CSS to remove some restrictions regarding font size and label heights.
The "cancel" button is now triggered when the ESC-key is pressed. The "new card" button is now triggered when the "insert"-key is pressed. Information cards are now selected and send to the relyingparty when the card is double-clicked.

I tested this with Firefox in both the english version and the version localized to german.
Regarding the changes to the cardstore location: The preferences dialog needs translations for the other supported languages... Please look here for supported languages and text that needs translations.

The new version (xmldap- can be downloaded here.

Monday, December 03, 2007

xmldap / openinfocard paymentCards

At DIDW 2007 I heard Sid Sidner talk about variable claims and how they could be used for online payment. Kim Cameron, who sat next to me during Sid's talk, suggested that I should include this into the openinfocard id selector.

Today I uploaded two new applications to

You can use the STS to create a paymentCard and import it into the openinfocard id selector:

Next go to the paymentCard relying party. You can change the price to see that the claim can be changed by the merchant. Type a new price into the input field and press enter. Next click on the paymentCard icon to start the openinfocard id selector:

Select a paymentCard using the openinfocard id selector:

The result looks something like this:

Please note the "trandata?" claim. This is the one that is modifiable by the relying party. It can contain anything. Sid suggested to base64 encode the data needed for 3D-secure. I just use the variable claim to transport price information from the merchant to the STS.

The basic principle: If a claim contains a '?' then the matching of the claim against the claims in a information card stops; that is the claim "matches" and the whole claim is send to the STS in the RST.

Of course this does not work with the current version of CardSpace.
Some newer version of the openinfocard id selector should do it. Update:ThisThe variable claim matching functionality is inside it since end of October (I think). The relyinparty and the STS are in the version control system since the same time. I did not find time to blog about this feature earlier.

Have fun.