<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>The “successful” attack on Cardspace</title><link>http://blogs.technet.com/rhalbheer/archive/2008/06/02/the-successful-attack-on-cardspace.aspx</link><description>I guess you read it as it was pretty wide-spread in the press in the last few days: On the Insecurity of Microsoft's Identity Metasystem CardSpace . Well, is there any official Microsoft reaction to it? No, not yet and if you look a little bit more in</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: The “successful” attack on Cardspace</title><link>http://blogs.technet.com/rhalbheer/archive/2008/06/02/the-successful-attack-on-cardspace.aspx#3068539</link><pubDate>Tue, 10 Jun 2008 00:59:24 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3068539</guid><dc:creator>Mark M.</dc:creator><description>&lt;p&gt;Roger, reversing your statements in the conclusion leads to the following natural question: Is the requirement on &amp;quot;the in-depth help of the user&amp;quot; to keep Microsoft's Windows Vista secure a sign of higher responsibility?&lt;/p&gt;
&lt;p&gt;Relying on the user's ability to protect their own system has never been a serious argument in favor of secure software. Moreover, it is rather the security unawareness of naive users that caused many successful attacks in the past.&lt;/p&gt;
&lt;p&gt;Although attacks against DNS and Trusted Root are needed to breach the security of CardSpace, they are not directly related to the security concept of CardSpace itself. Sure, Windows Vista is a complex operating system in which each security component is responsible for the prevention of particular threats. Nevertheless, we all know that &amp;quot;a chain is only as strong as its weakest link&amp;quot;, and the demonstrated attack clearly shows that the component CardSpace itself is insecure. Hoping that the chain still holds is probably not the best strategy that should be applied by Microsoft in this case.&lt;/p&gt;
</description></item><item><title>re: The “successful” attack on Cardspace</title><link>http://blogs.technet.com/rhalbheer/archive/2008/06/02/the-successful-attack-on-cardspace.aspx#3068776</link><pubDate>Tue, 10 Jun 2008 07:53:53 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3068776</guid><dc:creator>rhalbh</dc:creator><description>&lt;p&gt;Hi Mark,&lt;/p&gt;
&lt;p&gt;I would like to take up your first point: A multi-purpose operating system is here to help the user to do the job he wants to - without knowing which applications/jobs they want to in advance.&lt;/p&gt;
&lt;p&gt;Therefore, the OS has to be able to do a lot of stuff and the user wants the ability to do that. With this in mind, this leads us to a challenging situation: How do you want to make sure that the user is able to do what he wants without letting the bad thing happen? If you think that through, you will (at least partly) have to rely on the user - at some point in time. We definitely can improve the OS in this respect but still, the user is needed in this equation.&lt;/p&gt;
&lt;p&gt;Roger&lt;/p&gt;
</description></item><item><title>re: The “successful” attack on Cardspace</title><link>http://blogs.technet.com/rhalbheer/archive/2008/06/02/the-successful-attack-on-cardspace.aspx#3221066</link><pubDate>Wed, 01 Apr 2009 18:03:13 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3221066</guid><dc:creator>Francis Shanahan</dc:creator><description>&lt;p&gt;Cardspace is hard to understand (at least for me) and most examples cover only Self-Issued Cards. There are no examples out there using Managed Cards so I built out a full end-to-end claims federation scenario involving Username/Password backed Managed Cards and the Cardspace Identity Selector.&lt;/p&gt;
&lt;p&gt;Let me know what you think: &lt;a rel="nofollow" target="_new" href="http://francisshanahan.com/cardspace"&gt;http://francisshanahan.com/cardspace&lt;/a&gt;&lt;/p&gt;
</description></item></channel></rss>