Roger, reversing your statements in the conclusion leads to the following natural question: Is the requirement on "the in-depth help of the user" to keep Microsoft's Windows Vista secure a sign of higher responsibility?
Relying on the user's ability to protect their own system has never been a serious argument in favor of secure software. Moreover, it is rather the security unawareness of naive users that caused many successful attacks in the past.
Although attacks against DNS and Trusted Root are needed to breach the security of CardSpace, they are not directly related to the security concept of CardSpace itself. Sure, Windows Vista is a complex operating system in which each security component is responsible for the prevention of particular threats. Nevertheless, we all know that "a chain is only as strong as its weakest link", and the demonstrated attack clearly shows that the component CardSpace itself is insecure. Hoping that the chain still holds is probably not the best strategy that should be applied by Microsoft in this case.