
CardSpace Demo Script


Windows CardSpace and Information Cards
Demo Script
Prepared by: [Demo/Script Owner(s)]    Version: 1.1    2007-10-02

Windows CardSpace is a Microsoft .NET Framework version 3.0 component that provides the consistent user experience required by the identity metasystem. It is specifically hardened against tampering and spoofing to protect the end user's digital identities and maintain end-user control.

Key Messages:
1. Instead of typing information, the user picks a card, so we no longer rely on user names and passwords.
2. Underlying that card we have public key cryptography. So instead of using a shared secret (user name and password), we use what we have been using for a long time, which is the ability to have public and private keys.
3. When we want to identify ourselves, rather than using a user name and password, the identity provider (IP) generates a session key for us that is signed using a private key that only the IP has access to. So when we identify ourselves, only the owner of that private key can identify the user.
4. CardSpace will ensure that the key that identifies you to a specific web site is different for each and every site that you go to. That means that if I go to a phishing site and use my normal banking card at that site, because it is a different site from my normal web site, they will get a completely different key from the one I use for my actual bank.
5. How do I identify myself to an IP? You have a relationship with your IP, your bank, your school, your government or whatever; it is pre-established. You go into your bank and say, I want to have an information card.

Key Technologies:
The following technologies are utilized within this demo:

1. Technology / Product: Windows CardSpace
   Version: Included in .NET 3.0
   Link: .NET Framework Runtime 3.0

Setup and Configuration
Before starting the demo:
- Be sure that you have added some information cards to your system. You will use them to perform the demos.
- You need to create an information card and associate it with a user account to log in to the following site:
  o To do this, click Join and provide the site with your Information Card.
- CardSpace maintains a history of sites where a card has been presented. The UI presented to a user when visiting a site for the first time differs from that shown in subsequent visits, after an information card has already been presented.
  o You will use this site to show the UI displayed when visiting a CardSpace-enabled web site for the first time. It is important that you do not send an information card to this site before you start this demonstration.

Opening Statement
CardSpace is a piece of software that sits on the client machine. It is about authentication: the user takes advantage of Windows CardSpace to manage their identity and to provide their identity to websites and to web services.
Windows CardSpace renders the user's identity as a set of cards. So when they want to provide an identity to a site or service, they choose that card, and the request goes off to the identity provider behind the card to ask for a token and the associated claims, which the user can then pass on to that web site or web service.

Step-by-step Walkthrough
Estimated time for setting up and configuring the demo: 2 minutes.
Estimated time to complete the demo: 60 minutes.

Preview Card Details

The main goal of this demo is to introduce the audience to information cards. The content has plenty of script and very few actions to perform.

1. Action: Navigate to Control Panel and run "Windows CardSpace".
   Script: Let's open CardSpace and visualize all the cards we have already issued.

2. Action: Select one of the cards you have already created.
   Script: We will select an existing card and see what we have here.

3. Action: Click "Preview".

4. Action: Move the scrollbar to display all the card fields.
   Script: So you can see here, I have a whole bunch of different fields. Notable here by their absence are things like credit card numbers and social security numbers.
   These are non-risk personal fields; I can put my address here, my phone number. Of course a bad guy could tempt me to use my card and give him this information, but quite honestly, it would be easier for him to look me up in the phone book rather than try to hack these things off me. It will take him less time.
   So the self-issued claims, what we own in our personal cards and self-issued cards, are only a very limited set of information. When we deal with sensitive things like credit card numbers, bank account numbers, social security numbers and so on, the people that issue that information, and provide the user with the card that enables the user to select the card and get that information, are the people that should be managing it. These are the banks, health providers, the government, schools, and employers.
   Then the information is locked away, probably safe in some datacenter within a wonderfully secure employer, where we know that they aren't going to release all of our employment details to anybody that
   So in the case of the self-issued card, who is the CardSpace IP (Identity Provider)? The answer is the user. So who is going to trust you? Well, like I've said, when you go and register at a site, it is you that is providing your information, so implicitly the site trusts you.
   And that is good for ninety percent of the cases. It is only when you get to the sharp end, when you are paying for something or opening something like a bank account, where you physically have to go into the bank and say, yes, it's me. And they check that it's you, and then you have an account. But for the vast majority of sites, self-issued identities are perfectly acceptable.
   With a self-issued card, whenever you choose a card the same thing conceptually happens. A request goes to an STS (Security Token Service) to create a token with a signature on it, and that information is typically encrypted to the recipient.
   A self-issued card is exactly the same as what we call a managed card, which is given to you by a third-party IP. The only difference is that in the former the STS, rather than being some web service at my bank, is a web service on my local machine.

Navigating Sandbox website

1. Action: Launch Internet Explorer 7 and set it to full screen.
   Script: So to give you an example, here is a public website you can all go to and play around with information cards.

2. Action: Navigate to the web site.

3. Action: Click "Sign In" (Sign In with your Information Card).
   Script: We can sign in using a user name and password or with my information card. Once I click sign in, it shows me the cards that I have used on this site before.

4. Action: Provide an Information Card and click "Send".
   Script: I can choose one of them and click send. So this is a self-issued card, and up there it says I am signed in.

5. Action: Notice that in the top right menu you appear as "Signed in" with the user you provided in the information card.
   Script: That's the experience: no user name, no password, I just choose my card and log in.

Navigating CardSpaceDemos website

1. Action: Switch to the browser window. Go to the dsWithCards site.
   Script: So when you first access a website, you get this dialog, and you choose whether to send your information, if you trust the site, or back out.

2. Action: Click on the "Sign In with your Information Card" button. The CardSpace card selector window will pop up.
   Script: So indeed, if I'm going to Bank of America every single week, I don't get prompted with this dialog, or I do get it the first time but not subsequently. Basically, what it is saying is: this is the site information, it's just basic SSL, and so it hasn't been
   And I get this special warning: "the site information cannot be verified. Banks or major Internet businesses usually choose to better identify themselves for your protection."
   So this is to do with high assurance certificates (HAC). If the recipient is using an HAC, you don't get this warning. But this is just basically warning you that the recipient of the information you are about to send is not using an HAC, it is using a normal SSL
   Note: If you have already presented an information card to a site, the dialog displaying site information is not shown. A similar dialog can be displayed if you click the "Learn More about this site" hyperlink. This will show a dialog that is similar to the one displayed the first time you enter a site.

3. Action: In Internet Explorer, go to the sandbox site.
   Script: Let's choose another one, let's go to the sandbox site.

4. Action: Click on the sign-in link, below the big CardSpace logo. The login box will pop up. Click on "Learn More About this Website".
   Script: So in here, for example, the dialog again is this. Again, this is just an SSL site. Again, site information. So this is just a URL, the DNS name behind it, the issuer, in this case Equifax. I get my little warning that it is just an SSL (not an HAC) certificate, and then I'm going to choose which card to send. That would pop up the first time I get to a site and try to choose a card.
   If the certificate doesn't change, then it will not prompt you with this screen. But if any of the certificate information changes, such as the privacy statement, or if any of the other information that is important for that site changes, then you will get prompted again.

Submit a card without encryption (HTTP)

Use this section only for internal events or presentations.

1. Action: Switch to the browser window and go to http://infocard/site
   Script: So this website, as you can see, is using HTTP (point to the protocol in the address bar). It's no longer HTTPS.

2. Action: Click on the "Submit a card" button. The card selection dialog will appear.
   Script: If I submit a card, it gives me a warning: "The information that you will send is not protected with encryption and can be viewed by others. Do not send a card that includes sensitive information". So you are

3. Action: Choose a card to send and click on the Send button. The dialog will close.
   Script: So I can send a card, and I can authenticate to the site. And it tells me who issued the card; in this case it's a self-issued card. The token was not encrypted, and the information in the token was just the personal private identifier. This is the human-readable version, and this is the actual value.
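Key message 4 (a different key for every site) and the personal private identifier shown in the last step above, as an added illustrative model that is not CardSpace's own code or derivation: a self-issued card's secret is combined with the relying party's identity, so a look-alike site receives an unrelated identifier and a site's account lookup only matches the identifier issued for that site. The card secret, DNS names and issuer string are constructed for the example, and the keyed hash stands in for CardSpace's actual derivation.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample: the secret behind one self-issued card. In CardSpace it never
# leaves the user's machine; this value is made up for the example.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def rp_identifier(dns_name: str, cert_issuer: str) -> bytes:
    """Identity of the relying party as the selector sees it. Assumed shape: DNS name plus
    certificate issuer, the two fields the site-information dialog in the demo points at."""
    return f"{dns_name.lower()}|{cert_issuer}".encode()


def site_specific_ppid(card_secret: bytes, rp_id: bytes) -> bytes:
    """Pairwise identifier for one card at one site. The keyed hash (a stand-in for the
    real derivation) gives a site with a different name or certificate an unrelated value,
    and a site cannot work back from its identifier to the card secret."""
    return hmac.new(card_secret, rp_id, hashlib.sha256).digest()


def ppid_actual_value(ppid: bytes) -> str:
    """The form that travels in the token ("the actual value" in the demo)."""
    return base64.b64encode(ppid).decode()


def ppid_friendly(ppid: bytes) -> str:
    """Short human-readable rendering such as 'ABCDE-FGHJK'. The alphabet without
    look-alike characters (0/O, 1/I) is an assumption, not CardSpace's exact scheme."""
    alphabet = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"
    chars = "".join(alphabet[b % len(alphabet)] for b in ppid[:10])
    return f"{chars[:5]}-{chars[5:]}"


def selector_sends(card_secret: bytes, dns_name: str, cert_issuer: str) -> str:
    """What the card selector places in the token for this particular site."""
    return ppid_actual_value(site_specific_ppid(card_secret, rp_identifier(dns_name, cert_issuer)))


class RelyingParty:
    """What a site does with the identifier: store it at 'Join', look it up at 'Sign In'."""

    def __init__(self) -> None:
        self.accounts: Dict[str, str] = {}

    def join(self, username: str, ppid: str) -> None:
        self.accounts[ppid] = username

    def sign_in(self, ppid: str) -> Optional[str]:
        return self.accounts.get(ppid)
```

An identifier captured by a look-alike site therefore cannot be replayed to sign in at the genuine one, which is the property key message 4 describes.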


The metasystem is this consistent experience regardless of which underlying technology you might choose to use. You can federate very easily, and the user-centric digital identity is going to be everywhere.
Actually adding information card support to your site or service is extremely easy. You just express the policy, you retrieve the token, and you process it.

