I was on my way up to Glasgow today to talk at an MSDN event about Framework V3.0 and it meant that I had to dredge my memory a little bit yesterday as to how CardSpace works.
Generally, I'm not bad on this stuff, in that I followed the WS-* specs for quite a while, so CardSpace wasn't too much of a shock. One thing, though, was really nagging me yesterday as I thought about CardSpace: the often-quoted scenario of using a PPID as a way of authenticating a user.
The thing I kept scratching my head over was: "What happens if someone steals your PPID (e.g. from a backend store), or just happens to duplicate it by some other means, and creates a fake card with your PPID in it?" Essentially, the PPID is just a shared secret, and I was really struggling to remember how you were protected from it being leaked.
In truth, you're not really protected from it and so the advice offered here;
is good stuff (essentially: don't store the PPID on its own; record the card's public key alongside it).
There's also the follow-up post here;
with code that does the "right thing" for you: it verifies the signature on the SAML assertion and also checks that the public key hasn't changed since the last time you "saw it".
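To make the "PPID plus public key" idea concrete, here is an added example of my own (not the code from the linked posts, and not CardSpace's real token format): a relying party that, on first sight of a PPID, records the fingerprint of the key that signed the assertion, and on later visits rejects any assertion for that PPID whose signature verifies under a different key. The `Assertion` type, the `Scenario` walk-through and the PPID value are constructed stand-ins for the SAML token; a real implementation would verify the XML signature over the whole assertion rather than a signature over the PPID string alone.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assertion is a constructed stand-in for the signed SAML token a CardSpace
// client hands to a relying party: the claim (here only the PPID), the card's
// signing public key, and the signature over the claim.
type Assertion struct {
	PPID      string
	PublicKey *rsa.PublicKey
	Signature []byte
}

// Sign produces an assertion for ppid signed with the card's private key.
func Sign(ppid string, key *rsa.PrivateKey) (*Assertion, error) {
	digest := sha256.Sum256([]byte(ppid))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{PPID: ppid, PublicKey: &key.PublicKey, Signature: sig}, nil
}

// Fingerprint identifies a public key by the SHA-256 of its DER encoding,
// which is what the relying party stores next to the PPID.
func Fingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// RelyingParty keeps, per PPID, the fingerprint of the key seen at
// enrolment instead of treating the PPID alone as the credential.
type RelyingParty struct {
	seenKeys map[string]string
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{seenKeys: make(map[string]string)}
}

var (
	ErrBadSignature = errors.New("signature does not verify under the presented key")
	ErrKeyChanged   = errors.New("public key differs from the one registered for this PPID")
)

// Authenticate verifies the assertion's signature, then checks that the key
// is the one previously associated with the PPID. A new PPID is enrolled.
func (rp *RelyingParty) Authenticate(a *Assertion) error {
	digest := sha256.Sum256([]byte(a.PPID))
	if err := rsa.VerifyPKCS1v15(a.PublicKey, crypto.SHA256, digest[:], a.Signature); err != nil {
		return ErrBadSignature
	}
	fp, err := Fingerprint(a.PublicKey)
	if err != nil {
		return err
	}
	stored, known := rp.seenKeys[a.PPID]
	if !known {
		rp.seenKeys[a.PPID] = fp // first visit: remember PPID and key together
		return nil
	}
	if stored != fp {
		return ErrKeyChanged // a leaked PPID in a fake card lands here
	}
	return nil
}

// Scenario walks through the case in the post: the genuine card enrols,
// then a fake card carrying a copied PPID but its own key is presented.
func Scenario() (genuineErr, fakeErr error) {
	rp := NewRelyingParty()
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	const ppid = "constructed-ppid-0001" // constructed sample value

	genuine, _ := Sign(ppid, userKey)
	genuineErr = rp.Authenticate(genuine) // enrols PPID + user's key

	fake, _ := Sign(ppid, attackerKey) // same PPID, different key
	fakeErr = rp.Authenticate(fake)
	return
}

func main() {
	g, f := Scenario()
	fmt.Println("genuine card:", g)
	fmt.Println("fake card with copied PPID:", f)
}
```

The point the example makes is that the fake card's signature is perfectly valid (it was made with the attacker's own key), so signature verification alone does not help; it is the comparison against the key seen at enrolment that turns a leaked PPID from a credential into a mere label.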
This is interesting stuff. I'll admit that I haven't fully digested it at this point, but I did find a paragraph in the conclusions section that really resonated with me (quoted below);
"rich web interfaces and mashup concepts themselves have been cobbled together. The Web programming community has stretched the existing technology well past its original purposes, so it is not surprising that we occasionally encounter an unexpected side-effect"...
Tue, Apr 3 2007 5:51 AM