Archive for the 'Identity Management' Category

CardSpace and Smart Cards

Quoted from Kim Cameron’s Identity blog:

Gemalto collaborated closely with the CardSpace team on a prototype of CardSpace in which Information Cards and the associated metadata and secret keys are all kept on a smartcard or dongle.

Here’s the user experience:

You arrive at a machine, and insert your smart card.

CardSpace asks for a password, and when you enter it, you see your CardSpace cards as usual – except they materialize from the smart card. The system supports both self-issued and managed cards.

Then, when you remove your smart card, all the CardSpace cards go away.

In other words, the system completely solves the roaming and “kiosk” problem.  You take your Information Cards with you, and use them wherever you go.  A single smart card can transport a whole set of unrelated cards – the “Fist full of dongles” problem is solved.

The Gemalto folks have a demo that makes the ideas completely clear here.   Much of the work was done by Kapil


SignOn.com: OpenID & CardSpace

SignOn.com is an OpenID identity provider that supports Windows CardSpace authentication. Check out the walk through on vibro.net to see how you can authenticate on websites with OpenID and CardSpace without the need for entering usernames/passwords.

https://www.signon.com


WCF logging

Something I read today on the MSDN forums for troubleshooting CardSpace: “turn WCF logging on, to see if the request is hitting the MEX endpoint. You can get the service trace viewer from the .NET 3 / Vista SDK.”
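As an added illustration (not from the forum post or any Microsoft sample), this is the app.config fragment that switches on the WCF tracing and message logging the advice refers to; the log file paths are assumptions:

```xml
<configuration>
  <system.diagnostics>
    <sources>
      <!-- Activity tracing shows whether the WS-MetadataExchange request reaches the STS. -->
      <source name="System.ServiceModel"
              switchValue="Information, ActivityTracing"
              propagateActivity="true">
        <listeners>
          <add name="traceListener"
               type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="C:\logs\sts_traces.svclog" />   <!-- assumed path -->
        </listeners>
      </source>
      <!-- Message logging records the SOAP envelopes themselves. -->
      <source name="System.ServiceModel.MessageLogging">
        <listeners>
          <add name="messageListener"
               type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="C:\logs\sts_messages.svclog" /> <!-- assumed path -->
        </listeners>
      </source>
    </sources>
    <trace autoflush="true" />
  </system.diagnostics>
  <system.serviceModel>
    <diagnostics>
      <!-- Transport-level logging shows the request before security processing,
           which is what you want when the MEX endpoint appears not to be hit. -->
      <messageLogging logEntireMessage="true"
                      logMalformedMessages="true"
                      logMessagesAtServiceLevel="true"
                      logMessagesAtTransportLevel="true"
                      maxMessagesToLog="3000" />
    </diagnostics>
  </system.serviceModel>
</configuration>
```

Open the .svclog files with SvcTraceViewer.exe from the SDK. With logEntireMessage="true" the files contain the tokens and claims exchanged, so keep the log folder readable only by administrators and remove the section once the problem is found.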


New Visual Studio Toolkit for CardSpace

The toolbox provides an easy way to use Windows CardSpace in your ASP.NET 2.0 web application to register and validate your users. It is also possible to use the controls to receive a SAML token and get the decrypted values of the provided claims. The token decryption is built on the community sample.

http://www.codecomplete.de/blogs/digitalidentity/archive/2007/03/18/22.aspx


The Pamela Project

The Pamela Project is focused on the adoption and use of information cards in the wild. You can read more about it here

Official website: http://pamelaproject.com/


OpenID support for Wordpress

Currently they only host identities, but do not accept third-party-hosted identities.

More info: http://faq.wordpress.com/2007/03/06/what-is-openid/


Smartcard authentication with CardSpace

Here is the description of the problem we are stuck with in our smartcard implementation with CardSpace:

- We try to authenticate on a relying party website supporting our homemade managed InfoCard supporting smartcard authentication

- We select our InfoCard in CardSpace. CardSpace prompts to enter the smartcard. We enter the smartcard, and press OK

- CardSpace interacts with the smartcard middleware to enter the PIN code that is protecting the certificates on the smartcard. We enter the PIN code, and press OK

- CardSpace shows us an “Internal CardSpace error”

Below are some screenshots of the situation:

Below are the 2 error records dumped by Windows CardSpace in the Windows event logs:

An error occurred when communicating with the Windows CardSpace service. Exception of type 'Microsoft.InfoCards.CommunicationException' was thrown.

Inner Exception: Not implemented

Additional Information:

Microsoft.InfoCards.CommunicationException: Exception of type 'Microsoft.InfoCards.CommunicationException' was thrown. ---> System.ComponentModel.Win32Exception: Not implemented

at Microsoft.InfoCards.NativeMcppMethods.RpcCryptoDispatchRequest(IntPtr hIdl, String contextKey, String requestName, Byte[] buffer, Int32 index, Int32 length)

at Microsoft.InfoCards.RpcCryptoRequest.Process()

--- End of inner exception stack trace ---

An error occurred when communicating with the Windows CardSpace service. Exception of type 'Microsoft.InfoCards.CommunicationException' was thrown.

Inner Exception: Bad UID

Additional Information:

Microsoft.InfoCards.CommunicationException: Exception of type 'Microsoft.InfoCards.CommunicationException' was thrown. ---> System.ComponentModel.Win32Exception: Bad UID

at Microsoft.InfoCards.NativeMcppMethods.RpcCryptoDispatchRequest(IntPtr hIdl, String contextKey, String requestName, Byte[] buffer, Int32 index, Int32 length)

at Microsoft.InfoCards.RpcCryptoRequest.Process()

--- End of inner exception stack trace ---

The communication between the relying party and the STS, intercepted with an HTTP proxy:

http://www.voipsec.eu/troubleshooting/mex_comm3.xml


Identity 2.0 owns!

I linked my personal blog site to an OpenID identity. I made myself a profile on Opinity.com, an identity provider where you can establish trust relationships and reputation. You can log in to Opinity with a personal InfoCard from CardSpace or with OpenID. I established trust relationships by linking my OpenID identity to my Opinity profile, and by linking my Sxipper profile to my Opinity profile.

I authenticated at the i-names website with my Sxipper profile and tried to register an i-name as well, but you have to pay for that :S

Great, I now have different identity providers, so I can authenticate on different websites without having to enter or remember usernames / passwords anymore! Credits for Identity 2.0!


Display claims in CardSpace identity selector

At softwaremaker.net a discussion is going on about how to display the claims in the CardSpace identity selector. The SimpleSTS sample provided by Microsoft lacks this ability. If you want to know how to implement it, take a look at softwaremaker.net.


Generation and configuration of IIS and STS certificates

- In IIS, create a CSR.

- At CAcert.org, request a server certificate and paste in the CSR you prepared with IIS.

- Save the certificate CAcert has generated as c:\response.cer.

- In IIS, process the pending request and supply the path c:\response.cer. IIS is now configured with a CAcert certificate.

- Add the CAcert root CA certificate in Internet Explorer.

- Test the configuration by browsing with Internet Explorer to your SSL website.

- Locate the private key file of your certificate with findprivatekey.exe:

findprivatekey.exe my localmachine -t "62 47 27 7b ce 53 66 17 a0 0f 81 3d 13 7c 3c da 92 08 f8 72"

- Configure the access control permissions on the private key file with cacls.exe so that ASPNET and NETWORK SERVICE can read it (the /E switch edits the existing ACL instead of replacing it, so SYSTEM and Administrators keep their access):

cacls "16394861286f7e4cfb55314841a39249_27df5bfe-b98d-49d6-9f26-d788c1d19675" /E /G "NETWORK SERVICE":R

- Double-check the permissions by browsing to the folder and inspecting them in the GUI.

- Configure your certificate on the MEX endpoint with httpcfg:

httpcfg delete ssl -i 0.0.0.0:7001

httpcfg set ssl -i 0.0.0.0:7001 -h "6247277bce536617a00f813d137c3cda9208f872"

- Add the thumbprint of your certificate to the app.config of the STS.
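An added PowerShell example (not part of the original post) that performs the findprivatekey/cacls steps in one go: it looks the certificate up by thumbprint in LocalMachine\My, derives the key container file and adds a read-only ACE for the service accounts, leaving the rest of the ACL untouched. The MachineKeys folder, the CSP-backed key (not CNG) and the principal list are assumptions.

```powershell
# Assumption: thumbprint copied from the httpcfg step above; spaces are tolerated.
param(
    [string]$Thumbprint = "6247277bce536617a00f813d137c3cda9208f872",
    # Assumed principals: on IIS 5 / Windows XP the worker process runs as the local
    # "ASPNET" account instead, so add it to the list there.
    [string[]]$Principals = @("NT AUTHORITY\NETWORK SERVICE")
)

$normalized = ($Thumbprint -replace '\s', '').ToUpper()
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $normalized }
if (-not $cert) { throw "No certificate with thumbprint $normalized in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    throw "Certificate has no private key; was the pending request completed in IIS?"
}
if ($null -eq $cert.PrivateKey) {
    throw "Key is not CSP-backed (CNG); this script only handles CAPI key containers"
}

# CSP machine keys live as files named after the unique container name (assumed path).
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyPath)) { throw "Private key file not found at $keyPath" }
Write-Host "Private key file: $keyPath"

# Read is enough for signing and decryption with an existing key; do not grant Full Control.
$acl = Get-Acl -Path $keyPath
foreach ($p in $Principals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($p, "Read", "Allow")
    $acl.AddAccessRule($rule)   # edits the ACL, equivalent to cacls /E /G
}
Set-Acl -Path $keyPath -AclObject $acl

# Print the resulting ACL so the "double check in the GUI" step can be skipped.
(Get-Acl -Path $keyPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run from an elevated prompt; the script refuses to continue rather than guessing when the key is CNG-backed or the file is not where it expects it.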


Generating a CSR for IIS

You will find a step-by-step description of how to generate a Certificate Signing Request (CSR), submit it at CAcert.org to obtain a certificate, and install the certificate in Microsoft Internet Information Server (IIS) at the following location: http://www.cacert.org/help.php?id=3

This is also a nice link for troubleshooting your SSL and IIS configuration.


Import the CAcert Root Certificate in Internet Explorer

Click here if you want to import the root certificate into Microsoft Internet Explorer

Download the Root Certificate (PEM Format)

Download The Root Certificate (DER Format)

Source: http://www.cacert.org/index.php?id=3


SSL certificates on webservers, how difficult can it be?

I obtained some free SSL certificates from CAcert.org, because I do not want to pay for a certificate. I want to put them on this web hosting… now I have to pay 5 extra each month for a fixed IP address before I can use SSL certificates on my web hosting? Not to mention that this 5 is to pay for each domain name you want to use an SSL certificate on, because a fixed IP per domain name is required… ridiculous
