Security token without authentication  
Author Message
guiguigui





PostPosted: Windows CardSpace ("InfoCard"), Security token without authentication Top

Hello,

I would like to know if it is possible for the user to use a managed card (get a security token) without requiring the user to authenticate himself

Thanks for your help,



Software Development for Windows Vista10  
 
 
Caleb Baker - MSFT





PostPosted: Windows CardSpace ("InfoCard"), Security token without authentication Top

Hi,

All managed cards in CardSpace v1 require some authentication. We’ve had some discussions about being able to do token retrieval w/out authentications, but haven’t come up with a very compelling usage scenario, since it would allow anybody to retrieve the token from the endpoint, thus losing any association with a particular user.

The easiest auth mechanism (from a usability perspective) is to use a self-issued card to back the managed card. The self-issued card is automatically selected, so just needs to select the managed card.

If you (or others) have scenarios where you think no-auth is useful, I’d be happy to hear them.

Thanks,

Caleb



 
 
guiguigui





PostPosted: Windows CardSpace ("InfoCard"), Security token without authentication Top

Dear Caleb,

Thank you for your answer.

Cardspace supports a few authentication methods only, and you can see that in other threads of this forum, some of us are asking how we can implement another authentication method.

Getting a managed card and its attributes without authentication could allow the RP to process the authentication method it wants. I mean that the managed card could contain information about how the RP should authenticate the user. I mean that the authentication could be done by something else than the STS, after the card's retrieval.

The card, in this case, is not an authentication mean anymore.

I hope it helps,