Saturday, November 17, 2007

After you send data on a card...

A colleague of mine noticed something interesting in the Cardspace help text...
Important: The data that is retrieved and viewed may or may not be the same as the data that is being sent to the requesting site. A managed card is encrypted so that it can only be opened by the requesting site. When you retrieve a version of the requested data, it is the responsibility of the managed card provider to send an accurate copy of what the card provider will send to the site. If you do not want to send the retrieved data, you can choose another card or you can exit Windows CardSpace.

There's no guarantee that what you think you are transmitting is really what you are transmitting.
After you send data on a card, you cannot control what the site does with your data. Use caution when deciding what data you will send and to whom you will send it.

These aren't my words - they are Microsoft's (at least in the version of Vista I have). See for yourself! Open up your Windows control panel, then look for "Windows Cardspace". Open this and set up a new card: create a personal card and enter some data. In the upper right of the window (under the Tasks heading) select "What data should I include on my card". You'll find the text there.

I guess user-centricity will actually happen in a future release. Some new identity policy standards might have something to do with that.

2 comments:

Eric Norman said...

The observation about managed cards is nothing new. See here.

http://blogs.msdn.com/vbertocci/archive/2007/10/31/on-displaytoken.aspx.

However, as far as I can tell, the question hasn't been addressed yet. Can someone come up with a use case where users should not be able to inspect what's being said about them?

Phil Hunt said...

I'm not sure there really is a valid case. But keep in mind there are 3 parties involved now. So it would be unwise to say there should never be one.

One thing I can think of is a pointer that appears to be meaningless (like a GUID). It might be suspected of concealing something but in reality it is protecting user-privacy. E.g. a courier could give me a pointer that I can share with a web vendor. That vendor can use that pointer to ship my order without knowing my address. I can't understand the information being transferred, but it is actually working for my benefit.
