An answer to a CardSpace (aka InfoCard) question

At the beginning of June, I worked at the realDevelopment ‘06 tour stop in Toronto as one of the MVP experts. Half of the day is devoted to Web security and a great deal of attention is paid to CardSpace. If you’re not familiar with CardSpace, try to remember way back to when it was called InfoCard. If that still doesn’t click, think of it as a mechanism for maintaining all of the credentials that you use when you log into various web sites. Unlike Passport, it’s not necessarily the same email/user id for every site. Each site can be provided with a distinct set of information about you.

But that’s not the question that was left sitting there. At the question and answer session after the talk, a number of people were asking about exporting CardSpace cards so that they can be imported onto, say, their machine at work. It’s quite simple, as it turns out. But, the conversation goes, if it’s easy to export the cards, what’s to stop someone from walking up to your unattended machine and exporting your cards.

First off, the possibility that you leave your machine, complete with all of the credentials to access your bank account, unattended is the beginning of the problem. But fortunately, CardSpace is willing to deal with this.

One of the fun parts of TechEd is that you get to meet people who know things. That’s what happened last night. I ended up talking with Rich Turner, the Product Manager for CardSpace. Who better to ask this question? As it turns out, he was the perfect person to ask.

The trick is to use a PIN to protect the cards before they get exported. By doing so, you can ensure that, even if they are exported, they cannot be used unless the PIN code is provided. This isn’t an unbreakable solution (anyone holding the exported file can sit and guess PINs offline, so a short PIN buys only as much as the guess space and the cost of each guess), but what is? It does, however, alleviate the problem that seemed to be at the forefront of most people’s minds.
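To make the “not unbreakable” caveat concrete, here is an added toy model that is not CardSpace’s real export format or any Microsoft code: a constructed card blob is protected by a key derived from a numeric PIN, and a second routine shows how quickly an attacker holding the exported file can recover a 4-digit PIN offline. The protection scheme (PBKDF2 key derivation, an HMAC-based keystream and an HMAC tag), the sample card, the PIN and the iteration count are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import itertools
import os

# Toy model (added example, NOT CardSpace's actual file format): an exported
# card store is sealed under a key derived from a short numeric PIN.

# Deliberately low so the offline-guessing demo runs in seconds; real
# password-based encryption uses orders of magnitude more iterations, which
# is exactly what makes each PIN guess expensive.
ITERATIONS = 200


def derive_key(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the PIN into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


def keystream(key: bytes, length: bytes) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(card_blob: bytes, pin: str, salt: bytes = b"") -> bytes:
    """Seal the card blob: salt || tag || ciphertext."""
    salt = salt or os.urandom(16)
    key = derive_key(pin, salt)
    ct = bytes(a ^ b for a, b in zip(card_blob, keystream(key, len(card_blob))))
    tag = hmac.new(key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct


def unprotect(blob: bytes, pin: str):
    """Return the card blob if the PIN is right, otherwise None."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = derive_key(pin, salt)
    expected = hmac.new(key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def brute_force_pin(blob: bytes, digits: int = 4):
    """Attacker's view: try every numeric PIN offline. Returns (pin, guesses)."""
    for guesses, digs in enumerate(itertools.product("0123456789", repeat=digits), start=1):
        pin = "".join(digs)
        if unprotect(blob, pin) is not None:
            return pin, guesses
    return None, 10 ** digits


# Constructed sample card for the demo; not a real CardSpace card.
SAMPLE_CARD = b'<card id="card-1"><claim name="email">alice@example.com</claim></card>'

if __name__ == "__main__":
    exported = protect(SAMPLE_CARD, "4729")
    recovered_pin, guesses = brute_force_pin(exported)
    print(f"recovered PIN {recovered_pin} after {guesses} offline guesses")
```

The lesson for the exported-card question is that the PIN stops a casual walk-up attacker from using the cards directly, but whoever copies the file gets unlimited offline attempts; the only levers are a longer PIN (or passphrase) and a slow key derivation, and neither is a substitute for locking the workstation.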