I believe CardSpace is still quite painful to implement. I got this impression from the CardSpace Q&A at TechEd. No one had a good story to tell about it. But if you want more information on it, Dominick Baier has blogged on www.leastprivilege.com about it.
DO NOT USE MD5. It is so broken. Use SHA256 or SHA512 as a minimum. See [1], which has good pointers on most things apart from MD5 (ignore those bits :) ), and this article [2] on why MD5 is broken. The second is a little emotional but accurate, and [1] was updated to reflect it.

For ease of user migration, you might want to consider allowing flagging "upgraded" users and giving them some kind of enhanced security dialog to collect any additional information. This could smooth your migration process. To be honest, asking additional questions is not any more secure than a password. CardSpace gets around this problem by asking a third party to verify the user (this can be the user themselves with a self-issued card). IIRC CardSpace requires one of the new security certs that take an age to get and involve the cert company verifying you. And currently breaks if the company owning the cert moves, apparently.

Have you looked at threat modelling your application to see where you need mitigation and what it should be? If not, check out the security blogs at Microsoft ([3], [4]).

Hope this helps a bit,
James

References, watch for URL wrap:
[1] http://www.codinghorror.com/blog/archives/000953.html
[2] http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/
[3] http://blogs.msdn.com/michael_howard/
[4] http://blogs.msdn.com/sdl/

On Nov 19, 2007 5:05 PM, Paul Cowan <[EMAIL PROTECTED]> wrote:
> Hi all,
> We just had a meeting with one of our clients and they were not happy
> with the level of security.
> We use FormsAuthentication with the usual sort of set up. We use HTTPS
> throughout the application and the passwords are stored as MD5 hashes in the
> backend SQL Server database.
> The question that I have is what can I do to increase this?
> Is CardSpace a viable answer or is it just too young? Does the client
> machine have to have .NET 3.0 installed for CardSpace or is IE7 good enough?
> Would ActiveDirectory help or is that a massive undertaking? Any suggestions
> whatsoever appreciated?
> Paul
> [EMAIL PROTECTED]
> _________________________________________________________________
> Get free emoticon packs and customisation from Windows Live.
> http://www.pimpmylive.co.uk
> ===================================
> This list is hosted by DevelopMentor(R) http://www.develop.com
>
> View archives and manage your subscription(s) at http://discuss.develop.com
> ===================================
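The migration idea sketched in the reply above (flag "upgraded" users and move them off unsalted MD5 as they log in) is shown below as an added example; it is not code from either poster and not part of the original thread. It assumes each user record carries a scheme field, and it uses salted, iterated PBKDF2-HMAC-SHA256 from Python's hashlib as the upgraded scheme (a choice made for this example). It also shows why unsalted MD5 invites precomputed-table attacks, the point of reference [2]: two users with the same password get identical legacy hashes, while upgraded records differ.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Iteration count for the upgraded scheme (assumption of this example; tune for your hardware).
PBKDF2_ITERATIONS = 100_000


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest, as stored by the legacy system described in the thread."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_legacy_record(password: str) -> Dict:
    """Constructed legacy row: scheme 'md5', no salt, not yet upgraded."""
    return {"scheme": "md5", "hash": legacy_md5(password), "upgraded": False}


def make_upgraded_record(password: str) -> Dict:
    """Upgraded row: random 16-byte salt plus iterated PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "scheme": "pbkdf2_sha256",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
        "upgraded": True,
    }


def verify_and_upgrade(record: Dict, password: str) -> Tuple[bool, Dict]:
    """Check a password against a record.

    Returns (ok, record_to_store). A legacy MD5 user who authenticates
    successfully is rehashed on the spot, so the returned record is the
    upgraded one and the caller should persist it. Comparisons use
    hmac.compare_digest to avoid timing side channels.
    """
    if record["scheme"] == "md5":
        ok = hmac.compare_digest(record["hash"], legacy_md5(password))
        if ok:
            # Plaintext is only available at login, so this is the moment to upgrade.
            return True, make_upgraded_record(password)
        return False, record

    if record["scheme"] == "pbkdf2_sha256":
        digest = hashlib.pbkdf2_hmac(
            "sha256",
            password.encode("utf-8"),
            bytes.fromhex(record["salt"]),
            record["iterations"],
        )
        return hmac.compare_digest(record["hash"], digest.hex()), record

    raise ValueError("unknown password scheme: %r" % record["scheme"])


def same_password_same_hash(scheme: str, password: str) -> bool:
    """True if two users with the same password end up with identical stored hashes.

    For unsalted MD5 this is always True, which is what makes precomputed
    tables effective; for the salted scheme it is False.
    """
    if scheme == "md5":
        a, b = make_legacy_record(password), make_legacy_record(password)
    else:
        a, b = make_upgraded_record(password), make_upgraded_record(password)
    return a["hash"] == b["hash"]


if __name__ == "__main__":
    # Constructed sample: one legacy user logging in after the change is deployed.
    row = make_legacy_record("correct horse battery staple")
    ok, row = verify_and_upgrade(row, "correct horse battery staple")
    print("login ok:", ok, "| scheme now:", row["scheme"], "| upgraded:", row["upgraded"])
    print("md5 collides for equal passwords:", same_password_same_hash("md5", "hunter2"))
    print("pbkdf2 collides for equal passwords:", same_password_same_hash("pbkdf2_sha256", "hunter2"))
```

The upgrade can only happen when the plaintext is in hand, so legacy rows persist until each user next logs in; the `upgraded` flag is what lets the application prompt those users for the extra information the reply mentions, or force a reset after a deadline for accounts that never return.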