I’m receiving a lot of questions about the CRD file format, that is to say the format used by CardSpace for defining managed cards. I am rather sure that sooner or later we will publish an official reference for it, however I thought it could be interesting to take a closer look to it already today. Special thanks to Garrett <\/A>that allowed me to use an early version of his tool for generating the samples! If you want to know more keep reading \ud83d\ude42<\/FONT><\/SPAN><\/P> First of all, here’s a managed card crash course. A managed card<\/EM>, or provider card<\/EM>, is an information card issued by an identity provider. It lists <\/FONT><\/SPAN><\/P> a) details about the entity that issues the card: name, certificate, STS and MEX endpoints, etc<\/FONT><\/SPAN><\/P> b) the list of claims about the user that the card issuer can corroborate<\/FONT><\/SPAN><\/P> c) details about how the user will authenticate with the STS of the card issuer in order to have his information card populated with the needed claim values. This is the famous second authentication factor, that in v1 can be in form of a certificate, or a kerberos token, of a selfissued card or, in extreme cases, in an old fashion username\/password pair.<\/FONT><\/SPAN><\/P> The CRD format is, in extreme simplification, just an XML document that contains the above information: it is used by the card issuer to express all those in concise form, and it is used by the user for importing the card into his\/her collection. First thing I notice: the root element is an enveloping signature, here marked in gray<\/FONT>. That should not surprise anyone, once the card has been issued nobody should be able to tamper it: the signature prevents exactly that. There’s more: it gives me the cryptographic certainty that it’s really from my hairdresser, since it shows off usage of his private key. The two X509Certificate elements contain 1) the certificate of the hairdresser and 2) the certificate of the CA that issued the certificate to the hairdresser.<\/FONT><\/SPAN><\/P> When I get past the signature, I finally get to the meat: there’s an element called InformationCard, which contains all the remainder of the file. Will the namespace change before RTM? I have no idea. InformationCardReference<\/SPAN><\/SPAN><\/FONT><\/SPAN> contains the card ID and the version; useful in subsequent import operations, so that cards can be updated or overwritten. <\/FONT><\/SPAN><\/FONT><\/SPAN><\/P> CardName<\/FONT><\/SPAN> contains the mnemonic card name, the only thing that will be possible to modify after the import.<\/FONT><\/SPAN><\/FONT><\/SPAN><\/P> CardImage<\/SPAN><\/FONT> contains the base64 of the card background graphic, so that the issuer can push the appearance he prefers without depending on the capability of resolving links.<\/FONT><\/SPAN><\/FONT><\/SPAN><\/P> TimeIssued<\/FONT><\/SPAN> and TimeExpires<\/FONT><\/SPAN> contain the time of the issuing operation and the card expiration date, respectively. <\/FONT><\/SPAN><\/FONT><\/SPAN><\/P> SupportedClaimTypeList<\/SPAN><\/SPAN> contains the list of claims that will be supported by the card. Single claims are described by the SupportedClaimType<\/SPAN><\/FONT> element, whose subelements are selfexplanatory. Notice that in this card we use both claims available in the selfissued set (such as http:\/\/schemas.microsoft.com\/ws\/2005\/05\/identity\/claims\/givenname<\/A><\/FONT><\/SPAN>) and completely custom claims (like the improbable http:\/\/schemas.maseghepensu.it\/claims\/HairLenght<\/A><\/FONT><\/SPAN>). <\/FONT><\/SPAN><\/FONT><\/SPAN><\/P> Finally we get to the “tough” part, the issuer. <\/FONT><\/SPAN><\/FONT><\/SPAN><\/P> Issuer<\/FONT><\/SPAN> represents the URI of the STS: this is the address to which we will send our Request Security Token (RST) messages every time we’ll use the managed card. IssuerName<\/FONT><\/SPAN> is simply the menmonic name associated to it.<\/FONT><\/SPAN><\/FONT><\/SPAN><\/P> TokenServiceList<\/SPAN>\/<\/SPAN><\/FONT>TokenService<\/SPAN><\/SPAN> contains the data for obtaining the STS metadata, for contacting it securely and for authenticating incoming requests. <\/FONT><\/SPAN><\/FONT><\/SPAN><\/P> EndpointReference<\/SPAN> <\/SPAN><\/FONT> is a ws-addressing endpointreference, which contains again the STS endpoint; the Metadata<\/FONT><\/SPAN> section contains the address of the ws-MetadataExchange endpoint. Note the use of HTTPS: I explained the rationale behind it here<\/A>. <\/FONT><\/SPAN><\/FONT><\/SPAN><\/P> Identity<\/FONT><\/SPAN> contains the certificate associated to the STS, typically the same as the one used in the initial signature. <\/FONT><\/SPAN><\/FONT><\/SPAN><\/P> The UserCredential<\/SPAN><\/SPAN> is especially interesting. The element X509V3Credential<\/FONT><\/SPAN> presence determines the fact that this managed card is backed by an X509 certificate; the KeyIdentifier<\/FONT><\/SPAN> element contains a sure mean to unambiguoausly identify what is the certificate I want to use (I think it should be the base64 of the hash of the certificate). The DisplayCredentialHint<\/FONT><\/SPAN> element actually influences the way in which the user is prompted by the Identity Selector when the managed card is used: in thi case the issuer knows that the certificate will live on a smartcard, so the prompt text is designed accordingly. <\/FONT><\/SPAN><\/FONT><\/SPAN><\/P> <\/SPAN><\/FONT><\/SPAN> <\/P> <\/SPAN><\/FONT><\/SPAN> <\/P> <<\/SPAN>Signature<\/SPAN> <\/SPAN>xmlns<\/SPAN>=<\/SPAN>“http:\/\/www.w3.org\/2000\/09\/xmldsig#<\/SPAN>“><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN> <\/SPAN><<\/SPAN>SignedInfo<\/SPAN>><\/SPAN><\/SPAN><\/P> <\/SPAN><<\/SPAN>CanonicalizationMethod<\/SPAN> <\/SPAN>Algorithm<\/SPAN>=<\/SPAN>“http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#<\/SPAN>“ \/><\/SPAN><\/SPAN><\/SPAN><\/P> <\/SPAN><<\/SPAN>SignatureMethod<\/SPAN> <\/SPAN>Algorithm<\/SPAN>=<\/SPAN>“http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1<\/SPAN>“ \/><\/SPAN><\/SPAN><\/SPAN><\/P> <\/SPAN><<\/SPAN>Reference<\/SPAN> <\/SPAN>URI<\/SPAN>=<\/SPAN>“#_Object_InfoCard<\/SPAN>“><\/SPAN><\/SPAN><\/SPAN><\/P> <\/SPAN><<\/SPAN>Transforms<\/SPAN>><\/SPAN><\/SPAN><\/P> <\/SPAN><\/SPAN><<\/SPAN>Transform<\/SPAN> <\/SPAN>Algorithm<\/SPAN>=<\/SPAN>“http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#<\/SPAN>“ \/><\/SPAN><\/SPAN><\/SPAN><\/P> <\/SPAN><\/<\/SPAN>Transforms<\/SPAN>><\/SPAN><\/SPAN><\/P> <\/SPAN><<\/SPAN>DigestMethod<\/SPAN> <\/SPAN>Algorithm<\/SPAN>=<\/SPAN>“http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1<\/SPAN>“ \/><\/SPAN><\/SPAN><\/SPAN><\/P> <\/SPAN><<\/SPAN>DigestValue<\/SPAN>><\/SPAN>5TuCvlZNa6Jh2NGZZpxCDlGoS9c=<\/<\/SPAN>DigestValue<\/SPAN>><\/SPAN><\/SPAN><\/SPAN><\/P> <\/SPAN><\/<\/SPAN>Reference<\/SPAN>><\/SPAN><\/SPAN><\/P> <\/SPAN><\/SPAN><\/<\/SPAN>SignedInfo<\/SPAN>><\/SPAN><\/SPAN><\/P>
\n
\n
\n
\n
\n
In our example we assume that an hairdresser is issuing me a card that certifies that I have long hair, so that I can access the long hair club or have discounts for prog metal concerts (ah, would not be marvelous if it would be true? :-)). Since I have a smartcard, that I got from the same hairdresser, I will be asked to use it as second authentication factor whenever I will use my managed card. Since I’m a very curious person, as soon as I receive the file I open it with an XML editor and I take a look. You can find it later in the post text.<\/FONT><\/SPAN><\/P>
\n
\n
The content of InformationCard is not especially “hierarchical”, however it can be subdivided in categories that I color-coded: data about the card itself<\/FONT>, list of supported claims<\/FONT> and data about the issuer<\/FONT> which contains details about the II authentication factor<\/FONT>.
Let’s take a closer look at the elements in the various sections.<\/FONT><\/SPAN><\/P>
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n