Security problem about the certificate
Hi,
I think there may be a problem with the smartcard. This is because when the smartcard is inserted, the X.509 certificate is extracted from the smartcard and installed into the local machine/personal store. In this way, the certificate can be used for sending to the STS.
However, the certificate is not removed even when the smart card is no longer present. Subsequently, when other users who are trying to cheat the system log in using the previous user's smartcard InfoCard, they are able to send the InfoCard successfully. This occurs simply because the certificate is still present after use.
I would recommend that the next version of CardSpace delete the certificate after use. I believe this would give the user more of a sense of security.
Apart from that, I find it very strange that the CardSpace Identity Selector does not prompt me for the password in order to extract the private key. I am not sure whether it is because I am using the "AnonymousForCertificate" security binding. This leaves me very confused as to whether the user has signed the message to the STS.
<security authenticationMode="AnonymousForCertificate"/>
Please enlighten me.
Cheers!
Ronghwa.

