http://www.codeplex.com/informationcardruby/WorkItem/List.aspxinformationcardruby Work Item Rss Descriptionhttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=1013Reminder to investigate the logging strategy for information card ruby.<br/>Comments: Migrating off of CodeplexjoepoonMon, 25 Jun 2007 18:48:05 GMTCLOSED TASK: Logging strategy 20070625064805Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=1012As a user, it'd be nice if the fields (ex. username, email address) would populate from the claims in the information card (if present).<br/>Comments: Migrating off of CodeplexjoepoonMon, 25 Jun 2007 18:48:04 GMTCLOSED FEATURE: Auto-populate user fields on registration with information card 20070625064804Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=471This is a reminder to review the performance - epescially when it comes to parsing & examing the encrypted and SAML tokens.<br/>Comments: Migrating off of CodeplexjoepoonMon, 25 Jun 2007 18:48:04 GMTCLOSED TASK: Performance Review 20070625064804Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=470Examine the security vulnerabilities to exercise due diligence when providing a plugin/library that performs user authentication for sites.<br/>Comments: Migrating off of CodeplexjoepoonMon, 25 Jun 2007 18:48:03 GMTCLOSED TASK: Security Review / Threat Model 20070625064803Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=469Should the SAML document be validated against a schema?<br/><br/>Also, the schema does not allow "colons" in the AssertionID, yet the SAML tokens generated have "colons."<br/>Comments: Migrating off of CodeplexjoepoonMon, 25 Jun 2007 18:48:01 GMTCLOSED TASK: Validate SAML Schema 20070625064801Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=458As a developer, I would like to support both http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p and http://www.w3.org/2001/04/xmlenc#rsa-1_5 algorithms for decrypting the incoming information card token.<br/>Comments: Migrating off of CodeplexjoepoonMon, 25 Jun 2007 18:48:00 GMTCLOSED TASK: Support encryption algorithms 20070625064800Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=457As a developer, I would like the library to support scenarios where the public key of the identity provider uses x509 certificates.<br/>Comments: Migrating off of CodeplexjoepoonMon, 25 Jun 2007 18:47:59 GMTCLOSED TASK: Support x509 certificates in SAML KeyInfo 20070625064759Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=456As a developer, I would like the library to protect the end user from replay attacks (ensure that the assertion id has not been used within the same window before).<br/>Comments: Migrating off of CodeplexjoepoonMon, 25 Jun 2007 18:47:58 GMTCLOSED TASK: Protect against replay attacks 20070625064758Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=453s a developer, I would like a mechanism for detecting if the user is using an information card enabled browser.<br/><br/>Script code can detect browser support for Information Cards within Internet Explorer by testing the userAgent string to determine whether the browser version is greater than or equal to "MSIE 7.0". A second issue with Internet Explorer 7 is that the Information Card support might not be installed (because Microsoft .NET Framework 3.0 is not installed on the machine). This can be detected within the browser by using the "isInstalled" property on the Information Card OBJECT from scripting code. .NET 3.0 installation can be detected on web servers by testing whether the userAgent string contains ".NET CLR 3.0".<br/><br/>For example, the userAgent string on a Windows XP machine using IE 7 and .NET 3.0 will contain at least these elements:<br/><br/>MSIE 7.0; Windows NT 5.1; .NET CLR 3.0.04506.30<br/>Comments: Migrating off of CodeplexjoepoonMon, 25 Jun 2007 18:47:58 GMTCLOSED FEATURE: Detect for information card enabled browser 20070625064758Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=452As a developer, I would like the option of specifying the security policy via XHTML syntax (as opposed to OBJECT tags) to handle the scenarios where OBJECT tags are not supported.<br/>Comments: Migrating off of CodeplexjoepoonMon, 25 Jun 2007 18:47:57 GMTCLOSED FEATURE: Specify policy via XHTML Syntax 20070625064757Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=451As a developer, I would like to specify the security policy via WS-SecurityPolicy.<br/><br/>The most straight forward way to specify the policy is via HTML extensions which signal to the browser when to invoke the Identity Selector.<br/><br/>http://msdn2.microsoft.com/en-us/library/aa480726.aspx<br/>Comments: Migrating off of CodeplexjoepoonMon, 25 Jun 2007 18:47:57 GMTCLOSED FEATURE: Specify policy via WS-SecurityPolicy 20070625064757Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=450As a developer, I would like to have a guideline as to how to support information cards on my rails site.<br/>Comments: Migrating off of CodeplexjoepoonMon, 25 Jun 2007 18:47:56 GMTCLOSED FEATURE: Guideline for integrating library / plugin to your rails site 20070625064756Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=432As a developer, I would like for the SAML token to provide me a unique ID such that I can identify this user in the database.<br/><br/>To identify a user, a unique id will be generated from the received SAML token. This could be generated from as hash of the Issuer's key + PPID (Identification Claim type).<br/><br/>A question that is up for discussion is what happens if the PPID is not a required claim? What would the uniqueID resolve to?<br/>Comments: Migrating off of CodeplexjoepoonMon, 25 Jun 2007 18:47:53 GMTCLOSED TASK: Generate unique ID from SAML token 20070625064753Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=454As a developer, I would like the user to be redirected to https:// in the case they enter http://, as information cards require SSL.<br/>Comments: Moved from deleted structure information_card_authentication 0.2.0joepoonMon, 25 Jun 2007 18:32:14 GMTCOMMENTED FEATURE: Redirect user to SSL 20070625063214Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=450As a developer, I would like to have a guideline as to how to support information cards on my rails site.<br/>Comments: Moved from deleted structure information_card_authentication 0.2.0joepoonMon, 25 Jun 2007 18:32:14 GMTCOMMENTED FEATURE: Guideline for integrating library / plugin to your rails site 20070625063214Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=451As a developer, I would like to specify the security policy via WS-SecurityPolicy.<br/><br/>The most straight forward way to specify the policy is via HTML extensions which signal to the browser when to invoke the Identity Selector.<br/><br/>http://msdn2.microsoft.com/en-us/library/aa480726.aspx<br/>Comments: Moved from deleted structure information_card_authentication 0.2.0joepoonMon, 25 Jun 2007 18:32:14 GMTCOMMENTED FEATURE: Specify policy via WS-SecurityPolicy 20070625063214Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=452As a developer, I would like the option of specifying the security policy via XHTML syntax (as opposed to OBJECT tags) to handle the scenarios where OBJECT tags are not supported.<br/>Comments: Moved from deleted structure information_card_authentication 0.2.0joepoonMon, 25 Jun 2007 18:32:14 GMTCOMMENTED FEATURE: Specify policy via XHTML Syntax 20070625063214Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=453s a developer, I would like a mechanism for detecting if the user is using an information card enabled browser.<br/><br/>Script code can detect browser support for Information Cards within Internet Explorer by testing the userAgent string to determine whether the browser version is greater than or equal to "MSIE 7.0". A second issue with Internet Explorer 7 is that the Information Card support might not be installed (because Microsoft .NET Framework 3.0 is not installed on the machine). This can be detected within the browser by using the "isInstalled" property on the Information Card OBJECT from scripting code. .NET 3.0 installation can be detected on web servers by testing whether the userAgent string contains ".NET CLR 3.0".<br/><br/>For example, the userAgent string on a Windows XP machine using IE 7 and .NET 3.0 will contain at least these elements:<br/><br/>MSIE 7.0; Windows NT 5.1; .NET CLR 3.0.04506.30<br/>Comments: Moved from deleted structure information_card_authentication 0.2.0joepoonMon, 25 Jun 2007 18:32:14 GMTCOMMENTED FEATURE: Detect for information card enabled browser 20070625063214Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=456As a developer, I would like the library to protect the end user from replay attacks (ensure that the assertion id has not been used within the same window before).<br/>Comments: Moved from deleted structure information_card_authentication 0.2.0joepoonMon, 25 Jun 2007 18:32:14 GMTCOMMENTED TASK: Protect against replay attacks 20070625063214Phttp://www.codeplex.com/informationcardruby/WorkItem/View.aspx?WorkItemId=469Should the SAML document be validated against a schema?<br/><br/>Also, the schema does not allow "colons" in the AssertionID, yet the SAML tokens generated have "colons."<br/>Comments: Moved from deleted structure information_card_authentication 0.2.0joepoonMon, 25 Jun 2007 18:32:14 GMTCOMMENTED TASK: Validate SAML Schema 20070625063214P