3rd International ICST Symposium on Information Assurance and Security

Research Article

Addressing privacy issues in CardSpace

  • @INPROCEEDINGS{10.1109/IAS.2007.12,
        author={ Waleed  A. Alrodha and Chris  J. Mitchell},
        title={Addressing privacy issues in CardSpace},
        proceedings={3rd International ICST Symposium on  Information Assurance and Security},
        keywords={Authentication  Credit cards  Cryptography  Identity management systems  Information security  Large-scale systems  Performance analysis  Privacy  Web and internet services},
  • Waleed A. Alrodha
    Chris J. Mitchell
    Year: 2007
    Addressing privacy issues in CardSpace
    DOI: 10.1109/IAS.2007.12
Waleed A. Alrodha1,*, Chris J. Mitchell1,*
  • 1: Royal Holloway, University of London, Egham, Surrey, TW20 0EX, United Kingdom
*Contact email: W.A.Alrodhan@rhul.ac.uk, C.Mitchell@rhul.ac.uk


CardSpace (formerly known as InfoCard) is a Digital Identity Management system that has recently been adopted by Microsoft. In this paper we identify two security flaws in CardSpace that may lead to a serious privacy violation. The first flaw is the reliance on Internet user judgements of the trustworthiness of service providers, and the second is the reliance of the system on a single layer of authentication. We also propose a solution designed to address both flaws. Our solution is compatible with the currently deployed CardSpace identity metasystem, and should enhance the privacy of the system with minor changes to the current CardSpace framework. We also provide a security and performance analysis of the proposed solution.