Microsoft fixes CardSpace validation flaw

Microsoft says it has fixed a certification chain validation issue with CardSpace. In his blog, Rob Franco, lead program

manager of CardSpace writes that the original version of CardSpace reject some legitimate SSL sites. "Sometimes CardSpace couldn’t validate the intermediate certificates in the certificate chain because of a disconnect with the browser’s certificate store. If intermediate certificates aren’t installed on a user’s computer, most browsers use the certificate obtained from the site to reconstruct the whole chain and show the user they are at an SSL site. CardSpace, as it turns out, was not able to get the missing certificates," he explained. Franco says the issue has been fixed for IE (the update was included in the October 2007 IE security update and a fix for the Firefox add-on is available here.

Recent CardSpace news:

Microsoft's Credentica purchase helps it sprint ahead of OpenID

Why won't Microsoft commit to identity management standards?

More Micronet blog posts:

Users complain of problems downloading Windows Vista SP1

Apple Fixes Open Source Vulnerabilities

Hyper-V Leaves Linux Out In The Cold

Microsoft, Intel pump $20M into parallel computing initiative with universities

The 20 most useful Microsoft sites for IT pros

Troubleshooting IP Networks for Microsoft exams

An insider's look at Microsoft Systems Management

Tips, tools and advice for Microsoft VoIP

Microsoft PowerShell and security, under the hood

Enterprise deployment guides for Vista SP1

What you can and cannot do in Server Core

Windows Server 2008 Management and Maintenance tips

Mitchell Ashley's Converging on Microsoft blog

Mitchell Ashley's Converging on Microsoft podcast

Marvelous March giveaways from Microsoft Subnet and Cisco Subnet

All Micronet blog posts

Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.