WinFX June CTP

http://sts.labs.live.com/ does not presently support the June CTP of WinFX, we are working on an update to the site that should be released in the near future.

There are also a couple of known issues with CardSpace (was InfoCard) in the June CTP:

• There is a known bug that affects X.509 certificate CRL checking and results in CardSpace thinking that the certificate is not trusted. It has been fixed in later builds of the product. In the meantime, the workaround is to install the site / service certificate into your CurrentUser / Trusted People store.
  
• If you experience problems launching the CardSpace UI, it's always worth checking the event log for additional information. If the error indicates that the UI could not be initialized and you also see multiple instances of the icardagt.exe process on your machine, then you've run into another known process management bug. This has also been fixed in later builds. The workaround for this issue is to kill all the running icardagt.exe processes using, for example, the Task Manager, then do "net stop idsvc" from a command prompt and try again.
  

InfoWorld Discovers the STS

InfoWorld has discovered the Microsoft Live Labs STS. This wasn't by design, we're keeping a low-profile at the moment while we work through early teething problems.

Speaking of which, we posted a Known Issues page today that covers some of the problems that you might experience when working with the site and the STS itself. We also tweaked the site a little to handle Windows Live ID authentication problems in a more graceful fashion.

Microsoft Live Labs STS

We've opened the doors on our experimental Security Token Service today, you can find all the details here.

For the moment, the focus of the STS is on using the InfoCard technology in WinFX Beta 2 to enable authentication with the STS and to obtain a security token from it (SAML 1.1).

Of course, an STS isn't much use without sites or services that use it for authentication, so we've also enabled the Microsoft Live Labs Relay Service to use the STS. Better still, we allow you to register your own site or service and federate with the STS yourself.

Over the coming weeks and months, we are planning a series of incremental feature releases for both the STS and the Relay service.

The official blog for the STS is here; the blog for the Relay is here.

WSE 3.0 RTM

WSE 3.0 will be available on MSDN for download this Monday, 7th November to coincide with the Visual Studio 2005 launch. This also includes two completely re-written Hands on Labs, a swath of samples in C# and VB along with updated whitepapers.

Congratulations to the team!

Identity Backgrounders

A couple of documents worth reading to get some context on what we're doing in the Identity space:

The Identity MetaSystem
The Laws of Identity

Moving On...Federation Calls...

I've been silent the last few months on WSE topics, the reason is actually simple: at the turn of the year I changed roles (was he pushed or did he jump?) to work on Active Directory Federation Server (ADFS) and InfoCard.

ADFS will ship as part of the Windows Server 2003 R2 release and implements the WS-Federation Passive Profile, over time ADFS will evolve to become a full-blown WS-Federation / WS-Trust Security Token Service. InfoCard, a system for managing your identities, will be part of Indigo.

Whilst I'm a little sad to have left WSE behind, I'm sure that Mark will do a good job of herding the cats for the next release.

SHA-1 Broken?

Bruce Schneier is reporting that SHA-1 has been broken. Interesting.

UsernameToken Security

Matt Powell links to an article by Keith Brown on UsernameToken security. Worth reading.

WSE 2.0 Hands On Lab Updated

The Hands On Lab materials for WSE have been updated for the WSE 2.0 SP2 release and now include VB.NET code as well as C#. If you're looking to get started with WSE 2.0, these provide some great grounding material.

WSE 2.0 SP2 Golden

Service Pack 2 is final and available on MSDN.

There was one additional fix between the Pre-Release and the final build involving policy processing for clients that do not send the WS-Addressing headers. In this case, request policy was being applied correctly but response policy would not be applied.

Please report any issues you find on the product to wsefeed.