Can anyone tell me if the link to a site’s privacy statement from the ‘First time at a site’ CardSpace screen (picture below) can be set by relying parties who don’t have an EV certificate? Finding documentation on this feature is ugly, since most Microsoft-based pages have a link at the bottom of the page entitled ‘privacy statement’ (referring to the site policy) — which horribly dilutes the search pool.
Update: see the comments for the answer to my question (thanks Mark)
Here’s what I know. The ‘first time’ screen can be shown to a user for (at least) four reasons:
- It really is the first time that CardSpace has seen the site.
- If the user selects the “learn more about this site link” during regular use.
- Any of the certificate details for that site change.
- If “The site states that it has changed its privacy statement” (reference here).
How does that last bullet work? Does CardSpace detect a change in the privacy statement because the privacy statement is encoded in the EV certificate? If so, it sounds like a maintenance nightmare; do you have to re-install your certificate every time your privacy policy changes? If not, how exactly does a site “state” that it has changed its privacy statement? For that matter, how does a site state that it has one in the first place?
It is worth finding out, because if you as a site owner don’t have anything behind that privacy statement link, a user who clicks on the link will be told:
The site has declined to provide a privacy statement.
I hope there is a way for us peasant-cert types to populate the link – I can’t say that I’m excited about having my (potential) users thinking that I have declined to provide a privacy statement if the case happens to be that I am in reality unable to provide a privacy statement.
Thanks in advance to anyone who can help with this :)
In http://msdn2.microsoft.com/en-us/library/aa480726.aspx
“A Guide to Supporting Information Cards within Web Applications and Browsers as of Windows CardSpace v1.0”
there is
4.2.6 privacyUrl (optional)
This parameter specifies the URL of the human-readable privacy policy of the site, if provided.
and
4.2.7 privacyVersion (optional)
This parameter specifies the privacy policy version. This must be a value greater than 0 if a privacyUrl is specified. If this value changes, the UI notifies the user and allows them review the change to the privacy policy.
Is this what you were looking for?
There are analogous parameters in the WS-SecurityPolicy spec documenting CardSpace over WS-*.
Thanks Mark, that is exactly what I was looking for!
I obviously did not go through that document in enough detail, I’ll have to go back and see what other juicy detail I missed.
Ask and ye shall receive :) Merci.
Pam
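A pre-deployment check for the rule quoted from sections 4.2.6 and 4.2.7 above, written as an added example (it is not code from the post, its comments, or Microsoft's guide). The `application/x-informationCard` object type and the `privacyUrl`/`privacyVersion` parameter names are the ones that guide defines; the function names, the sample markup and `rp.example.com` are constructed for illustration.

```python
from html.parser import HTMLParser

CARD_TYPE = "application/x-informationcard"  # MIME type of the CardSpace <object>

class CardParams(HTMLParser):
    """Collect the <param> name/value pairs of each information card <object>."""
    def __init__(self):
        super().__init__()
        self.cards, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "object" and (a.get("type") or "").lower() == CARD_TYPE:
            self._cur = {}
        elif tag == "param" and self._cur is not None:
            self._cur[a.get("name")] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "object" and self._cur is not None:
            self.cards.append(self._cur)
            self._cur = None

def check_privacy_params(html):
    """Return (object_index, problem) pairs for the privacy parameters."""
    parser = CardParams()
    parser.feed(html)
    problems = []
    for i, card in enumerate(parser.cards):
        url = card.get("privacyUrl", "").strip()
        version = card.get("privacyVersion", "").strip()
        if not url:
            # With nothing behind the link, the user is told the site declined.
            problems.append((i, "no privacyUrl"))
        elif not (version.isdecimal() and int(version) > 0):
            # 4.2.7: must be greater than 0 whenever privacyUrl is specified.
            problems.append((i, "privacyVersion must be greater than 0"))
    return problems

# Constructed sample page: three card objects on a hypothetical relying party.
SAMPLE = """
<object type="application/x-informationCard" name="xmlToken">
  <param name="privacyUrl" value="https://rp.example.com/privacy.html">
  <param name="privacyVersion" value="2">
</object>
<object type="application/x-informationCard" name="xmlToken">
  <param name="privacyUrl" value="https://rp.example.com/privacy.html">
</object>
<object type="application/x-informationCard" name="xmlToken"></object>
"""
```

Only the first object in the sample passes; incrementing its `privacyVersion` whenever the policy text changes is what makes the selector notify the user, per 4.2.7.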