Is the WCS Privacy Statement for EV folks only?

Can anyone tell me if the link to a site’s privacy statement from the ‘First time at a site’ CardSpace screen (picture below) can be set by relying parties who don’t have an EV certificate? Finding documentation on this feature is ugly, since most Microsoft -based pages have a link at the bottom of the page entitled ‘privacy statement’ (referring to the site policy) — which horribly dilutes the search pool.

Update:  see the comments for the answer to my question (thanks Mark)

Here’s what I know. The ‘first time’ screen can be shown to a user for (at least) four reasons:

  • It really is the first time that CardSpace has seen the site.
  • If the user selects the “learn more about this site link” during regular use.
  • Any of the certificate details for that site change.
  • If “The site states that it has changed its privacy statement” (reference here).

How does that last bullet work? Does CardSpace detect a change in the privacy statement because the privacy statement is encoded in the EV certificate? If so, it sounds like a maintenance nightmare; do you have to re-install your certificate every time your privacy policy changes? If not, how exactly does a site “state” that it has changed its privacy statement? For that matter, how does a site state that it has one in the first place?

It is worth finding out, because if you as a site owner don’t have anything behind that privacy statement link, a user who clicks on the link will be told:

The site has declined to provide a privacy statement.

I hope there is a way for us peasant-cert types to populate the link – I can’t say that I’m excited about having my (potential) users thinking that I have declined to provide a privacy statement if the case happens to be that I am in reality unable to provide a privacy statement.

Thanks in advance to anyone who can help with this :)

2 thoughts on “Is the WCS Privacy Statement for EV folks only?

  1. In
    “A Guide to Supporting Information Cards within Web Applications and Browsers as of Windows CardSpace v1.0”

    there is

    4.2.6 privacyUrl (optional)

    This parameter specifies the URL of the human-readable privacy policy of the site, if provided.


    4.2.7 privacyVersion (optional)

    This parameter specifies the privacy policy version. This must be a value greater than 0 if a privacyUrl is specified. If this value changes, the UI notifies the user and allows them review the change to the privacy policy.

    Is this what you were looking for?

    There are analogous parameters in the WS-SecurityPolicy
    spec documenting CardSpace over WS-*.

  2. Thanks Mark, that is exactly what I was looking for!

    I obviously did not go through that document in enough detail, I’ll have to go back and see what other juicy detail I missed.

    Ask and ye shall receive :) Merci.


Comments are closed.