Hey, I hope someone is still monitoring this thread...

There seems to be precious little information about the life-cycle of an InfoCard. From what I have seen/read, the life-cycle of an InfoCard seems strikingly similar to a digital certificate, and implementing digital certificate life-cycle solutions is notoriously difficult and expensive. Is there any information on this aspect of the solution? - provisioning, renewal, revocation and roll-over of credentials in the InfoCard framework doesn't seem to be discussed anywhere...

I also see the, not very talked about, step of user authentication to the Identity Provider as critical to the usability of the solution. At this point the user is asking the Identity Provider to generate a security token for the Relying Party. The user has to prove they are who they say they are somehow. Password and Active Directory have been mentioned very briefly. How do developers of this class of security component plug into the framework to build enhanced solutions?

It seems that InfoCard is all about authentication of the user and the provisioning of information that the Identity Provider holds. Can InfoCard be used when I want someone to authenticate to gain access to my service, then (this is the critical bit) I want them to prepare some ad-hoc data and deliver it to me in a way that I can rely on? I know I can use public key cryptography (sign and/or encrypt the data) right now, but does InfoCard provide me with any new tools to achieve the same outcome? I certainly don't want the user to send the data to the Identity Provider so that it can be packaged in a security token.

Thanks.
T