SELF-ISSUED INFOCARD TUTORIAL AND DEMO


This tutorial includes a demo, an explanation of how Self-Issued InfoCard identity tokens work, and sample PHP code allowing you to accept these tokens at a web site.

One of the key goals of InfoCard and the Identity Metasystem is to put the release of identity information under the direct control of computer users.  At the same time, the system respects the right of a web site to say what information it requires to grant entry.  The accompanying demo shows how InfoCards help bring the two sides of this equation together in a way that accords with the Laws of Identity.

Information Card technology can be used to manage the exchange of any kind of token.  CardSpace's self-issued tokens use the SAML format.  With this format, identity information sent to a site is “signed” to guarantee that it really comes from whoever originates the “claims” in the identity token.  Then, to protect the user's information during release, it is encrypted so only that site can get at it.

How can the identity provider encrypt the information destined for your web site?  You need a public key and certificate.  In the current version of InfoCard this has to be an SSL certificate (mine cost me under $20), and your web server needs to be able to support https.  Identity tokens sent to you will be encrypted under the same key your system uses for https.  If people need help with this, let me know and I'll add instructions to this tutorial.

I wrote my sample code in PHP 5 (I had a 4.2 version running at one point, but didn't want to keep two versions going).  If you wonder why I chose PHP, I wanted it to be clear that InfoCards are not Windows-specific.  You need to make sure your version of PHP has the mcrypt and openssl libraries enabled.  (By way of example, these libraries are part of the default environment at TextDrive, my excellent web site host.)
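A simplified model of the sign-then-encrypt flow described above, added here as an example and not part of the tutorial's downloadable PHP files; it uses only PHP's openssl extension and a plain string instead of real SAML/XML. The key pairs, the claim string, the function names and the choice of AES-256-CBC with RSA-OAEP key wrapping are assumptions made for illustration; the site key stands in for the one behind the site's SSL certificate.

```php
<?php
// Added illustration, not the tutorial's sample code. Real tokens are SAML
// carried in XML Signature / XML Encryption; this keeps only the crypto steps.

function new_rsa_key() {
    // Constructed throwaway key pair (needs a working openssl.cnf).
    return openssl_pkey_new(array('private_key_bits' => 2048,
                                  'private_key_type' => OPENSSL_KEYTYPE_RSA));
}
function public_pem($key) {
    $details = openssl_pkey_get_details($key);
    return $details['key'];
}

// Identity provider side: sign the claims, then encrypt them for one site.
function protect_token($claims, $idpKey, $sitePublicPem) {
    if (!openssl_sign($claims, $sig, $idpKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    $signed = json_encode(array('claims' => $claims, 'sig' => base64_encode($sig)));
    $aesKey = openssl_random_pseudo_bytes(32);   // fresh symmetric key per token
    $iv     = openssl_random_pseudo_bytes(16);
    $body   = openssl_encrypt($signed, 'aes-256-cbc', $aesKey, OPENSSL_RAW_DATA, $iv);
    // Only the holder of the site's private key can unwrap the AES key.
    if (!openssl_public_encrypt($aesKey, $wrapped, $sitePublicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('key wrap failed');
    }
    return array('key' => $wrapped, 'iv' => $iv, 'body' => $body);
}

// Relying site side: unwrap, decrypt, then verify before trusting any claim.
function open_token($token, $siteKey, $idpPublicPem) {
    if (!openssl_private_decrypt($token['key'], $aesKey, $siteKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        return null;                             // not encrypted for this site
    }
    $signed = openssl_decrypt($token['body'], 'aes-256-cbc', $aesKey, OPENSSL_RAW_DATA, $token['iv']);
    $parts  = ($signed === false) ? null : json_decode($signed, true);
    if (!is_array($parts) || !isset($parts['claims'], $parts['sig'])) {
        return null;
    }
    $ok = openssl_verify($parts['claims'], base64_decode($parts['sig']), $idpPublicPem, OPENSSL_ALGO_SHA256);
    return $ok === 1 ? $parts['claims'] : null;  // reject unsigned or altered claims
}

$site = new_rsa_key(); $other = new_rsa_key(); $idp = new_rsa_key();
$token = protect_token('givenname=Alice', $idp, public_pem($site));
var_dump(open_token($token, $site,  public_pem($idp)));  // opened with the intended site's key
var_dump(open_token($token, $other, public_pem($idp)));  // opened with a different site's key
```

CBC mode by itself gives no integrity protection, so the signature check after decryption is what tells the site the claims were not altered.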

I would suggest you approach this tutorial as follows:

  1. Watch the demo.  Use this version for Windows Media Player.  (If your system complains that it requires the Techsmith Screen Capture Codec [TSCC], pick it up here.)  If you can't use TSCC, try the much fatter Quicktime version (double-click on the demo to start it).
  2. Learn about the Encrypted SAML Token, and then how to decrypt it to reveal the signed token.
  3. Learn about the Signed Token, and how to verify it.
  4. Look at the sample HTML page and mainline that constitutes the demo.

You can download the sample PHP files here (I updated them to V3 in June 2007 to make the code compatible with the shipping version of Vista, and at the same time embrace the new OASIS claims names.)

I'll be evolving this work over the next little while, so let me know about anything that is unclear or not pitched at the right level.

People have asked if I'll be putting this tutorial into .pdf format.  I will, once I've received a bit more feedback.  In particular, I'm hoping some PHP gurus will look things over – this is my first PHP project.

I've also been asked what intentions I have for this code. My only goal is to share information as widely as possible.

FIND YOUR SECRETS ON THE WEB

Check out this amazing piece at Computerworld.  It boggles the mind.  To whet your appetite:

APRIL 12, 2006

Broward County, Fla., Maricopa County, Ariz., Fort Bend County, Texas. Three counties separated by hundreds of miles with something in common: They’re among potentially hundreds of counties in several states that in recent years have made Social Security numbers, driver's license information, bank account numbers and a variety of other personally sensitive data belonging to residents available to anyone in the world with Internet access.

The exposure follows the failure to redact sensitive information from land records and other public documents posted on the Internet and makes county Web sites a veritable treasure trove of information for identity thieves and other criminals, according to a number of privacy advocates.

“These sites are just spoon-feeding criminals the information they need,” said B.J. Ostergren, a privacy advocate based in Richmond, Va. “But no one appears to be seeing it and nobody’s changing the laws,” she said.

Among the pieces of personally identifiable information from county Web sites made available to Computerworld by Ostergren and other privacy advocates were: Rep. Tom Delay’s Social Security number on a tax lien document; the Social Security numbers for Florida Gov. Jeb Bush and his wife on a quit claim deed from 1999; driver’s license numbers, addresses, vehicle registration information, height and race of individuals arrested for traffic violations; names and dates of birth of minors from final divorce decrees and family court documents; and even complete copies of death certificates with Social Security numbers, dates of birth and cause of death. (The Social Security numbers for Bush and his wife have been redacted and are no longer available online.)

“All of this information is available to anyone sitting in a cafe in Nigeria or anywhere else in the world,” said David Bloys, a retired private investigator who publishes a newsletter called “News for Public Officials” in Shallowater, Texas. “It’s a real security threat.”

The article includes a calming quote from Darity Wesley, CEO of Privacy Solutions, a privacy consultancy for the real estate industry based in San Diego.

“There’s a real need to keep the information flowing,” Wesley said, adding that while there’s a real need to protect data “at all costs,” there’s little evidence so far that the public availability of personal information on government sites has contributed to identity theft. For most identity thieves, the effort involved in sifting through millions of public records for sensitive information is simply not worth it, she said.

“There’s a lot of value in public records, and shutting down access to them” over privacy concerns would be a step backward, she said. “Rather than wrap a lot of fear and sensationalism” around the issue, what is needed is an informed discussion of the issue by legislators and privacy advocates.

This is a good example of how simply transferring a manual process to the virtual world can result in a whole new level of invasiveness and threat.

“I understand people’s concerns, but a lot of this information has been freely available for public inspection since Plymouth Rock,” said Carol Fogelsong, the assistant comptroller for Orange County, Fla.

Even so, privacy advocates say the move to post public records on the Web without removing personally identifiable information has greatly broadened access to sensitive data and the potential for misuse. “The simple truth is these records were safe in the courthouse for 160 years,” Bloys said. Now, all it takes is Internet access and a very rudimentary idea of how to look for data to find all sorts of information, he said.

Ostergren, for instance, claims to have harvested more than 17,000 Social Security numbers simply by “messing around” in county Web sites over the past two years. Among the countless nuggets Bloys turned up was the complete medical history of a terminally ill county official.

Finally, if you worry that this type of attack seems like too much work for an identity thief, console yourself:

It is not always necessary to search for data, since online records often can be purchased in bulk for a fraction of what it would cost to buy them from a courthouse, Bloys said. One example: Fort Bend County, Texas, last year sold to a Florida company every document ever filed with the county clerk’s office — estimated to be around 20 million — for roughly $2,500. Bloys wrote about the transaction in his newsletter in December. Fort Bend County officials did not immediately return a call seeking comment.