Kapil Sachdeva, author of SmartCard Serenity, is an identity blogger from Axalto, which Gartner has called the world's leading supplier of microprocessor cards. These are innovative folks, who seemed to have no trouble at all putting full featured Java and .NET implementations into a credit card form factor… I find that sort of stuff amazing. So it will be interesting to see what they do with the Identity Metasystem.
Kapil has raised a couple of questions recently:
There is a nice blog from Andy Harjanto on InfoCard System so do not want to explain here the basic concepts. He has done a great job describing with some sample code all the elements of InfoCard system.
By the way, unfortuntately for us (but fortunately for Andy) he's gone to the (metaphorical) beach for a few weeks… He wanted to stay and work, of course, but what could he do? Anyway, Kapil continues:
I was recently playing with the Avalon and Indigo BETA SDK to see the InfoCard systems in action. There is something which may be confusing (seems like today I am going to talk only about confusions 🙂 ) to some people. With Indigo comes a Windows service called Microsoft Digital Identity service (InfoCard system) which displays a GUI where you could create sets of attributes. These sets are called “Cards”. Lot of people will take this to be “InfoCards”.
Yes, the user is really editing a set of claims forming a self-asserted digital identity that is then represented by an associated InfoCard. Our naming isn't clear enough yet.
Kapil continues:
An InfoCard is just a metadata which says what is the authentication mechanism to be used at STS .. what are supported claims at STS etc. It does not contain the data or attributes about user.
This is exactly right.
Microsoft InfoCard 1.0 Beta 1 GUI displays digital identities of user and not the Info cards. Wish there is a better word MSFT can use for these set of attributes instead of “Cards” to avoid possible confusion.
Well, the question is, does the user have to know about the metadata connecting the InfoCard to the Identity Provider? I don't think so. Therefore we “dereference” the metadata and show the underlying identity information. Developers might find this confusing at first, but what do developers like better than a level of indirection????
Here's our thinking. The InfoCards contain “metadata” just as Kapil says. But when a user looks at an InfoCard, we don't show her the metadata (which would be meaningless to her). Instead, we use the metadata to procure a token, and show the information the identity provider is capable of releasing (in other words the set of claims that go along with that identity).
The user experience is that when they examine the InfoCard they see the contents of the token it is capable of releasing (expressed as a set of attributes).
In the case of self-asserted InfoCards, not only can the user see the related attributes – she can also edit those attributes.
Those who understand the details of the technology will know that the InfoCard is itself metadata, and the user is really examining and even editing the set of claims pointed to by the InfoCard. In the old ‘C’ days we would have said:
userView = *InfoCard;
Does this help?
