Zend PHP Information Cards

Dr. Dobb's Journal is dear to my heart.  My wife Adele Freedman, an architecture critic, always used to point to the copies I left lying around and tell our friends, “Check it out.  It's amazing to watch him read it.  No two words fit together.”

But to me it was like candy.  So it was exciting to read the following article today on Dobb's Portal:

Microsoft and Zend Technologies have announced a collaboration to enable support for information cards by PHP developers through a component built for Zend Framework. Using this as a stand-alone component or as part of the Framework, PHP developers will be able to specify a Web site's security policy and accept information cards from trusted third parties.

“Microsoft and Zend are making a commitment to deliver information card support to PHP developers, which will reduce development costs and help make the Web safer and more secure for people,” said Vijay Rajagopalan, principal architect for Platform & Interoperability Strategy at Microsoft.

The cooperative work on information cards extends Microsoft's previous interoperability efforts in this area. Microsoft, in collaboration with Fraunhofer Institute FOKUS and ThoughtWorks, has developed open source interoperability projects on information cards for systems based on Java and Ruby.

“Web sites developed on ASP.NET can already accept information cards,” Rajagopalan explained. “With this work, a Java-based Web site, for example, built on the Sun Java System Web Server, Apache Tomcat or IBM WebSphere Application Server can now accept a digital information card for security-enhanced identity. A Web site built on Ruby on Rails can accept an information card. There is also an open source information card library project implemented in C, developed by Ping Identity Corp.”

Information about Microsoft open source interoperability identity card projects can be found at:

When support for information cards within the Zend Framework (an open source PHP application framework for developing Web applications and Web services) is enabled, users who access PHP-enabled Web sites will receive consistent user control of their digital identities and improved confidence in the authentication process for remote applications, all with greater security than password-based Web logins offer. Zend Technologies’ implementation of information cards lets users provide their digital identities in a familiar, security-enhanced way. They are analogous to business cards, credit cards or membership cards that people use every day.

I guess everyone familiar with this blog knows I've developed a deep affection for PHP myself, so I'm very happy to see this.

Burton Group goes to Mainstreet

In this cogent article, the New York Times’ Denise Caruso distinguishes herself with a compelling treatment of complex identity and privacy issues.  For instance, her characterization of Mint.com is enough to turn the Flying Nun into a paranoid: 

“In exchange for customers uploading their account information and allowing sponsors to offer them specialized services, Mint will connect nightly to their credit-card providers, banks and credit unions. Then it automatically updates transactions and accounts, balances their checkbooks, categorizes their transactions, compares cash with debt and, based on their personal spending habits, shops for better rates on new accounts and credit cards.”

I sure would like to know more about how mint.com protects itself, who oversees it, how it protects me, and most important, what it does and doesn't and will never do with the massively detailed personal information it collects.  Today, not even my accountant or my wife scrutinizes my credit card spending.

To the rescue

Just as the reader is losing all hope, in rides – are you ready? – Mike Neuenschwander from the Burton Group.   He puts forward the ideas all of us in the community are working on, but with a twist that is very novel – and perhaps even “American”:

“We’re in a situation where business holds all the cards… “Businesses put the deal in front of the consumer, they control the playing field and the consumer doesn’t have any say in how the deal plays out.”

ONE way to change this, he said, is to make people more like organizations.

To this end, Mr. Neuenschwander and his colleagues have floated the intriguing concept of the L.L.P.: the Limited Liability Persona. This persona would be a legally recognized virtual person in which users could “invest” the financial or identity resources of their choosing.

Once their individual personas are created, consumers would be able to use them as their legal “alter ego,” even in financial transactions. “My L.L.P. would have its own mailing address, its own tax ID number, and that’s the information I’d give when I’m online,” Mr. Neuenschwander said. Other benefits include the ability for “personas” to limit their financial exposure in ways that individuals cannot.

EPIC opposes Google / Doubleclick merger

Last week the Electronic Privacy Information Center (EPIC) made an agenda-setting intervention on the newest dangers in digital privacy. EPIC is perhaps the world’s most influential privacy advocacy group, and presented its brief to a US Senate hearing looking into Google’s proposed acquisition of Doubleclick.

According to USA Today,

“The Federal Trade Commission is already reviewing whether the Google-DoubleClick combination would violate antitrust law.  Consumer groups are pressing the agency to also scrutinize Google's privacy practices.  Marc Rotenberg, executive director of the Electronic Privacy Information Center, told the Senate committee that Google should be required to strengthen its privacy practices as a condition of the acquisition.”


New CardSpace Techie Blog

Caleb Baker, Ruchi Bhargava and a group of their colleagues on the CardSpace team have set up a new blog by techies for techies, called CardSpace: Behind the Code.  It warms my heart to see the team members reaching out to make direct contact with other developers and engineers who are adopting the technology or creating versions on other platforms.  So often developers in big companies are caught behind a wall of gauze.

They begin with a post that talks in depth about a change in CardSpace that I first announced in June here.  Basically, without in any way decreasing the security of high end sites, we have made it markedly easier for bloggers and others whose sites don't represent a financial honeypot to accept information cards:

“CardSpace in .Net Framework 3.0 required that sites deploying CardSpace always have a SSL certificate. This meant that every site that wanted to use CardSpace was forced to deploy an https site.

“Based on customer feedback, we have decided to relax this requirement for the next release of CardSpace (currently available in .NET Framework 3.5 Beta 2). We realize that there are some sites like blogs which would like to use CardSpace, but consider the SSL requirement to be a deployment blocker.

“Now, if you have a website that you want to add CardSpace support to, all you need to do is add the object tag to the page and you are done.

“In addition to requiring .Net Framework 3.5 beta 2 or later [on the windows client – Kim], a new version of icardie.dll is required to use this new feature. This will ship with Vista SP1 and an upcoming update to IE7.

“CardSpace does behave differently for http vs. https sites. When CardSpace is invoked from an http site, CardSpace will inform the user about the lack of an SSL connection and the security implication of this. (Also, note the new streamlined look of this window.)

[Image: CardSpace without SSL]

“In addition, managed card issuers can decide if the card they issued can be used on sites that do not support SSL. This can be done by adding the following element to the .crd file. If this element is specified then the card can only be used on a site that has a SSL certificate. The card will not ‘light up’ when the user is on an http site.

“A point to be noted is that cards that were issued for last release of CardSpace will light up on http sites as they will lack this new element. In that case, the IP STS can make a decision on whether to release a token based on the identity of the recipient sent in the RST message…”

[Continues with changes in algorithms here.]

In one of the posted comments, reader MathiasR tells the team:

“Great to hear that you are listening to our feedback :). Thanks!”

Meanwhile, the MSDN blog site they're on doesn't yet seem to show any signs of supporting Information Cards for leaving comments.  Maybe I'm just missing it, or maybe Caleb can drum up some info on when that is going to be turned on.

Start using DigitalMe for Mac

Over the weekend I installed “Digital Me for Mac” on my MacBook Pro and started using it with identityblog and other sites.  It's fast and totally does the trick.  I've made a micro video demo that gives you an idea of what it's like.

The install worked just as it should.  I ended up with a Bandit managed card – then went on to create a self-issued one so I wouldn't have to enter a password.  So now I can work on my site both from my Mac and my PCs.  I'm not sure if it works with Safari – I was using it with Firefox.

Grab them eyeballs! Any cred at all!

Want to deeply understand how OpenID would make our lives better on social networks? Check out this piece by Dare Obasanjo, a program manager within Windows Live.  But be prepared to be jolted.  According to Dare, there is indeed a promised land, but we won't be allowed into it.

Dare is responding to Wired's Slap in the Facebook:  It's Time for Social Networks to Open Up.  He talks about the common-sense economics of identity, then asks why “there seem to be more OpenID providers than there are consumers”, concluding:

Why would Facebook implement a feature that reduced their user growth via network effects? Why would MySpace make it easy for sites to extract user profile information from their service? Because openness is great? Yeah…right.

Openness isn’t why Facebook is currently being valued at $6 Billion…

Dare's explanation of how the big web properties see things is spot on.  But are they right? 

Linkage with CardSpace in Auditing Mode

As we said here, systems like SAML and OpenID work without any changes to the browser or client – which is good.  But they depend on the relying party and identity provider to completely control the movement of information, and this turns out to be bad. Why? Well, for one thing, if the user lands at an evil site it can take complete control of the client (let's call this “extreme phishing”) and trick the user into a lot of evil.

Let’s review why this is the case.  Redirection protocols have two legs.  In the first, the relying party sends the user’s browser to the identity provider with a request.  Then the identity provider sends the browser back to the relying party with a response.   Either one can convince the user it's doing one thing while actually doing the opposite.

It’s clear that with this protocol, the user’s system is “passive”. Services are active parties while the browser does what it is told.  Moreover, the services know the contents of the transaction as well as the identities and locations of the other service involved.  This means some classes of linkage are intrinsic to the protocol, even without considering the contents of the identity payload.
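
The two legs described above, as an added example that is not part of the original post: it builds both redirect URLs and shows what each service can read from them, and what the identity provider can compile over time. The parameter names follow OpenID 2.0; the hosts, the user identifier and the helper names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urlsplit

OP_ENDPOINT = "https://idp.example/auth"  # constructed identity provider

def leg1_request(return_to, claimed_id):
    """Leg 1: URL the relying party redirects the browser to."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
    }
    return OP_ENDPOINT + "?" + urlencode(params)

def leg2_response(leg1_url):
    """Leg 2: URL the identity provider redirects the browser back to.
    Signature and nonce fields are left out; they do not affect linkage."""
    req = _params(leg1_url)
    params = {
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": req["openid.claimed_id"],
        "openid.identity": req["openid.identity"],
    }
    sep = "&" if urlsplit(req["openid.return_to"]).query else "?"
    return req["openid.return_to"] + sep + urlencode(params)

def _params(url):
    """Decode the query string of a redirect URL into a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def idp_view(leg1_url):
    """What the identity provider learns from leg 1: (user, relying party)."""
    p = _params(leg1_url)
    return p["openid.claimed_id"], urlsplit(p["openid.return_to"]).hostname

def rp_view(leg2_url):
    """What the relying party learns from leg 2: (user, identity provider)."""
    p = _params(leg2_url)
    return p["openid.claimed_id"], urlsplit(p["openid.op_endpoint"]).hostname

def idp_linkage(leg1_urls):
    """Per-user list of relying parties the identity provider can compile."""
    seen = defaultdict(set)
    for url in leg1_urls:
        user, rp = idp_view(url)
        seen[user].add(rp)
    return {user: sorted(rps) for user, rps in seen.items()}

# Constructed sample traffic: one user signing in at two unrelated sites.
ALICE = "https://idp.example/id/alice"
SAMPLE = [
    leg1_request("https://blog.example/openid/return", ALICE),
    leg1_request("https://clinic.example/login/return?sid=7", ALICE),
]
```

Neither view depends on the identity payload: the linkage comes from the redirect addresses themselves, which is the sense in which it is intrinsic to the protocol.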

What changes with CardSpace?

CardSpace is based on a different protocol pattern in which the user’s system is active too.

Burton Group reports on user-centric interop

The Burton Group has posted its evaluation of the user-centric interopathon held at this year's Catalyst. The analyst is Bob Blakley, now with Burton and previously chief scientist for Security and Privacy at IBM Tivoli Software. 

Bob writes, “Prior to the event, there were some specifications, one commercial product, and a number of open-source projects.  After the event, it can accurately be said that there is a running identity metasystem.”

Boys scrap over Facebook

Jason Calacanis, CEO of Weblogs and Master of New Media, took the lid off a noisy can of worms this week when he declared Facebook Bankruptcy, exhausted by his Facebook chores of responding to endless invitations, requests and guilt trips.  In sum, he says, “Folks have just opted in to another out of control inbox…. I'm opting out.”

This was all too much for Scoble, whose river of crocodile tears led to “Calacanis can't keep up with Facebook”.  Scoble apparently manages more than 4,000 Facebook friends (including me – I'm down here somewhere) compared to Jason's mere 395, saying, “More of the best names in tech are on Facebook than any other social network I’m on.” and “Facebook is the new business card”.  He sees Facebook as new age marketing.  (Is this why half my homepage consists of Scoble videos? Just kidding…)

Nestled between the extremes is a piece by Rex Hammock, who I think gets it right when he says, “Facebook is a sandbox I’m playing in — but it has a long way to go before it can hope to be the world I live in.”

News on the Australian “Access Card”

Here is a report from The Australian about the issues surrounding Australia's Human Services Access Card.  Some of the key points: 

“By this time next year, the federal Government hopes to be interviewing and photographing 35,000 Australians each day to create the nation's first ID databank. Biometric photos, matched with names, addresses, dates of birth, signatures, sex, social security status and children's details, would be loaded into a new centralised database. Welfare bureaucrats, ASIO, the Australian Federal Police and possibly even the Australian Taxation Office would have some form of access to the unprecedented collection of identity data.

“Within three years, all Australians seeking benefits such as Medicare, pensions, childcare subsidies, family payments, unemployment or disability allowances – about 16.5 million people – would have joined the databank. They would be given a photographic access card to prove who they are and show their eligibility for social security.

“This week, however, the billion-dollar project hit a bump when Human Services Minister Chris Ellison revealed that legislation due to go before federal Parliament this month had been delayed…

“How will Australians’ privacy be protected? How will the database and cards be kept secure? Who can see information on the card? What identity documents will Australians need to acquire a card, and what will happen to the estimated 600,000 people without a birth certificate, passport or driver's licence?

“The Government's mantra is that this is not an ID card because it does not have to be carried, but users will have to show it to prove their identity when claiming welfare benefits…

“The Government claims the new system will stem between $1.6 billion and $3 billion in welfare fraud over the next decade…

“A key Government adviser, Allan Fels – a former chairman of the Australian Competition and Consumer Commission and now head of the Government's Access Card Consumer and Privacy Taskforce – is at loggerheads with Medicare, Centrelink and the AFP, who all want the new card to display the user's identification number, photograph and signature…

“The photo would be stored in a central database, as well as in a microchip that could be read by 50,000 terminals in government offices, doctors’ surgeries and pharmacies…

“Despite his official role as the citizens’ watchdog, Fels still has not seen the draft bill…

“‘The law should be specific about what is on the card, in the chip and in the database,’ he says. ‘If anyone in future wants to change that they would have to do nothing less than get an act of parliament through. We don't want a situation where, just by administrative decisions, changes can be made…’

“‘There will be no mega-database created that will record a customer's dealings with different agencies,’ the minister [Ellison] told the conference…

“Cardholders may be able to include sensitive personal information – such as their blood type, emergency contacts, allergies or illnesses such as AIDS or epilepsy – in the one-third of the microchip space that will be reserved for personal use. It is not yet clear who would have access to this private zone.

“Hansard transcripts of Senate committee hearings into the access card legislation reveal that police, spies and perhaps even the taxman will be able to glean details from the new database. The Department of Human Services admits the AFP will be able to obtain and use information from the databank and card chip to respond to threats of killing or injury, to identify disaster victims, investigate missing persons, or to ‘enforce criminal law or for the protection of the public revenue’.

“Australia's super-secretive spy agency, the Defence Signals Directorate, will test security for the new access card system…

“The Australian Privacy Foundation's no-ID-card campaign director, Anna Johnston, fears future governments could “misuse and abuse” the biometric databank…

(Full story…)

ID Cards can be deployed in ways that increase, rather than decrease, the privacy of citizens, while still achieving the goals of fraud reduction.  It's a matter of taking advantage of new card and crypto technologies.  My view is that politicians would be well advised to fund such products rather than massive centralized databases.

As for the Defence Signals Directorate's access to identity data, what has this got to do with databases offering generalized access to every curious official?  You would think they were without other means.