Information Cards – Page 7 – Kim Cameron's Identity Weblog

Apache Authentication Module for CardSpace

Yesterday I referred to a mind-altering announcement from Ping Identity Corporation. I think it's a key piece of the identity puzzle. Since it's obvious that this is a big accomplishment and that he's played a major role in it, I'll quote Ashish Jain's Identity TIcker blog:

Thanks to the efforts of our labs team, we finally have the â€˜Apache Authentication Module for CardSpaceâ€˜ available for download .

Here is the product description from the SourceID website:

â€œThe Apache Authentication Module for CardSpace is an open source module that allows applications using an Apache server for hosting or proxy to use Information Cards as an additional authentication mechanism. It allows the Apache applications to act as CardSpace relying parties (RP) by means of simple configuration. The module is responsible for decrypting the tokens submitted by CardSpace, retrieving the claims and making them available for the applicationsâ€™ use.â€

The idea behind this is simple. If you have an application that is deployed on an Apache server and you want to CardSpace-enable it, drop in the module (along with the dependencies), change the httpd.conf and your application should have access to the claims in the infocard.

The post includes proof that these guys were coding twenty-four hours a day.

To my mind this is really huge. I wonder if one day we'll see it become a part of Apache, just like the password and digest authentication modules.

The whole cardspace processing can be a black box for the administrators

The module puts the attributes in the session. So if you have a PHP application, you can do the following to retrieve the attributes

$email = $_ENV[‘auth_infocard_env_emailaddress’]
$ppid = $_ENV[‘auth_infocard_env_privatepersonalidentifier’]

The same thing works in any other programming language, since they all give you access to your environment variables.

So this is pretty much as simple as it gets. I hope everyone with a product that runs on Apache will look at this.

But wait! There's more! When I wrote to Ashish to congratulate him on this development, he added:

We also have a .jar file for java that serves the similar purpose (we internally refer it as the cardspace-magic.jar and we will open source some day). Same ideaâ€¦drop the .jar file in, then:

xmltoken in -> attributeâ€™s map out

So if you use Java, you can go that way too.

But wait! There's still more!!

Yes, folks, Ping Identity is actually showing a demo at RSA of some of the very ideas we've been discussing over the last couple of days. Namely, use of CardSpace to log in to OpenID sites. I'll do another post to sow you some screen shots.

CardSpace / OpenID Collaboration Announcement

As an outcome of the discussions that have been taking place here in the Blogosphere – and in-person meetings – it is exciting to convey the following joint announcement by JanRain, SXIP Identity, VeriSign and Microsoft:

JanRain, Microsoft, Sxip, and VeriSign will collaborate on interoperability between OpenID and Windows CardSpaceâ„¢ to make the Internet safer and easier to use. Specifically:

As part of OpenIDâ€™s security architecture, OpenID will be extended to allow relying parties to explicitly request and be informed of the use of phishing-resistant credentials.

Microsoft recognizes the growth of the OpenID community and believes OpenID plays a significant role in the Internet identity infrastructure. Kim Cameron, Chief Architect of Identity at Microsoft, will work with the OpenID community on authentication and anti-phishing.

JanRain, Sxip, and VeriSign recognize that Information Cards provide significant anti-phishing, privacy, and convenience benefits to users. Information Cards, based on the open WS-Trust standard, are available though Windows CardSpaceâ„¢.

JanRain and Sxip, leading providers of open source code libraries for blogging and web sites, are announcing they will add support for the Information Cards to their OpenID code bases.

JanRain, Sxip and VeriSign plan to add Information Card support to future identity solutions.

Microsoft plans to support OpenID in future Identity server products

The four companies have agreed to work together on a “Using Information Cards with OpenID” profile that will make it possible for other developers and service providers to take advantage of these technology advancements.

Dick Hardt, Sxip Identity
Kim Cameron, Microsoft
Michael Graves, VeriSign
Scott Kveton, JanRain

Ping will show OpenID / CardSpace integration

According to this post, Ashish Jain at Ping has a new prototype of how CardSpace / OpenID integration will work in their evolving product. It seems to be a continuation of the work they've already done with SAML / CardSpace integration – only now, the OpenID protocol has been added to the metasystem mix.

Come to think of it, isn't Dick Hardt's Whobar pretty close to having this capability as well? So I think a number of us have wanted to integrate this work for some time, but recently it has become more obvious what the advantages are.

Anyway, if you haven't read Ashish's piece:

Kim posted a pretty good description of how CardSpace and OpenID can interact. This has been talked about for a while and Kim did a great job of describing it.

In short, I agree. In fact, if you want to see a demo of what Kim describes, please stop by Ping Identityâ€™s booth next week at the RSA Conference and you will get to see exactly that. An OpenID IdP Server that uses CardSpace for runtime authentication.

Itâ€™s not done by any means. There are still some unresolved items. For instance, If the user already has a profile registered with the OP, at runtime should the server use the persisted attributes or the claims as provided by the card? And the support for multiple cards. But you will get the idea.

I still have a few questions though. AFAIK OpenID Authentication 2.0 considers authentication out of scope.. Soâ€¦.to prevent phishing and to build userâ€™s confidence, I can use CardSpace. Or anything on the likes of PassMarkâ€™s mutual auth. To provide more confidence to the RP, I can use OTP, device finger printing, biometric, certificates, KBA whatever. However there doesnâ€™t seem to be the SAML AuthnContext equivalent to convey this to the RP. Therefore RP has no way to determine the type of OP authentication or if the authentication ever happened.

Even if there is way to communicate the authentication type, there is no trust or relationship between the OP and the RP. Soâ€¦.RP (who as a service provider has everything to loose) has no reason to believe that the OP isnâ€™t lying and may have to employ their own safety measures.

Iâ€™m still coming up the curve so I may be wrong, but something seems missing. Iâ€™ll keep looking.

Ashish makes an interesting point about conveying the authentication type in the protocol. I certainly agree with him.

I also like his question about trust. It's one others have asked and which I scratched my head about at first. So I'll put in my two cents worth.

In all identity protocols, you have an authority that makes claims about a subject, and the relying party decides whether or not to believe them. As computer nerds we have called that “trust”, though in real business environments it's usually more a matter of reducing risk to the point that, on balance, it's better to do a transaction than not to do it.

But what is “the trust” (risk analysis) based on? Usually on business relationships. For example, we trust a bank to make assertions of various sorts. And we trust a partner or customer to make other assertions. So the trust is rooted in our experience – in a relationship.

This is where OpenID does something different: the authority is simply the behavior of the internet, and the trust only pertains to an identifier (one could layer other capabilities on top of this).

Basic Tenets

Every person has a URL to which they lay claim.
Every URL has an identity provider that “speaks for” it.

When I go to a relying party I tell it which URL I claim. Then it sends me to the identity provider that speaks for that URL to get a token saying I really control it.

I give that token to the relying party, which then contacts the identity provider to verify the token is valid (the actual protocol includes optimizations).

To believe the claim, the Relying Party (RP) needs to trust that the URL has not been tampered with (an evil party could alter it to say an evil identity provider speaks for it). The RP also has to believe it really contacted the URL when finding out who spoke for it (I could have been misdirected through a DNS attack). And it needs to believe it really contacted the identity provider when getting token validation (again trusting DNS). The last two issues can be mitigated by using https, but that complicates it, and even then, the system has different characteristics than one based on cryptographic tokens.

All in all, the closest analogy is to using an email address as an identifier by asking what email address you own, sending you the email, and getting you to click a link showing you own the email. In this case the relying party depends on the underlying mail system, DNS, and all that. OpenID replaces email with web URLs. So it's a lot more direct.

Proving control

How does an identity service know you really control some URL? Many approaches are possible. Let me give the example of Yahoo's system (it's not OpenID but uses the same general idea). You log into their identity provider and it gives you a key (a couple of lines or random gook). You must then paste the key into your html page and press a button back at Yahoo. This causes their system to open your page and see if the key is there. If so, the service deems that you own the URL. Having done this you can get rid of the key and the Yahoo identity provider is willing to “speak for” your control of the URL. The whole process just takes five minutes.

As simple as possible – but no simpler

Gunnar Peterson recently showed me a posting by Andy Jaquith (securitymetrics.org and JSPWiki) that combines coding, wiki, identity, Cardspace, cybervandals, and OpenID all into one post – a pretty interesting set of memes. Like me, he finally actually shut off anonymous commentary because he couldn't stand the spam workload, and is looking for answers:

Last week's shutoff of this website's self-registration system was something I did with deep misgivings. I've always been a fan of keeping the Web as open as possible. I cannot stand soul-sucking, personally invasive registration processes like the New York Times website. However, my experience with a particularly persistent Italian vandal was instructive, and it got me thinking about the relationship between accountability and identity.

Some background. When you self-register on securitymetrics.org you supply a desired “wiki name”, a full name, a desired login id, and optionally a e-mail address for password resets. We require the identifying information to associate specific activities (page edits, attachment uploads, login/log out events) with particular members. We do not verify the information, and we trust that the user is telling truth. Our Italian vandal decided to abuse our trust in him by attaching pr0n links to the front page. Cute.

The software we use here on securitymetrics.org has decent audit logs. It was a simple matter of identifying the offending user account. I know which user put the porn spam on the website, and I know when he did it. I also know when he logged in, what IP address he came from, and what he claimed his “real” name was. But although I've got a decent amount of forensic information available to me, what I don't have any idea of whether the person who did it supplied real information when he registered.

And therein lies the paradox. I don't want to keep personal information about members â€” but at the same time, I want to have some degree of assurance that people who choose to become members are real people who have serious intent. But there's no way to get any level of assurance about intent. After alll, as the New Yorker cartoon aptly put it, on the Internet no-one knows if you're a dog. Or just a jackass.

During the holiday break, I did a bit of thinking and exploration about how to address (note I do not say “solve”) issues of identity and accountability, in the context of website registration. Because I am a co-author of the software we use to run this website (JSPWiki), I have a fair amount of freedom in coming up with possible enhancements.

One obvious way to address self-registration identity issue is to introduce a vetting system into the registration process. That is, when someone registers, it triggers a little workflow that requires me to do some investigation on the person. I already do this for the mailing list, so it would be a logical extension to do it for the wiki, too. This would solve the identity issue â€” successfully vetting someone would enable the administrator to have much higher confidence in their identity claims, albeit with some sacrifice

There's just one problem with this â€” I hate vetting people. It takes time to do, and I am always far, far behind.

A second approach is to not do anything special for registration, but moderate page changes. This, too, requires workflow. On the JSPWiki developer mailing lists, we've been discussing this option quite a bit, in combination with blacklists and anti-spam heuristics. This would help solve the accountability problem.

A third approach would be to accept third-party identities that you have a reasonable level of assurance in. Classic PKI (digital certificates) are a good example of third-party identities that you can inspect and choose to trust or not. But client-side digital certificates have deployment shortcomings. Very few people use them.

A promising alternative to client-side certificates is the new breed of digital identity architectures, many of which do not require a huge, monolithic corporate infrastructure to issue. I'm thinking mostly of OpenID and Microsoft's CardSpace specs. I really like what Kim Cameron has done with CardSpace; it takes a lot of the things that I like about Apple's Keychain (self-management, portability, simple user metaphors, ease-of-use) and applies it specifically to the issue of identity. CardSpace‘s InfoCards (I have always felt they should be called IdentityCards) are kind of like credit cards in your wallet. When you want to express a claim about your identity, you pick a card (any card!) and present it to the person who's asking.

What's nice about InfoCards is that, in theory, these are things you can create for yourself at a registrar (identity provider) of your choice. InfoCards also have good privacy controls â€” if you don't want a relying party (e.g., securitymetrics.org) to see your e-mail identity attribute, you don't have to release that information.

So, InfoCards have promise. But they use the WS-* XML standards for communication (think: big, hairy, complicated), and they require a client-side supplicant that allows users to navigate their InfoCards and present them when asked. It's nice to see that there's a Firefox InfoCard client, but there isn't one for Safari, and older versions of Windows are still left out in the cold. CardSpace will make its mark in time, but it is still early, methinks.

OpenID holds more promise for me. There are loads more implementations available (and several choices for Java libraries), and the mechanism that identity providers use to communicate with relying parties is simple and comprehensible by humans. It doesn't require special software because it relies on HTTP redirects to work. And best of all, the thing the identity is based on is something “my kind of people” all have: a website URL. Identity, essentially, boils down to an assertion of ownership over a URL. I like this because it's something I can verify easily. And by visiting your website, I can usually tell whether the person who owns that URL is my kind of people.

OpenID is cool. I got far enough into the evaluation process to do some reasonably serious interoperability testing with the SXIP and JanRain libraries. I mocked up a web server and got it to sucessfully accept identities from the Technorati and VeriSign OpenID services. But I hit a few snags.

Recall that the point of all of this fooling around is to figure out a way to balance privacy and authenticity. By “privacy”, I mean that I do not want to ask users to disgorge too much personal information to me when they register. And correspondingly, I do not want the custodial obligation of having to store and safeguard any information they give me. The ideal implementation, therefore, would accept an OpenID identity when presented, dyamically collect the attributes we want (really, just the full name and websute URL) and pull them into our in-memory session, and flush them at the end of the session. In other words, the integrity of the attributes presented, combined with transience yields privacy. It's kind of like the front-desk guard I used to see when I consulted to the Massachussetts Department of Mental Health. He was a rehabilitated patient, but his years of illness and heavy treatment left him with no memory for faces at all. Despite the fact I'd visited DMH on dozens of occasions, every time I signed in he would ask “Have you been here before? Do you know where you are going?” Put another way, integrity of identity + dynamic attribute exchange protocols + enforced amnesia = privacy.

By “authenticity” I mean having reasonable assurance that the person on my website is not just who they say they are, but that I can also get some idea about their intentions (or what they might have been). OpenID meets both of these criteria… if I want to know something more about the person registering or posting on my website, I can just go and check ’em out by visiting their URL.

But, in my experiments I found that the attribute-exchange process needs work… I could not get VeriSign's or Technorati's identity provider to release to my relying website the attributes I wanted, namely my identity's full name and e-mail addresses. I determined that this was because neither of these identity providers support what the OpenID people call the “Simple Registration” profile aka SREG.

More on this later. Needless to say, I am encouraged by my progress so far. And regardless of the outcome of my investigations into InfoCard and OpenID, my JSPWiki workflow library development continues at a torrid pace.

Bottom line: once we have a decent workflow system in place, I'll open registrations back up. And longer term, we will have more some open identity system choices.

Hmmm. Interesting thoughts that I want to explore more over the next while.

Before I get to the nitty-gritty, please note that Cardspace and InfoCards do NOT require a client-side wiki or web site to use WS-* protocols.

The system supports WS-*, which gives it the ability to handle upper-end scenarios, but doesn't require it and can operate in a RESTful mode!

So the actual effort required to implement the client side is on the same order of magnitude as for OpenID. But I agree there are not very many open-source options out there for doing this yet – requiring more creativity on the part of the implementor. I'm trying to help with this.

It's also true that InfoCards require client software (although there are ways around this if someone is enterprising: you could build an infocard selector that “lives in the cloud”).

But the advantages of InfoCard speak clearly too. Andy Jaquist would find that release of user information is built right in, and that “what you see is what you get” – user control. Further, the model doesn't expose the user to the risk that personal information will become public by being posted on the web. This makes it useful in a number of applications which OpenID can't handle without a lot of complexity.

But what's the core issue?

InfoCards change the current model in which the user can be controlled by an evil site. OpenID doesn't.

if a user ends up at an evil site today, it can pose as a good site known to the user by scooping the good site's skin so the user is fooled into entering her username and passord.

But think of what we unleash with OpenID…

It's way easier for the evil site to scoop the skin of a user's OpenID service because – are you ready? – the user helps out by entering her honeypot's URL!

By playing back her OpenID skin the evil site can trick the user into revealing her creds. But these are magic creds, the keys to her whole kingdom! The result is a world more perilous than the one we live in now.

If that isn't enough, evil doers armed with identifiers and ill-gotten creds can then crawl the web to see where the URL they have absconded with is in play, and break into those locations too.

The attacks on OpenID all lend themselves to automation…

One can say all this doesn't matter because these are low-value identities, but I think it is a question of setting off on the wrong foot unless we build the evolution of OpenID into it.

It will really be a shame if all the interest in new identity technology leads to security breaches worse than those that currently exist, and brings about a further demoralization of the user.

I'd like to see OpenID and InfoCard technologies come together more. I'll be presenting a plan for that over the next little while.

Practical Guide To Certificate Installation for the Disinterested

It's a bit tricky to install certificates and keys, and harder still when you want to use the same certificate on both Windows and *NIX boxes. Most of us don't have to install certificates very often (!), but that doesn't make it any easier! If you're like me you forget at least one of the annoying little essential details.

So partly in light of questions I've been receiving, and partly so next time I encounter these problems I remember how I answered them, I'm putting together what I hope might be a useful “Practical Guide to Certificate Installation for the Disinterested“. In other words, I'm NOT discussing how to use certificates in production environments.

I'm kind of starting in the middle, but I've got three pieces ready so far. If you're not familiar with this area, OpenSSL is an open source tool for managing certificates and IIS is Microsoft's Internet Information Server (i.e. Web server). If you see problems with my instructions, please let me know.

Now for the pithy titles:

I'm also going to tackle the issue of creating InfoCard-compatible certs for testing and developing purposes. If others want to add other sections let me know.

Information Cards supported on Community Server

Armand du Plessis at Impersonation Falure writes about his work to add Information Card support to his Community Server:

A couple of days ago I enabled experimental Windows Cardspace support on http://dotnet.org.za/. I mentioned that I'll post the source code and controls but with Tech-Ed Africa and some other work I never got around to posting it.

So now the updated Community Server files is available here and the source code for both the Community Server controls and the underlying ASP.NET controls available here.

To enable Community Server to make use of Information Cards for authentication the following steps are required :

Install and configure your site with a SSL certificate. (Make sure it's a certificate issued by a Certification Authority trusted by popular browsers so you don't make the same mistake as me. See this post for more info)

Grant access to the certificate's private key to your application pool user. Easiest method to do this is using the winhttpcertcfg.exe utility.

winhttpcertcfg -g -c CertLocation -s SubjectStr -a Account

Add your certificate's thumbprint to your web.config appSettings section so the Token processor helper class can find it :

The thumbprint can be obtained through the MMC Certificates snap-in.

Unzip the updated Community Server files over the CS web files. The following files will be replaced so make sure you've backed them up before this step :

\Themes\default\Masters\master.ascx

\Themes\default\Skins\Skin-EditProfile.ascx

\login.aspx

How it works is relatively straigth forward, kudos to the design of the Cardspace web integration and the Community Server SDK. A quick explanation :

The source consists of four core controls :

Adp.CardSpace.InformationCardRequest – A very basic ASP.NET control that takes care of rendering the < object > element used to engage the Identity Selector with the desired claims the Relying Party wants from the Identity Provider. This can either be placed in the head of the page when working together with the InformationCardSubmit control, or as a standalone in a form body.

Adp.CardSpace.InformationCardSubmit – Another basic ASP.NET control that renders the required script and a button that can be used to engage the Identity Card Selector. It is meant for consumption by higer-level controls that can subscribe to it's OnTokenReady event which is fired when a postback triggered by the ICS happens.

Adp.CommunityServer.Controls.Association – A Community Server control used in the profile section to allow a user to associate an Information Card with his/her account.

Adp.CommunityServer.Controls.CardSpaceLogin – A Community Server control used to authenticate the user using his Information Card instead of the usual username/password.

The claim requirements is expressed through the Claims property on the Adp.Cardspace.InformationCardRequest control. This can be done programmatically or declaratively and the control added either to the page head or to a form body. Adding the control to the page head as done in the Community Server integration allows for fine grained control over when the Identity Selector is invoked without interfering with other form submit buttons on your page.

Below is an extract from master.ascx which embeds a request for two claims, email and PPID, into the page. (By default self-issued cards are accepted but this can be configured through the Issuer property on the control)
< CS:Head runat="Server">
< meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
< CS:Style id="UserStyle" runat="server" visible = "true" />
< CS:Style id="s2" runat="server" visible = "true" Href="../style/Common.css" />
< CS:Style  runat="server" Href="../style/common_print.css" media="print" />
< CS:Script id="s" runat="server"  />
< ADP:InformationCardRequest ID="_xmlToken" runat="server" Claims-Capacity="4">
< ADP:ClaimDto ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Required="true" />
< ADP:ClaimDto ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Required="true" />
ADP:InformationCardRequest>
CS:Head>
Where the Identity Selector trigger is required the Adp.Cardspace.InformationCardSubmit control is placed. The sole responsibilty of this control is to invoke the Identity Selector and raise an OnTokenReady event which can be consumed by other interested parties. Below is an extract from the Skin-CardspaceLogin.ascx (a Community Server control which uses the InformationCardSubmit control to obtain the encrypted token)
< ADP:InformationCardSubmit CssClass = "CommonTextButtonBig" runat="server" id="csSubmit" />
That's all that's required to invoke the ICS. To decrypt and extract the token using the very useful TokenProcessor from the Microsoft samples the following code is required to hookup and handle the OnTokenReady event. (This code is in the above mentioned CardSpaceLogin control, a composite control utilizing the InformationCardSubmit control and other default Community Server Controls)
protected override void  AttachChildControls()
{
submit = FindControl("csSubmit") as InformationCardSubmit;
message = FindControl("csMessage") as StatusMessage;
 
submit.OnTokenReady += new EventHandler(submit_OnTokenReady);
if ((submit == null) || (message == null))
throw new CSException(CSExceptionType.SkinNotSet);
}
The Token helper class takes care of decrypting and extracting all the tokens from the postback. (The token helper class is available in the samples on http://wcs.netfx3.com)

After breaking out the tokens we can access them through the indexed Claims property. All the claims we expressed in the InformationCardRequest control above is available for use in your code. In the sample below the token's unique id is extracted and assigned to an extended profile attribute in Community Server.
void submit_OnTokenReady(object sender, TokenEventArgs e)
{
try {
Token token = new Token(e.TokenValue);
if(context.User.Email !=
token.Claims[System.IdentityModel.Claims.ClaimTypes.Email]) {
DisplayMessage(ResourceManager.GetString("Association_EmailMismatch",
CSUtil.CsResourceFilename), false);
return;
}
 
context.User.SetExtendedAttribute(CSUtil.CsExtendedAttributeName,
token.UniqueID);
Users.UpdateUser(context.User);
 
DisplayMessage(
ResourceManager.GetString("Association_Success",
CSUtil.CsResourceFilename),true);
 
}
catch (Exception e1) {
string displayMessage = ResourceManager.GetString("Association_GenericException",
CSUtil.CsResourceFilename);
 
CSException e2 = new CSException(CSExceptionType.UnknownError,
displayMessage, e1);
e2.Log();
 
DisplayMessage(displayMessage, false);
}
}
Some limitations in this implementation is that it currently don't detect whether or not the browser supports Infocards. Also triggering the Identity Selector through script currently don't seem to be supported by the Firefox Identity Selector plug-in.

Currently the implementation on dotnet.org.za still suffers from the use of the Starfield SSL certificate which requires users to first import the Intermediate Certificate as a trusted issuer before Cardspace will accept it. This will be rectified soon.

Links:

Community Server

Windows Cardspace

Seems we agree

I have to answer Kveton's response to my last posting just because he answered my answer as fast as I answered his!

Kim: youâ€™re officially the fastest person in the world at responding to blog posts â€¦ 🙂

Yes, could this be a problem you create when it gets too easy to log in?

But wait, Kveton continues:

Iâ€™ve always said Iâ€™m for interoperability â€¦ heck, Iâ€™ve made a living at it. Choice for the user is always a good thing.

My answer? You build interfaces and test them. You look at the numbers. You test phishing approaches on a wide assortment of people. You find out what works and doesnâ€™t, and keep evolving the interface. If we take this as a starting point, weâ€™ll all end up agreeing.

The problem with redirection within the conventional browser is there is no way to know for sure where youâ€™ve ended up – especially if you arenâ€™t a network engineer.

I actually think weâ€™re in agreement here; we both want to find the best experience for end-users and its going to require their involvement to make that happen. Just as InfoCard may not be the end-all-be-all, so too could be the same for OpenID. Either way, both move the ball forward and conversations are happening to make sure interoperability occurs.

There is wisdom in this. But if Kvelton is against giving the InfoCard visual metaphor a try, then I donâ€™t get it. It does nothing to undermine OpenID.

Iâ€™m all for trying InfoCard visual metaphor. Iâ€™m just trying to figure out how you drive adoption of such a different paradigm, hence my comments on iterative development and the OpenID process.

Those are all legitimate concerns. I'm trying to do a lot in one go. I realize it is “somewhat ambitious”. But what have personal computers been about since the get-go? Haven't they always seemed ambitious?

Meanwhile Pamela Dingle posted another comment to which I subscribe as well:

Heaven forbid we ever end up with only one solution anyways â€” how dead boring would that be?

Iâ€™m glad there is choice & competition in this area – it means that nothing is being shoved down anyoneâ€™s throat, and that the field is still open for further improvement. It also means that nobody is taking the direction for granted, which I think is a healthy thing. Not to mention, it makes identity conferences ever so much more exciting

Agreed. And there's lots of room to keep innovating for a long time.

BBAuth and OpenID

From commented.org, here's a thoughtful piece by Verisign's Hans Granqvist on Yahoo's BBAuth:

Yahoo! released its Browser-based authentication (BBAuth) mechanism yesterday. It can be used to authenticate 3rd party webapp users to Yahoo!â€™s services, for example, photo sharing, email sharing.

Big deal, huh?

The kicker is this though. You can use BBAuth for simple single sign-on (SSO). Most 3rd party web app developers would love to have someone deal with the username and password issues. Not storing usersâ€™ passwords mean much less liability, much less programming, much less problem.

Now Yahoo! gives you a REST-based API to do just that.

It will be interesting to see how this plays out against OpenID.They are both very similar. Granted there is some skew: OpenID is completely open, both for consumers and providers of identity.

However, from my own experience, OpenID consumers (a.k.a. relying parties) seem to want only one thing, perhaps two or three:

have someone deal with your usersâ€™ passwords,

retrieve name and email address for a user

And now Yahoo! does the first, and the second is available. At the same time theyâ€™re making your app reachable to 257 million+ users. Hereâ€™s an example.

Seems a pretty big reason to implement it for the web app developer, especially since it is such an easy API you can integrate it in an hour or two.

And yet someone has added a sobering comment to Hans’ blog:

It will be interesting to see how long it takes for adoption to reach the point that no one thinks twice when a yahoo login pops up on another site. They'll be nice and ripe for password harvesting via fake yahoo login forms then. 🙂

Sadly, if I had written this comment I would not have included the happy face. Until the security concerns are addressed, despite Yahoo's very laudible openness, this is not a happy face moment.

But through Yahoo-issued InfoCards BBauth would avoid the loss of context that will otherwise lead to password harvesting. It's a good concrete example of how the various things we're all working on are synergistic if we combine them.

Identityblog and your identity information

Matt, a reader who downloaded Ian Brown's early version of Information Cards for Safari, wrote to me with the following question:

I just signed up to your identity blog using the Safari CardSpace selector you mentioned on your blog.

I'm interested to know whether the (genuine) identity data in my CardSpace selector (populated out of my Address Book entry I think) is transmitted to you, if it is where it is stored, and what is done with it and to protect it.

Matt is unclear about what information he has sent to Identityblog because the Safari and Firefox user interfaces don't yet deal with displaying what subset of the information in a card is being asked for by the site he is visiting.

That's because the current versions are very much prototypes and works in progress. As Ian says on his blog:

This is currently still at the proof of concept stage, and is lacking most of the features found in the official CardSpace selector from Microsoft.

This being said, I have verified that the demo Firefox selector only releases required claims, and I'm pretty sure the Safari selector follows suit.

The current Cardspace interface design was refined through ongoing “usability work” in which we encountered this kind of confusion and explored (and measured the efficacy of) different alternatives for avoiding it.

As a result, when you release any new information to a site within Cardspace you see a screen like this one:

It doesn't matter whether a user has filled out other fields in their chosen Information Card. Only the fields asked for by the site will be presented for approval. Then the user can decide whether to proceed or not.

On subsequent visits to a site, the information release screen is not shown by default. The thinking is that once information has been released once, it forms part of the “contract” between the user and the site. If we were to ask the user to “approve” the release time after time, the release page would become nothing more than a “click through page” – meaning the user wouldn't even “see” it.

As for what I store, my approach is to ask for as little information as I can.

I request an email address so I can verify that you are not a spammer, and so you can change your infocard by using the email address as an “alternate authentication channel” (more on this in a future post). I'm working with some friends on a version where we won't store the actual email address – we will use a hash of it instead so we can recognize you but not expose your address to possible breaches.

I also store what you've given me as a first and last name because WordPress uses that to show who has written posts and comments. I will eventually change this so I only store your names once you have written a post or comment (i.e. done something ‘public’).

Identityblog effect

It seems like I ended up sending too many people to Chuck Mortimore's server at once. At 11:40 am he wrote:

Looks like Kim's two new posts have melted my server. He's the slashdot of the Identity world.

Sorry – the crack sys-admin team has been deployed. Hopefully we're back up soon!

By 1:00 pm he added:

Thanks to Ian, Ebe, and a new router, xmldap.org is back online.

Kim – you owe us $65.00 🙂

One of the mysterious things about RSS is the “publication effect”.