I've heard many positive comments about Pam Dingle's talk on “InfoCard in the Enterprise” at the Directory Experts Conference in Vegas.  Unfortunately I couldn't get to Vegas – but here's her recent post.

Things went along just swimmingly last night at my “Infocard in an Enterprise Context” talk at the Directory Experts Conference. There were many insightful questions from the audience, and afterwards, it warmed my geeky little heart to see Stuart Kwan surrounded by crowds of administrators, all wanting to give feedback and have questions answered.

There were some very interesting topics brought up during the discussion, which I want to capture before I forget. The most discussed topics surrounded that of “card proliferation”. If you end up having as many different managed cards on your desktop as you do cards in your physical wallet, does that become easier or harder to use than regular username/password combinations?

It is a really good point. A great example was brought up, which was identification cards for gambling establishments. What if you have 20 membership cards for 20 casinos? There are two ways that those casinos might want to do the infocard thing: either they could give you a managed card with that information in it, or they could register your self-asserted card.

In the first case, you literally would end up with 20 different cards. Remember though, in that case the gambling establishment would be requiring an exact issuer, so ALL the cards in your wallet would be greyed out except the right one, and that the same card would always be used for transactions with that site, so it would always pop up at the top, with the “you used this card last time, would you like to use it again? message”. In the second case, you could create a “gambling card” that could be registered at as many sites as you wished. You could do this safely, because nothing in the information stored in the infocard is specific to any one of the gambling institutions, it is just personal contact information. Instead of you giving them your membership number, you are giving them your PPID, which is associated with your membership number at the gambling site. By doing so, you have completely removed any data from the card that would be of interest to steal, or that could be accidentally given away during the process of using the card at multiple sites. Remember that a PPI is a calculated identifier that is different for every Relying Party.

I think that at least in the beginning, that 2nd case will be more common. However, users themselves will not be able to choose what kind of card the Relying Party demands, and besides, the root point of the original question remains. How many cards do YOU have in your wallet? How many username/password combos have you, over the years, accumulated? If Infocard really takes off, there is no doubt that people will begin to accumulate infocards, even if they work hard to keep their cardsets small.

I can’t speak for MS of course, but I’m pretty sure that the Infocard team would be delighted to have this technology become so popular that they have to race to get rid of the currently existing card limit (I know there is one, can’t remember what it is) and implement mass-management tools for the interface sooner rather than later (-:

Another discussed topic was the idea of having cards that had some controlled fields and some open fields. That one is a topic for a whole other conversation, and a very interesting concept.

Lastly – Dave Kearns asked me what about my presentation was “user-centric”. I replied “nothing” as I was specifically addressing how the identity metasystem could be locked down and controlled/audited/managed centrally to satisfy business needs. I think that perhaps that answer was flippant — users still get to see what of their information is being passed in the enterprise, and they can also choose which corporate credentials they wish to use for what corporate resources — this is still an increase in choice and visbility to what they have now.

If you were there and if you are interested in trying this technology out, here is a uber-quick set of instructions and gotchas:

• Although infocard will run on both W2K3 and XP sp2, I suggest using XP sp2, as IE7 beta previews are not yet supported on W2K3
• Getting the right version of IE7 is *critical*. I don’t know all the version numbers, but the version I have works – IE7 Beta preview 2. There was another version following that which does NOT work, so be careful. If you can’t afford the time to be wrong, let me know and I’ll make sure you get a working version.
• Don’t use a host system that you have any attachment to. If you want to follow the CTPs as they come out, you will almost certainly have to start from scratch (for example, moving from the Jan CTP to the Feb CTP required a vanilla install). Use VMs if you can.
• Apparently (and I haven’t even tried it yet, it is that new), there are now TWO Relying Parties on the internet that you can go to with your new Infocard client, Kim Cameron’s Identity Blog and Chuck Mortimore’s Java-based Relying Party.

Thanks again to everyone who attended, I hope that y’all had fun.

Update: Jef comments that IE7 version 5335 fails, and that he got version 5299 to work. I also know that Rohan Pinto had trouble with version 5299 and had to resort to 5296. No matter what, it seems that 5335 is a no go, so I hope that helps! Thanks Jef.

At this point, I think the best thing to do is get the MIX06 bits if you want to experiment with the InfoCard sites.  I'm definitely publishing my PHP sample code and tutorials this week, so stay tuned.

 

Jimmy Atkinson has written to tell us about a series he's involved in at Credit Card Blog  “that may interest readers of Identity Weblog. It's the Top Five Credit Card Scams. Each day this week, we're covering a different scam and providing tips to consumers as to how they can protect themselves against identity theft and credit card fraud.” 

The site will definitely give you things to think about.  I don't know a lot about findcreditcards.org.  Maybe Jimmy can help us to understand more.

Anyway, here is a sample – the recent posting on “skimming”:

One of the most insidious forms of credit card fraud occurs with a little device known as a skimmer. Skimmers are the size of a pager and can be carried by a scam artist to swipe your credit card and steal the information needed to create a counterfeit card with your name on it. Here’s how it works: You pay at a restaurant or other business and the clerk takes your card. In the back, the clerk swipes your card for the purchase and then swipes it secretly into the skimmer, which records the name and numbers.

The numbers in the skimmer can be downloaded into a computer and emailed anywhere across the globe. They are then used to make fake credit cards that are used by thieves in Europe, Asia, Latin America, and the US. Skimming is responsible for over $1 billion in losses each year.

Skimmers can also be placed on some older ATMs so that when you swipe your own card, the information is stored in the tiny bug and then retrieved at a later date by the scammer. To protect yourself, keep an eye on your credit card bills. Watch for any unusual activity and report it immediately. Also shred all your statements so that the numbers cannot be stolen.

When out and about, keep a close eye on your credit card as well, and report any suspicious activity to the Federal Trade Commission.

It all just shows how hard it is to change an infrastructure once it's in, no matter how many flaws it has.  It's the problem of exposing your secret (as happens with north american credit cards) rather than using your secret to prove something.  InfoCards give us a way to fix this in the online environment.  The payment identity provider does not need to release a long-term credit card number – just a one-time approval (potentially modelled as a credit card number for compatibility purposes).

 

At identityblog I accept pretty much any infocard – on condition that you demonstrate ownership of your email address.

Going forward, I hope to hook up with organizations like sxore who can do the necessary verification and reputation gathering, and people who present infocards from these organizations won't even have to go through email validation.

 

Click on the movie below to see how infocards work.

 

 

Welcome to identityblog…

Please bear with me as I check out your email address.

It's great to see your interest in identityblog.  I look forward to receiving comments and links from you.

Since you are using a self-issued identity, I hope you won't mind responding to an email that contains a link back to my site.  It helps convince me you are not a spam robot.  Currently its not a very demanding test – you just need to click on the link!

Until then, your login here doesn't do anything for you.  Please watch for the email, then log in again. 

Having done that, you'll be able to leave comments here without going through the moderation queue.

 

<saml:Assertion MajorVersion="1" MinorVersion="1"
        AssertionID="uuid:a5ca5dd2-f2b1-47c9-b3be-c9aa6e47d37f"
        Issuer="http://schemas.microsoft.com/ws/2005/05/identity/issuer/self"
        IssueInstant="2006-03-05T17:51:18.473Z"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2006-03-05T17:51:18.473Z"
            NotOnOrAfter="2006-03-05T18:51:18.473Z" />
    <saml:AttributeStatement>
        <saml:Subject>
            <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>
                    urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
                </saml:ConfirmationMethod>
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        </e:EncryptionMethod>
                        <KeyInfo>
                            <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/
                                    wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                                <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/
                                    oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
                                    EncodingType="http://docs.oasis-open.org/wss/2004
                                    /01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
                                        +PYbznDaB/dlhjIfqCQ458E72wA=
                                </o:KeyIdentifier>
                            </o:SecurityTokenReference>
                        </KeyInfo>
                        <e:CipherData>
                            <e:CipherValue>Zp9GQJBEuo4UZYxVh/QM3y8LzqVh2aium82nCsozh4
                                HwSK5NDIRfK/qKInUL8J7f+IrIQS1jpVkwlztUpoP4dkdaAAu9
                                A/EBzEuCGL/uz9wcD4HxxVAGrvV71H9gaAhgmvR561yaBLjaJC
                                rrnSNaji/4pAGUq23oIDxHF3IhHfk=
                            </e:CipherValue>
                        </e:CipherData>
                    </e:EncryptedKey>
                </KeyInfo>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="GivenName"
                AttributeNamespace="http://schemas.microsoft.com/ws/2005/05/identity/claims">
            <saml:AttributeValue>William</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="Surname"
                AttributeNamespace="http://schemas.microsoft.com/ws/2005/05/identity/claims">
            <saml:AttributeValue>Shakespeare</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="EmailAddress"
                AttributeNamespace="http://schemas.microsoft.com/ws/2005/05/identity/claims">
            <saml:AttributeValue>william@avon.org</saml:AttributeValue>
        </saml:Attribute>
     </saml:AttributeStatement>
     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         <SignedInfo>
             <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
             <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
             <Reference URI="#uuid:a5ca5dd2-f2b1-47c9-b3be-c9aa6e47d37f">
                 <Transforms>
                     <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                 </Transforms>
                 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                 <DigestValue>E8fLZ1moCpnDYlLlX39Ooc2n+ec=</DigestValue>
            </Reference>
         </SignedInfo>
         <SignatureValue>nmRwWM/WjYlMK8v/bVBHOQeS+hBj603lxCcAcoD0GmxCKhm+c5O7X7X+iTj3qb
                   DGQrFQSu/zqRadJRlFGS3N0O5hapGuDXrmP85ac7KeDVBQ90PrDDigeYZQU5Lw6NK1iG
                   .
                   .
                   .
                   pXlT1vAG7Snvu6DAJQpAL+gqeO2afJg==
         </SignatureValue>
         <KeyInfo>
             <KeyValue>
                 <RSAKeyValue>
                     <Modulus>xmJx9eJQYln5r8eR7X2XPcwcSS5C8fBjlLdv/rBsgfNA+KeAKx6Z7speFJp
                         CmeNOe8v3nUldfYlvN9jWcKFn3AF4ddgMHw5e1M0TpPzQlBtcMTm12Uslg3ANFw0zM0h
                         .
                         .
                         IqNDrzJGDU1fuLRSkNT/Q==
                     </Modulus>
                     <Exponent>AQAB</Exponent>
                 </RSAKeyValue>
             </KeyValue>
         </KeyInfo>
     </Signature>
</saml:Assertion>

Alex Barnett has been pushing his postcasting to the edge and I've found a number of his conversations both helpful and enjoyable.  I suggest people try them out:

 Microformats Podcast, March 31, 2006

“Here's a great podcast for you. All about microformats…”

Guests: Tantek Çelik, Dan Connolly and Rohit Khare. I think it's safe to say these guys know a thing or two about the web and microformats

Here's an OPMLish podcast for you, March 10, 2006

“It's all about the draft OPML 2.0 spec and a few other things thrown in such as structured blogging, OPML tools, namespaces and microformats.”

Guests: Joshua Porter, Adam Green and John Tropea.

Reading Lists (OPML) podcast: Danny Ayers and Adam Green, Feb 12, 2006

“Last year Dave Winer started to push the idea of Reading Lists for RSS. More recently, the idea of Dynamic Reading Lists and Feed Grazing (or Grazing Lists / Glists) has been kicking around.

Its likely that Reading Lists support will become a common feature of Feed Readers / Aggregators.”

Guests: Danny Ayers, Adam Green and Joshua Porter

Attention podcast : Attention with Steve Gillmor, Feb 08, 2006

“Steve has been leading Attention conversation for some time now. In 2003 he, along with David Sifry (CEO of Technorati), initiated the attention.xml efforts and has since taken on the role as president of the non-profit Attention Trust.”

Guests: Steve Gillmor and Joshua Porter

MSN Search Champs podcast – Privacy conversation Jan 26 2006

“I attended the MSN Search Champs today….and what a day.  Given the recent news and concerns around the data MSN Search, Yahoo and AOL provided to the government, there was a session set up where the 57 bloggers / online experts at MSN Search Champ were invited to discuss the topic with senior MSN management (Senior VP Yusuf Mehdi and VP Chris Payne).”

Guests: Fred Oliveira, Dion Hinchcliffe, Joshua Porter, Chris Pirillo, Thomas Vander Wal and Brady Forrest.

Attention podcast: RSS feedreaders and aggregators Jan 22, 2006

“I asked two of the RSS industry's leading lights to join me for a call and share their perspective on the question of where Attention is going with respect to RSS feedreaders and aggregators: Nick Bradbury creator FeedDemon, part of Newsgator (Nick also developed Homesite – sold to Macromedia – and Topstyle) and Kevin Burton of Tailrank (also co-founder Rojo).”

Guests: Nick Bradbury, Joshua Porter and Kevin Burton

Structured Blogging podcast with Marc Canter and Joe Reger, Dec 16, 2006

“You might have heard of the Structured Blogging initiative announced earlier this week by Marc Canter and others…there was certainly plenty of buzz and reaction to the news, but not all the reaction was rosy.”

Guests: Marc Canter and Joshua Porter

Attention and Identity with Dick Hardt and Kim Cameron, Podcast, Dec 09, 2006

“A couple of weeks ago Joshua and I had a conversation about attention data (as podcasts). In that conversation we kept touching on the topic of online identities and their management, so we thought we'd invite two pioneers of the identity space, Dick Hardt and Kim Cameron, to a podcast session and discuss how they saw the connections between these two related topics: attention and identity.”Guests: Dick Hardt, Kim Cameron and Joshua PorterGuests:

OPML = Attention Data, Attention Engines and Tailrank, Nov 12, 2005“Although we met briefly last week, Kevin Burton and I didn't manage to get enough time to discuss some of the things on our mind at the time, so we got a Skype call together and posted it as a podcast (.mp3, 42mb).

We focused the discussion around what he calls Meme Engines and I call Attention Engines, Tailrank (Kevin's latest project), OPML, RSS and Attention.xml”

Guests: Kevin Burton

Attention podcast with Joshua Porter, Nov 26, 2006

“About OPML, Attention, and empowering people.”

Guest: Joshua Porter

Web 2.0 podcast, July 01, 2006

“Richard MacManus of Read/WriteWeb and I had a Skype chat this evening and recorded the call   Talked about Web 2.0, attention.xml, a bit about RSS, APIs and more.”

Guest: Richard MacManus

Here's a piece by Marcus Lasance that appeared recently in European Communications, an interesting web site oriented around telecom and originating from Europe.  Marcus is Managing Director of MaXware UK, and for those who may not know MaXware, it's a European company with a sterling reputation that has long built identity-related software.

Marcus makes a number of interesting points.  One of my key take-aways is that the shift toward user-centricity is hardly limited to North America, as some have thought, but has independent and reinforcing components emerging all over the world.

 The IEC’s 21st Century World Forum will, next year, be renamed the “C5” Conference: “Customer-Centric Converged Communications & Content”. With this snappy title the IEC is picking up on an emerging trend that tries to put individuals, ie ‘The Customer’ back in charge, when it comes to managing and controlling access to the very important resource that is their personal data, their public and private identities and associated profiles. It should be the individual user who decides what parts of their digital identity they want to share or do not want to make available to others in their interactions with strangers, friends and family, companies and governmental organisations. So, how will IMS cope with this fundamental human right?

The seven laws of identity

When Microsoft's Kim Cameron formulated his seven laws of identity in May 2005, he put at the top of his list ‘User Control and Consent’. Any Identity Management metasystem must be designed to put the user in control – both of what digital identities are used, and what information is released. Kim warns us: “A system that does not put users in control will – immediately or over time – be rejected”. Kim also practices what he preaches at Microsoft. Possibly the most important design rationale behind ‘Infocard’ – Microsoft software that aims to help consumers deal with the plethora of Internet logins – is “to enable users to simply and consistently make informed and positive authentication decisions on their own behalf,” says Cameron. Infocard will be released as part of the new Vista operating system from Microsoft. “We're laying the foundation for what we need,” Bill Gates said in a speech at the recent RSA Conference in San Jose.

4891 – Project iDNA

4891 – Project iDNA promotes an even more radical paradigm shift in this respect. iDNA is the brainchild of Dutchman Paul Jansen, who shows that not only does this trend make sense from a privacy perspective but that it also has enormous commercial potential. Those organisations that understand and act on the opportunity to work with individuals to enable a better, cheaper use of their data, will gain significant competitive advantage.

Both Jansen and Cameron observe that in today's e-commerce world, enterprises, for example, see their relationships with customers and employees as key assets, and are fiercely protective of them. However, from an economic perspective, it makes no sense that organisations in aggregate spend billions of dollars maintaining the same duplicate personal information about their ‘customers’, which 99 per cent of the time, in any case, soon becomes obsolete.

Reversing this idiotic process requires the acceptance of a paradigm shift. Organisations should all stop wasting their resources by trying to centralise and monopolise the storage of personal information, and find a more logical place to manage this – namely by putting the individual back in charge. Paul introduces at this point the concept of the iDNA key (for which he has a patent pending), which has some resemblances to Infocard.

An iDNA-key can be any kind of hardware token consisting of a combination of a few well known and robust technologies, such as: Data-storage in Flash-memory; PIN-code (software) technology; Biometrics; and Chip/ROM data identification.

A USB token with built in biometrics

Software integrating this technology in a hand held device, acting as an IMS terminal, makes imminent sense. The UICC SIM card used in 3GPP networks already knows an application called ISIM, which can store private and public user identities, not unlike the principle of the Infocard and iDNA.

The display of modern hand-held communication devices is even more suitable for facilitating user interaction, when it comes to allowing or disallowing the transmission of privacy sensitive personal information to and from applications on the converged network.

But will the user be bothered, every time he/she makes a phone call, to press an ‘OK’ button before being connected to an unknown IMS subscriber? Probably not. If, however. the user was made aware that during his call a whole stream of location data was being captured and stored in a location server, he might have second thoughts.

PRIME: Privacy and identity in Europe

The European commission was so concerned about the whole issue of privacy, that on March 1st, 2004 it launched a 16 Million Euro R&D Project on Privacy and Identity Management called “PRIME – Privacy and Identity Management for Europe”.

PRIME aims to contribute to the development of voluntary standards for privacy enhancing technologies. The European level gives PRIME the necessary weight to do this, and enables the research organisations of major IT vendors and major universities to co-operate on this topic. Prime has worked out a provisional high-level component architecture of the PRIME IDM system. How successful it will be is another matter. For starters, PRIME seems to violate Cameron's 5th law of Identity advocates: “Pluralism of Operators and Technologies”

“Today many governments are thinking of operating digital identity services. It makes sense (and is clearly justifiable) for people to use government-issued identities when doing business with the government. But it will be a cultural matter whether, for example, citizens agree it is “necessary and justifiable” for government identities to be used in controlling access to a family wiki – or connecting a consumer to her hobby or vice,” Cameron says.

Paul Jansen also does not see a leading role for government in being an arbitrator of what is and what isn't allowed, shared, or divulged in our privacy sensitive information transactions.

When interacting with governments, he sees a role for trusted third parties, very much like the BACS and Interpay clearing services, which we implicitly trust when we do very similar financial transactions.

So we'd have some emerging ‘Information Banks’, where we would store a back-up of our valuable information assets, combined with a secure network like Visa's to handle privacy sensitive data transactions.

In economic terms, the value of such an identity meta system could one day rival that of the world banking system, according to Jansen.

AAA in the IMS

While attending last year's 21st Century Communications World Forum, it struck me how little we, as engineers, have learned from the criminalisation of the Internet. Scholars like Zouhair Ghazzal of the History Department of Loyola University in Chicago already pointed out that the rise of the Mafia can be directly attributed to the failures of nascent and weak state institutions, and the lack of/need for a well trained and “clean” police force, judiciary, fencing and guarding techniques, etc.

So the mafia emerges as a de facto group that actually functioned as the “guardian” of physical property. Are we first to see the same kind of lawlessness on the emerging converged networks of Internet and IMS?

Sometimes it seems that our industry is too clever for its own good. VPN tunnelling on the Internet and ESP (Encapsulating Security Payload) are all fair and well, but the same technology that protects our privacy from prying eyes can, at the same time, hide a stream of kiddie pornography or hide the fact that important identity information is being hijacked and forwarded without our knowledge.

What is the future of IMS networks? Big dumb pipes, where anything goes, or closely monitored ‘information super highways’ where state troopers can stop every IP packet and demand to know what lays encrypted inside? The dilemma between privacy and piracy is one we need to solve. Big brother may be watching, but so are the crooks! In the end we probably prefer the devil we know.

The British web site The Register has a new developer section, and journalist Mary Branscombe has written a piece in it on InfoCard and the Identity Metasystem.  She gets many deep points about the system across in very few words, again amazing me.   

InfoCard is more than the replacement for Microsoft's Passport; in some ways it’s the antidote.

Identity architect Kim Cameron (read his paper on The Laws of Identity here) joined Microsoft when it bought the metadirectory he developed at Zoomit to turn into Active Directory, and stayed because he thought Microsoft was the best place to be to try to solve the internet’s identity problem.

He’s very clear on what Passport got wrong: “It did not make sense to most non-MSN sites for Microsoft to be involved in their customer relationships,” he says. “Nor were users clamouring for a single Microsoft identity service to be aware of all their internet activities. Passport was positioned as a candidate for or something ready to be the identity system for the internet. Nobody used it as that identity system; it doesn't take a rocket scientist to see that doesn't fly.”

InfoCard isn’t trying to be the identity system for the internet, and it isn’t just a password management system like Opera’s Magic Wand or the Password Manager in Firefox. It’s intended to be a consistent and secure way to choose the identity you want to use for a website or an application – like picking a card from your wallet – and to find out who you’re dealing with and what they’re asking for.

Users will have multiple InfoCards, each of them an XML description of the information about you that each identity supplies. But the information –name, age, email address, credit card number, membership number or whatever else is on the card – isn’t in the InfoCard or even on your PC (unless it’s a card you’ve issued yourself).

Instead, when you use an InfoCard it retrieves that information from the identity provider – VeriSign, your bank, the airline you have a frequent flyer card with and so on – and passes it to the site you want to access. This is done using a new class of “higher-value” X.509 site certificates that Microsoft is developing with VeriSign and other certificate authorities, which include digitally-signed company logos to show who you’re giving your details to.

InfoCard works with an identity metasystem that allows different identity systems to interact. Each identity provider runs a Security Token Server (STS) using WS-Trust to securely exchange claims with other identity systems (negotiations between systems use WS-MetadataExchange and WS-SecurityPolicy and messages are secured with WS-Security). It doesn’t have to be a Microsoft STS; Ping Identity’s PingTrust is the first third-party STS for the identity metasystem but several identity providers support WS-Trust and the other WS-* web services.

Authentication is based on unique keys generated each time you use an InfoCard. You get a new key pair even if you use the same card on the same site. And the information sent doesn’t have to be everything in that InfoCard; a site asking you to prove you’re over 18 won’t get your birth date, just the confirmation you’re a legal adult. Your credit card company can supply a one-time transaction authorisation rather than your card number.

What is on your PC is configuration information telling InfoCard how to contact the identity provider. That’s encrypted in a Metadata Store with no programmatic interface so nothing but InfoCard can access it. In version 1, this stays on your PC, unless you export it by hand to copy to another computer. In the future it could be on your phone, on a smartcard or a USB stick – or even supplied by a web service.

InfoCard works with smartcards and security fobs; you could use biometric sensors to protect especially confidential information. VeriSign’s Identity Protection Network will use InfoCard and one-time passwords generated by security fobs, USB keys, or certain mobile phones to login to sites like eBay, PayPal and Yahoo!.

InfoCard runs on a separate secure desktop under a different user account. Malware will have to run with administrative privileges to see the InfoCard process; something Windows Vista aims to make less common.

Supporting InfoCard

On a website InfoCard uses the same HTTP/HTTPS GET and POST, and writes the same client-side browser cookie as a username and password login. The login link is either an OBJECT tag or XHTML, to support multiple browsers (although Microsoft is talking to other browser developers about adding InfoCard support, at this stage only IE 7 has it).

This link details the information the site wants from the user (such as name, email address or age8). If you’re using an STS of your own (or specifying a third-party STS) to authenticate users, the details of that go in the link. You also need the code to log the user in once the credentials have been supplied; the rest of your website works as before.

To add InfoCard support to Windows applications, you need to use the Windows Communication Foundation (that’s in WinFX so it will be available on Windows XP and Vista), but you can develop in any programming language that supports web services.

Anyone can issue their own InfoCard – and Passport will accept self-issued InfoCards once Vista comes out. Other identity providers will be able to issue InfoCards. Microsoft is going to be pushing Active Directory as a source of InfoCards. In Windows Server R2, Active Directory Federation Services uses WS–Trust although it isn’t until we finally see Longhorn Server that Active Directory will be able to issue and manage InfoCards for a company, as well as acting as an STS.

That emphasis on Active Directory may be why IBM is backing Higgins, the open source implementation of WS-Trust in Eclipse.

Paul Trevithick from The SocialPhysics Project emphasises that it isn’t meant to compete with InfoCard or the identity metasystem. “We are following what Microsoft is doing; to us it looks like a very inspired move. Higgins is a software framework that relies on service adapters that connect to external systems using that system’s native protocols or APIs. We expect that in the next few months a WS-* service will be created for Higgins. Higgins – when configured with this service and running on Linux, Mac OS and so on – will fully interoperate with InfoCard running on Windows.”

The more systems that work like this, the better, Kim Cameron says. “There's a visual metaphor we call InfoCards and then there's the identity metasystem. That is not something that we're building. All we can do is build a contribution to it.”

Celeste Biever has also done a nice piece in New Scientist but since it's a pay-per-view, I'll leave each of you to fend for yourself.