Six new authentication methods for Identityblog

Back in March 2006, when Information Cards were unknown and untested, it became obvious that the best way for me to understand the issues would be to put Information Cards onto Identityblog. 

I wrote the code in PHP, and a few people started trying out Information Cards.  Since I was being killed by spam at the time, I decided to try an experiment:  make it mandatory to use an Information Card to leave a comment.  It was worth a try.  More people might check out InfoCards.  And presto, my spam problems would go away.

So on March 18th 2006 I posted More hardy pioneers try out InfoCard, showing the first few people to give it all a whirl.

At first I thought my draconian “InfoCard-Only” approach would get a lot of people's hackles up and only last a few weeks.  But over time more and more people seemed to be subscribing – probably because Identityblog was one of the few sites that actually used InfoCards in production.  And I never had spam again.

How many people joined using InfoCards?  Today I looked at my user list (see the screenshot below with PII fuzzed out).  The answer: 2958 people successfully subscribed and passed email verification.  There were then over 23,000 successful audited logins.  Not very many for a commercial site, but not bad for a technical blog.

Of course, as we all know, the powers at the large commercial sites have preferred the “NASCAR” approach of presenting a bunch of different buttons that redirect the user to, uh, something-or-other-that-can-be-phished, ahem, in spite of the privacy and security problems.  This part of the conversation will go on for some time, since these problems will become progressively more widespread as NASCAR gains popularity and the criminally inclined tune in to its potential as a gold mine… But that discussion is for another day.

Meanwhile, I want to get my hands dirty and understand all the implications of the NASCAR-style approach.  So recently I subscribed to a nifty janrain service that offers a whole array of login methods.  I then integrated their stuff into Identityblog.  I promise, Scout's Honor, not to do man-in-the-middle-attacks or scrape your credentials, even though I probably could if I were so inclined.

From now on, when you need to authenticate at Identityblog, you will see a NASCAR-style login symbol.  See, for example, the LOG IN option at the top of this page. 

If you are not logged in and you want to leave a comment you will see:

Click on the string of icons and you get something like this:

Because many people continue to use my site to try out Information Cards, I've supplemented the janrain widget experience with the Pamelaware Information Card Option (it was pretty easy to make them coexist, and it leaves me with at least one unphishable alternative).  This will also benefit people who don't like the idea of linking their identifiers all over the web.  I expect it will help researchers and students too.

One warning:  Janrain's otherwise polished implementation doesn't work properly with Internet Explorer – it leaves a spurious “Cross Domain Receiver Page” lurking on your desktop.  [Update – this was apparently my problem: see here]  Once I figure out how to contact them (not evident), I'll ask janrain if and when they're going to fix this.  Anyway, the system works – just a bit messy because you have to manually close the stranded empty page.  The problem doesn't appear in Firefox. 

It has already been a riot looking into the new technology and working through the implications.  I'll talk about this as we go forward.

Published by Kim Cameron. Work on identity.

8 thoughts on “Six new authentication methods for Identityblog”

  1. Finally! NASCAR defined! I thought it was an unlikely naming collision! That is funny! Thanks for getting me to look at Information Card. Not very well supported under Linux and Mac it appears, so I'm commenting here via OpenID. I've been using myOpenID from Janrain, and I love it. Also the PIP from VerisignLabs.com is nicely done. Your use of their NASCAR is superb, I'll have to check it out.

  2. It seems to be very difficult to find a non-Microsoft infocard selector. In the past I have successfully used the xmldap.org FF extension, but this seems to have disappeared from the face of the internet, as has the Higgins extension – yet both Pamela and Higgins sites contain references to them. Do they still exist, or has everything but Cardspace disappeared?
    (nothing specifically against Cardspace, but I'm using Linux and Mac mainly, and am rarely in Windows these days)

  3. Microsoft has also stopped developing CardSpace given low adoption by sites. So the search for the Holy Grail goes on! I like the convenience of NASCAR but we need to find a way to harden it against phishing and give it some basic privacy properties. Then integrate with the best ideas from CardSpace.

  4. So here I am leaving my first comment here in years using my sorely over-used Google ID. Keep persevering Kim! We need to sort this out…

  5. I also tried InfoCards a while ago. Very limited success, especially on the Mac.
    This time OpenID was used. The nice thing: The service provider certifi.ca accepts CAcert client certificates for login. No username/pw needed.
    Safari doesn't support that well but Firefox does.

    BR
    Frank

  6. At last! I never succeeded in commenting till now because signing in with an Infocard proved impossible. 2958 managed to login with an Infocard – I wonder how many more tried and failed. Welcome to the messy world of identity.

  7. Interesting about the Mac support. I think there are some good solutions out there – need to bring myself up to speed. But Ben makes a very good point. It was too hard – still experimental with too many loose ends. Plus defects in Cardspace itself – like Cards wouldn't roam. Frank's idea of identity providers using client certs is a nice one for phish-fighting. It's possible to make them roam over at least some devices – I've discussed this with Ben Laurie. That leaves us with the identity provider privacy problem, and u-prove would fix that if some of the players find the motivation to do so (big topic of discussion). So, as William implies, building on what we've all learned and the way things have evolved, there IS a solution in here somewhere. I certainly won't give up on finding it!
