Dana Epp runs SilverStr blog and is a security pro with passion and a real handle on CardSpace and Information Cards. Richard Campbell and Greg Hughs have the new radio blog called RunAsRadio. The trio come through as likeable and relevant in the podcast Dana describes here:
Recently I was interviewed by Richard Campbell and Greg Hughs on RunAsRadio. You might have heard of Richard… he's also the host of .Net Rocks!. Where .NET Rocks! is for developers, RunAsRadio is for IT Pros.
Anyways, if you would like to listen to the interview we did on CardSpace, you can download it here. Its about a half hour long, and is a simple introduction to the world of Cardspace, atleast for the client side perspective.
For those already versed in the subject, you will notice a few term definition problems in the interview. It went by so fast, and I didn't make it clear what I was getting at. For those that don't know, here is a primer that may help understand how I talk about digital identity:
- InfoCard : An information card. The previous code name for Cardspace [but now the name of the underlying technology – Kim]
- Identity Card: Generic term to mean a piece of digital information that represents your identity [definition not recommended – Kim]
- Identity Provider: As the name implies, a provider of one's digital identity.
- Relying Party: A system/application that relies on a digital identity for authentication, and possibly authorization. It is up to this party to decide which Identity Provider(s) it is willing to trust. ie: Web site, LOB app etc
- Claim: An assertion of a piece of information belonging to an identity. ie: username, password, age, phone number etc.
- Wallet: A piece of software that holds Identity Cards. Vista ships with a wallet that holds Information Cards. You can also download it for XP.
In a couple of places I used the term “credential” where I was really talking about “claims”. And in passing it may sound like I was saying its the Identity Providers (IdP) role to decide who to trust. That didn't come out right. It is up to the relying party to decide which IdP it wishes to trust. In some cases, it will trust you, because you act as the provider. How? Because when you create a a self-issued card and submit it, you are asserting you are who you say you are. It won't be as trusted as much as say… a government IdP. But you get the point. I hope Kim doesn't think about throwing a brick at my head if he hears the interview 🙂 [I love the interview – no brick – Kim]
Anyways, fun interview. Richard and Greg have asked me to come back and do another one where we can explore the server side of things… and discuss how Relying Parties and Identity Providers really work. We may even get into some discussion about Longhorn server and some of the interesting bits there that can be leveraged for the new digital identity ecosystem. Until then… enjoy!
Actually, Dana is remarkably precise while still being interesting. He has made even the hardest leap – separating credentials from claims cleanly enough that he catches himself when at one point he starts to slip.
In the interview Dana says “InfoCards”, and uses the word properly – to refer to the the technology we are working on across the industry. “Windows CardSpace”, on the other hand, is the name of the Microsoft implementation of this technology.
I take full responsibility for confusing everyone in this regard – and apologize to Dana and all my readers – because early in the product cycle I conflated our proposed technology ideas and our Microsoft implementation. Over time we've become very crisp about our usage. CardSpace is the way we store Information Cards on Windows; people abbreviate Information Cards into “InfoCards”.
I do not use and do not like the phrase “Identity Cards” when talking about digital identity.
“Identity Cards” conjure up government-issued citizen identities. While government cards are a legitimate notion when interacting with government sites, we don't want to imply that government-issued identities should be used everywhere or for everything! People need to be able to assert different identities and decide which ones they want to pull out of their “wallets” – just as they do in the physical world.
But I nit-pick. If you want to learn about CardSpace and Information Cards, check out this interview.
We're in this weird place where the broad notion of Identity is maybe abbused in terms of “the 7 laws of identity” and where “identity cards” has other repugnant connotations.
It is useful that InfoCards, Information Cards, and CardSpace do not meet those objections and I hadn't caught that before. I think that's valuable.
I'm still mulling on ID and identifier, and look forward to listening to Dana's treatment.
[PS: I hate being reminded that I must login when I am trying to post the comment (I didn't look up top, now I realize that I will be greeted if logged in. Also, logging in takes me to the front page of the blog, not the page I was on. Just a little kvetching from a visitor who has no sign-on provisions at all on his sites (except whatever Blogger uses).]