Ensuring Privacy and Consent

I think many will benefit from Marco Casassa Mont's Research on Identity Management blog.  He discusses business-driven identity management – and its foibles.

A recent post invites us to an upcoming Kable conference that I would attend if I possibly could:

An interesting conference is going to take place on July, 9th in London, UK on “Ensuring Privacy and Consent in Identity Management Infrastructures”. It is supported by DTI and free to attend to the private sector and academics. The conference program and online registration form are available here.

“The Department of Trade and Industry (DTI), through the Technology Strategy Board's Network Security Innovation Platform, is working with the Identity and Passport Service (IPS), the Home Office, the Economic and Social Research Council (ESRC) and the Engineering and Physical Sciences Research Council (EPSRC) to develop a work package that will sponsor a £10m, 3-year, research and development programme into how to balance the potentially intrusive nature of identity services and network security with users’ expectations of privacy and consent. This research will be cross-disciplinary, combining social science with technological innovation. …

The aim of this initial workshop on 9 July is to discuss and refine the areas of importance for research, as well as identifying where the research is needed and where the UK has potential to develop world-leading commercial services. The findings of the workshop will lead to the development of projects and proposals using the EPSRC's sand-pit concept at a further workshop to be held in early October.”

You might want to consider attending if you work in the areas of identity and privacy management …

PHP managed card provider

Here's a new managed card provider from Patrick Patterson at  Carillon Information Security Inc.  With commendable understatement, Patrick writes:

I just thought that you'd like to know about a demonstration STS for issuing managed infocards that we've just finished.It's written in PHP, backends into either a database or LDAP, and is easily customizable to accommodate custom claims.

And, since it is written in PHP, it is easily deployable for those that want to experiment with a CardSpace STS, but who may not have either a JSP server to deploy one of the other Java based implementations, or an IIS .NET server to experiment with the one Microsoft has provided.

It is available here.

I'm a sucker for PHP and Ruby on Rails, so I love seeing this support.  Beyond that, I'm interested in Carillon's support for certificates. 

What is it?

The Carillon STS is a PHP-based Federated Identity Provider (IdP) which is capable of acting as a Secure Token Service (STS) compatible with Windows CardSpace and other “infocard” implementations. It has been successfully tested with CardSpace, as well as with Chuck Mortimore's Firefox identity selector plugin.

Once installed and configured, the Carillon STS allows a user to authenticate himself, either by password or by X.509 certificate, whereupon he is issued a digitally signed infocard containing some standard identity claims and optionally some customizable identity claims. When he presents this infocard to a Relying Party's (RP's) site, his browser's identity selector requests a SAML token from the Carillon STS. If the authentication information is still valid, a digitally signed token will be issued with the various claims asserted. The browser takes this token, checks the digital signature, encrypts it for the RP, and passes it along. It is the RP's responsibility to decrypt the SAML token, check the digital signature, check the asserted claims, and make an access decision based on this information.

Current Status:

This project has been tested with available releases of Windows CardSpace and the Firefox identity selector plugin. There are several Relying Party (RP) sites on the web to test against; in particular, the xmldap.org RP is able to consume Carillon STS infocards and display their contents.

Version 0.01 is the initial release of the Carillon STS. It is presently under active development.


The Carillon Demo STS is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Carillon Demo STS is Copyright © 2007 Carillon Information Security Inc.


Note: Please hold down the SHIFT key while clicking on package you want to download to avoid file corruption.

Source: carillon-sts-0.01.tar.gz

I hope to meet Carillon at the next Interopathon.  It's really awe-inspiring to see this level of Information Card expertise developing spontaneously in the security and identity communities.  Congratulations, folks!

CardSpace and Smart Cards

Over the next few days I will write about some of the Information Card ideas and products I saw at the Burton Group's Catalyst Conference.  The Interopathon demonstrated a whole slew of identity provider, identity selector and relying party products written by all kinds of competitors and collaborators.  Pretty much all the big software companies were involved, as were a some smart identity industry startups.  The next day, the party continued in the Microsoft hospitality suite – and probably other suites as well.

One of my favorite demonstrations was put together by Gemalto, one of the world's largest manufacturers of smart cards, cell phone SIMS and dongles.  They collaborated closely with the CardSpace team on a prototype of CardSpace in which Information Cards and the associated metadata and secret keys are all kept on a smartcard or dongle.

Here's the user experience:

You arrive at a machine, and insert your smart card. 

CardSpace asks for a password, and when you enter it, you see your CardSpace cards as usual – except they marterialize from the smart card.  The system supports both self-issued and managed cards. 

Then, when you remove your smart card, all the CardSpace cards go away.

In other words, the system completely solves the roaming and “kiosk” problem.  You take your Information Cards with you, and use them wherever you go.  A single smart card can transport a whole set of unrelated cards – the “Fist full of dongles” problem is solved.

The Gemalto folks have a demo that makes the ideas completely clear here.   Much of the work was done by Kapil – great guy  and I have my fingers crossed that he'll start blogging again.