Identity expert Peter Vander Auwera from Belgium just sent me this:
Weird that this information is available online. You can search for any passport by the name of someone and get full information. I wonder where they get this data…
Here's a new managed card provider from Patrick Patterson at Carillon Information Security Inc. With commendable understatement, Patrick writes:
I just thought that you'd like to know about a demonstration STS for issuing managed infocards that we've just finished. It's written in PHP, backends into either a database or LDAP, and is easily customizable to accommodate custom claims. And, since it is written in PHP, it is easily deployable for those that want to experiment with a CardSpace STS, but who may not have either a JSP server to deploy one of the other Java based implementations, or an IIS .NET server to experiment with the one Microsoft has provided.
It is available here.
I'm a sucker for PHP and Ruby on Rails, so I love seeing this support. Beyond that, I'm interested in Carillon's support for certificates.
What is it?
The Carillon STS is a PHP-based Federated Identity Provider (IdP) which is capable of acting as a Secure Token Service (STS) compatible with Windows CardSpace and other “infocard” implementations. It has been successfully tested with CardSpace, as well as with Chuck Mortimore's Firefox identity selector plugin.
Once installed and configured, the Carillon STS allows a user to authenticate himself, either by password or by X.509 certificate, whereupon he is issued a digitally signed infocard containing some standard identity claims and optionally some customizable identity claims. When he presents this infocard to a Relying Party's (RP's) site, his browser's identity selector requests a SAML token from the Carillon STS. If the authentication information is still valid, a digitally signed token will be issued with the various claims asserted. The browser takes this token, checks the digital signature, encrypts it for the RP, and passes it along. It is the RP's responsibility to decrypt the SAML token, check the digital signature, check the asserted claims, and make an access decision based on this information.
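The issue-and-verify exchange described above, reduced to its two ends, as an added example that is not Carillon's code: the STS side signs a set of claims with a validity window, and the relying-party side performs every check the text assigns to the RP before making an access decision. To stay runnable with the standard library alone, it uses HMAC-SHA256 over a JSON payload as a stand-in for the XML-signed SAML token, and it leaves out the browser's encryption of the token for the RP; the key, issuer, audience, subject and claims are all constructed values.

```python
"""Toy STS / relying-party exchange (added example, not the Carillon STS).

HMAC-SHA256 over a JSON body stands in for the SAML token and its XML
digital signature; the browser's encrypt-for-RP step is omitted.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (hypothetical, not from the project).
STS_KEY = b"constructed-demo-signing-key"
STS_ISSUER = "https://sts.example.test"
RP_AUDIENCE = "https://rp.example.test"


def b64enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue_token(subject, claims, key=STS_KEY, now=None, lifetime=300):
    """STS side: the user has already authenticated (password or X.509);
    assert the claims, bound to this RP, for a limited time, and sign."""
    now = int(time.time() if now is None else now)
    payload = {
        "iss": STS_ISSUER,
        "aud": RP_AUDIENCE,
        "sub": subject,
        "nbf": now,
        "exp": now + lifetime,
        "claims": claims,
    }
    body = b64enc(json.dumps(payload, sort_keys=True).encode())
    sig = b64enc(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def rp_verify_token(token, required_claims, key=STS_KEY, now=None,
                    audience=RP_AUDIENCE):
    """RP side. Returns (ok, reason, claims); claims is None unless ok."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed", None
    # 1. Signature first: nothing inside the token is trusted until it passes.
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64dec(sig)):
        return False, "bad signature", None
    payload = json.loads(b64dec(body))
    # 2. Issued by the STS we trust, and meant for this RP (not replayed
    #    from another site that received a token for the same user).
    if payload.get("iss") != STS_ISSUER:
        return False, "untrusted issuer", None
    if payload.get("aud") != audience:
        return False, "wrong audience", None
    # 3. Validity window: the STS only vouches for a short interval.
    if not (payload["nbf"] <= now < payload["exp"]):
        return False, "outside validity window", None
    # 4. Every claim the access decision depends on must be asserted.
    missing = [c for c in required_claims if c not in payload["claims"]]
    if missing:
        return False, "missing claims: " + ",".join(missing), None
    return True, "ok", payload["claims"]


def rp_access_decision(token, now=None):
    """Access decision built only on verified claims."""
    ok, reason, claims = rp_verify_token(token, ["emailaddress"], now=now)
    if not ok:
        return "deny (" + reason + ")"
    return "allow " + claims["emailaddress"]


if __name__ == "__main__":
    tok = sts_issue_token("alice", {"emailaddress": "alice@example.test",
                                    "givenname": "Alice"}, now=1000)
    print(rp_access_decision(tok, now=1100))   # within the window
    print(rp_access_decision(tok, now=5000))   # expired
```

The order of the checks is the point: signature, then issuer and audience, then time window, then claims. A token whose claims were altered after signing fails at step 1, a token obtained from a different RP fails at step 2, and a stale token fails at step 3, so the access decision never sees unverified data.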
Current Status:
This project has been tested with available releases of Windows CardSpace and the Firefox identity selector plugin. There are several Relying Party (RP) sites on the web to test against; in particular, the xmldap.org RP is able to consume Carillon STS infocards and display their contents.
Version 0.01 is the initial release of the Carillon STS. It is presently under active development.
License:
The Carillon Demo STS is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
Carillon Demo STS is Copyright © 2007 Carillon Information Security Inc.
Download:
Note: Please hold down the SHIFT key while clicking on the package you want to download to avoid file corruption.
Source: carillon-sts-0.01.tar.gz
I hope to meet Carillon at the next Interopathon. It's really awe-inspiring to see this level of Information Card expertise developing spontaneously in the security and identity communities. Congratulations, folks!
Over the next few days I will write about some of the Information Card ideas and products I saw at the Burton Group's Catalyst Conference. The Interopathon demonstrated a whole slew of identity provider, identity selector and relying party products written by all kinds of competitors and collaborators. Pretty much all the big software companies were involved, as were some smart identity industry startups. The next day, the party continued in the Microsoft hospitality suite – and probably other suites as well.
One of my favorite demonstrations was put together by Gemalto, one of the world's largest manufacturers of smart cards, cell phone SIMS and dongles. They collaborated closely with the CardSpace team on a prototype of CardSpace in which Information Cards and the associated metadata and secret keys are all kept on a smartcard or dongle.
Here's the user experience:
You arrive at a machine, and insert your smart card.
CardSpace asks for a password, and when you enter it, you see your CardSpace cards as usual – except they materialize from the smart card. The system supports both self-issued and managed cards.
Then, when you remove your smart card, all the CardSpace cards go away.
In other words, the system completely solves the roaming and “kiosk” problem. You take your Information Cards with you, and use them wherever you go. A single smart card can transport a whole set of unrelated cards – the “Fist full of dongles” problem is solved.
The Gemalto folks have a demo that makes the ideas completely clear here. Much of the work was done by Kapil – great guy and I have my fingers crossed that he'll start blogging again.
This notice is the entire privacy notice for the site at http://www.identityblog.com which is solely owned and operated by Kim Cameron.
Personal information usage and storage
No combining or revealing of information
No persistant cookies or tracking of your reading
SPAM
Updating your personal information
This is a personal blog and my goal here is to convey why and how I am using (and will use) any information I ask you to provide. If you have other questions I should answer or comments on my policy, please let me know.