A SELF-ISSUED INFOCARD TUTORIAL AND DEMO

This tutorial includes a demo, an explanation of how Self-Issued InfoCard identity tokens work, and sample PHP code allowing you to accept these tokens at a web site.

One of the key goals of InfoCard and the Identity Metasystem is to put the release of identity information under the direct control of computer users.  At the same time, the system respects the right of a web site to say what information it requires to grant entry.  The accompanying demo shows how InfoCards help bring the two sides of this equation together in a way that accords with the Laws of Identity.

Information Card technology can be used to manage the exchange of any kind of token.  CardSpace's self-issued tokens use the SAML format.  With this format, identity information sent to a site is “signed” to guarantee that it really comes from whoever originates the “claims” in the identity token.  Then, to protect the user's information during release, it is encrypted so only that site can get at it.

How can the identity provider encrypt the information destined for your web site?  You need a public key and certificate.  In the current version of InfoCard this has to be an SSL certificate (mine cost me under $20), and your web server needs to be able to support https.  Identity tokens sent to you will be encrypted under the same key your system uses for https.  If people need help with this, let me know and I'll add instructions to this tutorial.

I wrote my sample code in PHP 5 (I had a 4.2 version running at one point, but didn't want to keep two versions going).  If you wonder why I chose PHP, I wanted it to be clear that InfoCards are not Windows-specific.  You need to make sure your version of PHP has the mcrypt and openssl libraries enabled.  (By way of example, these libraries are part of the default environment at TextDrive, my excellent web site host.)

I would suggest you approach this tutorial as follows:

  1. Watch the demo.  Use this version for Windows Media Player.  (If your system complains that it requires the Techsmith Screen Capture Codec [TSCC], pick it up here.)  If you can't use TSCC, try the much fatter Quicktime version (double-click on the demo to start it).
  2. Learn about the Encrypted SAML Token, and then how to decrypt it to reveal the signed token.
  3. Learn about the Signed Token, and how to verify it.
  4. Look at the sample HTML page and mainline that constitutes the demo.

You can download the sample PHP files here (I updated them to V3 in June 2007 to make the code compatible with the shipping version of Vista, and at the same time embrace the new OASIS claims names.)

I'll be evolving this work over the next little while, so let me know about anything that is unclear or not pitched at the right level.

People have asked if I'll be putting this tutorial into .pdf format.  I will, once I've received a bit more feedback.  In particular, I'm hoping some PHP gurus will look things over – this is my first PHP project.

I've also been asked what intentions I have for this code. My only goal is to share information as widely as possible.

FIND YOUR SECRETS ON THE WEB

Check out this amazing piece at Computerworld.  It boggles the mind.  To whet your appetite:

APRIL 12, 2006

Broward County, Fla., Maricopa County, Ariz., Fort Bend County, Texas. Three counties separated by hundreds of miles with something in common: They’re among potentially hundreds of counties in several states that in recent years have made Social Security numbers, driver's license information, bank account numbers and a variety of other personally sensitive data belonging to residents available to anyone in the world with Internet access.

The exposure follows the failure to redact sensitive information from land records and other public documents posted on the Internet and makes county Web sites a veritable treasure trove of information for identity thieves and other criminals, according to a number of privacy advocates.

“These sites are just spoon-feeding criminals the information they need,” said B.J. Ostergren, a privacy advocate based in Richmond, Va. “But no one appears to be seeing it and nobody’s changing the laws,” she said.

Among the pieces of personally identifiable information from county Web sites made available to Computerworld by Ostergren and other privacy advocates were: Rep. Tom Delay’s Social Security number on a tax lien document; the Social Security numbers for Florida Gov. Jeb Bush and his wife on a quit claim deed from 1999; driver’s license numbers, addresses, vehicle registration information, height and race of individuals arrested for traffic violations; names and dates of birth of minors from final divorce decrees and family court documents; and even complete copies of death certificates with Social Security numbers, dates of birth and cause of death. (The Social Security numbers for Bush and his wife have been redacted and are no longer available online.)

“All of this information is available to anyone sitting in a cafe in Nigeria or anywhere else in the world,” said David Bloys, a retired private investigator who publishes a newsletter called “News for Public Officials” in Shallowater, Texas. “It’s a real security threat.”

The article includes a calming quote from Darity Wesley, CEO of Privacy Solutions, a privacy consultancy for the real estate industry based in San Diego.

“There’s a real need to keep the information flowing,” Wesley said, adding that while there’s a real need to protect data “at all costs,” there’s little evidence so far that the public availability of personal information on government sites has contributed to identity theft. For most identity thieves, the effort involved in sifting through millions of public records for sensitive information is simply not worth it, she said.

“There’s a lot of value in public records, and shutting down access to them” over privacy concerns would be a step backward, she said. “Rather than wrap a lot of fear and sensationalism” around the issue, what is needed is an informed discussion of the issue by legislators and privacy advocates.

This is a good example of how simply transferring a manual process to the virtual world can result in a whole new level of invasiveness and threat.

“I understand people’s concerns, but a lot of this information has been freely available for public inspection since Plymouth Rock,” said Carol Fogelsong, the assistant comptroller for Orange County, Fla.

Even so, privacy advocates say the move to post public records on the Web without removing personally identifiable information has greatly broadened access to sensitive data and the potential for misuse. “The simple truth is these records were safe in the courthouse for 160 years,” Bloys said. Now, all it takes is Internet access and a very rudimentary idea of how to look for data to find all sorts of information, he said.

Ostergren, for instance, claims to have harvested more than 17,000 Social Security numbers simply by “messing around” in county Web sites over the past two years. Among the countless nuggets Bloys turned up was the complete medical history of a terminally ill county official.

Finally, if you worry that this type of attack seems like too much work for an identity thief, console yourself:

It is not always necessary to search for data, since online records often can be purchased in bulk for a fraction of what it would cost to buy them from a courthouse, Bloys said. One example: Fort Bend County, Texas, last year sold to a Florida company every document ever filed with the county clerk’s office — estimated to be around 20 million — for roughly $2,500. Bloys wrote about the transaction in his newsletter in December. Fort Bend County officials did not immediately return a call seeking comment.


THE INFOCARDS FOR PHP TUTORIAL

I've been promising to share the sample code I wrote to InfoCard-enable my site.

Working on this, it became pretty clear that I needed to explain how tokens work before I could explain how the related code works.

And then, since few people so far have access to InfoCard bits compatible with my site, I saw that I needed to do a demo of what the user experience would be, showing how InfoCards actually work.

Finally, thanks to the review work of a number of colleagues across a number of different companies, I have a Simple InfoCard Tutorial and Demo ready for you to try out.  Watch the five-minute demo, and then follow this link into the tutorial.

Are you using Windows Media player?  Then use this version of my demo, encoded with the Techsmith Screen Capture Codec (TSCC).  If your system complains that the codec isn't installed, it is totally worth picking it up here.  It does a tremendous job of compressing demos.

If your player doesn't support TSCC, I hope the Quicktime version will help.  I found I had to download the whole file, then click on the icon to open Quicktime, and then double click on the demo image to make the demo start playing.  Am I doing something wrong?  The biggest drawback seems to be that the encoding is four (4) times larger than the TSCC version.  But hey, it works, and I like the way you can drag the progress bar to jump around within the demo.

Thanks to Robert Richardson for helping me understand the codec issues.  If others have advice for me, please send it, since I want to do more demos in the near future.

I'll be evolving this work over the next little while, so let me know about anything that is unclear.  I'll also add some demos of what it looks like using InfoCards on the compatible sites that have been created by Chuck Mortimer and Ashish Jain.

Once I get more feedback on what can be improved, I'll assemble the tutorial into .pdf format, and make a zip for downloading the samples.

Someone has asked me what intentions I have for this code.  My only goal is to share information as widely as possible.


PAMELA DINGLE AT DIRECTORY EXPERTS CONFERENCE

I've heard many positive comments about Pam Dingle's talk on “InfoCard in the Enterprise” at the Directory Experts Conference in Vegas.  Unfortunately I couldn't get to Vegas – but here's her recent post.

Things went along just swimmingly last night at my “Infocard in an Enterprise Context” talk at the Directory Experts Conference. There were many insightful questions from the audience, and afterwards, it warmed my geeky little heart to see Stuart Kwan surrounded by crowds of administrators, all wanting to give feedback and have questions answered.

There were some very interesting topics brought up during the discussion, which I want to capture before I forget. The most discussed topics surrounded that of “card proliferation”. If you end up having as many different managed cards on your desktop as you do cards in your physical wallet, does that become easier or harder to use than regular username/password combinations?

It is a really good point. A great example was brought up, which was identification cards for gambling establishments. What if you have 20 membership cards for 20 casinos? There are two ways that those casinos might want to do the infocard thing: either they could give you a managed card with that information in it, or they could register your self-asserted card.

In the first case, you literally would end up with 20 different cards. Remember though, in that case the gambling establishment would be requiring an exact issuer, so ALL the cards in your wallet would be greyed out except the right one, and that the same card would always be used for transactions with that site, so it would always pop up at the top, with the “you used this card last time, would you like to use it again? message”. In the second case, you could create a “gambling card” that could be registered at as many sites as you wished. You could do this safely, because nothing in the information stored in the infocard is specific to any one of the gambling institutions, it is just personal contact information. Instead of you giving them your membership number, you are giving them your PPID, which is associated with your membership number at the gambling site. By doing so, you have completely removed any data from the card that would be of interest to steal, or that could be accidentally given away during the process of using the card at multiple sites. Remember that a PPI is a calculated identifier that is different for every Relying Party.

I think that at least in the beginning, that 2nd case will be more common. However, users themselves will not be able to choose what kind of card the Relying Party demands, and besides, the root point of the original question remains. How many cards do YOU have in your wallet? How many username/password combos have you, over the years, accumulated? If Infocard really takes off, there is no doubt that people will begin to accumulate infocards, even if they work hard to keep their cardsets small.

I can’t speak for MS of course, but I’m pretty sure that the Infocard team would be delighted to have this technology become so popular that they have to race to get rid of the currently existing card limit (I know there is one, can’t remember what it is) and implement mass-management tools for the interface sooner rather than later (-:

Another discussed topic was the idea of having cards that had some controlled fields and some open fields. That one is a topic for a whole other conversation, and a very interesting concept.

Lastly – Dave Kearns asked me what about my presentation was “user-centric”. I replied “nothing” as I was specifically addressing how the identity metasystem could be locked down and controlled/audited/managed centrally to satisfy business needs. I think that perhaps that answer was flippant — users still get to see what of their information is being passed in the enterprise, and they can also choose which corporate credentials they wish to use for what corporate resources — this is still an increase in choice and visibility to what they have now.

If you were there and if you are interested in trying this technology out, here is a uber-quick set of instructions and gotchas:

  • Although infocard will run on both W2K3 and XP sp2, I suggest using XP sp2, as IE7 beta previews are not yet supported on W2K3
  • Getting the right version of IE7 is *critical*. I don’t know all the version numbers, but the version I have works – IE7 Beta preview 2. There was another version following that which does NOT work, so be careful. If you can’t afford the time to be wrong, let me know and I’ll make sure you get a working version.
  • Don’t use a host system that you have any attachment to. If you want to follow the CTPs as they come out, you will almost certainly have to start from scratch (for example, moving from the Jan CTP to the Feb CTP required a vanilla install). Use VMs if you can.
  • Apparently (and I haven’t even tried it yet, it is that new), there are now TWO Relying Parties on the internet that you can go to with your new Infocard client, Kim Cameron’s Identity Blog and Chuck Mortimore’s Java-based Relying Party.

Thanks again to everyone who attended, I hope that y’all had fun.

Update: Jef comments that IE7 version 5335 fails, and that he got version 5299 to work. I also know that Rohan Pinto had trouble with version 5299 and had to resort to 5296. No matter what, it seems that 5335 is a no go, so I hope that helps! Thanks Jef.

At this point, I think the best thing to do is get the MIX06 bits if you want to experiment with the InfoCard sites.  I'm definitely publishing my PHP sample code and tutorials this week, so stay tuned.


TOP FIVE CREDIT CARD SCAMS

Jimmy Atkinson has written to tell us about a series he's involved in at Credit Card Blog  “that may interest readers of Identity Weblog. It's the Top Five Credit Card Scams. Each day this week, we're covering a different scam and providing tips to consumers as to how they can protect themselves against identity theft and credit card fraud.” 

The site will definitely give you things to think about.  I don't know a lot about findcreditcards.org.  Maybe Jimmy can help us to understand more.

Anyway, here is a sample – the recent posting on “skimming”:

One of the most insidious forms of credit card fraud occurs with a little device known as a skimmer. Skimmers are the size of a pager and can be carried by a scam artist to swipe your credit card and steal the information needed to create a counterfeit card with your name on it. Here’s how it works: You pay at a restaurant or other business and the clerk takes your card. In the back, the clerk swipes your card for the purchase and then swipes it secretly into the skimmer, which records the name and numbers.

The numbers in the skimmer can be downloaded into a computer and emailed anywhere across the globe. They are then used to make fake credit cards that are used by thieves in Europe, Asia, Latin America, and the US. Skimming is responsible for over $1 billion in losses each year.

Skimmers can also be placed on some older ATMs so that when you swipe your own card, the information is stored in the tiny bug and then retrieved at a later date by the scammer. To protect yourself, keep an eye on your credit card bills. Watch for any unusual activity and report it immediately. Also shred all your statements so that the numbers cannot be stolen.

When out and about, keep a close eye on your credit card as well, and report any suspicious activity to the Federal Trade Commission.

It all just shows how hard it is to change an infrastructure once it's in, no matter how many flaws it has.  It's the problem of exposing your secret (as happens with North American credit cards) rather than using your secret to prove something.  InfoCards give us a way to fix this in the online environment.  The payment identity provider does not need to release a long-term credit card number – just a one-time approval (potentially modelled as a credit card number for compatibility purposes).


HOW TO USE INFOCARDS AT IDENTITYBLOG

At identityblog I accept pretty much any infocard – on condition that you demonstrate ownership of your email address.

Going forward, I hope to hook up with organizations like sxore who can do the necessary verification and reputation gathering, and people who present infocards from these organizations won't even have to go through email validation.


Click on the movie below to see how infocards work.


WELCOME! BEAR WITH ME AS I CHECK OUT YOUR EMAIL ADDRESS


Welcome to identityblog…

Please bear with me as I check out your email address.

It's great to see your interest in identityblog.  I look forward to receiving comments and links from you.

Since you are using a self-issued identity, I hope you won't mind responding to an email that contains a link back to my site.  It helps convince me you are not a spam robot.  Currently it's not a very demanding test – you just need to click on the link!

Until then, your login here doesn't do anything for you.  Please watch for the email, then log in again. 

Having done that, you'll be able to leave comments here without going through the moderation queue.


THE SIGNED TOKEN

<saml:Assertion MajorVersion="1" MinorVersion="1"
        AssertionID="uuid:a5ca5dd2-f2b1-47c9-b3be-c9aa6e47d37f"
        Issuer="http://schemas.microsoft.com/ws/2005/05/identity/issuer/self"
        IssueInstant="2006-03-05T17:51:18.473Z"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2006-03-05T17:51:18.473Z"
            NotOnOrAfter="2006-03-05T18:51:18.473Z" />
    <saml:AttributeStatement>
        <saml:Subject>
            <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>
                    urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
                </saml:ConfirmationMethod>
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        </e:EncryptionMethod>
                        <KeyInfo>
                            <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                                <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
                                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
                                        +PYbznDaB/dlhjIfqCQ458E72wA=
                                </o:KeyIdentifier>
                            </o:SecurityTokenReference>
                        </KeyInfo>
                        <e:CipherData>
                            <e:CipherValue>Zp9GQJBEuo4UZYxVh/QM3y8LzqVh2aium82nCsozh4
                                HwSK5NDIRfK/qKInUL8J7f+IrIQS1jpVkwlztUpoP4dkdaAAu9
                                A/EBzEuCGL/uz9wcD4HxxVAGrvV71H9gaAhgmvR561yaBLjaJC
                                rrnSNaji/4pAGUq23oIDxHF3IhHfk=
                            </e:CipherValue>
                        </e:CipherData>
                    </e:EncryptedKey>
                </KeyInfo>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="GivenName"
                AttributeNamespace="http://schemas.microsoft.com/ws/2005/05/identity/claims">
            <saml:AttributeValue>William</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="Surname"
                AttributeNamespace="http://schemas.microsoft.com/ws/2005/05/identity/claims">
            <saml:AttributeValue>Shakespeare</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="EmailAddress"
                AttributeNamespace="http://schemas.microsoft.com/ws/2005/05/identity/claims">
            <saml:AttributeValue>william@avon.org</saml:AttributeValue>
        </saml:Attribute>
     </saml:AttributeStatement>
     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         <SignedInfo>
             <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
             <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
             <Reference URI="#uuid:a5ca5dd2-f2b1-47c9-b3be-c9aa6e47d37f">
                 <Transforms>
                     <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                 </Transforms>
                 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                 <DigestValue>E8fLZ1moCpnDYlLlX39Ooc2n+ec=</DigestValue>
            </Reference>
         </SignedInfo>
         <SignatureValue>nmRwWM/WjYlMK8v/bVBHOQeS+hBj603lxCcAcoD0GmxCKhm+c5O7X7X+iTj3qb
                   DGQrFQSu/zqRadJRlFGS3N0O5hapGuDXrmP85ac7KeDVBQ90PrDDigeYZQU5Lw6NK1iG
                   .
                   .
                   .
                   pXlT1vAG7Snvu6DAJQpAL+gqeO2afJg==
         </SignatureValue>
         <KeyInfo>
             <KeyValue>
                 <RSAKeyValue>
                     <Modulus>xmJx9eJQYln5r8eR7X2XPcwcSS5C8fBjlLdv/rBsgfNA+KeAKx6Z7speFJp
                         CmeNOe8v3nUldfYlvN9jWcKFn3AF4ddgMHw5e1M0TpPzQlBtcMTm12Uslg3ANFw0zM0h
                         .
                         .
                         IqNDrzJGDU1fuLRSkNT/Q==
                     </Modulus>
                     <Exponent>AQAB</Exponent>
                 </RSAKeyValue>
             </KeyValue>
         </KeyInfo>
     </Signature>
</saml:Assertion>
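The tutorial's steps 2 and 3 (decrypt the token, then verify the signed assertion) leave a relying party with the XML above; before it trusts the claims it still has to check that the assertion is the kind it expects. The following is an added Python example, not the tutorial's PHP code: it runs those structural and policy checks over a constructed, abridged copy of the assertion above (the base64 blobs replaced by ELIDED, the thumbprint kept) and returns the claims only if every check passes. cert_thumbprint, check_assertion and verify_sample are names chosen here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
THUMB = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
SELF_ISSUER = "http://schemas.microsoft.com/ws/2005/05/identity/issuer/self"
CLAIMS_NS = "http://schemas.microsoft.com/ws/2005/05/identity/claims"
EXPECTED_ALGS = {"CanonicalizationMethod": "http://www.w3.org/2001/10/xml-exc-c14n#",  # as in the token above
                 "SignatureMethod": DS + "rsa-sha1", "Reference/DigestMethod": DS + "sha1"}
TOKEN_ISSUED = datetime(2006, 3, 5, 17, 51, 18, 473000, tzinfo=timezone.utc)

# Constructed sample: the assertion shown above, with its base64 blobs replaced by ELIDED.
SAMPLE_TOKEN = f"""<saml:Assertion MajorVersion="1" MinorVersion="1" xmlns:saml="{SAML}"
    AssertionID="uuid:a5ca5dd2-f2b1-47c9-b3be-c9aa6e47d37f" Issuer="{SELF_ISSUER}"
    IssueInstant="2006-03-05T17:51:18.473Z">
  <saml:Conditions NotBefore="2006-03-05T17:51:18.473Z" NotOnOrAfter="2006-03-05T18:51:18.473Z"/>
  <saml:AttributeStatement>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
      <KeyInfo xmlns="{DS}"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <KeyInfo><o:SecurityTokenReference xmlns:o="{WSSE}">
          <o:KeyIdentifier ValueType="{THUMB}">+PYbznDaB/dlhjIfqCQ458E72wA=</o:KeyIdentifier>
        </o:SecurityTokenReference></KeyInfo>
        <e:CipherData><e:CipherValue>ELIDED</e:CipherValue></e:CipherData>
      </e:EncryptedKey></KeyInfo>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Attribute AttributeName="GivenName" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>William</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="EmailAddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>william@avon.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <Signature xmlns="{DS}"><SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="{DS}rsa-sha1"/>
    <Reference URI="#uuid:a5ca5dd2-f2b1-47c9-b3be-c9aa6e47d37f">
      <Transforms><Transform Algorithm="{DS}enveloped-signature"/></Transforms>
      <DigestMethod Algorithm="{DS}sha1"/><DigestValue>ELIDED</DigestValue>
    </Reference></SignedInfo><SignatureValue>ELIDED</SignatureValue>
  </Signature>
</saml:Assertion>"""

def cert_thumbprint(cert_der: bytes) -> str:
    """Base64 SHA-1 thumbprint of a DER certificate, the form the KeyIdentifier carries."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode()

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, site_thumbprint, now, skew=timedelta(minutes=5)):
    """Structural/policy checks on the decrypted assertion: returns the claims or raises ValueError."""
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{SAML}}}Assertion" or a.get("Issuer") != SELF_ISSUER:
        raise ValueError("not a self-issued SAML 1.1 assertion")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None or not (_ts(cond.get("NotBefore")) - skew <= now
                            < _ts(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("assertion missing Conditions or outside its validity window")
    si = f"{{{DS}}}Signature/{{{DS}}}SignedInfo/"  # pin every algorithm; never trust the token's choice
    for path, alg in EXPECTED_ALGS.items():
        el = a.find(si + "/".join(f"{{{DS}}}{p}" for p in path.split("/")))
        if el is None or el.get("Algorithm") != alg:
            raise ValueError(f"unexpected or missing {path} algorithm")
    ref = a.find(si + f"{{{DS}}}Reference")  # the signature must cover this very assertion
    if ref.get("URI") != "#" + a.get("AssertionID", ""):
        raise ValueError("signature Reference does not point at this AssertionID")
    if DS + "enveloped-signature" not in {t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")}:
        raise ValueError("enveloped-signature transform missing")
    kid = a.find(f".//{{{WSSE}}}KeyIdentifier")  # proof key must be wrapped to this site's certificate
    if kid is None or kid.get("ValueType") != THUMB or (kid.text or "").strip() != site_thumbprint:
        raise ValueError("proof key was not encrypted to this site's certificate")
    return {at.get("AttributeName"): at.findtext(f"{{{SAML}}}AttributeValue", "").strip()
            for at in a.iter(f"{{{SAML}}}Attribute") if at.get("AttributeNamespace") == CLAIMS_NS}

def verify_sample(minutes_after_issue=30.0, thumbprint="+PYbznDaB/dlhjIfqCQ458E72wA=", token=SAMPLE_TOKEN):
    """Run the checks on a token at a chosen time; returns the claims, or None if a check fails."""
    try:
        return check_assertion(token, thumbprint, TOKEN_ISSUED + timedelta(minutes=minutes_after_issue))
    except ValueError:
        return None
```

Decrypting the EncryptedKey with the site's https private key and verifying SignatureValue (exclusive C14N of the assertion with the Signature element removed, RSA-SHA1 against the embedded RSAKeyValue) are the cryptographic steps the tutorial's PHP samples perform; the checks here decide whether a token that passes them is actually one this site should accept.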

THE ALEX BARNETT COLLECTION

Alex Barnett has been pushing his postcasting to the edge and I've found a number of his conversations both helpful and enjoyable.  I suggest people try them out:

Microformats Podcast, March 31, 2006

“Here's a great podcast for you. All about microformats…”

Guests: Tantek Çelik, Dan Connolly and Rohit Khare. I think it's safe to say these guys know a thing or two about the web and microformats

Here's an OPMLish podcast for you, March 10, 2006

“It's all about the draft OPML 2.0 spec and a few other things thrown in such as structured blogging, OPML tools, namespaces and microformats.”

Guests: Joshua Porter, Adam Green and John Tropea.

Reading Lists (OPML) podcast: Danny Ayers and Adam Green, Feb 12, 2006

“Last year Dave Winer started to push the idea of Reading Lists for RSS. More recently, the idea of Dynamic Reading Lists and Feed Grazing (or Grazing Lists / Glists) has been kicking around.

Its likely that Reading Lists support will become a common feature of Feed Readers / Aggregators.”

Guests: Danny Ayers, Adam Green and Joshua Porter

Attention podcast : Attention with Steve Gillmor, Feb 08, 2006

“Steve has been leading Attention conversation for some time now. In 2003 he, along with David Sifry (CEO of Technorati), initiated the attention.xml efforts and has since taken on the role as president of the non-profit Attention Trust.”

Guests: Steve Gillmor and Joshua Porter

MSN Search Champs podcast – Privacy conversation Jan 26 2006

“I attended the MSN Search Champs today….and what a day.  Given the recent news and concerns around the data MSN Search, Yahoo and AOL provided to the government, there was a session set up where the 57 bloggers / online experts at MSN Search Champ were invited to discuss the topic with senior MSN management (Senior VP Yusuf Mehdi and VP Chris Payne).”

Guests: Fred Oliveira, Dion Hinchcliffe, Joshua Porter, Chris Pirillo, Thomas Vander Wal and Brady Forrest.

Attention podcast: RSS feedreaders and aggregators Jan 22, 2006

“I asked two of the RSS industry's leading lights to join me for a call and share their perspective on the question of where Attention is going with respect to RSS feedreaders and aggregators: Nick Bradbury creator FeedDemon, part of Newsgator (Nick also developed Homesite – sold to Macromedia – and Topstyle) and Kevin Burton of Tailrank (also co-founder Rojo).”

Guests: Nick Bradbury, Joshua Porter and Kevin Burton

Structured Blogging podcast with Marc Canter and Joe Reger, Dec 16, 2006

“You might have heard of the Structured Blogging initiative announced earlier this week by Marc Canter and others…there was certainly plenty of buzz and reaction to the news, but not all the reaction was rosy.”

Guests: Marc Canter and Joshua Porter

Attention and Identity with Dick Hardt and Kim Cameron, Podcast, Dec 09, 2006

“A couple of weeks ago Joshua and I had a conversation about attention data (as podcasts). In that conversation we kept touching on the topic of online identities and their management, so we thought we'd invite two pioneers of the identity space, Dick Hardt and Kim Cameron, to a podcast session and discuss how they saw the connections between these two related topics: attention and identity.”

Guests: Dick Hardt, Kim Cameron and Joshua Porter

OPML = Attention Data, Attention Engines and Tailrank, Nov 12, 2005

“Although we met briefly last week, Kevin Burton and I didn't manage to get enough time to discuss some of the things on our mind at the time, so we got a Skype call together and posted it as a podcast (.mp3, 42mb).

We focused the discussion around what he calls Meme Engines and I call Attention Engines, Tailrank (Kevin's latest project), OPML, RSS and Attention.xml”

Guests: Kevin Burton

Attention podcast with Joshua Porter, Nov 26, 2006

“About OPML, Attention, and empowering people.”

Guest: Joshua Porter

Web 2.0 podcast, July 01, 2006

“Richard MacManus of Read/WriteWeb and I had a Skype chat this evening and recorded the call.  Talked about Web 2.0, attention.xml, a bit about RSS, APIs and more.”

Guest: Richard MacManus