{"id":410,"date":"2006-03-18T17:43:54","date_gmt":"2006-03-19T01:43:54","guid":{"rendered":"\/?p=410"},"modified":"2019-03-06T09:11:02","modified_gmt":"2019-03-06T15:11:02","slug":"more-hardy-pioneers-try-out-infocard","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=410","title":{"rendered":"MORE HARDY PIONEERS TRY OUT INFOCARD"},"content":{"rendered":"

It's currently hard to locate and install the right software to try out InfoCard on the identityblog but a bunch of intrepid explorers have now actually done it, making me feel a deep wave of geek comraderie<\/em>.<\/p>\n

In fact, the subscription list has doubled since yesterday (doubling once every twenty-four hours may not be sustainable!) And we've had our first identity attack! Things are poppin’ – so to speak – techies bumping into a new technology and a lot of fun.<\/p>\n

You can see a sanitized list of subscribers here – the uncategorized entry at the bottom is the attacker (more later).<\/p>\n

<\/p>\n

So let me start with Ashish Jain<\/a>. Looks like he is starting an identity blog called iTickr.com. He calls this posting<\/a> Welcome InfoCard<\/strong>:<\/p>\n

\n

As a core Java \/ ex-BEA guy (if I only got a penny every time I told customers to stay away from .NET),<\/em> I never thought I would say this: it's been fun playing with Infocards for the past couple of days. Sure, it takes a lifetime to figure out what you need and what's the right place to download (MS overusage of ‘setup.exe’ doesn't really help)… but once you have that figured out, it's all ‘click’ and ‘play’. Managed to log into Kim Cameron's Identity Blog using my self-issued Infocard. This is what I did:<\/p>\n

    \n
  1. Harass my IT guy to get a vanilla m\/c with WinXP2 (I wasn't going to risk my own).<\/li>\n
  2. Downloaded (here<\/a>) and installed WinFX Runtime Component.<\/li>\n
  3. Updated some COM+ Hotfix (the installation process guides you there).<\/li>\n
  4. In my control panel, verified that I have the extra icon ‘Digital Identities’.\"Digital<\/li>\n
  5. Clicked ‘Digital Identities’ icon and created some dummy infocards (the interface is pretty intuitive).<\/li>\n
  6. Downloaded IE7 from here<\/a>.<\/li>\n
  7. Accessed identityBlog.com<\/a> and clicked on login.<\/li>\n
  8. Selected Infocard as the option to login.<\/li>\n
  9. Installed the ActiveX control (it's a test machine so I was little more liberal in clicking ‘Yes’ to every download).<\/li>\n<\/ol>\n

    Screen started greying out… (very theatrical… they should add some sound effects too). Picked one of my self-issued inforcard and I'm in.<\/p>\n

    Some of the screen shots here.<\/p>\n

    \"Identity \"Login\"Pick<\/p>\n

    Plan to put together a SP application and hopefully use some managed Infocards in the coming days. Stay tuned.<\/p>\n<\/blockquote>\n

    So cool. Before we go further, let me say that Ashish is totally on the money here in making sure he rounded up a test PC.<\/strong> Please follow his example.<\/p>\n

    I've actually installed this stuff on my production laptop, which is insane, but this is only because I am prepared to sacrifice deeply<\/em> to get a feeling for what it's really like to live in an infocard world. (Someone just called me the “Madame Curie of Identity”). I need to understand the experience issues as well as I can.<\/p>\n

    Be prepared for minor changes with breaking periods before InfoCard goes to release. In case of doubt follow the implementor's guide when it comes to futures.<\/p>\n

    If you think installing the software is hard, upgrading it is just not supported<\/strong>. So use a dedicated or virtual machine.<\/p>\n

    I like Ashish's comment that the InfoCard desktop is, well, “…theatrical… they should add some sound effects too”. The goal is to draw the user into a ceremony where he or she will be on the lookout for abnormal behavior – in accordance with the sixth law. And yet, not to do something that would grate on your nerves as you get used to it. It's pretty clean.<\/p>\n

    OK. Now let's move on to the next new visitor. I'm talking about Caleb Baker<\/strong>. I haven't said enough about my team, and I want everyone to know how much I like and appreciate these foks. They have worked relentlessly to get this stuff out.<\/p>\n

    Caleb is one of the guys who is most critical to our InfoCard team. He works in the test organization, building automation for the Identity Selector and other components. If anyone knows what components work with what others, it's Caleb!<\/p>\n

    Testing this kind of project is unbelievably complex given the security issues. Imagine doing UI testing on a product when your test programs can't even see the InfoCard screen (because they are running on a private desktop)! It boggles the mind! But Caleb always seems to be in a positive mood.<\/p>\n

    One of the great things about Caleb – and his buddies – is how deeply committed he is to the privacy and security aspects of InfoCard. Few architects are fortunate enough to work with people who go so far to make sure theory and high level design principles are being applied in every nook and cranny of a project – with no shortcuts. I'm very grateful.<\/p>\n

    Finally, last but not least, there is the inimitable Rohan Pinto.\n<\/p>\n

    Rohan is from Sun, and blogs about infocards here. He is working on this stuff as a personal initiative at this point, and he's right out there in trying to understand it. In fact, he was visiting my site and using infocard on it even before I had finished porting it. He actually stunned me – I thought there was some kind of an error since it never occured to me that someone would be using the system before I had even announced it was working!<\/p>\n

    Rohan tells it as he sees it, and this posting<\/a> is no exception. First he shows a graphic that proves he has logged in, which is great. Then he notes that the current incarnation takes you to a dashboard where you see a link to browsehappy.com<\/em>. He points out:<\/p>\n

    \n

    The first page of browsehappy.com has text that reads as : “Internet Explorer can make your computer unsafe. Why not switch to a browser that's more secure?”.
    \nI read that and thought…. {{{nothing}}} I Know, I Know, browsehappy.com and wordpress are interlinked… <\/p>\n<\/blockquote>\n

    I have to smile. All of us will be attacked and all of us have to work hard – and together – to create a safe internet. So the kind of stuff on browsehappy doesn't even register with me – or, I suspect, with my long-tail subscribers.<\/p>\n

    Back on the subject at hand, Rohan continues:<\/p>\n

    \n

    I sent an infocard with Kim's own FirstName, LastName and email address (because from Kim's infocard invoker code, I saw that the only info he requested from an infocard was just the firstname, lastname and email address) and was able to login with that infocard too. However either with my own infocard or with a FAKE infocard with Kim's own info, I could not do much on the site. But the point is that regardless of the authenticity of the user, a “user” was provisioned on his blog.<\/p>\n<\/blockquote>\n

    Actually, the way the system works, you start off as a “subscription requestor”. You aren't recognized as a subscriber until you respond to an email sent to your email address.<\/p>\n

    When Rohan made his FAKE card and posed as me, I was the one who got the invitation to validate my email address. Clearly I didn't – it was obvious to me that someone was pulling my leg. When I've finished the implementation, it will also be impossible to socially engineer anyone into inadvertantly confirming an email. More about this later.<\/p>\n

    The email verification stage explains why, in the screen shot above, the bottom “cameron” subscription requestor is not<\/strong> shown as a subscriber. Over time, the fake registration attempt will time out and be deleted.<\/p>\n

    The net result is that the people who are promoted to subscriber<\/strong> can use their infocard to post comments on the site, wheras the fakes cannot.<\/p>\n

    None of this is yet implemented as well as it should be. I'm still experimenting.
    \nBut for people interested in trying things out, after you've logged in using an infocard and been approved through the mail validation, click on the “view site” portion of the dashboard. That takes you to the public identity blog. Then click on a “comment” link and leave a comment. It bypasses the moderation queue and gets posted immediately.<\/p>\n

    Using my subscriber InfoCard, for example, this is what I saw when I went to type in a comment:<\/p>\n

    \"\"
    \nI pressed “Add my comment” and it was immediately posted.<\/p>\n","protected":false},"excerpt":{"rendered":"

    Ashish has steps for downloading and installing the InfoCard components that will allow you to log in to this site.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/410"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=410"}],"version-history":[{"count":1,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/410\/revisions"}],"predecessor-version":[{"id":1722,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/410\/revisions\/1722"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}