{"id":418,"date":"2006-03-30T10:39:03","date_gmt":"2006-03-30T18:39:03","guid":{"rendered":"\/?p=418"},"modified":"2006-03-30T17:40:26","modified_gmt":"2006-03-31T01:40:26","slug":"the-registers-new-developer-section-does-infocards","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=418","title":{"rendered":"THE REGISTER'S NEW DEVELOPER SECTION DOES INFOCARDS"},"content":{"rendered":"

The British web site The Register<\/a> has a new developer section<\/a>, and journalist Mary Branscombe has written a piece<\/a> in it on InfoCard and the Identity Metasystem.  She gets many deep points about the system across in very few words, again amazing me.   <\/p>\n

InfoCard is more than the replacement for Microsoft's Passport; in some ways it\u00e2\u20ac\u2122s the antidote.<\/p>\n

Identity architect Kim Cameron (read his paper on The Laws of Identity here<\/a>) joined Microsoft when it bought the metadirectory he developed at Zoomit to turn into Active Directory, and stayed because he thought Microsoft was the best place to be to try to solve the internet\u00e2\u20ac\u2122s identity problem.<\/p>\n

He\u00e2\u20ac\u2122s very clear on what Passport got wrong: \u00e2\u20ac\u0153It did not make sense to most non-MSN sites for Microsoft to be involved in their customer relationships,\u00e2\u20ac\u009d he says. \u00e2\u20ac\u0153Nor were users clamouring for a single Microsoft identity service to be aware of all their internet activities. Passport was positioned as a candidate for or something ready to be the identity system for the internet. Nobody used it as that identity system; it doesn't take a rocket scientist to see that doesn't fly.\u00e2\u20ac\u009d<\/p>\n

InfoCard isn\u00e2\u20ac\u2122t trying to be the identity system for the internet, and it isn\u00e2\u20ac\u2122t just a password management system like Opera\u00e2\u20ac\u2122s Magic Wand or the Password Manager in Firefox. It\u00e2\u20ac\u2122s intended to be a consistent and secure way to choose the identity you want to use for a website or an application \u00e2\u20ac\u201c like picking a card from your wallet – and to find out who you\u00e2\u20ac\u2122re dealing with and what they\u00e2\u20ac\u2122re asking for.<\/p>\n

Users will have multiple InfoCards, each of them an XML description of the information about you that each identity supplies. But the information \u00e2\u20ac\u201cname, age, email address, credit card number, membership number or whatever else is on the card \u00e2\u20ac\u201c isn\u00e2\u20ac\u2122t in the InfoCard or even on your PC (unless it\u00e2\u20ac\u2122s a card you\u00e2\u20ac\u2122ve issued yourself).<\/p>\n

Instead, when you use an InfoCard it retrieves that information from the identity provider \u00e2\u20ac\u201c VeriSign, your bank, the airline you have a frequent flyer card with and so on \u00e2\u20ac\u201c and passes it to the site you want to access. This is done using a new class of \u00e2\u20ac\u0153higher-value\u00e2\u20ac\u009d X.509 site certificates that Microsoft is developing with VeriSign and other certificate authorities, which include digitally-signed company logos to show who you\u00e2\u20ac\u2122re giving your details to.<\/p>\n

InfoCard works with an identity metasystem that allows different identity systems to interact. Each identity provider runs a Security Token Server (STS) using WS-Trust to securely exchange claims with other identity systems (negotiations between systems use WS-MetadataExchange and WS-SecurityPolicy and messages are secured with WS-Security). It doesn\u00e2\u20ac\u2122t have to be a Microsoft STS; Ping Identity\u00e2\u20ac\u2122s PingTrust is the first third-party STS for the identity metasystem but several identity providers support WS-Trust and the other WS-* web services.<\/p>\n

Authentication is based on unique keys generated each time you use an InfoCard. You get a new key pair even if you use the same card on the same site. And the information sent doesn\u00e2\u20ac\u2122t have to be everything in that InfoCard; a site asking you to prove you\u00e2\u20ac\u2122re over 18 won\u00e2\u20ac\u2122t get your birth date, just the confirmation you\u00e2\u20ac\u2122re a legal adult. Your credit card company can supply a one-time transaction authorisation rather than your card number.<\/p>\n

What is on your PC is configuration information telling InfoCard how to contact the identity provider. That\u00e2\u20ac\u2122s encrypted in a Metadata Store with no programmatic interface so nothing but InfoCard can access it. In version 1, this stays on your PC, unless you export it by hand to copy to another computer. In the future it could be on your phone, on a smartcard or a USB stick – or even supplied by a web service.<\/p>\n

InfoCard works with smartcards and security fobs; you could use biometric sensors to protect especially confidential information. VeriSign\u00e2\u20ac\u2122s Identity Protection Network will use InfoCard and one-time passwords generated by security fobs, USB keys, or certain mobile phones to login to sites like eBay, PayPal and Yahoo!.<\/p>\n

InfoCard runs on a separate secure desktop under a different user account. Malware will have to run with administrative privileges to see the InfoCard process; something Windows Vista aims to make less common.<\/p>\n

Supporting InfoCard<\/p>\n

On a website InfoCard uses the same HTTP\/HTTPS GET and POST, and writes the same client-side browser cookie as a username and password login. The login link is either an OBJECT tag or XHTML, to support multiple browsers (although Microsoft is talking to other browser developers about adding InfoCard support, at this stage only IE 7 has it).<\/p>\n

This link details the information the site wants from the user (such as name, email address or age8). If you\u00e2\u20ac\u2122re using an STS of your own (or specifying a third-party STS) to authenticate users, the details of that go in the link. You also need the code to log the user in once the credentials have been supplied; the rest of your website works as before.<\/p>\n

To add InfoCard support to Windows applications, you need to use the Windows Communication Foundation (that\u00e2\u20ac\u2122s in WinFX so it will be available on Windows XP and Vista), but you can develop in any programming language that supports web services.<\/p>\n

Anyone can issue their own InfoCard \u00e2\u20ac\u201c and Passport will accept self-issued InfoCards once Vista comes out. Other identity providers will be able to issue InfoCards. Microsoft is going to be pushing Active Directory as a source of InfoCards. In Windows Server R2, Active Directory Federation Services uses WS\u00e2\u20ac\u201cTrust although it isn\u00e2\u20ac\u2122t until we finally see Longhorn Server that Active Directory will be able to issue and manage InfoCards for a company, as well as acting as an STS.<\/p>\n

That emphasis on Active Directory may be why IBM is backing Higgins, the open source implementation of WS-Trust in Eclipse.<\/p>\n

Paul Trevithick from The SocialPhysics Project emphasises that it isn\u00e2\u20ac\u2122t meant to compete with InfoCard or the identity metasystem. \u00e2\u20ac\u0153We are following what Microsoft is doing; to us it looks like a very inspired move. Higgins is a software framework that relies on service adapters that connect to external systems using that system\u00e2\u20ac\u2122s native protocols or APIs. We expect that in the next few months a WS-* service will be created for Higgins. Higgins – when configured with this service and running on Linux, Mac OS and so on – will fully interoperate with InfoCard running on Windows.\u00e2\u20ac\u009d<\/p>\n

The more systems that work like this, the better, Kim Cameron says. \u00e2\u20ac\u0153There's a visual metaphor we call InfoCards and then there's the identity metasystem. That is not something that we're building. All we can do is build a contribution to it.\u00e2\u20ac\u009d<\/p><\/blockquote>\n

Celeste Biever has also done a nice piece<\/a> in New Scientist but since it's a pay-per-view, I'll leave each of you to fend for yourself.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

When you use an InfoCard it retrieves information from the identity provider \u00e2\u20ac\u201c VeriSign, your bank, the airline you have a frequent flyer card with and so on \u00e2\u20ac\u201c and passes it to the site you want to access.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/418"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=418"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/418\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=418"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=418"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=418"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}