
InfoCard Explained


Ever wonder what InfoCard is all about? Well, Nigel Watling, an InfoCard Technical Evangelist, and Andy Harjanto, an InfoCard Program Manager, sure can explain it all to you. Here, they discuss all aspects of InfoCard (with a lot of time spent on the whiteboard). We're joined by a special guest towards the end of the discussion, who you'll see more of as we cover InfoCard architecture and internals in an upcoming Going Deep episode.


Follow the Discussion

  • ZeoZeo
    Great Explanation. Really good examples. This isn't passport 2.0 Big Smile
  • yes, looks 'a bit' more capable than passport 2.0. passport was (is) a good idea, though - that has been killed by licensing terms.
  • Great video. I'm really looking forward to this. I have two quick questions however:

    (1) I understand the multiple users on a single computer scenario, but what about a single user across multiple computers? For instance, how would I check my mail at an internet cafe? How would I get my cards on that machine and make sure they're removed when I'm finished?

    (2) Why .crd and .crds instead of .card and .cards, respectively? When will the computer industry's war on vowels come to an end?

    Thanks. Smiley
  • cravikiran (Ravi Chodavarapu)
    BryanF wrote:

    (1) I understand the multiple users on a single computer scenario, but what about a single user across multiple computers? For instance, how would I check my mail at an internet cafe? How would I get my cards on that machine and make sure they're removed when I'm finished?

    Yes, I am wondering about this as well... I'm assuming that there is a way to get limited-time (per session, etc.) cards? And for the moving across multiple computers scenario... do you always start out with a self-issued card that contains a password in the InfoCard system (this self-issued card being the gateway to some cryptographically strong card from some base identity provider)?
  • Windows InfoCard Live?
  • Maybe. But then... how would you log into Windows Live?

    We may need some "special" brownies for this one. Big Smile
  • OK so what happens when I log on to a machine at home, do I still have my InfoCard?

    If not, then isn't this flawed?

    It would be cool if you could change infocards trusted storage subsystem to be a usb drive or web service
  • dahat

    Great stuff! I look forward to this, as well as the impending cries of the OSS crowd when they think Microsoft is trying to take over the world and count them out again.

    Of course... like many I've still got questions... What mechanisms are available for backing up one's own InfoCard? Are they simply files sitting on the HD that could be copied over to another machine?

    I am one who is quite good at hosing my Windows install from time to time and before paving and reinstalling, I will boot up into a secondary install and copy over files I can't live without... which also makes me wonder: how would you go about replacing a lost InfoCard (likely far harder with self-issued ones)?

  • tsilb (SlackmasterK)
    So if I wander around and use multiple computers, I'll have to carry my InfoCard around on a ThumbDrive?
  • Guys, these are great questions. Can you also go to Kim's blog site and post them there. I am sure he would like to hear them and respond.

    http://wwww.identityblog.com/

  • Is Microsoft thinking at all about the interoperability aspect of the Infocard technology? I mean, are you thinking at all about how to enable the rapid and seamless adoption of this technology into other non-Microsoft operating systems and applications? To enable I mean how you are thinking to alleviate fears around any legal (e.g. licensing) issues or not to create them in the first place. To enable I mean how to support 3rd parties in creating Infocard implementations on other platforms and web servers. To enable I mean how to formalize and standardize the Infocard technology through a transparent standardization process. To enable I mean how to even give away some source code for such 3rd party efforts.
    If not, don't you worry that Infocard might have the fate of Passport concerning its interoperability aspect and that it might end up as a Windows only solution? After all, a universal authentication technology, as Infocard tries to be, should be above all ... universal!
    Infocard is too good of a technology and it would be unfortunate for it to fail due to mishandling of trust issues in this complex industry.
  • (1) The best solution for this scenario - making the not unreasonable assumption that the internet cafe machine you're using has been compromised and has a key logger installed (be careful out there folks e.g. Outlook Web Access) - is to use a "portable STS". 

    Imagine a device that holds personal data and allows you to authenticate. This could be something like a USB key or a mobile phone. You would select a card and be supplied a signed, encrypted security token to present to a site or service. You walk away with the device when you're done.

    We showed a prototype of this at the PDC and are working on making it a reality.

    (2) You have a good point. We're still recovering from the shock of moving from 8.3 and feel honour-bound to maintain the rich tradition of file-naming conventions on Windows. Hey, it could be worse: we might have chosen the developers' initials for application names.

  • Yes,
    Or you could use group policy in an enterprise environment,
    Or you could use a "cards in the sky" type service.
  • Don't worry, we fully appreciate the importance of interoperability and cross-industry adoption. You would be hard-pressed to find a stronger advocate of this than Kim Cameron.

    The wire protocols we use, e.g. WS-Trust, WS-Security, WS-MetadataExchange and WS-SecurityPolicy, are open standards, submitted to standards bodies such as OASIS.

    Our implementation of InfoCard and the Identity metasystem has been specifically designed for ease of adoption on other platforms and in other software. For example, we could have tied InfoCard to Internet Explorer but we have chosen an approach that allows Mozilla, Opera or whoever else to easily add InfoCard support.

    We have published a guide for Integrating with InfoCard specifically to help people on non-MS technologies and they are building. We fully hope and expect to see identity selectors, identity providers and relying parties on other platforms.

    Publishing source code is always a delicate topic in this company so I cannot promise anything there but we are doing our very best to get this technology adopted on other platforms. We'll know we've really succeeded when someone can use Firefox on a Mac with a Mac identity selector to access a security token service running on Linux and thereby authenticate to an Apache website.

    Ultimately, this is a problem that we all want to solve. When you read reports such as one from Gartner where it says confidence in the Internet is impacting online purchasing behaviour and one from Harvard and Berkeley showing how incredibly effective phishing can be - even with savvy users - it makes you realize that something needs to be done. What's the point of Web 2.0 if people have no confidence in the Internet to begin with?

    We're trying to provide a solution that everyone can use.

  • "(2) Why .crd and .crds instead of .card and .cards, respectively? When will the computer industry's war on vowels come to an end?"

    If the crds wasn't 4 letters long I would say it had to do with the ISO 9660 CD filesystem. But I guess it doesn't.

  • In "InfoCard" v1.0, you'll be able to export/import cards to/from your hard-drive/USBkey etc.

    We're currently working on a mechanism to allow you to safely store your cards on secure portable storage devices whilst still maintaining InfoCard's open extensible architecture. Cool
  • Nigel,
    that sounds great.
    Do you know if the portable STS will be available in the first Infocard release (in Vista)?
    If not, any target date for a SP?

    thanks
  • Ok - First off very informative video, it answered quite a few questions I had about the security of InfoCards.

    But I still have a question.

    I get the fact that your computer doesn't have the card data on it - a plus.
    I get the fact that the server requests an encrypted token from your machine, and your machine gets it from the STS, and transmits it to the site you're trying to view (which then can get your information).

    My question is: What happens, or is planned, when a 3rd party (say a hacker who compromised your computer) obtains your .crd file(s)?  From my understanding they could then use the card to login to your bank site (assuming they support InfoCard logins).  Is having it as an InfoCard greater/lesser/equal security from hackers in this sense?
  • Do you know if the portable STS will be available in the first Infocard release (in Vista)?
    If not, any target date for a SP?

    There are people working hard on this. If it doesn't make it into the box for v1 it should be soon afterwards. This is a key part of the story.
  • What happens, or is planned, when a 3rd party (say a hacker who compromised your computer) obtains your .crd file(s)? From my understanding they could then use the card to login to your bank site (assuming they support InfoCard logins). Is having it as an InfoCard greater/lesser/equal security from hackers in this sense?

    When someone unpleasant steals my computer he does indeed have access to my InfoCards. However, the InfoCard itself has no sensitive data in it: it has information where to get data, how to get it and what it will look like when it's retrieved as a security token. The "where" part is the endpoint of a security token service, the "how" is the method of authentication when a request is made to that STS. You have to prove who you are before an IP will pony up a security token. And this is where a bank will utilize something like a smartcard or One Time Password device. InfoCard provides a nice, consistent UX for precisely this scenario.

    A bad guy will (eventually) crack into my stolen machine and be able to select my bank-supplied InfoCard (eventually) but then he will be asked to insert the bank-supplied smart card and enter the card PIN. At that point, unless he also has access to the card and PIN, it's time to move on to something else.

    InfoCard is not a security panacea - nothing is - and you need to combine it with multi-factor authentication, revocation and good practice where it makes sense to do so.
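An added illustration of the point made in the reply above (constructed for this page; it is not code from the discussion or from InfoCard itself): a card file carrying only the where/how/what metadata, an STS that issues a signed token only after the second factor is proved, and a relying party that checks the token before trusting any claim. The field names, keys, serial/PIN values and the HMAC stand-in for the STS signature are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed card contents: only metadata, no claim values and no credential.
# Field names are illustrative, not the real .crd schema.
STOLEN_CARD = {
    "card_id": "urn:example:bank-card-0001",
    "issuer": "https://sts.bank.example/",            # the "where": STS endpoint
    "user_credential": "SmartCardPinCredential",       # the "how": what the STS asks for
    "supported_claims": ["accountNumber", "surname"],  # the "what": token shape
}

# STS-side state (constructed): hash of the enrolled second factor (smart-card
# serial + PIN) and the real claim values, which leave the STS only inside a
# signed token. HMAC with a shared key stands in for the STS's token signature.
STS_SIGNING_KEY = b"constructed-sts-key"
ENROLLED_FACTOR = {"urn:example:bank-card-0001": hashlib.sha256(b"SC-1234|4711").hexdigest()}
CLAIM_STORE = {"urn:example:bank-card-0001": {"accountNumber": "12345678", "surname": "Doe"}}


def sts_issue_token(card, relying_party, smartcard_serial, pin):
    """STS: release a signed token only after the holder proves the second factor."""
    proof = hashlib.sha256(f"{smartcard_serial}|{pin}".encode()).hexdigest()
    if not hmac.compare_digest(proof, ENROLLED_FACTOR.get(card["card_id"], "")):
        return None  # the card file alone buys nothing
    claims = {c: CLAIM_STORE[card["card_id"]][c] for c in card["supported_claims"]}
    body = json.dumps({"aud": relying_party, "claims": claims}, sort_keys=True)
    sig = hmac.new(STS_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def relying_party_accept(token, expected_audience):
    """Relying party: verify the STS signature and audience before trusting claims."""
    if token is None:
        return None
    expected = hmac.new(STS_SIGNING_KEY, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    payload = json.loads(token["body"])
    return payload["claims"] if payload["aud"] == expected_audience else None

def login(card, relying_party, smartcard_serial, pin):
    """Selector -> STS -> relying party; returns the accepted claims or None."""
    return relying_party_accept(sts_issue_token(card, relying_party, smartcard_serial, pin), relying_party)

def card_leaks_claim_values(card):
    """True if any real claim value can be read out of the card file itself."""
    serialized = json.dumps(card)
    return any(v in serialized for v in CLAIM_STORE[card["card_id"]].values())
```

With the right serial and PIN, login() returns the claims; with the card file but a wrong PIN it returns None, and a token issued for one site is rejected by another.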
  • So there's something like a pin as well - that makes sense.  I really like the idea - great stuff (looking forward to Vista too).
  • I'm looking forward to Vista too, can't wait
    Big Smile :)
  • Will parents be able to create an InfoCard for their kids that cannot be changed? This would help protect against kids faking their age for inappropriate sites. I would also like to see social networking sites force the use of InfoCards issued by reputable sources for confirming ID and age.

  • If I understood correctly, an identity provider may decide whether it will require the certificate of the relying party before releasing the personal data stored by it. I assume this also means that the identity provider can determine which relying party certificates it is willing to accept. If this is the case, then the client will not be able to use the infocard of such an identity provider unless the identity provider accepts the certs of that relying party.

    From the identity provider's legal standpoint it makes sense that it work this way, especially to protect the ID provider with regard to the data it is supposed to have verified and who relies on that verification.

    On a day to day basis however, I see this significantly restricting the capacity of the client to use infocards at will (e.g. the ebay infocard for other communities).

    This also opens up the issue of ownership of the personal data and the additional data associated with it (e.g. reputation as a seller/buyer in ebay).

    This is really going to get interesting.....

    Is my understanding correct?

    Thanks,
    J.

  • I saw that we can use smartcards with CardSpace. But at the origin, OASIS doesn't want to use smartcards for logging in Perplexed. (see: http://www.projectliberty.org/)
    Or smartcards and USB tokens are the unique great solution to save keys and preserve identity.
  • Fun demo. I've been emailing suggestions to use exactly this approach to MS and others for the last 10 years (client-chosen logons they can select and use at sites that publish what kinds of logons they trust - exactly like a restaurant says we take Visa/MC). Sure makes my day to see it actually implemented. Super job.

    My question is regarding use context. If I'm at a non-personal workstation how do I access and use my InfoCards? Via a trusted website? For example, can I log on to Passport from anywhere via traditional logon/password, then use any of my Passport-stored InfoCards to access other sites?
  • "I'm looking forward to Vista too, can't wait" What a disappointment that was, way too buggy and unstable.
