Comment Feed for Channel 9 - InfoCard Explained

Re: InfoCard Explained

Zeo — Tue, 11 Apr 2006 00:04:49 GMT

Great Explaination. Really good examples. This isn't passport 2.0

posted by Zeo

Re: InfoCard Explained

mwirth — Tue, 11 Apr 2006 00:10:28 GMT

yes, looks 'a bit' more capable than passport 2.0. passport was (is) a goot idea, though - that has been killed by licensing terms.

posted by mwirth

Re: InfoCard Explained

BryanF — Tue, 11 Apr 2006 01:02:10 GMT

Great video. I'm really looking forward to this. I have two quick questions however:

(1) I understand the multiple users on a single computer scenario, but what about a single user across multiple computers? For instance, how would I check my mail at an internet cafe? How would I get my cards on that machine and make sure they're removed when I'm finished?

(2) Why .crd and .crds instead of .card and .cards, respectively? When will the computer industry's war on vowels come to an end?

Thanks.

posted by BryanF

Re: InfoCard Explained

cravikiran — Tue, 11 Apr 2006 11:23:25 GMT

BryanF wrote:

(1) I understand the multiple users on a single computer scenario, but what about a single user across multiple computers? For instance, how would I check my mail at an internet cafe? How would I get my cards on that machine and make sure they're removed when I'm finished?

Yes, I am wondering about this as well... I'm assuming that there is a way to get limited-time (per session, etc.) cards? And for the moving across multiple comptuer scenario... do you always start out with a self-issued card that contains a password in the InfoCard system (this self-issued card being the gateway to some cryptographically strong card from some base identity provider)?

posted by cravikiran

Re: InfoCard Explained

mathiaspettersson@msn.com — Tue, 11 Apr 2006 22:46:15 GMT

Windows InfoCard Live?

posted by mathiaspettersson@msn.com

Re: InfoCard Explained

BryanF — Tue, 11 Apr 2006 23:58:37 GMT

Maybe. But then... how would you log into Windows Live?

We may need some "special" brownies for this one.

posted by BryanF

Re: InfoCard Explained

Darth Kronos — Wed, 12 Apr 2006 01:58:25 GMT

OK so what happens when I log on to machine at home do I still have my infocard?

If not then is n't this flawed.

It would be cool if you could change infocards trusted storage subsystem to be a usb drive or web service

posted by Darth Kronos

Re: InfoCard Explained

dahat — Wed, 12 Apr 2006 18:55:16 GMT

Great stuff! I look forward to this, as well as the impending cries of the OSS crowed when they think Microsoft is trying to take over the world and count them out again.

Of course... like many I’ve still got questions... What mechanisms are available for backing up ones own InfoCard? Are they simply files sitting on the HD that could be copied over to another machine?

I am one who is quite good at hosing my Windows install from time to time and before paving and reinstalling, I will boot up in to a secondary install and copy over files I can’t live without... which also makes me wonder: how you would go about replacing a lost InfoCard (likely far harder with self issues ones)?

posted by dahat

Re: InfoCard Explained

SlackmasterK — Wed, 12 Apr 2006 21:58:54 GMT

So if I wander around and use multiple computers, I'll have to carry my InfoCard around on a ThumbDrive?

posted by SlackmasterK

Re: InfoCard Explained

toast — Thu, 13 Apr 2006 07:44:00 GMT

Guys, these are great questions. Can you also go to Kim's blog site and post them there. I am sure he would like to hear them and respond.

http://wwww.identityblog.com/

posted by toast

Re: InfoCard Explained

nektar — Thu, 13 Apr 2006 07:57:40 GMT

Is Microsoft thinking at all about the interoperability aspect of the Infocard technology. I mean are you thinking at all how to enable the rapid and seemless adoption of this technology into other non-Microsoft operating systems and applications. To enable I mean how you are thinking to aleviate fears around any legal (eg. licensing) issues or not to create them in the first place. To enable I mean how to support 3rd parties in creating Infocard implementations onto other platforms and web servers. To enable I mean how to formalize and standardize the Infocard technology through a transparent standardization process. To enable I mean how to even give away some source code for such 3rd party effords.
If not, don't you worry that Infocard might have the fate of Passport concerning its interoperability aspect and that it might end up as a Windows only solution? After all, a universal authentication technology, as Infocard tries to be, should be above all ... universal!
Infocard is too good of a technology and it would be unfortunate to it to fail due to miss-handling of trust issues in this complex industry.

posted by nektar

Re: InfoCard Explained

nigel.watling — Fri, 14 Apr 2006 00:00:40 GMT

(1) The best solution for this scenario - making the not unreasonable assumption that the internet cafe machine you're using has been compromised and has a key logger installed (be careful out there folks e.g. Outlook Web Access) - is to use a "portable STS".

Imagine a device that holds personal data and allows you to authenticate. This could be something like a USB key or a mobile phone. You would select a card and be supplied a signed, encrypted security token to present to a site or service. You walk away with the device when you're done.

We showed a prototype of this at the PDC and are working on making it a reality.

(2) You have a good point. We're still recovering from the shock of moving from 8.3 and feel honour-bound to maintain the rich tradition of file-naming conventions on Windows. Hey, it could be worse: we might have chosen the developers' initials for application names.

posted by nigel.watling

Re: InfoCard Explained

nigel.watling — Fri, 14 Apr 2006 00:07:13 GMT

Yes,
Or you could use group policy in an enterprise environment,
Or you could use a "cards in the sky" type service.

posted by nigel.watling

Re: InfoCard Explained

nigel.watling — Fri, 14 Apr 2006 00:54:57 GMT

Don't worry, we fully appreciate the importance of interoperability and cross-industry adoption. You would be hard-pressed to find a stronger advocate of this than Kim Cameron.

The wire protocols we use, eg.
WS-Trust
WS-Security
WS-MetadataExchange
WS-SecurityPolicy
are open standards, submitted to standards bodies such as OASIS.

Our implementation of InfoCard and the Identity metasystem has been specifically designed for ease of adoption on other platforms and in other software. For example, we could have tied InfoCard to Internet Explorer but we have chosen an approach that allows Mozilla, Opera or whoever else to easily add InfoCard support.

We have published a guide for Integrating with InfoCard specifically to help people on non-MS technologies and they are building. We fully hope and expect to see identity selectors, identity providers and relying parties on other platforms.

Publishing source code is always a delicate topic in this company so I cannot promise anything there but we are doing our very best to get this technology adopted on other platforms. We'll know we've really succeeded when someone can use Firefox on a Mac with a Mac identity selector to access a security token service running on Linux and thereby authenticate to an Apache website.

Ultimately, this is a problem that we all want to solve. When you read reports such as one from Gartner where it says confidence in the Internet is impacting online purchasing behaviour and one from Harvard and Berkeley showing how incredibly effective phishing can be - even with savvy users - it makes you realize that something needs to be done. What's the point of Web 2.0 if people have no confidence in the Internet to begin with?

We're trying to provide a solution that everyone can use.

posted by nigel.watling

Re: InfoCard Explained

aJanuary — Mon, 17 Apr 2006 16:22:26 GMT

"(2) Why .crd and .crds instead of .card and .cards, respectively? When will the computer industry's war on vowels come to an end?"

If the crds wasn't 4 letters long I would say it had to do with the ISO 9660 CD filesystem. But I guess it doesn't.

posted by aJanuary

Re: InfoCard Explained

RichTurner — Thu, 27 Apr 2006 22:28:42 GMT

In "InfoCard" v1.0, you'll be able to export/import cards to/from your hard-drive/USBkey etc.

We're currently working on a mechanism to allow you to safely store your cards on secure portable storage devices whilst still maintaining InfoCard's open extensible architecture.

posted by RichTurner

Re: InfoCard Explained

otes — Tue, 02 May 2006 14:41:18 GMT

Nigel,
that sounds great.
Do you know if the portable STS will be available in the first Infocard release (in Vista)?
If not, any target date for a SP?

thanks

posted by otes

Re: InfoCard Explained

Borvik — Thu, 11 May 2006 17:48:42 GMT

Ok - First off very informative video, it answered quite a few questions I had about the security of InfoCards.

But I still have a question.

I get the fact that your computer doesn't have the card data on it - a plus.
I get the fact that the server requests an encrypted token from your machine, and your machine gets it from the STS, and transmits it to the site your trying to view (which then can get your information).

My question is: What happens, or is planned, when a 3rd party (say a hacker who compromised your computer) obtains your .crd file(s)? From my understanding they could then use the card to login to your bank site (assuming they support InfoCard logins). Is having it as an InfoCard greater/lesser/equal security from hackers in this sense?

posted by Borvik

Re: InfoCard Explained

nigel.watling — Thu, 11 May 2006 23:53:23 GMT

Do you know if the portable STS will be available in the first Infocard release (in Vista)?
If not, any target date for a SP?

There are people working hard on this. If it doesn't make it into the box for v1 it should be soon afterwards. This is a key part of the story.

posted by nigel.watling

Re: InfoCard Explained

nigel.watling — Fri, 12 May 2006 00:24:26 GMT

What happens, or is planned, when a 3rd party (say a hacker who compromised your computer) obtains your .crd file(s)? From my understanding they could then use the card to login to your bank site (assuming they support InfoCard logins). Is having it as an InfoCard greater/lesser/equal security from hackers in this sense?

When someone unpleasant steals my computer he does indeed have access to my InfoCards. However, the InfoCard itself has no sensitive data in it: it has information where to get data, how to get it and what it will look like when it's retrieved as a security token. The "where" part is the endpoint of a security token service, the "how" is the method of authentication when a request is made to that STS. You have to prove who you are before an IP will pony up a security token. And this is where a bank will utilize something like a smartcard or One Time Password device. InfoCard provides a nice, consistent UX for precisely this scenario.

A bad guy will (eventually) crack into my stolen machine and be able to select my bank-supplied InfoCard (eventually) but then he will be asked to insert the bank-supplied smart card and enter the card PIN. At that point, unless he also has access to the card and PIN, it's time to move on to something else.

InfoCard is not a security panacea - nothing is - and you need to combine it with multi-factor authentication, revocation and good practice where it makes sense to do so.

posted by nigel.watling

Re: InfoCard Explained

Borvik — Fri, 12 May 2006 02:19:02 GMT

So there's something like a pin as well - that makes sense. I really like the idea - great stuff (looking forward to Vista too).

posted by Borvik

Re: InfoCard Explained

krissie — Thu, 25 May 2006 10:48:51 GMT

im lookinffg forward to vista too cant wait
:)

posted by krissie

Re: InfoCard Explained

homerc44 — Sun, 28 May 2006 14:28:49 GMT

Will parents be able to create an InfoCard for their kids that cannot be changed? This would help protect against kids faking their age for inappropriate sites? I would also like to see social networking sites force the use of infocard's issued by reputable sources for confirming ID and Age.

posted by homerc44

Re: InfoCard Explained

javellan — Wed, 31 May 2006 12:03:46 GMT

If I understood correctly, an identity provider may decide whether it will require the certificate of the relying party before releasing the personal data stored by it. I assume this also means that the identity provider can determine which relying party certificates it is willing to accept. If this is the case, then the client will not be able to use the infocard of such an identity provider unless the identity provider accepts the certs of that relying party.

From the identity provider's legal standpoint point it makes sense that it work this way, especially to protect the ID provider with regard to the data it is supposed to have verified and who relies on that verification.

On a day to day basis however, I see this significantly restricting the capacity of the client to use infocards at will (e.g. the ebay infocard for other communities).

This also opens up the issue of ownership of the personal data and the additional data associated with it (e.g. reputation as a seller/buyer in ebay).

This is really going to get interesting.....

Is my understanding correct?

Thanks,
J.

posted by javellan

Re: InfoCard Explained

Trappeu — Tue, 19 Sep 2006 13:01:34 GMT

i saw that we can use smartcards with cardspace. But at the origin, OASIS don't want to use smartcards for loging . (see : http://www.projectliberty.org/)
Or smartcards and USB token are the unique great solution to save keys and preserve identity.

posted by Trappeu

Re: InfoCard Explained

noeldp — Wed, 24 Jan 2007 18:03:11 GMT

fun demo. i've been emailing suggestion to use exactly this approach to ms and others for the last 10 years (client-chosen logons they can select and use at sites that publish what kinds of logons they trust - exactly like a restaurant says we take visa/mc). sure makes my day to see it actually implemented. super job

my question is re use context. if i'm at a non-personal workstation how do i access and use my infocards? via a trusted website? for example, can i logon to passport from anywhere via traditional logon/password, then use any of my passport-stored infocards to access other sites?

posted by noeldp

Re: InfoCard Explained

Sam101 — Tue, 22 Sep 2009 14:56:42 GMT

"im lookinffg forward to vista too cant wait" What a dissapointment that was, way to buggy and unstable.

posted by Sam101