InfoCard Explained
- Posted: Apr 10, 2006 at 3:34 PM
- 101,957 Views
- 27 Comments
Ever wonder what InfoCard is all about? Well, Nigel Watling, an InfoCard Technical Evangelist, and Andy Harjanto, an InfoCard Program Manager, sure can explain it all to you. Here, they discuss all aspects of InfoCard (with a lot of time spent on the whiteboard). We're joined by a special guest towards the end of the discussion, who you'll see more of as we cover InfoCard architecture and internals in an upcoming Going Deep episode.
(1) I understand the multiple users on a single computer scenario, but what about a single user across multiple computers? For instance, how would I check my mail at an internet cafe? How would I get my cards on that machine and make sure they're removed when I'm finished?
(2) Why .crd and .crds instead of .card and .cards, respectively? When will the computer industry's war on vowels come to an end?
Thanks.
Yes, I am wondering about this as well... I'm assuming that there is a way to get limited-time (per session, etc.) cards? And for the moving across multiple computers scenario... do you always start out with a self-issued card that contains a password in the InfoCard system (this self-issued card being the gateway to some cryptographically strong card from some base identity provider)?
We may need some "special" brownies for this one.
If not, then isn't this flawed?
It would be cool if you could change InfoCard's trusted storage subsystem to be a USB drive or web service.
Great stuff! I look forward to this, as well as the impending cries of the OSS crowd when they think Microsoft is trying to take over the world and count them out again.
Of course... like many I've still got questions... What mechanisms are available for backing up one's own InfoCard? Are they simply files sitting on the HD that could be copied over to another machine?
I am one who is quite good at hosing my Windows install from time to time and before paving and reinstalling, I will boot up into a secondary install and copy over files I can't live without... which also makes me wonder: how would you go about replacing a lost InfoCard (likely far harder with self-issued ones)?
Guys, these are great questions. Can you also go to Kim's blog site and post them there. I am sure he would like to hear them and respond.
http://wwww.identityblog.com/
If not, don't you worry that InfoCard might have the fate of Passport concerning its interoperability aspect and that it might end up as a Windows-only solution? After all, a universal authentication technology, as InfoCard tries to be, should be above all ... universal!
InfoCard is too good a technology and it would be unfortunate for it to fail due to mishandling of trust issues in this complex industry.
(1) The best solution for this scenario - making the not unreasonable assumption that the internet cafe machine you're using has been compromised and has a key logger installed (be careful out there folks e.g. Outlook Web Access) - is to use a "portable STS".
Imagine a device that holds personal data and allows you to authenticate. This could be something like a USB key or a mobile phone. You would select a card and be supplied a signed, encrypted security token to present to a site or service. You walk away with the device when you're done.
We showed a prototype of this at the PDC and are working on making it a reality.
(2) You have a good point. We're still recovering from the shock of moving from 8.3 and feel honour-bound to maintain the rich tradition of file-naming conventions on Windows. Hey, it could be worse: we might have chosen the developers' initials for application names.
Or you could use group policy in an enterprise environment, or you could use a "cards in the sky" type service.
Don't worry, we fully appreciate the importance of interoperability and cross-industry adoption. You would be hard-pressed to find a stronger advocate of this than Kim Cameron.
The wire protocols we use, e.g. WS-Trust, WS-Security, WS-MetadataExchange and WS-SecurityPolicy, are open standards, submitted to standards bodies such as OASIS.
Our implementation of InfoCard and the Identity metasystem has been specifically designed for ease of adoption on other platforms and in other software. For example, we could have tied InfoCard to Internet Explorer but we have chosen an approach that allows Mozilla, Opera or whoever else to easily add InfoCard support.
We have published a guide for Integrating with InfoCard specifically to help people on non-MS technologies, and they are building. We fully hope and expect to see identity selectors, identity providers and relying parties on other platforms.
Publishing source code is always a delicate topic in this company so I cannot promise anything there but we are doing our very best to get this technology adopted on other platforms. We'll know we've really succeeded when someone can use Firefox on a Mac with a Mac identity selector to access a security token service running on Linux and thereby authenticate to an Apache website.
Ultimately, this is a problem that we all want to solve. When you read reports such as one from Gartner where it says confidence in the Internet is impacting online purchasing behaviour and one from Harvard and Berkeley showing how incredibly effective phishing can be - even with savvy users - it makes you realize that something needs to be done. What's the point of Web 2.0 if people have no confidence in the Internet to begin with?
We're trying to provide a solution that everyone can use.
"(2) Why .crd and .crds instead of .card and .cards, respectively? When will the computer industry's war on vowels come to an end?"
If the crds wasn't 4 letters long I would say it had to do with the ISO 9660 CD filesystem. But I guess it doesn't.
We're currently working on a mechanism to allow you to safely store your cards on secure portable storage devices whilst still maintaining InfoCard's open extensible architecture.
That sounds great.
Do you know if the portable STS will be available in the first Infocard release (in Vista)?
If not, any target date for a SP?
Thanks.
But I still have a question.
I get the fact that your computer doesn't have the card data on it - a plus.
I get the fact that the server requests an encrypted token from your machine, and your machine gets it from the STS, and transmits it to the site you're trying to view (which then can get your information).
My question is: What happens, or is planned, when a 3rd party (say a hacker who compromised your computer) obtains your .crd file(s)? From my understanding they could then use the card to login to your bank site (assuming they support InfoCard logins). Is having it as an InfoCard greater/lesser/equal security from hackers in this sense?
There are people working hard on this. If it doesn't make it into the box for v1 it should be soon afterwards. This is a key part of the story.
When someone unpleasant steals my computer he does indeed have access to my InfoCards. However, the InfoCard itself has no sensitive data in it: it has information where to get data, how to get it and what it will look like when it's retrieved as a security token. The "where" part is the endpoint of a security token service, the "how" is the method of authentication when a request is made to that STS. You have to prove who you are before an IP will pony up a security token. And this is where a bank will utilize something like a smartcard or One Time Password device. InfoCard provides a nice, consistent UX for precisely this scenario.
A bad guy will (eventually) crack into my stolen machine and be able to select my bank-supplied InfoCard (eventually) but then he will be asked to insert the bank-supplied smart card and enter the card PIN. At that point, unless he also has access to the card and PIN, it's time to move on to something else.
InfoCard is not a security panacea - nothing is - and you need to combine it with multi-factor authentication, revocation and good practice where it makes sense to do so.
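Nigel's point above, that the card itself holds only the "where", "how" and "what" and that a stolen .crd file yields no token without the second factor, as an added toy model. This is not Microsoft's code or the real WS-Trust wire format; the card fields, STS endpoint, user record, audience check and HMAC signing are all constructed assumptions.

```python
"""Toy model of the flow described above: constructed example, not Microsoft code.

The card holds no secrets, only where the STS is, how to authenticate to it and
which claims it can produce; a token is minted only after the second factor checks out."""
import hashlib
import hmac
import json

# Hypothetical bank card: the 'where', 'how' and 'what' (all values constructed).
BANK_CARD = {
    "sts_endpoint": "https://sts.example-bank.test/trust",   # where
    "auth_method": "smartcard+pin",                          # how
    "claims": ["accountholder", "age_over_18"],              # what (names only)
}

# Constructed identity-provider state; the signing key never leaves the STS.
STS_SIGNING_KEY = b"constructed-demo-key"
STS_USERS = {
    "alice": {"smartcard_serial": "SC-0001",
              "pin_hash": hashlib.sha256(b"1234").hexdigest(),
              "claims": {"accountholder": "alice", "age_over_18": True}},
}

def request_security_token(card, relying_party, user, smartcard_serial, pin):
    """Model of the client's request to the STS named in the card."""
    record = STS_USERS.get(user)
    # Possession of the card proves nothing: the STS demands the smartcard and PIN.
    if (record is None
            or record["smartcard_serial"] != smartcard_serial
            or record["pin_hash"] != hashlib.sha256(pin.encode()).hexdigest()):
        return {"error": "authentication failed"}
    claims = {name: record["claims"][name] for name in card["claims"]}
    # Assumed detail: the token names the relying party it was minted for.
    body = json.dumps({"aud": relying_party, "claims": claims}, sort_keys=True)
    sig = hmac.new(STS_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"token": body, "sig": sig}

def relying_party_verify(response, expected_audience):
    """The site checks the signature and the audience before trusting any claim.
    Shared HMAC key here only for compactness; a real STS would sign asymmetrically."""
    if "token" not in response:
        return None
    expected = hmac.new(STS_SIGNING_KEY, response["token"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["sig"]):
        return None
    payload = json.loads(response["token"])
    return payload["claims"] if payload["aud"] == expected_audience else None
```

Feeding the card plus a wrong PIN or an unknown smartcard serial returns an error rather than a token, which is the property the reply above relies on.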
Will parents be able to create an InfoCard for their kids that cannot be changed? This would help protect against kids faking their age for inappropriate sites. I would also like to see social networking sites force the use of InfoCards issued by reputable sources for confirming ID and age.
If I understood correctly, an identity provider may decide whether it will require the certificate of the relying party before releasing the personal data stored by it. I assume this also means that the identity provider can determine which relying party certificates it is willing to accept. If this is the case, then the client will not be able to use the InfoCard of such an identity provider unless the identity provider accepts the certs of that relying party.
From the identity provider's legal standpoint it makes sense that it work this way, especially to protect the ID provider with regard to the data it is supposed to have verified and who relies on that verification.
On a day to day basis however, I see this significantly restricting the capacity of the client to use InfoCards at will (e.g. the eBay InfoCard for other communities).
This also opens up the issue of ownership of the personal data and the additional data associated with it (e.g. reputation as a seller/buyer on eBay).
This is really going to get interesting...
Is my understanding correct?
Thanks,
J.
Or smartcards and USB tokens are the unique great solution to save keys and preserve identity.
My question is re: use context. If I'm at a non-personal workstation, how do I access and use my InfoCards? Via a trusted website? For example, can I log on to Passport from anywhere via traditional logon/password, then use any of my Passport-stored InfoCards to access other sites?
"I'm looking forward to Vista too, can't wait" What a disappointment that was, way too buggy and unstable.