InfoCard - Deep Architecture

This is a great deep dive on the technology. I like how they use real world future scenearios.

I like how they write with blue markers on the white board. 8-)

Interesting video....

I would like to know how this compares to SXIP?

Also how does this fit in with Microsoft Passport? (It seems like Passport attempted to solve this problem already, does this mean Passport fell short of its orginal goals. why?)

Cheers Ed.

Yes it is a replacement for MS Passport, Passport fellshort because no one trusted MS enough, well thats how I understand it.

It does sound very similar to SXIP.... is this just MS implenmentation?

EDIT: Added question and amended typo above...

Where/how do digital certs fit in with InfoCard Architecture?

Another great video from the Channel 9 team!

Kryptos wrote:



Yes it is a replacement for MS Passport, Passport fellshort because no one trusted MS enough, well thats how I understand it.

No, it is not. InfoCard does not replace passport. Passport (or Windows Live ID, its new name) will be one of many identity providers supported by InfoCard, but it won't get any special treatment over any other identiy provider. InfoCard is an identity selector, which essentially is a secure way for users to choose amongst various providers that might be able to make statements about the user. For example: A web page might require the age of its users before it shows its content. The web page would trigger the InfoCard UI, the Infocardsystem would look at the set of identity providers the user is registered with, would pick the ones that can certify the age of the user (and maybe Windows Live ID is one of them), present a UI to the user that lets him/her pick which provider to use and then securly transmits that claim to the web page. It is actually a bit more complicated that that, but there are many good whitepapers on it on MSDN.

But the key point is: Infocard does NOT replace Passport. It solves a different set of problems.

Truly a great video... One of the best I have seen with respect to a clear overview of the framework from an architecture perspective. 

I was also stunned that they didn't employ more managed code for the UI.  As I was thinking it (and as my wife would attest, vocally complaining about it) Charles asked it.  I would have to say I still don't clearly understand why they didn't.  As Charles said, one would think that would be a more secure way to implement the UI, with less effort.  Can Arun, Ruchi or Nigel give a little more detail as to why?

The whole "They might not have the .NET Framework" just doesn't hold water....

Another thought is if the interfaces are written as they stated, one major step Microsoft could do to convince us they want this to use open standards and foster other platforms use it, would be to offer some of it via share source/open source for use in... well... Mono maybe? Then each platform need only implement the "windows service" piece in their own way and use the other pieces to offer a common interface...  Am I crazy to want Microsoft to take this approach more often than not for this type of stuff?

Anyhow, great video, keep these coming.

>> The whole "They might not have the .NET Framework" just doesn't hold water....

Yes it does, if they want to support (and they stated they did) all operating systems.  That would include operating environments that don't have a Framework implementation.

assuming they will be sharing code you have a potential point if you ignore Project Mono http://www.mono-project.com or don't believe in it.... I didn't hear anything about them sharing code... Just using open standards, which means other are free to use anything... C++, Java, or whatever.  But on Windows why not use .NET and offer some or most up via shared-source/open source?

Fabulous stuff!

I love these deep level videos.

Love it! This is one of the things I'm really excited about

The fact that with WinFX and IE7 we'll be able to use it on XP/2003 too, is very yummy indeed.

It's also great to see the levels of componentisation that the system provides - allowing different browsers / management interfaces to interact with InfoCards.

Great video, and great explanation

davida242 wrote:



Kryptos wrote:  Yes it is a replacement for MS Passport, Passport fellshort because no one trusted MS enough, well thats how I understand it.

No, it is not. InfoCard does not replace passport. Passport (or Windows Live ID, its new name) will be one of many identity providers supported by InfoCard, but it won't get any special treatment over any other identiy provider. InfoCard is an identity selector, which essentially is a secure way for users to choose amongst various providers that might be able to make statements about the user. For example: A web page might require the age of its users before it shows its content. The web page would trigger the InfoCard UI, the Infocardsystem would look at the set of identity providers the user is registered with, would pick the ones that can certify the age of the user (and maybe Windows Live ID is one of them), present a UI to the user that lets him/her pick which provider to use and then securly transmits that claim to the web page. It is actually a bit more complicated that that, but there are many good whitepapers on it on MSDN.

But the key point is: Infocard does NOT replace Passport. It solves a different set of problems.

Thanks davida242 for putting me straight on this matter....

Interesting stuff.

It's a shame that the team will most likely have to accept a name like Microsoft Identity Services or Microsoft Unified Identification System instead of the snazzy and exciting name they were hoping for.

Such is life,  I guess.

I may be too late already, but ...

please don't give this a 'branded' name like 'Windows Live Identity Service' or similar!

It needs a nice, generic, one-word name like... well, like Infocard. Yes, I noticed that Infocard is trademarked. But please try to get your naming gurus thinking along those lines anyway, or redouble your efforts to get the use of Infocard, or something.

We need to think of our network identity management systems in simple, generic, worldwide terms. The minute someone uses this as a branding opportunity, no Average Joe will be able to remove all the MS-only connotations from his mental model.  

Seriously. I can think of no better way to kill this initiative than to treat the naming process as another Microsoft/Windows/Office/MSN/whatever branding excercise. Make it simple, make it generic, make it something that you could easily see turning up in a dictionary as a single entry!

this whole concept sounds awesome, and very secure.  and from what i gather no one can hack into my remote STS or my desktop and get my sensitive info.

but one this is missing:
what keeps an attacker from creating a website that asks me for an infocard, and it requires the type that will tell them my SSN or other sensitive info?

as an example, take something that is done today:
i get an email from some spammer that says "this new great bank will pay you a zillion dollars for opening an account!"  i click the link and go through the sign-up process, and up comes the infocard dialog.  now as secure as this process is, this is still a bank (or so i think), so i have to send them the kind of infocard that will tell this particular "relying party" my SSN, mother's maiden name and so on.  and so now i've just handed over all my sensitive info to some attacker.

shouldn't there be some sort of authentication of the relying party, to make sure they are a ligitamate(sp?) business?

I liked how C. didn't stop at some of the confusing answers.


There should be some effort to keep the current name; Googling for it, first 34 results for "InfoCard" are related to this technology.

Nigel seems to always ask the right questions, when he realizes that the ones who are talking are going too deep without giving a higher level picture first. I have also noticed this in the previous video on InfoCard.

I like that Scoble also asks critical questions and I love the sense of humor in his interviews.

Great work, guys!

I'm really looking forward to working with the future identity platforms. Fantastic video! I love your sense of humour - good job guys!!

<Denise />

Hey, I hope someone is still monitoring this thread... There seems to be precious little information about the life-cycle of an InfoCard. From what I have seen/read the life-cycle of an InfoCard seems strikingly simlar to a digital certificate and implementing digital certificate life-cycle solutions is notoriously difficult and expensive. Is there any information on this aspect of the solution? - provisioning, renewal, revokation and roll-over of credentials in the InfoCard framework doesn't seem to be discussed anywhere... I also see the, not very talked about, step of user authentication to the Identity Provider as critical to the usability of the solution. At this point the user is asking the Identity Provider to generate a security token for the Relying Party. The user has to prove they are who they say they are somehow. Password and Acive Directory have been mentioned very briefly. How do developers of this class of security component plug into the framework to build enhanced solutions? It seems that InfoCard is all about authentication of the user and the provisioning of information that the Identity Provider holds. Can InfoCard be used when I want someone to authenticate to gain access to my service then (this is the critical bit) I want them to prepare some ad-hoc data and deliver it to me in a way that I can rely on. I know I can use public key cryptography (sign and/or encrypt the data) right now, but does InfoCard provide me with any new tools to achieve the same outcome? I certianly don't want the user to send the data to the Identity Provider so that it can be packaged in a security token. Thanks. T

I also can't find any information on hw InfoCards (i.e. real plastic cards, etc) that work with Infocard.  Is it just a sw solution?