Charles

InfoCard Explained

Description

Ever wonder what InfoCard is all about? Well, Nigel Watling, an InfoCard Technical Evangelist, and Andy Harjanto, an InfoCard Program Manager, can explain it all to you. Here they discuss all aspects of InfoCard (with a lot of time spent at the whiteboard). We're joined by a special guest towards the end of the discussion, whom you'll see more of as we cover InfoCard architecture and internals in an upcoming Going Deep episode.

Tag:

CardSpace

    The Discussion

    • Zeo
      Great explanation. Really good examples. This isn't Passport 2.0 Big Smile
    • mwirth
      Yes, looks 'a bit' more capable than Passport 2.0. Passport was (is) a good idea, though - one that has been killed by licensing terms.
    • BryanF
      Great video. I'm really looking forward to this. I have two quick questions however:

      (1) I understand the multiple users on a single computer scenario, but what about a single user across multiple computers? For instance, how would I check my mail at an internet cafe? How would I get my cards on that machine and make sure they're removed when I'm finished?

      (2) Why .crd and .crds instead of .card and .cards, respectively? When will the computer industry's war on vowels come to an end?

      Thanks. Smiley
    • cravikiran
      BryanF wrote:

      (1) I understand the multiple users on a single computer scenario, but what about a single user across multiple computers? For instance, how would I check my mail at an internet cafe? How would I get my cards on that machine and make sure they're removed when I'm finished?


      Yes, I am wondering about this as well... I'm assuming that there is a way to get limited-time (per session, etc.) cards? And for the moving across multiple computers scenario... do you always start out with a self-issued card that contains a password in the InfoCard system (this self-issued card being the gateway to some cryptographically strong card from some base identity provider)?
    • mathiaspett​ersson@msn.​com
      Windows InfoCard Live?
    • BryanF
      Maybe. But then... how would you log into Windows Live?

      We may need some "special" brownies for this one. Big Smile
    • Darth Kronos
      OK, so what happens when I log on to a machine at home? Do I still have my InfoCard?

      If not, then isn't this flawed?

      It would be cool if you could change InfoCard's trusted storage subsystem to be a USB drive or web service.
    • dahat

      Great stuff! I look forward to this, as well as the impending cries of the OSS crowd when they think Microsoft is trying to take over the world and count them out again.

      Of course... like many I've still got questions... What mechanisms are available for backing up one's own InfoCard? Are they simply files sitting on the HD that could be copied over to another machine?

      I am one who is quite good at hosing my Windows install from time to time, and before paving and reinstalling, I will boot up into a secondary install and copy over files I can't live without... which also makes me wonder: how would you go about replacing a lost InfoCard (likely far harder with self-issued ones)?

    • SlackmasterK
      So if I wander around and use multiple computers, I'll have to carry my InfoCard around on a ThumbDrive?
    • toast

      Guys, these are great questions. Can you also go to Kim's blog site and post them there. I am sure he would like to hear them and respond.

      http://wwww.identityblog.com/

    • nektar
      Is Microsoft thinking at all about the interoperability aspect of the InfoCard technology? I mean, are you thinking at all about how to enable the rapid and seamless adoption of this technology into other non-Microsoft operating systems and applications? To enable, I mean how you are thinking to alleviate fears around any legal (e.g. licensing) issues, or not to create them in the first place. To enable, I mean how to support 3rd parties in creating InfoCard implementations on other platforms and web servers. To enable, I mean how to formalize and standardize the InfoCard technology through a transparent standardization process. To enable, I mean how to even give away some source code for such 3rd party efforts.
      If not, don't you worry that InfoCard might have the fate of Passport concerning its interoperability aspect, and that it might end up as a Windows-only solution? After all, a universal authentication technology, as InfoCard tries to be, should be above all ... universal!
      InfoCard is too good a technology, and it would be unfortunate for it to fail due to mishandling of trust issues in this complex industry.
    • nigel.​watling

      (1) The best solution for this scenario - making the not unreasonable assumption that the internet cafe machine you're using has been compromised and has a key logger installed (be careful out there folks e.g. Outlook Web Access) - is to use a "portable STS". 

      Imagine a device that holds personal data and allows you to authenticate. This could be something like a USB key or a mobile phone. You would select a card and be supplied a signed, encrypted security token to present to a site or service. You walk away with the device when you're done.

      We showed a prototype of this at the PDC and are working on making it a reality.

      (2) You have a good point. We're still recovering from the shock of moving from 8.3 and feel honour-bound to maintain the rich tradition of file-naming conventions on Windows. Hey, it could be worse: we might have chosen the developers' initials for application names.

    • nigel.​watling
      Yes,
      Or you could use group policy in an enterprise environment,
      Or you could use a "cards in the sky" type service.
    • nigel.​watling

      Don't worry, we fully appreciate the importance of interoperability and cross-industry adoption. You would be hard-pressed to find a stronger advocate of this than Kim Cameron.

      The wire protocols we use, eg.
      WS-Trust
      WS-Security
      WS-MetadataExchange
      WS-SecurityPolicy
      are open standards, submitted to standards bodies such as OASIS.

      Our implementation of InfoCard and the Identity metasystem has been specifically designed for ease of adoption on other platforms and in other software. For example, we could have tied InfoCard to Internet Explorer but we have chosen an approach that allows Mozilla, Opera or whoever else to easily add InfoCard support.

      We have published a guide for Integrating with InfoCard specifically to help people on non-MS technologies and they are building. We fully hope and expect to see identity selectors, identity providers and relying parties on other platforms.

      Publishing source code is always a delicate topic in this company so I cannot promise anything there but we are doing our very best to get this technology adopted on other platforms. We'll know we've really succeeded when someone can use Firefox on a Mac with a Mac identity selector to access a security token service running on Linux and thereby authenticate to an Apache website.

      Ultimately, this is a problem that we all want to solve. When you read reports such as one from Gartner where it says confidence in the Internet is impacting online purchasing behaviour and one from Harvard and Berkeley showing how incredibly effective phishing can be - even with savvy users - it makes you realize that something needs to be done. What's the point of Web 2.0 if people have no confidence in the Internet to begin with?

      We're trying to provide a solution that everyone can use.

    • aJanuary

      "(2) Why .crd and .crds instead of .card and .cards, respectively? When will the computer industry's war on vowels come to an end?"


      If the crds wasn't 4 letters long I would say it had to do with the ISO 9660 CD filesystem. But I guess it doesn't.

    • RichTurner
      In "InfoCard" v1.0, you'll be able to export/import cards to/from your hard-drive/USBkey etc.

      We're currently working on a mechanism to allow you to safely store your cards on secure portable storage devices whilst still maintaining InfoCard's open extensible architecture. Cool
    • otes
      Nigel,
      that sounds great.
      Do you know if the portable STS will be available in the first Infocard release (in Vista)?
      If not, any target date for a SP?

      thanks
    • Borvik
      Ok - First off very informative video, it answered quite a few questions I had about the security of InfoCards.

      But I still have a question.

      I get the fact that your computer doesn't have the card data on it - a plus.
      I get the fact that the server requests an encrypted token from your machine, and your machine gets it from the STS and transmits it to the site you're trying to view (which then can get your information).

      My question is: What happens, or is planned, when a 3rd party (say a hacker who compromised your computer) obtains your .crd file(s)?  From my understanding they could then use the card to login to your bank site (assuming they support InfoCard logins).  Is having it as an InfoCard greater/lesser/equal security from hackers in this sense?
    • nigel.​watling
      
      Do you know if the portable STS will be available in the first Infocard release (in Vista)?
      If not, any target date for a SP?

      There are people working hard on this. If it doesn't make it into the box for v1 it should be soon afterwards. This is a key part of the story.
    • nigel.​watling
       What happens, or is planned, when a 3rd party (say a hacker who compromised your computer) obtains your .crd file(s)?  From my understanding they could then use the card to login to your bank site (assuming they support InfoCard logins).  Is having it as an InfoCard greater/lesser/equal security from hackers in this sense?


      When someone unpleasant steals my computer he does indeed have access to my InfoCards. However, the InfoCard itself has no sensitive data in it: it has information where to get data, how to get it and what it will look like when it's retrieved as a security token. The "where" part is the endpoint of a security token service, the "how" is the method of authentication when a request is made to that STS. You have to prove who you are before an IP will pony up a security token. And this is where a bank will utilize something like a smartcard or One Time Password device. InfoCard provides a nice, consistent UX for precisely this scenario.

      A bad guy will (eventually) crack into my stolen machine and be able to select my bank-supplied InfoCard (eventually) but then he will be asked to insert the bank-supplied smart card and enter the card PIN. At that point, unless he also has access to the card and PIN, it's time to move on to something else.

      InfoCard is not a security panacea - nothing is - and you need to combine it with multi-factor authentication, revocation and good practice where it makes sense to do so.
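      As an added, constructed illustration of the flow Nigel describes (this is not InfoCard/CardSpace code and is not from the page): the card file carries only the STS endpoint, the required authentication method and the claim types; the STS issues a short-lived, audience-bound signed token only after the PIN check succeeds; and the relying party verifies signature, audience and expiry. The HMAC key stands in for the issuer's signing key, and every endpoint, PIN and record value is hypothetical.

```python
import hashlib
import hmac
import json
import time

# Constructed model of the flow described above; not InfoCard/CardSpace code.
# A card file carries no secrets: only WHERE to get a token (the STS endpoint),
# HOW the STS authenticates the user, and WHAT claims the token will contain.
BANK_CARD = {
    "sts_endpoint": "https://sts.bank.example/trust",  # hypothetical STS address
    "auth_method": "smartcard_pin",                     # credential the STS demands
    "claim_types": ["accountholder", "age_over_18"],    # claims the token will carry
}

# Identity provider (STS) side, all constructed: the PIN hash stands in for the
# smart card + PIN check, the HMAC key for the issuer's private signing key.
STS_SIGNING_KEY = b"constructed-issuer-key"
USER_PIN_HASH = hashlib.sha256(b"1234").hexdigest()
USER_RECORD = {"accountholder": "A. Example", "age_over_18": True, "balance": 42}


def sts_issue_token(card, pin, audience, now=None):
    """Return (body, signature) only once the card's auth method is satisfied."""
    if card["auth_method"] == "smartcard_pin":
        presented = hashlib.sha256(pin.encode()).hexdigest()
        if not hmac.compare_digest(presented, USER_PIN_HASH):
            return None  # a stolen .crd without the PIN yields no token
    now = int(time.time()) if now is None else now
    claims = {
        "iss": card["sts_endpoint"],
        "aud": audience,   # bound to one relying party, so it cannot be replayed elsewhere
        "exp": now + 300,  # short-lived
        "claims": {c: USER_RECORD[c] for c in card["claim_types"]},  # only listed claims
    }
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(STS_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body, sig


def rp_verify_token(token, expected_audience, now=None):
    """Relying party check: signature, audience and expiry must all hold."""
    body, sig = token
    expected = hmac.new(STS_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged token
    claims = json.loads(body)
    now = int(time.time()) if now is None else now
    if claims["aud"] != expected_audience or claims["exp"] <= now:
        return None  # presented to the wrong site, or expired
    return claims["claims"]
```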
    • Borvik
      So there's something like a pin as well - that makes sense.  I really like the idea - great stuff (looking forward to Vista too).
    • krissie
      I'm looking forward to Vista too, can't wait
      Big Smile:)
    • homerc44

      Will parents be able to create an InfoCard for their kids that cannot be changed?  This would help protect against kids faking their age for inappropriate sites?  I would also like to see social networking sites force the use of infocard's issued by reputable sources for confirming ID and Age.

    • javellan

      If I understood correctly, an identity provider may decide whether it will require the certificate of the relying party before releasing the personal data stored by it. I assume this also means that the identity provider can determine which relying party certificates it is willing to accept. If this is the case, then the client will not be able to use the infocard of such an identity provider unless the identity provider accepts the certs of that relying party.

      From the identity provider's legal standpoint it makes sense that it work this way, especially to protect the ID provider with regard to the data it is supposed to have verified and who relies on that verification.

      On a day to day basis however, I see this significantly restricting the capacity of the client to use infocards at will (e.g. the ebay infocard for other communities).

      This also opens up the issue of ownership of the personal data and the additional data associated with it (e.g. reputation as a seller/buyer in ebay).

      This is really going to get interesting.....

      Is my understanding correct?

      Thanks,
      J.

    • Trappeu
      I saw that we can use smartcards with CardSpace. But originally, OASIS didn't want to use smartcards for logging in Perplexed. (see: http://www.projectliberty.org/)
      Or smartcards and USB tokens are the unique great solution to save keys and preserve identity.
    • noeldp
      Fun demo. I've been emailing suggestions to use exactly this approach to MS and others for the last 10 years (client-chosen logons they can select and use at sites that publish what kinds of logons they trust - exactly like a restaurant says we take Visa/MC). Sure makes my day to see it actually implemented. Super job.

      My question is re use context. If I'm at a non-personal workstation, how do I access and use my InfoCards? Via a trusted website? For example, can I log on to Passport from anywhere via traditional logon/password, then use any of my Passport-stored InfoCards to access other sites?
    • Sam101

      "I'm looking forward to Vista too, can't wait" What a disappointment that was, way too buggy and unstable.
