Feeds

Implementing InfoCard and the identity metasystem

The authentication experience

Internet Security Threat Report 2014

InfoCard is more than the replacement for Microsoft's Passport; in some ways it’s the antidote.

Identity architect Kim Cameron (read his paper on The Laws of Identity here) joined Microsoft when it bought the metadirectory he developed at Zoomit to turn into Active Directory, and stayed because he thought Microsoft was the best place to be to try to solve the internet’s identity problem.

He’s very clear on what Passport got wrong: “It did not make sense to most non-MSN sites for Microsoft to be involved in their customer relationships,” he says. “Nor were users clamouring for a single Microsoft identity service to be aware of all their internet activities. Passport was positioned as a candidate for or something ready to be the identity system for the internet. Nobody used it as that identity system; it doesn't take a rocket scientist to see that doesn't fly.”

InfoCard isn’t trying to be the identity system for the internet, and it isn’t just a password management system like Opera’s Magic Wand or the Password Manager in Firefox. It’s intended to be a consistent and secure way to choose the identity you want to use for a website or an application – like picking a card from your wallet - and to find out who you’re dealing with and what they’re asking for.

Users will have multiple InfoCards, each of them an XML description of the information about you that each identity supplies. But the information –name, age, email address, credit card number, membership number or whatever else is on the card – isn’t in the InfoCard or even on your PC (unless it’s a card you’ve issued yourself).

Instead, when you use an InfoCard it retrieves that information from the identity provider – VeriSign, your bank, the airline you have a frequent flyer card with and so on – and passes it to the site you want to access. This is done using a new class of “higher-value” X.509 site certificates that Microsoft is developing with VeriSign and other certificate authorities, which include digitally-signed company logos to show who you’re giving your details to.

InfoCard works with an identity metasystem that allows different identity systems to interact. Each identity provider runs a Security Token Server (STS) using WS-Trust to securely exchange claims with other identity systems (negotiations between systems use WS-MetadataExchange and WS-SecurityPolicy and messages are secured with WS-Security). It doesn’t have to be a Microsoft STS; Ping Identity’s PingTrust is the first third-party STS for the identity metasystem but several identity providers support WS-Trust and the other WS-* web services.

Authentication is based on unique keys generated each time you use an InfoCard. You get a new key pair even if you use the same card on the same site. And the information sent doesn’t have to be everything in that InfoCard; a site asking you to prove you’re over 18 won’t get your birth date, just the confirmation you’re a legal adult. Your credit card company can supply a one-time transaction authorisation rather than your card number.

What is on your PC is configuration information telling InfoCard how to contact the identity provider. That’s encrypted in a Metadata Store with no programmatic interface so nothing but InfoCard can access it. In version 1, this stays on your PC, unless you export it by hand to copy to another computer. In the future it could be on your phone, on a smartcard or a USB stick - or even supplied by a web service.

InfoCard works with smartcards and security fobs; you could use biometric sensors to protect especially confidential information. VeriSign’s Identity Protection Network will use InfoCard and one-time passwords generated by security fobs, USB keys, or certain mobile phones to login to sites like eBay, PayPal and Yahoo!.

InfoCard runs on a separate secure desktop under a different user account. Malware will have to run with administrative privileges to see the InfoCard process; something Windows Vista aims to make less common.

Security for virtualized datacentres

Next page: Supporting InfoCard

More from The Register

next story
Microsoft WINDOWS 10: Seven ATE Nine. Or Eight did really
Windows NEIN skipped, tech preview due out on Wednesday
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
'Google is NOT the gatekeeper to the web, as some claim'
Plus: 'Pretty sure iOS 8.0.2 will just turn the iPhone into a fax machine'
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.