Feeds

Implementing InfoCard and the identity metasystem

The authentication experience

The Power of One Brief: Top reasons to choose HP BladeSystem

InfoCard is more than the replacement for Microsoft's Passport; in some ways it’s the antidote.

Identity architect Kim Cameron (read his paper on The Laws of Identity here) joined Microsoft when it bought the metadirectory he developed at Zoomit to turn into Active Directory, and stayed because he thought Microsoft was the best place to be to try to solve the internet’s identity problem.

He’s very clear on what Passport got wrong: “It did not make sense to most non-MSN sites for Microsoft to be involved in their customer relationships,” he says. “Nor were users clamouring for a single Microsoft identity service to be aware of all their internet activities. Passport was positioned as a candidate for or something ready to be the identity system for the internet. Nobody used it as that identity system; it doesn't take a rocket scientist to see that doesn't fly.”

InfoCard isn’t trying to be the identity system for the internet, and it isn’t just a password management system like Opera’s Magic Wand or the Password Manager in Firefox. It’s intended to be a consistent and secure way to choose the identity you want to use for a website or an application – like picking a card from your wallet - and to find out who you’re dealing with and what they’re asking for.

Users will have multiple InfoCards, each of them an XML description of the information about you that each identity supplies. But the information –name, age, email address, credit card number, membership number or whatever else is on the card – isn’t in the InfoCard or even on your PC (unless it’s a card you’ve issued yourself).

Instead, when you use an InfoCard it retrieves that information from the identity provider – VeriSign, your bank, the airline you have a frequent flyer card with and so on – and passes it to the site you want to access. This is done using a new class of “higher-value” X.509 site certificates that Microsoft is developing with VeriSign and other certificate authorities, which include digitally-signed company logos to show who you’re giving your details to.

InfoCard works with an identity metasystem that allows different identity systems to interact. Each identity provider runs a Security Token Server (STS) using WS-Trust to securely exchange claims with other identity systems (negotiations between systems use WS-MetadataExchange and WS-SecurityPolicy and messages are secured with WS-Security). It doesn’t have to be a Microsoft STS; Ping Identity’s PingTrust is the first third-party STS for the identity metasystem but several identity providers support WS-Trust and the other WS-* web services.

Authentication is based on unique keys generated each time you use an InfoCard. You get a new key pair even if you use the same card on the same site. And the information sent doesn’t have to be everything in that InfoCard; a site asking you to prove you’re over 18 won’t get your birth date, just the confirmation you’re a legal adult. Your credit card company can supply a one-time transaction authorisation rather than your card number.

What is on your PC is configuration information telling InfoCard how to contact the identity provider. That’s encrypted in a Metadata Store with no programmatic interface so nothing but InfoCard can access it. In version 1, this stays on your PC, unless you export it by hand to copy to another computer. In the future it could be on your phone, on a smartcard or a USB stick - or even supplied by a web service.

InfoCard works with smartcards and security fobs; you could use biometric sensors to protect especially confidential information. VeriSign’s Identity Protection Network will use InfoCard and one-time passwords generated by security fobs, USB keys, or certain mobile phones to login to sites like eBay, PayPal and Yahoo!.

InfoCard runs on a separate secure desktop under a different user account. Malware will have to run with administrative privileges to see the InfoCard process; something Windows Vista aims to make less common.

Seven Steps to Software Security

Next page: Supporting InfoCard

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
Mozilla keeps its Beard, hopes anti-gay marriage troubles are now over
Plenty on new CEO's todo list – starting with Firefox's slipping grasp
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.