Implementing InfoCard and the identity metasystem
The authentication experience
InfoCard is more than the replacement for Microsoft's Passport; in some ways it’s the antidote.
Identity architect Kim Cameron (read his paper on The Laws of Identity here) joined Microsoft when it bought the metadirectory he developed at Zoomit to turn into Active Directory, and stayed because he thought Microsoft was the best place to be to try to solve the internet’s identity problem.
He’s very clear on what Passport got wrong: “It did not make sense to most non-MSN sites for Microsoft to be involved in their customer relationships,” he says. “Nor were users clamouring for a single Microsoft identity service to be aware of all their internet activities. Passport was positioned as a candidate for or something ready to be the identity system for the internet. Nobody used it as that identity system; it doesn't take a rocket scientist to see that doesn't fly.”
InfoCard isn’t trying to be the identity system for the internet, and it isn’t just a password management system like Opera’s Magic Wand or the Password Manager in Firefox. It’s intended to be a consistent and secure way to choose the identity you want to use for a website or an application – like picking a card from your wallet - and to find out who you’re dealing with and what they’re asking for.
Users will have multiple InfoCards, each of them an XML description of the information about you that each identity supplies. But the information –name, age, email address, credit card number, membership number or whatever else is on the card – isn’t in the InfoCard or even on your PC (unless it’s a card you’ve issued yourself).
Instead, when you use an InfoCard it retrieves that information from the identity provider – VeriSign, your bank, the airline you have a frequent flyer card with and so on – and passes it to the site you want to access. This is done using a new class of “higher-value” X.509 site certificates that Microsoft is developing with VeriSign and other certificate authorities, which include digitally-signed company logos to show who you’re giving your details to.
InfoCard works with an identity metasystem that allows different identity systems to interact. Each identity provider runs a Security Token Server (STS) using WS-Trust to securely exchange claims with other identity systems (negotiations between systems use WS-MetadataExchange and WS-SecurityPolicy and messages are secured with WS-Security). It doesn’t have to be a Microsoft STS; Ping Identity’s PingTrust is the first third-party STS for the identity metasystem but several identity providers support WS-Trust and the other WS-* web services.
Authentication is based on unique keys generated each time you use an InfoCard. You get a new key pair even if you use the same card on the same site. And the information sent doesn’t have to be everything in that InfoCard; a site asking you to prove you’re over 18 won’t get your birth date, just the confirmation you’re a legal adult. Your credit card company can supply a one-time transaction authorisation rather than your card number.
What is on your PC is configuration information telling InfoCard how to contact the identity provider. That’s encrypted in a Metadata Store with no programmatic interface so nothing but InfoCard can access it. In version 1, this stays on your PC, unless you export it by hand to copy to another computer. In the future it could be on your phone, on a smartcard or a USB stick - or even supplied by a web service.
InfoCard works with smartcards and security fobs; you could use biometric sensors to protect especially confidential information. VeriSign’s Identity Protection Network will use InfoCard and one-time passwords generated by security fobs, USB keys, or certain mobile phones to login to sites like eBay, PayPal and Yahoo!.
InfoCard runs on a separate secure desktop under a different user account. Malware will have to run with administrative privileges to see the InfoCard process; something Windows Vista aims to make less common.
On a website InfoCard uses the same HTTP/HTTPS GET and POST, and writes the same client-side browser cookie as a username and password login. The login link is either an OBJECT tag or XHTML, to support multiple browsers (although Microsoft is talking to other browser developers about adding InfoCard support, at this stage only IE 7 has it).
This link details the information the site wants from the user (such as name, email address or age8). If you’re using an STS of your own (or specifying a third-party STS) to authenticate users, the details of that go in the link. You also need the code to log the user in once the credentials have been supplied; the rest of your website works as before.
To add InfoCard support to Windows applications, you need to use the Windows Communication Foundation (that’s in WinFX so it will be available on Windows XP and Vista), but you can develop in any programming language that supports seb services.
Anyone can issue their own InfoCard – and Passport will accept self-issued InfoCards once Vista comes out. Other identity providers will be able to issue InfoCards. Microsoft is going to be pushing Active Directory as a source of InfoCards. In Windows Server R2, Active Directory Federation Services uses WS–Trust although it isn’t until we finally see Longhorn Server that Active Directory will be able to issue and manage InfoCards for a company, as well as acting as an STS.
That emphasis on Active Directory may be why IBM is backing Higgins, the open source implementation of WS-Trust in Eclipse.
Paul Trevithick from The SocialPhysics Project emphasises that it isn’t meant to compete with InfoCard or the identity metasystem. “We are following what Microsoft is doing; to us it looks like a very inspired move. Higgins is a software framework that relies on service adapters that connect to external systems using that system’s native protocols or APIs. We expect that in the next few months a WS-* service will be created for Higgins. Higgins - when configured with this service and running on Linux, Mac OS and so on - will fully interoperate with InfoCard running on Windows.”
The more systems that work like this, the better, Kim Cameron says. “There's a visual metaphor we call InfoCards and then there's the identity metasystem. That is not something that we're building. All we can do is build a contribution to it.” ®
Find out more about supporting InfoCard within web applications and browsers here.
Visit Andy Harjanto’s InfoCard Blog.
Visit Windows Vista Developer Centre: InfoCard.
Read more (from Kim Cameron and Michael B Jones) about the design rationale behind the Identity Metasystem Architecture here.