Infocard and Interoperability

Is Infocard Interoperable with Java?

Channel9 has a new segment entitled Infocard Explained. Infocard is Microsoft's second take on addressing the issue of federated identity on the web; the first try was called Passport, and failed for a number of reasons, mostly because it didn't address stakeholder interests (that's a polite way of saying it!). Infocard is something very different, and we believe it will address people's interests much better. Infocard involves a couple of things:

  • protocol specifications - that describe the messages that travel between applications (like a browser and a web server) and identity providers (like a directory server).
  • an actual implementation of these protocols - running on Windows, packaged as a DLL, and mated to a user interface for the client - the latter is a dialog box that pops up within the context of a browser experience, and asks: do you want to provide your credentials to the requesting server? And if so, which credentials?

Is Infocard Passport v2?

Both Passport and Infocard deal with identity. But philosophically they are quite different in their approach to a solution. Passport was a single-identity system, where a single identity for a person is shared among many different services. Infocard is expanded to reflect the reality that people have multiple, compartmentalized identities - credit card holder, registered voter, frequent flyer on Airline X, etc. And Infocard is designed with the understanding that you may not want your credit card provider to know your political party affiliation, or your frequent flyer status. *You* have multiple independent identities, and *you*, the user, control how you distribute the credentials for those identities.

About Interop

The protocols used by Infocard are pretty simple, and are based on WS-splat (the WS-* specifications), including WS-Trust and WS-Security. What this means is, any application that does WS-* can implement the Infocard protocols and can participate in this identity meta-network.

To the extent that your Java environment supports WS-{Trust,Security}, Java apps built on that environment will be able to participate in the Infocard system. In practice, it means a website powered by Java servlets or JSP (or PHP or ...) will be able to "talk the Infocard talk" and request identities securely. The user will get a consistent user experience, and consistent security semantics, regardless of the back-end server s/he is authenticating to. It also means a Java-based client-side app could use the same protocols to authenticate to any sort of server.

This is not just a theory - implementations of the Infocard protocols are already emerging in Java and other systems. Phil Windley gave a review of the IIW2006 conference where some people from UNC implemented an Infocard client in Java. And there's also a Firefox plug-in for Infocard.

This is only interesting if Infocard catches on - if the community vets it and likes it and people start using it very broadly. We're hopeful that Infocard provides the right balance of usability, privacy, and security, and that broad adoption will happen fairly quickly.

-Dino