<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Welcome to The Metaverse : Identity</title><link>http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx</link><description>Tags: Identity</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>LiveID Announces Beta Support For Information Cards &amp; Windows CardSpace</title><link>http://blogs.msdn.com/richardt/archive/2007/08/28/liveid-announces-beta-support-for-information-cards-windows-cardspace.aspx</link><pubDate>Tue, 28 Aug 2007 19:25:26 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:4615149</guid><dc:creator>richardt</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/richardt/comments/4615149.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=4615149</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=4615149</wfw:comment><description>&lt;p&gt;&lt;a href="http://blogs.msdn.com/angus_logan/archive/2007/08/25/announcement-windows-live-id-adds-beta-support-for-information-cards-with-cardspace.aspx" target="_blank" atomicselection="true"&gt;&lt;img style="margin: 0px 16px 8px 0px" height="198" src="http://blogs.msdn.com/blogfiles/angus_logan/WindowsLiveWriter/ANNOUNCEMENTWindowsLiveIDaddsBetasupport_E73E/clip_image020_2.jpg" width="328" align="left"&gt;&lt;/a&gt;Well, here's the news that many of you have been waiting for! 
&lt;/p&gt; &lt;p&gt;&lt;a href="http://blogs.msdn.com/angus_logan" target="_blank"&gt;Angus Logan&lt;/a&gt;, Technical Product Manager in LiveID, has just announced that &lt;a href="http://blogs.msdn.com/angus_logan/archive/2007/08/25/announcement-windows-live-id-adds-beta-support-for-information-cards-with-cardspace.aspx" target="_blank"&gt;LiveID has launched beta support for information cards and Windows CardSpace&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;There's a great webcast and step-by-step instructions on how to associate a personal card with your LiveID account.&lt;/p&gt; &lt;p&gt;We just took one giant leap forward towards a safer internet. &lt;/p&gt; &lt;p&gt;Many congrats to the LiveID and CardSpace teams who worked hard to make this happen.&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=4615149" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>Dana Epps on RunAs Radio discussing CardSpace</title><link>http://blogs.msdn.com/richardt/archive/2007/07/24/dana-epps-on-runas-radio-discussing-cardspace.aspx</link><pubDate>Tue, 24 Jul 2007 22:32:23 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:4032590</guid><dc:creator>richardt</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/richardt/comments/4032590.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=4032590</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=4032590</wfw:comment><description>&lt;p&gt;Just listened in to Scorpion Software's Dana Epps' great &lt;a href="http://www.runasradio.com/default.aspx?showNum=15" target="_blank"&gt;interview on RunAs Radio&lt;/a&gt;&amp;nbsp;discussing Information Cards, CardSpace and STSs, interop and why usernames and passwords are a pain.&lt;/p&gt; &lt;h2&gt;WS-Trust vs. 
WS-Federation&lt;/h2&gt; &lt;p&gt;I do want to correct a small but important error: Identity Selectors in the Identity Metasystem use WS-Trust to request tokens representing the user from Identity Providers, not WS-Federation.&lt;/p&gt; &lt;p&gt;This is an easy mistake to make but it's important to understand the difference between WS-Trust and WS-Federation:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;WS-Trust is for scenarios where the user needs to interact with an "identity selector" to decide who they want to be at the beginning of each visit or session. This is a scenario we're all familiar with today when we sign in at our web-based email provider as one user to check our "Friends" mail and then sign out and sign back in to check our "Work" mail, etc. This is why identity selectors in the identity metasystem use WS-Trust.&lt;/li&gt; &lt;li&gt;WS-Federation is for scenarios where two organizations wish to closely collaborate and enable users in one organization to access resources within the other organization without having to manually sign in. Supported by enterprise-class technologies like &lt;a href="http://msdn.microsoft.com/theshow/episode.aspx?xml=theshow/en/Episode047/manifest.xml" target="_blank"&gt;Microsoft's ADFS&lt;/a&gt;&amp;nbsp;and &lt;a href="http://www.pingidentity.com/products/pingfederate" target="_blank"&gt;PingID's PingFederate&lt;/a&gt;, WS-Federation enables a user's organization to tell a partner organization who the user is and also convey extra information such as the user's role and rights.&lt;/li&gt;&lt;/ul&gt; &lt;h2&gt;Personal Cards vs. Managed Cards&lt;/h2&gt; &lt;p&gt;Dana did a great job of discussing how information cards can be used TODAY instead of using traditional username/password authentication. 
However, quite some time was spent focusing on managed-card scenarios and I wanted to provide a little perspective on this matter:&lt;/p&gt; &lt;h3&gt;Personal Cards&lt;/h3&gt; &lt;p&gt;In order for you to sign-in to a given relying party (website or application) with information cards, all you need is an Identity Selector such as Windows CardSpace and an information card that is compatible with the relying party's specified policies. &lt;/p&gt; &lt;p&gt;Since relying parties decide what type of information they want from you in order to sign you into their systems, they get to ask you for a particular type of token and a particular set of claims. A common personal card scenario is associating or linking one or more personal cards with a relying party's existing account:&lt;/p&gt; &lt;p&gt;After logging in with your username and password, the relying party may allow you to register one or more personal cards that you can use to sign-in during subsequent visits. Since the relying party already knows you, they only really need you to provide a personal card with a PPID (unique ID for that card at this site) which they can use to generate a UniqueID that they can store in their DB and use to look you up next time you sign into their site using your information card. This enables you to sign in more safely and easily from one or more machines with three mouse-clicks rather than having to remember your username and password.&lt;/p&gt; &lt;p&gt;These&amp;nbsp;"personal card" scenarios are easy to support today, with little developer effort.&lt;/p&gt; &lt;h3&gt;Managed Cards&lt;/h3&gt; &lt;p&gt;Managed cards are issued by identity providers who are willing to assert that a particular set of claims about a person do in fact relate to that person. 
Examples of organizations who might be interested in issuing a managed card to you are your bank, your employer, your government, your favorite hotel chain or airline, etc.&lt;/p&gt; &lt;p&gt;Where managed cards become extremely exciting and powerful is where a relying party needs some form of information about you that has been corroborated by an organization that they trust. For example: An online wine store might want a confirmation from your state government that you are over 21 and so might ask you to provide a state-issued token containing the "Over21" claim.&lt;/p&gt; &lt;p&gt;Another good example of where managed cards provide great value is when a relying party needs some information about you that is likely to change fairly regularly. For example, imagine if you could sign-in to your favorite online store with your credit card company's member rewards card and the site could show you a list of the products that might interest you that are covered by your available points balance. No usernames, no passwords, no awkward redirection - just a plain and simple, easy to use mechanism that gets you into the site and shows you a list of products that you might want that you can afford!&lt;/p&gt; &lt;h2&gt;Which type of card to support now!&lt;/h2&gt; &lt;p&gt;However, whilst managed cards are exciting, the infrastructure to support them isn't quite there yet. Specifically, you need an STS (Security Token Service) - a service that issues and processes requests for managed identity tokens. 
Whilst some vendors (such as PingID's PingTrust and Arcot Systems' WebFort) are currently shipping with managed card support, Microsoft, Novell, IBM and many others are currently building STS capabilities into their future product offerings.&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;strong&gt;Until then, if you want to start making your users' lives easier and safer then we urge you to add support for personal cards.&lt;/strong&gt; &lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Supporting personal cards now will also make it much easier for you to support advanced managed card scenarios when the infrastructure becomes available.&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=4032590" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>Firefox 3.0 (likely) to support Windows CardSpace</title><link>http://blogs.msdn.com/richardt/archive/2007/07/11/firefox-3-0-likely-to-support-windows-cardspace.aspx</link><pubDate>Wed, 11 Jul 2007 20:07:36 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3817340</guid><dc:creator>richardt</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/richardt/comments/3817340.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=3817340</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=3817340</wfw:comment><description>&lt;p&gt;&lt;a href="http://mozillalinks.org/wp/2007/01/planned-features-for-firefox-3/" target="_blank" atomicselection="true"&gt;&lt;img style="border-right: 0px; border-top: 0px; margin: 0px 0px 4px 4px; border-left: 0px; border-bottom: 0px" height="85" alt="image" src="http://blogs.msdn.com/blogfiles/richardt/WindowsLiveWriter/Firefox.0likelytosupportWindowsCardSpace_86F3/image_4.png" width="240" align="right" border="0"&gt;&lt;/a&gt;In case you missed it, &lt;a 
href="http://mozillalinks.org/wp/2007/01/planned-features-for-firefox-3/" target="_blank"&gt;Mozilla's Percy Cabello&amp;nbsp;has just announced the list of features it's planning on including in Firefox 3.0&lt;/a&gt;. Among these features are integrated support for identity selectors such as Windows CardSpace :)&lt;/p&gt; &lt;p&gt;This is awesome news and I am delighted to see the Mozilla community supporting information cards to help users better manage and control their digital identities online.&lt;/p&gt; &lt;p&gt;As readers of &lt;a href="http://blogs.msdn.com/richardt" target="_blank"&gt;my blog&lt;/a&gt; will know, following &lt;a href="http://blogs.msdn.com/richardt/archive/2006/10/04/Meeting-Mozilla.aspx" target="_blank"&gt;a meeting with several members of the Mozilla team last fall&lt;/a&gt;, we were delighted to &lt;a href="http://blogs.msdn.com/richardt/archive/2006/12/12/firefox-extension-for-windows-cardspace.aspx" target="_blank"&gt;announce Kevin Miller's "Perpetual-Motion"&lt;/a&gt; - a CardSpace extension for Firefox 2.x (&lt;a href="http://www.codeplex.com/IdentitySelector" target="_blank"&gt;source here&lt;/a&gt;). Whilst Perpetual-Motion adds seamless support for Windows CardSpace to Firefox, it is an additional download that users have to go find and install.&lt;/p&gt; &lt;p&gt;By including support for identity selectors such as Windows CardSpace, Mozilla has put a very definite stake in the ground, making it clear that they, along with much&amp;nbsp;of the rest of the industry,&amp;nbsp;believe that information cards offer users an opportunity to enjoy a far safer and simpler online experience.&lt;/p&gt; &lt;p&gt;Congratulations guys - look forward to seeing the release of Firefox 3.0! 
:)&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3817340" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>Why don't Microsoft's own sites support CardSpace?</title><link>http://blogs.msdn.com/richardt/archive/2007/07/10/why-don-t-microsoft-s-own-sites-support-cardspace.aspx</link><pubDate>Wed, 11 Jul 2007 01:02:45 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3803905</guid><dc:creator>richardt</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/richardt/comments/3803905.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=3803905</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=3803905</wfw:comment><description>&lt;p&gt;This is a question I am hearing with increasing frequency as I talk to people about why, how and when they might support information cards. Essentially, it comes down to three reasons:&lt;/p&gt; &lt;ol&gt; &lt;li&gt; &lt;div&gt;History&lt;/div&gt;&lt;/li&gt; &lt;li&gt; &lt;div&gt;Perceptions &lt;/div&gt;&lt;/li&gt; &lt;li&gt; &lt;div&gt;Timing&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt; &lt;p&gt;Alas, some of Microsoft's prior forays into the world of online identity (e.g. Passport, Hailstorm, Wallet, etc) are encumbered (rightly or wrongly) with negative perception issues. &lt;/p&gt; &lt;p&gt;Whilst LiveID (formerly Passport) is an enormously successful online authentication engine that performs in excess of a billion authentications each and every day (and yes, that's not a typo - more than a billion a day!), the world made it clear that it doesn't want ONE authentication authority - it wants MANY. Why? Essentially, it comes down to trust. &lt;/p&gt; &lt;p&gt;If you had to store all your identity information in one place, who would you trust with that data? Microsoft? Google? Your bank? Your Government? 
There is no clear answer here. &lt;/p&gt; &lt;p&gt;It's this one core issue that has led to the creation of identity selectors such as Windows CardSpace and the Identity Metasystem (IDMS), which permits identities federated across a number of identity providers to be managed and exchanged under the user's explicit control. &lt;br&gt;&lt;br&gt;One of the decisions we made early in 2006 was to NOT have LiveID support CardSpace at the outset! We did this deliberately to allow us to clearly demonstrate that CardSpace and LiveID were separate but complementary - just as CardSpace and your bank or CardSpace and your government, etc., are. We wanted to ensure that people could examine and explore CardSpace unencumbered by any negative (and incorrect) preconceptions.&lt;/p&gt; &lt;p&gt;However, this is not to say that we've been sitting idly by. Of course, we knew that once it was clearly established that CardSpace is in no way related to or&amp;nbsp;reliant upon LiveID, the next inevitable question would be "so, when are Microsoft's sites going to support CardSpace?" &lt;/p&gt; &lt;p&gt;As both &lt;a href="http://www.identityblog.com/?p=488" target="_blank"&gt;Kim&lt;/a&gt; and &lt;a href="http://blogs.zdnet.com/microsoft/?p=151" target="_blank"&gt;yours truly&lt;/a&gt; pointed out some time ago, LiveID will (in the future) support Information Cards. In fact, we've spent the last several months working closely with our friends over in the LiveID team to support them in building support for information cards into LiveID. When they're done with their implementation and ready to announce, you'll read it here or on &lt;a href="http://www.identityblog.com/" target="_blank"&gt;Kim's blog&lt;/a&gt;&amp;nbsp;within seconds of sign-off! 
:)&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3803905" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>Identity discussion on Run As Radio</title><link>http://blogs.msdn.com/richardt/archive/2007/07/03/identity-discussion-on-run-as-radio.aspx</link><pubDate>Tue, 03 Jul 2007 21:07:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3673898</guid><dc:creator>richardt</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/richardt/comments/3673898.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=3673898</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=3673898</wfw:comment><description>&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.runasradio.com/default.aspx?showNum=12" target="_blank" atomicselection="true"&gt;&lt;img style="margin: 0px 0px 4px 10px" height="64" src="http://www.greghughes.net/rant/content/binary/WindowsLiveWriter/RunAsRadioShow4TalkingCompliancewithSimo_6ED4/RaRlogo1%5B8%5D.jpg" width="240" align="right" border="0"&gt;&lt;/a&gt;&lt;/strong&gt;A couple of weeks ago at TechEd 2007, I was invited to discuss the world of identity with Richard Campbell and Greg Hughes for &lt;a href="http://www.runasradio.com/" target="_blank" mce_href="http://www.runasradio.com/"&gt;RunAs Radio&lt;/a&gt;&amp;nbsp;- the Internet audio talk show for IT Professionals.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.greghughes.net/rant/CardSpaceIdentityAndRelationshipToTheITFieldInterviewWithRichardTurner.aspx" target="_blank" mce_href="http://www.greghughes.net/rant/CardSpaceIdentityAndRelationshipToTheITFieldInterviewWithRichardTurner.aspx"&gt;Greg just announced&lt;/a&gt; that the interview is &lt;a href="http://www.runasradio.com/default.aspx?showNum=12" target="_blank" 
mce_href="http://www.runasradio.com/default.aspx?showNum=12"&gt;now live for your listening pleasure&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Greg &amp;amp; Rich: Thanks for the opportunity to talk with you guys - looking forward to doing it again soon :)&lt;/p&gt; &lt;p&gt;Enjoy!&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3673898" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>Announcing the Information Card Icon</title><link>http://blogs.msdn.com/richardt/archive/2007/06/25/announcing-the-information-card-logo.aspx</link><pubDate>Mon, 25 Jun 2007 19:44:11 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3522981</guid><dc:creator>richardt</dc:creator><slash:comments>10</slash:comments><comments>http://blogs.msdn.com/richardt/comments/3522981.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=3522981</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=3522981</wfw:comment><description>&lt;p&gt;&lt;font color="#ff8000"&gt;[Update: 6/25/2007 @ 13:40 PST]&lt;br&gt;&lt;/font&gt;&lt;font color="#ff8000"&gt;Please note:&lt;strong&gt; &lt;/strong&gt;This icon is NOT a Windows CardSpace Icon. 
It's an icon to symbolize that a site or application supports Information Cards, regardless of the identity selector used to submit an Information Token associated with any Information Card.&lt;/font&gt; &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/richardt/WindowsLiveWriter/AnnouncingtheInformationCardLogo_8842/infocard_114x80.png" atomicselection="true"&gt;&lt;img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; margin: 0px 10px 2px 0px; border-right-width: 0px" height="80" alt="infocard_114x80" src="http://blogs.msdn.com/blogfiles/richardt/WindowsLiveWriter/AnnouncingtheInformationCardLogo_8842/infocard_114x80_thumb.png" width="114" align="left" border="0"&gt;&lt;/a&gt; Ever since announcing Windows CardSpace and introducing the world to the benefits of Information Cards, we’ve been asked repeatedly when there would be a visual icon that could be used by sites and applications that accept Information Cards … &lt;/p&gt; &lt;p&gt;We’re delighted to announce the immediate availability of the Information Card Icon. You’re free to use this icon (in accordance with the accompanying guidelines) to provide a clear, consistent visual cue to your users that your sites and applications support Information Cards. This will make it easier for users to recognize how and where to sign-in to your site and enjoy the ease-of-use and safety of Information Cards.  &lt;p&gt;We encourage you to replace any temporary icons you might have used on your existing sites and demos with an appropriately sized version of the Information Card icon to increase consistency and recognition of your support of Information Cards.  
&lt;p&gt;Please &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=ce99e033-39a8-4bc5-9014-60ed0b560d0e&amp;amp;displaylang=en"&gt;download the Information Card Icon package&lt;/a&gt; which contains usage guidelines, FAQ, and a series of pre-rendered PNG images in different sizes along with the master Illustrator artwork.  &lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3522981" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>"Phishing Resistant" OpenID spec published</title><link>http://blogs.msdn.com/richardt/archive/2007/06/24/phishing-resistant-openid-spec-published.aspx</link><pubDate>Mon, 25 Jun 2007 01:48:32 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3506014</guid><dc:creator>richardt</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/richardt/comments/3506014.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=3506014</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=3506014</wfw:comment><description>&lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/richardt/WindowsLiveWriter/OpenIDProviderPhishingResistantAuthentic_DC4E/image.png" atomicselection="true"&gt;&lt;img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; margin: 0px 8px 4px 0px; border-right-width: 0px" height="133" alt="image" src="http://blogs.msdn.com/blogfiles/richardt/WindowsLiveWriter/OpenIDProviderPhishingResistantAuthentic_DC4E/image_thumb.png" width="169" align="left" border="0"&gt;&lt;/a&gt; Mike Jones has just posted news that VeriSign's &lt;a href="http://daveman692.livejournal.com/" target="_blank"&gt;David Recordon&lt;/a&gt; has just published a proposed &lt;a href="http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html" target="_blank"&gt;"OpenID Provider 
Authentication Policy Extension 1.0" spec&lt;/a&gt;. &lt;/p&gt; &lt;p&gt;This spec is essentially the culmination of several months of effort by the OpenID community to deliver upon what was promised at RSA 2007 back in February, namely, the introduction of technologies such as Information Cards as a mechanism to protect users&amp;nbsp;from phishing and other identity-related attacks.&lt;/p&gt; &lt;p&gt;Congratulations to the OpenID community on this landmark spec.&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3506014" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>Did the chicken really come first?</title><link>http://blogs.msdn.com/richardt/archive/2007/06/21/did-the-chicken-really-come-first.aspx</link><pubDate>Fri, 22 Jun 2007 01:06:05 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3448862</guid><dc:creator>richardt</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/richardt/comments/3448862.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=3448862</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=3448862</wfw:comment><description>&lt;p&gt;Someone who I'll keep anonymous just mailed me in relation to my post yesterday:&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;I know you didn't ask (nor was it your point) -- but the Egg came first. It was laid by some animal that was really, really genetically close to a chicken.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;I have to say, I'm not sure I agree. 
Didn't the creature that gave birth to the first egg have to exist before the egg it laid?&lt;/p&gt; &lt;p&gt;But then, come to think of it, maybe the egg from which the first chicken came was laid by something that was not a chicken and was perhaps formed in some other way than the usual egg 'n' sperm method? Which would mean it would have come first, no?&lt;/p&gt; &lt;p&gt;Q.E.D. the chicken (or other lifeform) came first! ;)&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3448862" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>The Chicken and the Egg</title><link>http://blogs.msdn.com/richardt/archive/2007/06/20/the-chicken-and-the-egg.aspx</link><pubDate>Thu, 21 Jun 2007 01:05:38 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3431847</guid><dc:creator>richardt</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/richardt/comments/3431847.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=3431847</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=3431847</wfw:comment><description>&lt;p&gt;You all know the age old question: "who came first, the chicken or the egg". 
Well, there's been some considerable discussion of late on the subject of how to help foster the growth of adoption of Information Cards and identity selectors such as Windows CardSpace and up-coming selectors such as &lt;a title="Bandit open source identity selector project" href="http://www.bandit-project.org/" target="_blank"&gt;Bandit&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;In one recent discussion I commented that we're in a kind of chicken and egg situation right now - whilst everyone agrees that identity&lt;a href="http://www.cartoonnetworkla.com/english/cowchicken/index.html" target="_new" atomicselection="true"&gt;&lt;img style="margin: 8px 0px 8px 8px" height="200" alt="Cow and Chicken - the funniest cartoon ever! :)" src="http://members.lycos.nl/cownchicken/ep/ep-egg.jpg" width="267" align="right"&gt;&lt;/a&gt; selectors and information cards are a good thing, it's taking some time for people to evaluate the concepts and ideas behind the Identity Metasystem and to look into actually supporting information cards at their sites. Many relying parties we've spoken to say they'll look into adding support to their sites once there are enough people to warrant doing so (and once there's an identity selector for non-Microsoft platforms, and once ...). Then there are the identity providers - many of whom want us to tell them how they can make money on this thing. Finally, we have users like my Mum &amp;amp; Dad - we can't turn the volume up for this audience until there are places to use their cards and identity providers willing to issue cards.&lt;/p&gt; &lt;p&gt;Keith Brown just posted &lt;a title="My comments on the chicken and egg situation" href="http://pluralsight.com/blogs/keith/archive/2007/06/11/47717.aspx" target="_blank"&gt;my comments&lt;/a&gt; on his blog and goes on to say:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;In my opinion, somebody (Microsoft?) needs to break this holding pattern fast. 
I agree that things aren't going to take off until there are more relying parties.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;We're doing all we can to break this pattern. We were the first (through &lt;a title="Kim Cameron's Blog" href="http://www.identityblog.com/" target="_blank"&gt;Kim&lt;/a&gt;)&amp;nbsp;to espouse &lt;a title="The 7 Laws of Identity" href="http://www.identityblog.com/?page_id=354" target="_blank"&gt;the principles of the 7 laws&lt;/a&gt; and articulate the need for&amp;nbsp;and &lt;a title="The Identity Metasystem paper" href="http://www.identityblog.com/?page_id=355" target="_blank"&gt;design of an Identity Metasystem&lt;/a&gt;. We were the first to release a viable identity selector - Windows CardSpace - and continue to invest heavily in future versions and supporting technologies. We're educating our field and providing them (and partners) with the resources they need to learn and then tell this story. We are working with a very large number of web-site operators and related businesses to take this fledgling concept and technology and help it grow and flourish into the magnificent creature that it promises to be.&lt;/p&gt; &lt;p&gt;But we can't do it all, and we can't do it all ourselves. In fact, we've already tried doing it all and only doing it ourselves, and the world said "no".&lt;/p&gt; &lt;p&gt;We are just part of this story - our many partners and compatriots in this space (IBM, Novell, PingID, VeriSign, OpenID, sxip, BMC, Sun&amp;nbsp;and many, many&amp;nbsp;others) are all busily beavering away, building support for information cards for a variety of platforms, technologies and products. 
But all our work is in vain unless there are sites that accept cards and identity providers to issue managed cards.&lt;/p&gt; &lt;p&gt;This is where we welcome you, dear reader, to investigate &lt;a title="The 7 Laws of Identity" href="http://www.identityblog.com/?page_id=354" target="_blank"&gt;the principles&lt;/a&gt;, &lt;a title="The Identity Metasystem paper" href="http://www.identityblog.com/?page_id=355" target="_blank"&gt;the design&lt;/a&gt; and &lt;a title="Introducing Windows CardSpace" href="http://msdn2.microsoft.com/en-us/library/aa480189.aspx" target="_blank"&gt;the implementation&lt;/a&gt; of this Identity Metasystem and, if you believe that it's a "good thing", then take action. Join us and add support for information cards to your sites, systems and&amp;nbsp;apps. &lt;/p&gt; &lt;p&gt;The time for nodding in appreciation but standing by and doing nothing is past. While the industry pontificates about the Identity Metasystem being a "good thing", our users (and that includes ourselves) are continuing to suffer from password fatigue at best and phishing attacks at worst. 
&lt;/p&gt; &lt;p&gt;Together, we can all help stop the rot.&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3431847" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>Dominick going CardSpace crazy!</title><link>http://blogs.msdn.com/richardt/archive/2007/06/18/dominick-going-cardspace-crazy.aspx</link><pubDate>Tue, 19 Jun 2007 03:24:51 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:3393359</guid><dc:creator>richardt</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/richardt/comments/3393359.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=3393359</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=3393359</wfw:comment><description>&lt;p&gt;Y'know, sometimes you meet someone who needs a life, but is clearly having so much fun and churning out useful things that you're kinda glad they don't! &lt;a title="Dom's blog" href="http://www.leastprivilege.com/" target="_blank" rel=" "&gt;Dominick&lt;/a&gt; is one such guy! ;)&lt;/p&gt; &lt;p&gt;Over the last couple of weeks, Dominick has churned out not just an &lt;a title="Updated ASP.NET Control for Windows CardSpace" href="http://www.leastprivilege.com/UpdatedCardSpaceControlForASPNET.aspx" target="_blank"&gt;updated ASP.NET control for Windows CardSpace&lt;/a&gt; (and other identity selectors when they start to become available) but has also just published a &lt;a title="GetToken() wrapper" href="http://www.leastprivilege.com/GettingCardSpaceTokensProgrammatically.aspx" target="_blank"&gt;wrapper for the GetToken() method&lt;/a&gt; on the CardSpaceSelector object. This wrapper lets you easily use CardSpace from within your own WinForms apps, and elsewhere in order to integrate CardSpace support into your apps and systems.&lt;/p&gt; &lt;p&gt;Awesome stuff! 
Now, just make sure you don't barrage Dom with email - we don't want to distract him from his next project now do we? ;) :)&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=3393359" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>Shibboleth to support Information Cards</title><link>http://blogs.msdn.com/richardt/archive/2007/05/29/shibboleth-to-support-information-cards.aspx</link><pubDate>Tue, 29 May 2007 22:38:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2973695</guid><dc:creator>richardt</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/richardt/comments/2973695.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=2973695</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=2973695</wfw:comment><description>&lt;p&gt;&lt;a title="Mike Jones' Blog" href="http://self-issued.info/" target="_blank"&gt;Mike Jones&lt;/a&gt; has &lt;a title="Mike Jones posts the news that Shibboleth is adding support for information cards" href="http://self-issued.info/?p=10" target="_blank"&gt;posted&lt;/a&gt; the news that &lt;a title="About Internet2" href="http://www.internet2.edu/about/" target="_blank"&gt;Internet2&lt;/a&gt;&amp;nbsp;(the advanced networking consortium) announced last week that they are &lt;a title="Shibboleth announces support for information cards" href="https://mail.internet2.edu/wws/arc/i2-news/2007-05/msg00009.html" target="_blank"&gt;adding support for information cards to the Shibboleth federated authentication infrastructure&lt;/a&gt;. 
This is fantastic news for the millions of people attending or employed by thousands of academic and research establishments around the world as it will enable them to not only authenticate more easily and safely than ever before, but also provide third parties with a signed statement of their affiliation with&amp;nbsp;a given&amp;nbsp;establishment, essentially proving that they are a student or an employee, etc. &lt;/p&gt; &lt;p&gt;This latter scenario could prove to be a hugely beneficial capability enabling people to forge stronger relationships with supporting merchants and service providers, helping them enjoy deeper discounts and value-added services than is achievable today.&lt;/p&gt; &lt;p&gt;Congratulations to the Internet2 teams and we look forward to seeing Shibboleth help educational establishments and their partners around the world become "Identity Aware".&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=2973695" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>The world's simplest CardSpace demo source code</title><link>http://blogs.msdn.com/richardt/archive/2007/05/09/the-world-s-simplest-cardspace-demo-source-code.aspx</link><pubDate>Thu, 10 May 2007 07:47:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2516850</guid><dc:creator>richardt</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.msdn.com/richardt/comments/2516850.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=2516850</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=2516850</wfw:comment><description>&lt;p&gt;A few weeks ago I published a couple of screencasts on Channel9. 
&lt;a title="Channel9 Screencast examining how to add support for informaiton cards to a site" href="http://channel9.msdn.com/Showpost.aspx?postid=291878" target="_blank"&gt;The first&lt;/a&gt; illustrated the Windows CardSpace user experience and how you can add support for information cards to your site with very little code. &lt;a title="Channel9 Screencast illustrating how to configure IIS7 to support information card enabled sites" href="http://channel9.msdn.com/ShowPost.aspx?PostID=295904" target="_blank"&gt;The second&lt;/a&gt; went on to demonstrate how to configure IIS7 to support a site that accepts information cards.&lt;/p&gt; &lt;p&gt;But where is the code you ask? The wait is over - you can find it&amp;nbsp;&lt;a title="The world's simplest Windows CardSpace sample" href="http://www.bitcrazed.com/Downloads/Samples/CardSpaceDemov1.0.zip"&gt;here&lt;/a&gt;! :)&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=2516850" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>Playing with the Windows CardSpace sandbox</title><link>http://blogs.msdn.com/richardt/archive/2007/05/09/playing-with-the-windows-cardspace-sandbox.aspx</link><pubDate>Thu, 10 May 2007 01:54:34 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2511679</guid><dc:creator>richardt</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/richardt/comments/2511679.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=2511679</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=2511679</wfw:comment><description>&lt;p&gt;&lt;/p&gt; &lt;p&gt;For those that are not aware, several months ago, we launched the &lt;a title="CardSpace Sandbox" href="http://sandbox.netfx3.com/" target="_blank"&gt;Windows CardSpace “Sandbox”&lt;/a&gt; that you can play with to try out the 
CardSpace experience. Whilst many of you have managed to work out how to&amp;nbsp; register and sign-in, many of you have experienced an issue or two. In order to make it clear how to sign-in to the Sandbox, please follow these instructions:  &lt;ol&gt; &lt;li&gt;Register:&lt;a href="http://sandbox.netfx3.com/" target="_new" atomicselection="true"&gt;&lt;img style="margin: 0px 0px 0px 8px" height="367" src="http://blogs.msdn.com/blogfiles/richardt/WindowsLiveWriter/PlayingwiththeWindowsCardSpacesandbox_DDE3/image%7B0%7D%5B7%5D.png" width="184" align="right" border="0"&gt;&lt;/a&gt;  &lt;ol&gt; &lt;li&gt;Go to &lt;a href="https://sandbox.netfx3.com/user/CreateUser.aspx"&gt;HTTPS://sandbox.netfx3.com/user/CreateUser.aspx&lt;/a&gt; and hit "Join with an information card"  &lt;li&gt;Windows CardSpace will start up  &lt;li&gt;If this is the first time you've registered at the site, Windows CardSpace will present you with a page introducing you to the site, helping you make sure this is the site you expected it to be. Confirm that you want to submit a card to the site.&amp;nbsp;  &lt;li&gt;If you have no compatible cards (i.e. a card lit up in color), create one making sure to provide data for at least the fields the Sandbox is requesting from you (first name, last name, email). Note that the card name is purely for your use and is never transmitted to a site so you can name the card whatever you like.  
&lt;li&gt;Select a compatible card and hit submit  &lt;ol&gt; &lt;li&gt;If this is the first time you’ve submitted this card, you’ll be shown a preview of the data – review and hit submit  &lt;li&gt;You’ll now be asked to create a site-specific user name (note in the top right that the site has already created you a temporary username (first initial+surname[+optional uniquifier]), but this gives you a chance to call yourself something relevant (or anonymous) to that site)&lt;/li&gt;&lt;/ol&gt; &lt;li&gt;You’re now signed in.&amp;nbsp;  &lt;li&gt;Sign out of the site (using “logout” button) in the top right &lt;/li&gt;&lt;/ol&gt; &lt;li&gt;Sign back in again. Hit the sign in link  &lt;ol&gt; &lt;li&gt;Hit the “Sign in” with my information card button  &lt;li&gt;Up pops Windows CardSpace  &lt;li&gt;Notice the card you signed in with is sorted to the top of the list, helping you remember which cards you’ve previously submitted to the site&lt;br&gt;Hit this card and hit send  &lt;li&gt;You’re now signed in!&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;/ol&gt; &lt;p&gt;Hope this helps any of you having problems with the site. If you have any other issues, be sure to let us know through the &lt;a href="https://sandbox.netfx3.com/blogs/feedback/contact.aspx"&gt;”Contact Us” Sandbox feedback mechanism&lt;/a&gt; and one of the team will respond as quickly as we can.  &lt;p&gt;Enjoy! 
;)&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=2511679" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>TSA Loses a hard-drive containing 100,000 names, social security numbers and payroll info</title><link>http://blogs.msdn.com/richardt/archive/2007/05/07/tsa-looses-a-hard-drive-containing-100-000-names-social-security-numbers-and-payroll-info.aspx</link><pubDate>Tue, 08 May 2007 04:48:07 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2472165</guid><dc:creator>richardt</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/richardt/comments/2472165.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=2472165</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=2472165</wfw:comment><description>&lt;p&gt;Read the story here: &lt;a href="http://www.theregister.com/2007/05/07/tsa_loses_hard_drive/"&gt;http://www.theregister.com/2007/05/07/tsa_loses_hard_drive/&lt;/a&gt;
	&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;The TSA doesn't know whether the device is still within headquarters or was stolen.
&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&amp;lt;Snip/&amp;gt;
&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;They are unsure whether the data was encrypted or not. 
&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;I don't want to sound blasé, but it's a shame they aren't running Vista and using BitLocker to encrypt their drives. 
&lt;/p&gt;&lt;p&gt;I KNOW how painful this can be – about 4 months before I moved from Microsoft UK to Microsoft US, thieves broke into my car and stole my laptop (and bag containing my camera with pictures of my daughter's 1&lt;sup&gt;st&lt;/sup&gt; day at school ☹). My laptop had 2 years' worth of enormously sensitive email as well as a copy of the entire Windows source tree. Thankfully, I'd gotten spooked a year previously when there was a rash of laptops being stolen from employees' cars and decided to take the small perf hit to encrypt my sensitive folders so I knew my data was safe. I was soooo happy I didn't have to go tell my boss and get on the phone with Allchin and Valentine and alert them that the source code for Windows was out there in the wild! 
&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;The TSA is investigating to see if proper data security procedures were followed.
&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;Personally, I wonder if the people responsible for the TSA's infrastructure might not be more liable and have to answer for THEIR jobs. It seems to me that most clerical staff, knowledge workers, etc. just use the tools they're given and don't want or need to understand the importance of things like data encryption. Surely it's the IT Director and Security Director who should be making sure that their infrastructure is as safe and secure as possible, no?&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=2472165" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item><item><title>What happens when Identity goes wrong?</title><link>http://blogs.msdn.com/richardt/archive/2007/05/07/what-happens-when-identity-goes-wrong.aspx</link><pubDate>Tue, 08 May 2007 03:42:12 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2471352</guid><dc:creator>richardt</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/richardt/comments/2471352.aspx</comments><wfw:commentRss>http://blogs.msdn.com/richardt/commentrss.aspx?PostID=2471352</wfw:commentRss><wfw:comment>http://blogs.msdn.com/richardt/rsscomments.aspx?PostID=2471352</wfw:comment><description>&lt;p&gt;If you ever wondered why &lt;a href="http://www.identityblog.com/"&gt;Kim&lt;/a&gt; worked so hard to form the &lt;a href="http://www.identityblog.com/?page_id=352"&gt;7 Laws of Identity&lt;/a&gt;, you *MUST* watch this short video! 
&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.adcritic.com/interactive/view.php?id=5927"&gt;http://www.adcritic.com/interactive/view.php?id=5927&lt;/a&gt;
	&lt;/p&gt;&lt;p&gt;Whilst funny, it's also shockingly potent.&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=2471352" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/richardt/archive/tags/Identity/default.aspx">Identity</category></item></channel></rss>