06/15/06
You Are Now Entering CardSpace
CardSpace (previously InfoCard) promises to make it easier and safer to log on online
By Esther Schindler
In the early days of e-commerce and online security, it meant something for a Web site to have an SSL certificate. The process of getting one of these "high assurance" (HA) certificates took a few weeks, during which you had to prove that the company really existed, that the person applying for the certificate was truly an officer of the company, and so on. And it was expensive. "Today," said Richard Turner, Microsoft product manager on the WinFX (now .NET Framework 3.0) Strategy team, speaking at the TechEd conference in Boston this week, "you can get an SSL certificate for $8 from Bolivia."
Yet proving one's online identity is more urgent than ever before. We're inundated by Web sites that each have unique password requirements, we're threatened by keyloggers primed to catch private data, phishing schemes make us distrust the sites we visit, and it's ever more difficult for users and IT shops to keep up with security methods.
Some years ago, Microsoft attempted to deal with this conundrum by providing its Passport technology. Passport required users to log into a Microsoft-managed service, which would act as password provider for Web sites that supported the technology. Passport failed miserably, for reasons that sound obvious today, such as Microsoft's, er, less than stellar security reputation and the requirement for sites to explicitly write their code to support Passport.
The company is trying again with InfoCard (which, this week, they just renamed CardSpace), and they're doing their best to convince users, developers, and companies to get on board. In Microsoft's definition, CardSpace is an identity layer for the Internet that's an inclusive, standards-based model built on the "laws of identity."
A CardSpace environment runs under a separate desktop and restricted account, isolated from the Windows desktop. It can include two kinds of cards (infocards? information cards? with the technology rename, nobody's sure yet what to call these), each of which holds data in an encrypted form. A self-issued card contains whatever the user enters personally, such as name, address, pet's name, whatever. A managed card is one that you authorize but which is authenticated by a third party (an "Identity Provider"), such as a bank, store, or government agency. Managed cards contain metadata only; the data is stored by the Identity Provider and obtained only when the card is submitted.
An example will make this a little clearer. Microsoft's standard CardSpace demo (we saw it at MIX and again at TechEd) is a car rental company. We could come up with another arbitrary application, but theirs is useful enough for the purpose.
In the demo, instead of the familiar login screen, the site pops up a request for a card with a demand (we're getting beyond polite requests in this industry) for the info it needs: name, phone number, a frequent-renter card ID. The CardSpace environment shows all the cards that match the requested information, presumably including the one you created when you signed up for the rental car program. The card you pick is sent, encrypted, to the site, along with an indication that this is a self-issued card.
In more technical terms: when the user hits the "log in with InfoCard" button on the site, the relying party responds with an OBJECT tag containing the site's claim demands (which claims the Web site requires the user to provide on return) and the URL of the page to which to send the token. The Web browser (they've shown this only with IE7) recognizes the tag and calls InfoCardClient.GetToken(...), passing in the claim demands and postback URL. InfoCard spools up, and the UI is displayed. The UI sorts the cards according to their ability to satisfy the relying party's claim demands and whether the card was previously submitted to the site.

So far, so good. You haven't needed to remember a password that looks like line noise, and no data has crossed the wire that a keylogger could snag. The data is kept in your possession, and transmissions are timestamped to prevent replay attempts. But maybe that's not all that much of an improvement.
However, let's say you're a member of an Automobile Association which gives you a discount on car rentals. When you choose "Select discount" for the car rental, the site pops up another card request. Again, you choose from those which meet the criteria. (You could have a membership in more than one auto club, after all.) But this card is managed by a third party. It doesn't have your identifying data directly stored in the card. When you send it to the car rental agency, the agency's software contacts the Association to acquire the data behind the managed card; that is, it ascertains your membership (did you remember to pay your dues?), qualifying discount, and whatever else is relevant.
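The two exchanges above (the self-issued card for the login, then the managed card for the discount) follow one pattern: the relying party states its claim demands, the selector ranks the user's cards by whether they can satisfy those demands and whether they were used at that site before, and the returned token carries a timestamp so the site can reject replays. The following Python model, added here as an illustration and not code from the article or from Microsoft's CardSpace implementation, walks through that pattern end to end. It is a deliberate simplification: the real system exchanges signed SAML tokens over WS-Trust, whereas here an HMAC with a shared key stands in for the token signature, and the identity provider is an in-memory dictionary. All cards, claims, sites and keys are constructed.

```python
"""Simplified model of the CardSpace flow described above: a relying party
publishes claim demands, the identity selector ranks the user's cards by
whether they can satisfy those demands (and whether they were used at this
site before), and the relying party checks the returned token for freshness
and replay. Hypothetical simplification, not the real CardSpace/WS-Trust
token format. All cards, claims, keys and sites below are constructed."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Card:
    name: str
    claims: Dict[str, Optional[str]]     # self-issued: user-entered values;
                                         # managed: claim names only (values None)
    issuer: Optional[str] = None         # managed card: the identity provider
    used_at: set = field(default_factory=set)  # sites this card was submitted to

    @property
    def is_managed(self) -> bool:
        return self.issuer is not None


# Constructed identity provider: holds the real data behind a managed card.
IDENTITY_PROVIDERS = {
    "example-auto-association": {
        "membership_id": "AAA-0001",
        "dues_paid": "yes",
        "discount_pct": "10",
    }
}


def rank_cards(cards: List[Card], demands: List[str], site: str) -> List[Card]:
    """Return only the cards that can supply every demanded claim, with cards
    previously submitted to this site listed first (the selector UI ordering)."""
    def can_satisfy(card: Card) -> bool:
        # A managed card carries only metadata: it advertises which claim
        # names its issuer will supply, not the values themselves.
        return all(claim in card.claims for claim in demands)
    matching = [c for c in cards if can_satisfy(c)]
    return sorted(matching, key=lambda c: site not in c.used_at)  # stable sort


def issue_token(card: Card, demands: List[str], site: str, key: bytes) -> dict:
    """Build the token posted back to the relying party. A self-issued card
    embeds the values; a managed card embeds only the claim names and issuer,
    which the site resolves with the identity provider."""
    body = {
        "site": site,
        "issued_at": int(time.time()),      # timestamp used for the freshness check
        "token_id": secrets.token_hex(8),   # unique id so the verifier can spot replay
        "self_issued": not card.is_managed,
        "issuer": card.issuer,
        "claims": {k: card.claims[k] for k in demands},
    }
    card.used_at.add(site)
    payload = json.dumps(body, sort_keys=True).encode()
    # HMAC stand-in for the real token signature (constructed shared key).
    return {"body": body, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


class RelyingParty:
    """The car-rental site: verifies tokens and resolves managed-card claims."""

    def __init__(self, site: str, key: bytes, max_age: int = 300):
        self.site, self.key, self.max_age = site, key, max_age
        self.seen_tokens: set = set()

    def accept(self, token: dict, now: Optional[int] = None) -> Dict[str, str]:
        body = token["body"]
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            raise ValueError("bad signature")
        if body["site"] != self.site:
            raise ValueError("token issued for another site")
        now = int(time.time()) if now is None else now
        if now - body["issued_at"] > self.max_age:
            raise ValueError("stale token")
        if body["token_id"] in self.seen_tokens:
            raise ValueError("replayed token")
        self.seen_tokens.add(body["token_id"])
        if body["self_issued"]:
            return dict(body["claims"])
        # Managed card: contact the issuer for the actual values.
        idp = IDENTITY_PROVIDERS[body["issuer"]]
        return {k: idp[k] for k in body["claims"]}
```

The replay and freshness checks live on the relying party because that is where a captured token would be presented; the selector's ranking is purely a usability step and grants nothing on its own.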
Microsoft is emphasizing the ease of adoption for CardSpace, which is a nice way of saying that they're begging developers to get involved. For a proof of concept project, says Turner, all it takes to use the technology is to embed a bit of XML in your Web site, and to update the sign-in page. A three-line code change is all that's necessary to change from self-issued to managed infocards.
And, they stress, all this can be done with non-Microsoft technologies, including Java and Linux. "The only Microsoft bit here is Infocard," said Turner.
CardSpace will be built into Windows Vista, and will be available for Windows XP and Windows Server 2003, the company says. (Betas and CTPs are available here.) According to Turner, Microsoft is pushing for a CardSpace RTM (Release to Manufacturing) "in just a few months."
For CardSpace to succeed, it will need buy-in from more than site developers. The company is exhorting financial firms and other such organizations (pleading might be a better word) to participate in the managed card program as Identity Providers.
Esther Schindler has been writing about technology professionally since 1992, and her byline has appeared in dozens of IT publications. She's optimized compilers, owned a computer store, taught corporate training classes, moderated online communities, run computer user groups, and, in her spare time, written a few books. You can reach her at esthers@digitalmediaonlineinc.com.
Source: Digital Media Online. All Rights Reserved.