Musings on Digital Identity

Category: Documentation

WS-Addressing Identity Extension Published

Information Card IconIBM and Microsoft just published the specification “Application Note: Web Services Addressing Endpoint References and Identity” at This specification is referenced by the Identity Selector Interoperability Profile (ISIP) and is covered by Microsoft’s Open Specification Promise (OSP). This completes the publication and licensing under the OSP of all specifications that Information Cards based upon the ISIP depend upon.

Note: While ISIP 1.5 references the addressing identity extension using a date of July 2008, it was actually published in August. This is an erratum in the ISIP that resulted from the publication of the extension taking longer than anticipated — not a reference to a different document. Both consistently use the URL

Identity Selector Interoperability Profile V1.5

Information Card IconI am pleased to announce the publication of the Identity Selector Interoperability Profile V1.5 and companion guides. The ISIP (as it’s come to be called) documents the protocols and data formats used by Windows CardSpace so as to enable others to build compatible Information Card software.

Version 1.0 of these documents corresponded to the.NET Framework 3.0 version of CardSpace. Version 1.5 corresponds to CardSpace as of .NET Framework 3.5 Service Pack 1. Like the previous version, ISIP 1.5 is licensed under Microsoft’s Open Specification Promise.

Significant new content covers:

  • Relying Parties without SSL certificates
  • Use of WS-Trust 1.3 and WS-SecurityPolicy 1.2
  • Relying Party STSs
  • More stable PPID algorithm
  • Specifications for computing ic:IssuerId and ic:IssuerName
  • Token references by Identity Providers via wst:RequestedAttachedReference and wst:RequestedUnattachedReference elements
  • Custom issuer information in cards
  • Custom error messages
  • Clarification that an ic:MasterKey is required for managed cards
  • Plus numerous of clarifications that were found by others building Information Card software — especially during the OSIS interops

The three new document versions are:

Thanks to the literally dozens of you who provided comments on ways to improve the ISIP and companion docs and who reviewed drafts of this material. This version of the docs benefited substantially from your detailed knowledge of and experience with the previous spec gained through implementing interoperable Information Card software.

Finally, I’d like to thank the members of the CardSpace team who diligently documented many of these features on the CardSpace Team Blog in advance of their publication under the ISIP. Your work let the industry gain early experience with implementing these features and was a tremendous resource to me as I was producing these versions of the documents.

CardSpace Consumer Website

Windows logoMicrosoft recently created a Consumer Website for CardSpace to educate end-users about Windows CardSpace and Information Cards. This complements the developer-focused information at the MSDN CardSpace site and the CardSpace Community Site.

No, it’s not the kind of content targeted at regular readers of this blog — especially the short video — but then, that’s kind of the point. :-)

ANSI-BBB Identity Theft Prevention and Identity Management Standards Panel Final Report

ANSI-BBB Identity Theft Prevention and Identity Management Standards PanelThe ANSI-BBB Identity Theft Prevention and Identity Management Standards Panel recently issued its final report. Quoting from the report announcement:

Launched in September 2006, the IDSP was established by the American National Standards Institute (ANSI) and Better Business Bureau (BBB) to identify and catalog existing standards, guidelines, and best practices related to identity theft prevention.
Panel members considered the entire life cycle of identity management: from the issuance of identity documents by government and commercial entities, to the acceptance and exchange of identity data, and to the ongoing maintenance and management of identity information. Hundreds of documents — including the applicable laws, regulations, proposed legislation, white papers, and research studies and reports — are identified in the catalog.
The report also includes recommendations for business and government agencies to:

  • enhance the security of identity issuance processes to facilitate greater interoperability between the government and commercial sectors;
  • improve the integrity of identity credentials;
  • strengthen best practices for authentication;
  • augment data security management best practices such as the use and storage of Social Security numbers;
  • create uniform guidance for organizations on data breach notification and remediation;
  • increase consumer understanding of ID theft preventative strategies, including the benefits and limitations of security freezes.

This report provides one of the most comprehensive looks to date at the problem of identity theft and the fraud that accompanies it. It both surveys the current identity landscape and makes recommendations for business, government, and consumers to mitigate these threats both in the offline and online environments.

Come ‘n get it!

Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital IdentitiesUnderstanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities by Vittorio Bertocci, Garrett Serack, and Caleb Baker, is now in print!. As I wrote for the “praise page” of the book:

Chock full of useful, actionable information covering the “whys”, “whats”, and “hows” of employing safer, easier-to-use, privacy-preserving digital identities. Insightful perspectives, on topics from cryptography and protocols to user interfaces and online threats to businesses drivers, make this an essential resource!

Come ‘n get it!

OpenID 2.0 Specifications Complete

This morning at the Internet Identity Workshop, the OpenID Foundation announced that the OpenID 2.0 Specification and a set of related specifications are now complete. Furthermore, Intellectual Property Contribution Agreements have been executed by all the contributors to these specifications.

Here’s a camera-phone photo of Dick Hardt of Sxip Identity, Josh Hoyt of JanRain, and David Recordon of Six Apart making the announcement. Congratulations to the OpenID community on this significant accomplishment!

Dick Hardt, Josh Hoyt, and David Recordon announcing that the OpenID 2.0 specifications are complete

Understanding Windows CardSpace Book

Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital IdentitiesI highly recommend the new book Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities by Vittorio Bertocci, Garrett Serack, and Caleb Baker. As I wrote for the “praise page” of the book after reading the current draft:

Chock full of useful, actionable information covering the “whys”, “whats”, and “hows” of employing safer, easier-to-use, privacy-preserving digital identities. Insightful perspectives, on topics from cryptography and protocols to user interfaces and online threats to businesses drivers, make this an essential resource!

A must-have for anyone deploying or considering deploying Information Cards. And if you can’t wait for the book to be published, you can also purchase a first draft of the book from Rough Cuts. Enjoy!

User-Centric Identity Interop at Catalyst in Barcelona

Logos of Barcelona Interop Participants 2007

Last night OSIS and the Burton Group held the third in a series of user-centric identity Interop events where companies and projects building user-centric identity software components came together and tested the interoperation of their software together. Following on the Interops at IIW in May and Catalyst in June, the participants continued their joint work of ensuring that the identity software we’re all building works great together.

This Interop had a broader scope along several dimensions than the previous ones:

An excerpt from Bob Blakley’s insightful-as-always commentary on the Interop is:

The participants have posted their results on the wiki, and a few words are in order about these results. The first thing you’ll notice is that there are a significant number of “failure” and “issue” results. This is very good news for two reasons.

The first reason it’s good news is that it means enough new test cases were designed for this interop to uncover new problems. What you don’t see in the matrix is that when testing began, there were even more failures — which means that a lot of the new issues identified during the exercise have already been fixed.

The second reason the “failure” and “issue” results are good news is that they’re outnumbered by the successes. When you consider that the things tested in Barcelona were all identified as problems at the previous interop, you’ll get an idea of how much work has been done by the OSIS community in only 4 months to improve interoperability and agree on standards of component behavior.

Be sure to read his full post for more details on what the participants accomplished together. And of course, this isn’t the end of the story. An even wider and deeper Interop event is planned for the RSA Conference in April 2008. Great progress on building the Internet identity layer together!

Information Card Icon Usage Guidelines Updated

Information Card IconDuring Catalyst in San Francisco we announced the now-familiar Information Card icon and its accompanying usage guidelines. Since then we’ve received community feedback on clarifications we could make to the guidelines. In response, we’ve publish an updated version of the guidelines addressing that feedback and an accompanying updated complete icon zip file during Catalyst in Barcelona.

Specifically, we were asked if we could be clearer that the icon can be used in contexts discussing and promoting Information Cards, not just in software, and some felt that the spacing guidelines were overly restrictive. My favorite feedback along these lines came from Dale Olds, in his wonderful Fashions in information card beachware post, where he wrote:

Thanks to Mike for the information card shirt. I try to wear it in compliance with the logo usage guidelines, but I think I probably sometimes stand too close to other images and I spilled some salsa on it. I’ll keep working on it.

So don’t worry Dale… I’m glad you’re enjoying your shirt and displaying the icon to the world. Heck, you can even print some cool new ones of your own using it if you want. (And if you do, it’d love it if you saved one for me!)

New CardSpace Team Blog, New CardSpace Features

I’m pleased to announce two great developments. First, the CardSpace team just established a team blog. The blog will provide a direct voice for the team members to communicate about their work.

Second, on the blog they’ve started a series of posts about new features to come in the .Net Framework 3.5, which will ship with Windows Vista Service Pack 1 and be available as a free download for Windows XP and Windows Server 2003. The first post in the series describes the ability to use Information Cards at relying parties over http connections, without requiring a SSL certificate. This was a feature a number of you had asked for and the team responded.

Subscribe to the blog and read the series! Also, check out Vittorio Bertocci’s useful commentary on the no-SSL feature.

Information Cards for OpenIDs

Sxip Identity just finished a draft specification that enables a really useful form of convergence between OpenIDs and Information Cards: presenting your OpenID as an Information Card you select rather than as a string you type. Johnny Bufu’s OpenID general mailing list note introduces this specification for community review.

This combination has several advantages over standard OpenID usage. First, there’s no OpenID string to type when you use your OpenID, which should make OpenIDs easier for more people to use. Second, this is a phishing-resistant authentication method. Finally, it lets you recognize and choose your OpenID visually, based on the card graphics supplied by the OpenID provider.

Sxip also backed this specification by a sample implementation, which you can check out at Now for some more details….

Here’s how it works: In this model, the OpenID relying party asks for an OpenID Information Card using an object tag on the page rather than having the user type the OpenID as a string (while probably also giving the user the option to instead type in the string for backwards compatibility). The user’s Identity Selector then lets the user choose which OpenID card to send to the site. The card transmits the actual OpenID string to the site as a claim. From that point on, standard OpenID protocol interactions ensue.

For instance, the sample relying party page asks you to “Login with an OpenID InfoCard” and requests the card using this evocative graphic:

OpenID InfoCard

Upon clicking the graphic, my identity selector is invoked, which shows me that I can use this OpenID Information Card at the site (which I’d previously obtained here):

Sxip OpenID InfoCard

After that, the sample performed a standard OpenID attribute exchange and the relying party greeted me with:

Welcome! You have logged in using your OpenID identifier.

Phone: (omitted)
Country: USA
City: Redmond
Address: One Microsoft Way, Building 40/5138
LastName: Jones
FirstName: Mike

Behind the scenes, the relying party had received this OpenID assertion:

<openid:OpenIDToken xmlns:openid="">openid.ns:
openid.ext1.value.attr5:One Microsoft Way, Building 40/5138

One final technical note that will be of interest to some of you: OpenID Information Cards do not use SAML tokens. They use one of two variants of openid:OpenIDToken tokens (depending upon whether the OpenID relying party uses OpenID 1.1 or 2.0 authentication).

Go get yourself an OpenID Information Card and give it a spin! Read and comment on the spec. Or even better yet, implement it and tell us about your experience!

Information Card Deployment Guide Update

Sign in with your Information CardAn updated version of the Information Card Deployment Guide is now available. Among other improvements, it’s been updated to employ the Information Card Icon. As the original deployment guide announcement said:

So you’ve decided to use Information Cards on your web siteā€¦ Now what? I’m pleased to announce that we’ve just published a document giving step-by-step guidance to Web developers on what we believe are the best practices for doing this. The document walks Web site developers through two different deployment scenarios: sites exclusively using Information Cards for authentication, and mixed-mode sites allowing the use of either passwords or Information Cards. Examples are given for site sign-in, site sign-up, and handling lost Information Cards, including suggested confirmation text for each of these scenarios.

This link to the document Patterns for Supporting Information Cards at Web Sites: Personal Cards for Sign up and Signing In references the current version and will be updated to point to any future revisions as well. The Sample Information Card Site employs these guidelines and is built using the Information Card Relying Party Resources announced earlier. Enjoy adding Information Card support to your web sites!

Information Cards and CardSpace Book

Beginning Information Cards and CardSpace: From Novice to ProfessionalThe first CardSpace book, Marc Mercuri‘s Beginning Information Cards and CardSpace: From Novice to Professional went to press last week and can now be ordered. Marc is an expert in CardSpace and numerous related technologies and his book is chock full of practical examples and samples. Read more about Marc here. Another CardSpace expert, virtual team member, and friend of mine, Steven Woodward, served as technical editor for the book. Congratulations Marc and Steven!

Where to get Windows CardSpace

In a recent comment, midtoad wrote:

There appears to be no way possible to allow my browser to recognize or use CardSpace cards. The one-minute video mentions a small download to be provided but none are available.

Let me try to help here. If you’re on Windows XP or Windows Server 2003 and you want to use Windows CardSpace you need to:

(Of course, if you’re on Windows Vista, you already have both.)

Finally, you didn’t say what browser you’re using. If you’re using IE you’re already set. If you’re using Firefox, follow the installation instructions at And if you’re on other platforms, you might want to check out the Bandit Project’s DigitalMe downloads. Hope this helps!

Information Card Icon

Information Card IconI’m very pleased to announce that, as of today, there is now a graphical icon freely available for people to use to indicate that “Information Cards are accepted here”. This icon is intended to provide a common visual cue that Information Cards can be used to provide information to a site or program, similarly to how the RSS icon is used to indicate the availability of syndicated content.

The guidelines for the use of the icon, a frequently asked questions document, a set of png images of the icon rendered in a range of sizes, and the original artwork in Illustrator format are all available together in a download package. Please consult the guidelines and the FAQ before using the icon.

You’ll notice that the login page for my blog now uses the icon. Hopefully your sites will soon too!

And just for fun, because the icon is, after all, a graphical element, here’s a gallery of the renderings of the icon that we included in the downloads package. Enjoy!

Phishing-Resistant Authentication Specification Ready

David Recordon just posted a simple draft OpenID specification enabling OpenID relying parties to request that a phishing-resistant authentication method be used by the OpenID provider and for providers to inform relying parties whether a phishing-resistant authentication method, such as Windows CardSpace, was used. This is a major step forward in fulfilling the promise of the JanRain/Microsoft/Sxip Identity/VeriSign OpenID/Windows CardSpace collaboration announcement introduced by Bill Gates and Craig Mundie at the RSA Security Conference this year.

In his post “Bringing Useful Scalable Security to OpenIDDavid wrote:

The integration cost of OpenID as a Relying Party is extremely low, the technology is free and as Brian Ellin and I showed at Web 2.0 Expo the time commitment is also low due to a lot of great Open Source code out there which takes care of the heavy lifting. So now the RP has successfully integrated OpenID and removed the need for new users to create yet another password for their site, though they no longer have the control over the strength of a user’s authentication process. The RP may be a simple Web 2.0 site and not care beyond that the user has a password, it may store marginally sensitive information and want to make sure that the Provider did something to help protect the user from common phishing attacks, or maybe it’s a site which has truly sensitive information and wants to make sure that a second-factor device, such as a VIP token, was used.

With the OpenID Provider Authentication Policy Extension that I just published, this is now possible. This extension to OpenID 1.1 and 2.0 allows Relying Parties to express preferences around the authentication, such as “use technology which is phishing resistant” (stemming from the collaboration announcement at the RSA conference earlier in the year), for the Provider to inform the user of the request, guide them through the authentication process, and then inform the Relying Party what happened. By taking advantage of existing specifications from the likes of the National Institute of Standards and Technology (NIST), Providers can also convey information as to the strength of a password or combination of a password and digital certificate or hardware device used. While the high-end of the specification may be beyond the uses of OpenID today, it certainly fulfills the scalable security vision that we have. Through this specification not only can I now strongly protect my OpenID identity, but let others know that I’m doing so and truly take advantage of a reduction in credentials needed when browsing the web.

I can’t wait to use the implementations that are sure to follow shortly!

“Understanding WS-Federation” Whitepaper and Don’s Continuing Insights on Federation

Don Schmidt recently posted this valuable entry announcing the publication of the IBM/Microsoft whitepaper “Understanding WS-Federation“:

Yesterday a White Paper, Understanding WS-Federation, was jointly published by IBM and Microsoft.  The primary goal of this paper is to promote an appreciation for the functional scope of the revised publication of WS-Federation.  As I have stated in previous posts, the scope of this specification extends far beyond the features delivered in first generation WS-Federation products, such as, Active Directory Federation Services v1.

The paper includes two use cases, an Enterprise “request for proposal” scenario and a Healthcare “emergency room treatment” scenario, that highlight key new features of WS-Federation 1.1.   Textual descriptions of the scenarios are annotated with sample XML message flows.

Another goal of this paper is to encourage participation in the OASIS WSFED TC.  Hopefully WS-Federation supporters and critics, alike, will find functionality that they care about, and be wiling to join in the open standards process for WS-Federation 1.1.

Very valuable reading for anyone wanting to understand the capabilities of WS-Federation, its relationship to WS-Trust, and the Security Token Service (STS) model.

And then in Don’s classic gracious style, he wrote the post “Standing on the Shoulders of Giants“, giving credit where credit is due, and asking for broad community participation in the OASIS WSFED TC. I highly recommend it as well.

Updated versions of Information Card profile documents published

New versions of three Information Card documents are now available:

These documents are intended for people building software that plays any of the roles in the Information Card ecosystem: Identity Providers to issue cards, Relying Parties to accept cards, and Identity Selectors to put the person in control by enabling them to employ Information Cards when and where they choose. They include the specifications necessary to move Information Cards from one Identity Selector implementation to another, enabling card portability. And they’re also for those of you who just want to look under the hood and understand how it all works…

Along with these updated documents also comes updated licensing. We recently completed the technical and legal review of the normative specifications that enabled us to bring them under Microsoft’s Open Specification Promise. While this had been in the queue since the beginning, sometimes good things take time and come in stages. Once we had a complete, highly reviewed (and community reviewed) version of the interoperability specifications, that enabled us to complete this licensing work as well.

Thanks to all of you who reviewed earlier versions of these docs and especially those of you who built software based upon them. These documents greatly benefited from the substantial community feedback we received.

A footnote for those of you who have used earlier drafts of these documentsā€¦ The “Identity Selector Interoperability Profile V1.0” was formerly known as “A Technical Reference to the Information Card Profile V1.0”; “An Implementer’s Guide to the Identity Selector Interoperability Profile V1.0” was formerly known as “A Guide to Interoperating with the Information Card Profile V1.0”; “A Guide to Using the Identity Selector Interoperability Profile V1.0 within Web Applications and Browsers” was formerly known as “A Guide to Supporting Information Cards within Web Applications and Browsers as of the Information Card Profile V1.0”.

Information Card Deployment Guide now live!

So you’ve decided to use Information Cards on your web site… Now what? I’m pleased to announce that we’ve just published a document giving step-by-step guidance to Web developers on what we believe are the best practices for doing this: Patterns for Supporting Information Cards at Web Sites: Personal Cards for Sign up and Signing In.

The document walks Web site developers through two different deployment scenarios: sites exclusively using Information Cards for authentication, and mixed-mode sites allowing the use of either passwords or Information Cards. Examples are given for site sign-in, site sign-up, and handling lost Information Cards, including suggested confirmation text for each of these scenarios.

We all owe Bill Barnes, Garrett Serack, and Keith Ballinger, as well as others behind the scenes, a big thank you for making this happen. Enjoy!

Page 2 of 2

Powered by WordPress & Theme by Anders Norén