Musings on Digital Identity

Category: Information Cards Page 4 of 5

Phishing Protection for the Enterprise

Enterprise Phishing ProtectionI was surprised during the recent blogosphere conversation on user-centric identity in the Enterprise, that no one referenced Sxip’s contemporaneous intelligently-written 2-page piece on how the use of Information Cards can help protect enterprise login credentials from being phished. Using Information Cards to enable safer remote access to hosted enterprise applications makes business sense. This seems to me like a perfect example of what Pam wrote: “I would like to see Enterprises adopt technologies such as the Identity Metasystem for no other reason than because it helps their business to succeed.”

Dick’s introduction to the security bulletin also references a number of recent press articles on phishing attacks against the enterprise that are well worth reading. I’m with Pam: user-centric identity technologies will be adopted in the enterprise exactly when they’re perceived as delivering real business value. This is such a case.

ASP.Net Information Card Relying Party Software

Dominick Baier recently extended his Information Card relying party ASP.Net Control to be able to be used on no-SSL sites in the same way as sites employing SSL. It’s available under an MIT License, so everyone should be able to use it.

At my urging, he also added a demo site where you can try it out, both with and without SSL, and with both self-issued and managed cards. I’ve added the demo site to my page of Sites Using Information Cards.

I-names without Passwords at LinkSafe

I’m pleased to report that ooTao and LinkSafe have recently collaborated to enable you to create and use i-names with Information Cards rather than passwords. They’ve achieved for what JanRain did for Below is a screen shot of me signing up for an i-name using an Information Card, rather than a password. Now when you see someone signed in to a site with the OpenID =me, you’ll know who it actually is! i-name signup with Information Card

Firefox Information Card Add-on Collaboration

Firefox logoThe new release of the Firefox Information Card add-on recently announced by Axel Nennker is notable not only for its features, but also because it incorporates contributions by Andy Hodgkinson of the Bandit Project that make it work with the DigitalMe Identity Selector. This means that the same Firefox add-on can now be used with at least three Identity Selectors — openinfocard, DigitalMe, and Windows CardSpace.

The benefits of sharing this core piece of Information Card infrastructure became apparent when some recent releases of Firefox broke the add-on in some scenarios. Because several copies of the code were in use by different projects by then, all the projects had to make their own fixes in their copies, both duplicating effort, and increasing the chances that different selectors would behave differently in quirky and non-obvious ways. I’m really pleased that Andy pitched in and contributed his fixes to the add-on project and that Axel incorporated them in a way that I believe means that DigitalMe won’t have to use a separate add-on anymore. Hopefully the other identity selectors will also follow suit soon, eliminating any unnecessary forking in this key project.

One nit with Axel’s post though… While he suggested calling the add-on “CardSpace for Firefox”, even though I’m a fan of CardSpace, the add-on is intended to work with any Identity Selector — not just CardSpace. Therefore I’d prefer selector-neutral names for the project like “Firefox Information Card add-on”, “Firefox Identity Selector add-on”, “Information Cards for Firefox”, etc. What selector-neutral term for the project do others prefer?

Look ma! No passwords!

As Vittorio excitedly pointed out, you never have to enter a password to create or use an OpenID at Kim’s excited about this too. So am I. When I wrote:

The JanRain team has done a fantastic job integrating account sign-up, sign-in, and recovery via Information Cards into their OpenID provider. I’m really impressed by how well this fits into the rest of their high-quality offering.

I should have expanded upon my point “fantastic job integrating account sign-up” to explicitly call out that no passwords are needed. Notice the Information Card button on the sign-up page below. Thanks Vittorio and Kim, for sharing your excitement about this. I’m hoping that as other sites integrate Information Card sign-in to their user experience that they’ll also follow this example (and the guidance in the deployment guide) and enable password-less sign-up with Information Cards. signup with Information Card

Related to this is JanRain’s earlier announcement that they are including PAPE support in their widely-used OpenID relying party libraries. As Kevin Fox wrote:

Just a note to let everyone know that we are developing and will release relying party libraries supporting PAPE once the specification is finalized.
We have deployed an example relying party available here:
The example fully supports OpenID 2.0 draft 12, and can request phishing-resistant authentication using PAPE. Feel free to use it for testing.
PAPE allows sites that use OpenID 2.0 authentication to get information about the way that the user authenticated to the provider. This is an important step on the way to getting the convenience needed of OpenID authentication for higher-valued transactions. It’s trivial to implement and will be included in JanRain’s OpenID 2.0 libraries as well as Sxip’s libraries.

Gary Krall also added that:

Verisign will also be releasing an update to the JOID library which we use on the PiP for as you may know we have added PAPE support to the PiP.

And I’ll add that and both also support PAPE on their OpenID providers.

Why is this exciting? Because it means that without use of without any use of passwords, people can create and use OpenIDs with their Information Cards. And that sites accepting OpenIDs can ask for phishing-resistant authentication when you sign in — which these OpenIDs will do for you. All more great steps towards building a convenient, secure, ubiquitous identity layer for the Internet!

Nice Shirt!

Andre and Ashish may have liked the Mac, but I liked the shirt. ;-)

Ashish Jain with a Mac and an Information Card shirt

New Version of CardSpace Available

.NET 3.5 Default Card ImageI’m pleased to announce that the .NET Framework 3.5, which includes a new version of Windows CardSpace, is now available for download. The CardSpace team has been blogging about the new features and usability improvements at the team blog CardSpace: Behind the Code. I highly recommend reading it to understand the details of what the team has included in this release.

I did choose a picture for this post, however, that is emblematic to me of the many usability improvements, large and small, that have been made since the initial CardSpace release in the .NET Framework 3.0. The colored image is the new default self-issued card graphic. The previous default image was sepia-toned, making it difficult to visually distinguish between “full-color” and grayed-out versions of the image (which are shown when the card does not meet the requirements of a relying party). Based on customer feedback, we changed the default image so that it’s now easy to tell the two apart. This is but one example of the numerous improvements we’ve made to CardSpace based on feedback from actual use.

Like its predecessor, the new version runs on Windows XP, Windows Server 2003, and Windows Vista. Download it and give it a whirl!

Sites Using Information Cards

Percentage of Computers with an Identity SelectorI’ve been inspired by Kim’s Information Card Thermometer to start tracking sites using Information Cards. If you know of sites using Information Cards that that I don’t have on my list, please send me a note or leave a comment on this post and I’ll add them. I’ll know that we’re reaching the tipping point when maintaining this list becomes completely impossible. Can’t wait…!

New Release of Firefox Information Card Add-on

Firefox logoI wanted to call your attention to the new release of the Firefox Information Card add-on that Axel Nennker posted this week. Axel’s changes address a number of issues identified during the Interop at Catalyst in Barcelona. Among other things, with this add-on, Firefox now supports:

  • privacyUrl and privacyVersion, which enable privacy policies to be shown,
  • issuer and issuerPolicy, which enable the use of Relying Party STSs, and
  • sites that don’t use SSL certificates (which use http rather than https).

I believe that this brings Firefox up to feature parity with the Information Card support in IE7 when used with CardSpace, as well as enabling the use of Firefox with additional identity selectors such as the openinfocard selector and others. Thanks for the great work Axel!

Understanding Windows CardSpace Book

Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital IdentitiesI highly recommend the new book Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities by Vittorio Bertocci, Garrett Serack, and Caleb Baker. As I wrote for the “praise page” of the book after reading the current draft:

Chock full of useful, actionable information covering the “whys”, “whats”, and “hows” of employing safer, easier-to-use, privacy-preserving digital identities. Insightful perspectives, on topics from cryptography and protocols to user interfaces and online threats to businesses drivers, make this an essential resource!

A must-have for anyone deploying or considering deploying Information Cards. And if you can’t wait for the book to be published, you can also purchase a first draft of the book from Rough Cuts. Enjoy!

User-Centric Identity Interop at Catalyst in Barcelona

Logos of Barcelona Interop Participants 2007

Last night OSIS and the Burton Group held the third in a series of user-centric identity Interop events where companies and projects building user-centric identity software components came together and tested the interoperation of their software together. Following on the Interops at IIW in May and Catalyst in June, the participants continued their joint work of ensuring that the identity software we’re all building works great together.

This Interop had a broader scope along several dimensions than the previous ones:

An excerpt from Bob Blakley’s insightful-as-always commentary on the Interop is:

The participants have posted their results on the wiki, and a few words are in order about these results. The first thing you’ll notice is that there are a significant number of “failure” and “issue” results. This is very good news for two reasons.

The first reason it’s good news is that it means enough new test cases were designed for this interop to uncover new problems. What you don’t see in the matrix is that when testing began, there were even more failures — which means that a lot of the new issues identified during the exercise have already been fixed.

The second reason the “failure” and “issue” results are good news is that they’re outnumbered by the successes. When you consider that the things tested in Barcelona were all identified as problems at the previous interop, you’ll get an idea of how much work has been done by the OSIS community in only 4 months to improve interoperability and agree on standards of component behavior.

Be sure to read his full post for more details on what the participants accomplished together. And of course, this isn’t the end of the story. An even wider and deeper Interop event is planned for the RSA Conference in April 2008. Great progress on building the Internet identity layer together!

Information Card Icon Usage Guidelines Updated

Information Card IconDuring Catalyst in San Francisco we announced the now-familiar Information Card icon and its accompanying usage guidelines. Since then we’ve received community feedback on clarifications we could make to the guidelines. In response, we’ve publish an updated version of the guidelines addressing that feedback and an accompanying updated complete icon zip file during Catalyst in Barcelona.

Specifically, we were asked if we could be clearer that the icon can be used in contexts discussing and promoting Information Cards, not just in software, and some felt that the spacing guidelines were overly restrictive. My favorite feedback along these lines came from Dale Olds, in his wonderful Fashions in information card beachware post, where he wrote:

Thanks to Mike for the information card shirt. I try to wear it in compliance with the logo usage guidelines, but I think I probably sometimes stand too close to other images and I spilled some salsa on it. I’ll keep working on it.

So don’t worry Dale… I’m glad you’re enjoying your shirt and displaying the icon to the world. Heck, you can even print some cool new ones of your own using it if you want. (And if you do, it’d love it if you saved one for me!)

MyOpenID adds Information Card Support

JanRain logoKevin Fox just announced that JanRain has added Information Card support to As he wrote:

The JanRain OpenID team is pleased to announce Information Card support has been added to

What is an Information Card?

What can I do with it? With a self-issued Information Card you can sign-in to MyOpenID, as well as sign-up and recover your account, without ever having to enter your password. Anywhere on MyOpenID that you can enter a password will now allow you to use an Information Card instead. With the addition of Information Card support MyOpenID is able to offer another solid option for people wanting to protect their OpenID account from phishing attacks and remember fewer passwords.

We were able to work with Microsoft’s Mike Jones and Kim Cameron who have both been long time proponents of OpenID + Information Card support.

As noted by Kim Cameron “Cardspace is used at the identity provider to keep credentials from being stolen. So the best aspects of OpenID are retained.” While one of the less desirable aspects (confusing user experience) has been improved for someone using an Information Card to login to their OpenID provider.

Support for Information Cards has been growing as more software projects implement the technology. It is important to note that this technology is being supported by many other organizations besides Microsoft. Information Card support is available for Windows platforms (Vista / XP) as well as Mac OS X and Linux.

The JanRain team has done a fantastic job integrating account sign-up, sign-in, and recovery via Information Cards into their OpenID provider. I’m really impressed by how well this fits into the rest of their high-quality offering.

There’s another kind of integration they also did that makes this even more impressive in my mind: connecting their new Information Card support with their existing support for the draft OpenID phishing-resistant authentication specification. This is another significant step in fulfilling the promise of the JanRain/Microsoft/Sxip Identity/VeriSign OpenID/Windows CardSpace collaboration announcement introduced by Bill Gates and Craig Mundie at the RSA Security Conference this year. Because of this work, this sequence is now possible:

  1. A person goes to an OpenID relying party and uses an OpenID from
  2. The OpenID relying party requests that use a phishing-resistant authentication method to sign the user in.
  3. The person signs into his OpenID with an Information Card.
  4. informs the relying party that the user utilized a phishing-resistant authentication method.

This means that MyOpenID users will be able to get both the convenience and anti-phishing benefits of Information Cards at OpenID-enabled sites they visit and those sites can have higher confidence that the user is in control of the OpenID used at the site. That’s truly useful identity convergence if you ask me!

Strong Authentication to Healthcare Portal through CardSpace

myhealth cardThis week the public pilot of the healthcare portal launched in Singapore, enabling individuals to manage their health, nutrition, and fitness information online. I’m writing about this because access to the site is secured by managed Information Cards backed by hard tokens. These USB form-factor tokens are issued in the context of the National Authentication Infrastructure initiative of the Singapore Government.

Like custom smart card applications, accessing the portal requires possession of both the physical token and the passphrase for the token, providing true multi-factor authentication. But because the token is accessed via an Information Card by CardSpace, no custom application is needed on the user’s PC. This is a concrete example of a service taking advantage of the ability to employ multi-factor authentication through Information Cards. Read all about it in Vittorio’s detailed description.

More Open Source Information Card Relying Party Software Projects

Today at the ZendCon conference in San Francisco, Microsoft announced two additional open source Information Card Relying Party software projects. These projects for the PHP and C languages complement those that were previously announced for Ruby and Java. All make it easy for web sites to add the ability to accept and create accounts with Information Cards.

The PHP software is being built by Zend Technologies. It can be used either as a stand-alone component or in combination with the Zend Framework. The C software has been built by Ping Identity. It implements core crypto and SAML token processing code for accepting Information Cards that can be utilized from any development environment.

See these sites for details on the projects:

C Relying Party code:

PHP Relying Party:

Ruby on Rails Relying Party:

Java Relying Party:

Ashish Jain’s Open Letter to the CardSpace Team

Today Ashish Jain posted an “Open Letter to the CardSpace Team” that I’d highly encourage everyone interested in Information Cards to read. As I replied to Ashish, this is fabulous feedback. These are exactly the kinds of issues we’re going to need to nail, both as the Microsoft CardSpace team, and as an industry, to get to seamless, ubiquitous use of Information Cards. Thanks for the great input!

As we’re planning future versions of CardSpace, it’s incredibly valuable to be hearing this and other constructive feedback from the community based on real deployment experiences. Keep it coming!

Towards that end, please permit me to be so bold, Ashish, as to ask you to write a second installment of your Open Letter. You did a tremendous job in the first capturing things that we could do better on. In the second it would be cool if you could capture the things that you believe that we already got right. Why? To hear you heap on the praise? No (although we’ll never refuse that when offered :-) ). I’m asking so that as we change things to make future versions better, we also have community input in some areas saying “This aspect of CardSpace is already working well for me — please keep it working at least that well in the future!”

And of course, my request doesn’t only apply to Ashish. The more concrete feedback we receive about what’s working well for you with CardSpace and what isn’t, the more data we’ll have to base our future decisions upon. Drop me a note when you post feedback and maybe also leave a blog comment on this post pointing to your feedback as well so I and others will be sure to see it.

Finally, as you know, the CardSpace team now has a voice at CardSpace: Behind The Code where you can expect to hear both posts both about things we’ve already improved in the upcoming the .Net Framework 3.5 release and also questions from the team and community dialog. So be sure to tune in to the discussion there as well.

Thanks again for the great letter, Ashish!

The Popularity of OpenID and How It Relates To “Home Realm Discovery”

Andy Dale recently made a great post titled “Adopting Evolution” in which he asked the question:

Why has OpenID grabbed so much popularity while SAML, a much more mature, academically respected, ‘robust’ specification has been largely ignored by the cutting edge web 2.0 community?

I’ll encourage you to read his post for his insightful answer.

His question reminded me of another answer to the same question that I gave during the recent Concordia meeting at DIDW: OpenID solves the “Home Realm Discovery” problem that all Federation protocols face; that is, figuring out where the person’s authentication information should come from.

There’s lots of ways this problem can be solved, many of which involve potential identity providers being pre-configured by system administrators as possible choices for specific services. Some systems have even dictated the use of a particular identity provider. OpenID’s solution to this is elegant in its simplicity: Let the user decide. When I type in an OpenID URL such as I’m telling the relying party where my identity provider for this interaction is — thus solving the “Home Realm Discovery” problem. As elegant as this is, of course, the potential downside of this solution is that it assumes that people will remember their OpenID identifiers and will faithfully type them in when a page prompts them for an OpenID.

OpenID 2.0 actually allows i-names such as =mbj or =Mike.Jones to be used as OpenIDs as well. I-names then use their own lookup protocol to discover the identity provider behind the i-name typed. This is arguably better (and is the kind of OpenID I personally use), but still relies on the user to reliably enter their OpenID identifier when prompted.

In this discussion at Concordia, others pointed out that using an Identity Selector (such as DigitalMe or CardSpace) is another means of solving the problem. Like OpenID, it also lets the user decide, but in this case, by clicking on a visual Information Card, rather than typing in a string. I personally believe that this will be an easier metaphor for many people to use once it’s commonly available than typing in an OpenID identifier.

I’ll also point out that it’s not a one-or-the-other choice between OpenIDs and Information Cards when letting the user decide. As was recently demonstrated, OpenID Information Cards can be used to deliver the OpenID identifier to the OpenID relying party, rather than having the user type it.

In conclusion, while it may seem esoteric, solving the “Home Realm Discovery” problem is essential to working digital identity deployments. And the usability of the solution chosen matters a lot. Using Andy’s terminology, I believe that its solution to this problem both accounts for some of “the juju that OpenID has” and may result in usability problems for less technical audiences that will need to be addressed if it’s to break out beyond just us geeks.

New CardSpace Team Blog, New CardSpace Features

I’m pleased to announce two great developments. First, the CardSpace team just established a team blog. The blog will provide a direct voice for the team members to communicate about their work.

Second, on the blog they’ve started a series of posts about new features to come in the .Net Framework 3.5, which will ship with Windows Vista Service Pack 1 and be available as a free download for Windows XP and Windows Server 2003. The first post in the series describes the ability to use Information Cards at relying parties over http connections, without requiring a SSL certificate. This was a feature a number of you had asked for and the team responded.

Subscribe to the blog and read the series! Also, check out Vittorio Bertocci’s useful commentary on the no-SSL feature.

Seeing the LiveID Information Card Beta and DigitalMe in Action

Kim and I had fun with this video but we’re seriously pleased to be able to show you both using LiveID with Information Cards and DigitalMe in action together. Check it out!

DigitalMe Identity Selector for the Mac

Today Andy Hodgkinson announced a binary release of the DigitalMe Identity Selector for Mac OS X. Now Mac users can use Information Cards with just a drag-and-drop install! This release builds upon the earlier success of their binary release for SuSE Linux.

As Andy wrote: “I would encourage anyone interested in using information cards on the Mac to install DigitalMe and the Firefox plug-in.” I’ll second that. Go check it out!

Congratulations again to the Bandit team!

DigitalMe Mac screen shot

Page 4 of 5

Powered by WordPress & Theme by Anders Norén