Musings on Digital Identity

Month: June 2007

Initial Release of Bandit Project’s DigitalMe Identity Selector

Let me be the first to congratulate the Bandit and Higgins project members on the release of the DigitalMe Identity Selector for SuSE Linux! Now, for the first time, Linux users have an installable Identity Selector available to them that enables them to use Information Cards in a way that’s compatible with Windows CardSpace. See Novell’s press release “Bandit Project’s Cross-Platform Card Selector Gives Users Control of their Internet Identities”, the Identity Selector Service page, and the Identity Selector Service Download page for more details.

This announcement lets people who aren’t developers start to use Information Cards on Linux and builds on the interoperability successes demonstrated at Brainshare. And as the downloads page says, “Work is under way to provide packages for other Linux distros, OS X and Windows.” Great stuff!

Congratulations again!

Information Card Relying Party Resources

Today Microsoft released two related code samples for Information Card relying parties: the Information Card Kit for HTML and the Information Card Kit for ASP.NET 2.0.

The HTML kit is platform-independent JavaScript and CSS code that can be used to dynamically detect client Information Card support and tailor the web site’s interactions with the user accordingly. If Information Cards are supported, this code will request an Information Card for the site. Included utility code can also be used to display passive notifications. Additional code will be required at the server to consume the security token sent by the user. Download the HTML kit here.
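To make the client-side half of that flow concrete, here is an added example of my own (not the HTML kit’s code) that detects a selector and builds the card-request markup. The navigator.mimeTypes probe and the param names tokenType, issuer, requiredClaims and privacyUrl are assumptions based on how Firefox-style selectors and the CardSpace HTML object convention worked as I recall them; the navigator object is passed in rather than read from the global scope so the functions run outside a browser. The token the resulting form posts is still untrusted input until the server-side code validates it.

```javascript
// Added example, not the Microsoft HTML kit's code: detect Information Card
// support in the browser and build the <object> element that asks the identity
// selector for a card.

const INFOCARD_MIME = "application/x-informationcard";

// Assumption: Firefox-style selectors register a MIME type in navigator.mimeTypes.
// The navigator is injected so this can run (and be tested) without a browser.
function detectInformationCardSupport(nav) {
  if (!nav || !nav.mimeTypes) return false;
  const entry = nav.mimeTypes[INFOCARD_MIME];
  return Boolean(entry && entry.enabledPlugin);
}

// Escape a value before placing it in an HTML attribute, so an issuer string or
// claim URI can never terminate the attribute and inject markup into the page.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the card-request <object>. Param names follow the CardSpace HTML object
// convention as I recall it (assumption); the default token type is SAML 1.0 and
// requiredClaims is a space-separated list of claim URIs.
function buildInformationCardObject(opts) {
  const tokenType = opts.tokenType || "urn:oasis:names:tc:SAML:1.0:assertion";
  const requiredClaims = (opts.requiredClaims || []).join(" ");
  const params = [
    ["tokenType", tokenType],
    ["requiredClaims", requiredClaims],
  ];
  if (opts.issuer) params.push(["issuer", opts.issuer]);
  if (opts.privacyUrl) params.push(["privacyUrl", opts.privacyUrl]);
  const paramLines = params.map(
    ([name, value]) => `  <param name="${name}" value="${escapeAttr(value)}">`
  );
  return [
    `<object type="${INFOCARD_MIME}" name="xmlToken">`,
    ...paramLines,
    "</object>",
  ].join("\n");
}

// Decide what the login page renders: the card request when a selector is
// present, otherwise a passive notice (the kit's own notification code is not
// reproduced here).
function chooseLoginUi(nav, opts) {
  if (detectInformationCardSupport(nav)) {
    return { mode: "infocard", html: buildInformationCardObject(opts) };
  }
  return {
    mode: "fallback",
    html: "<p>No Information Card selector was detected in this browser.</p>",
  };
}
```

The returned markup goes inside a form that posts to the server over HTTPS; the `xmlToken` field it yields is the security token the server-side kit has to verify before any claim in it is believed.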

The Information Card Kit for ASP.NET 2.0 contains code that can be used on the ASP.NET 2.0 platform to accept Information Cards. This code enables the server to consume the security token delivered to the server when the person uses an Information Card. Download the ASP.NET 2.0 kit here.

Information Card Icon

I’m very pleased to announce that, as of today, there is now a graphical icon freely available for people to use to indicate that “Information Cards are accepted here”. This icon is intended to provide a common visual cue that Information Cards can be used to provide information to a site or program, similarly to how the RSS icon is used to indicate the availability of syndicated content.

The guidelines for the use of the icon, a frequently asked questions document, a set of png images of the icon rendered in a range of sizes, and the original artwork in Illustrator format are all available together in a download package. Please consult the guidelines and the FAQ before using the icon.

You’ll notice that the login page for my blog now uses the icon. Hopefully your sites will soon too!

And just for fun, because the icon is, after all, a graphical element, here’s a gallery of the renderings of the icon that we included in the downloads package. Enjoy!


WS-Federation code checked into OpenSSO

Great news from Pat Patterson of Sun Microsystems about support for WS-Federation now being checked into the OpenSSO project:


The WS-Federation service provider and configuration CLI code was committed into OpenSSO yesterday – this PDF gives some basic instructions on getting started with WS-Fed and OpenSSO. Note that this is just the initial drop of code – still to come is identity provider support.

Give it a whirl and send us feedback at dev(at)opensso.dev.java.net.

Phishing-Resistant Authentication Specification Ready

David Recordon just posted a simple draft OpenID specification that enables OpenID relying parties to request that the OpenID provider use a phishing-resistant authentication method, and enables providers to inform relying parties whether a phishing-resistant authentication method, such as Windows CardSpace, was used. This is a major step forward in fulfilling the promise of the JanRain/Microsoft/Sxip Identity/VeriSign OpenID/Windows CardSpace collaboration announcement introduced by Bill Gates and Craig Mundie at the RSA Security Conference this year.

In his post “Bringing Useful Scalable Security to OpenID”, David wrote:

The integration cost of OpenID as a Relying Party is extremely low, the technology is free and as Brian Ellin and I showed at Web 2.0 Expo the time commitment is also low due to a lot of great Open Source code out there which takes care of the heavy lifting. So now the RP has successfully integrated OpenID and removed the need for new users to create yet another password for their site, though they no longer have the control over the strength of a user’s authentication process. The RP may be a simple Web 2.0 site and not care beyond that the user has a password, it may store marginally sensitive information and want to make sure that the Provider did something to help protect the user from common phishing attacks, or maybe it’s a site which has truly sensitive information and wants to make sure that a second-factor device, such as a VIP token, was used.

With the OpenID Provider Authentication Policy Extension that I just published, this is now possible. This extension to OpenID 1.1 and 2.0 allows Relying Parties to express preferences around the authentication, such as “use technology which is phishing resistant” (stemming from the collaboration announcement at the RSA conference earlier in the year), for the Provider to inform the user of the request, guide them through the authentication process, and then inform the Relying Party what happened. By taking advantage of existing specifications from the likes of the National Institute of Standards and Technology (NIST), Providers can also convey information as to the strength of a password or combination of a password and digital certificate or hardware device used. While the high-end of the specification may be beyond the uses of OpenID today, it certainly fulfills the scalable security vision that we have. Through this specification not only can I now strongly protect my OpenID identity, but let others know that I’m doing so and truly take advantage of a reduction in credentials needed when browsing the web.

I can’t wait to use the implementations that are sure to follow shortly!
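For readers wanting to see what the relying-party side of that exchange looks like, here is an added example of my own (not David’s draft, nor any OpenID library’s code). The openid.pape.* parameter names and the policy URIs are assumptions taken from the PAPE 1.0 specification as I recall it; the draft discussed above may use different names. The checks it performs are the ones a relying party needs regardless of naming: locate the extension by namespace rather than by assuming the alias is “pape”, and only believe PAPE fields the provider covered with its signature.

```javascript
// Added example, not David Recordon's draft or an OpenID library: a relying party
// asking for a phishing-resistant login and checking what the provider reports.
// Parameter names and policy URIs are assumptions based on PAPE 1.0 as I recall it.

const PAPE_NS = "http://specs.openid.net/extensions/pape/1.0";
const PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant";
const MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor";
const MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical";

// Add the RP's preferences to an outgoing checkid_setup/checkid_immediate request.
// maxAuthAge (seconds) asks the provider to re-authenticate if the session is older.
function addPapeRequest(params, policies, maxAuthAge) {
  const out = {
    ...params,
    "openid.ns.pape": PAPE_NS,
    "openid.pape.preferred_auth_policies": policies.join(" "),
  };
  if (maxAuthAge != null) out["openid.pape.max_auth_age"] = String(maxAuthAge);
  return out;
}

// The provider may bind the PAPE namespace to any alias, so find it by value.
function findPapeAlias(resp) {
  for (const [key, value] of Object.entries(resp)) {
    if (key.startsWith("openid.ns.") && value === PAPE_NS) {
      return key.slice("openid.ns.".length);
    }
  }
  return null;
}

// Evaluate the provider's positive assertion against the RP's requirements.
// resp is the parsed response (openid.* keys); opts.now is epoch milliseconds.
function checkPapeResponse(resp, requiredPolicies, opts = {}) {
  const alias = findPapeAlias(resp);
  if (!alias) return { ok: false, reason: "no PAPE namespace in response" };

  // openid.signed lists the signed field names without the "openid." prefix.
  // A PAPE field outside that list could have been altered in transit, so ignore it.
  const signed = new Set((resp["openid.signed"] || "").split(","));
  const field = (name) =>
    signed.has(`${alias}.${name}`) ? resp[`openid.${alias}.${name}`] : undefined;

  const policies = new Set((field("auth_policies") || "").split(" ").filter(Boolean));
  for (const policy of requiredPolicies) {
    if (!policies.has(policy)) return { ok: false, reason: `policy not satisfied: ${policy}` };
  }

  if (opts.maxAuthAge != null) {
    const authTime = field("auth_time"); // ISO 8601 UTC, e.g. 2007-06-14T12:00:00Z
    if (!authTime) return { ok: false, reason: "auth_time missing or unsigned" };
    const ageSeconds = (opts.now - Date.parse(authTime)) / 1000;
    if (!(ageSeconds >= 0 && ageSeconds <= opts.maxAuthAge)) {
      return { ok: false, reason: "authentication too old" };
    }
  }

  const nist = field("nist_auth_level");
  return {
    ok: true,
    policies: [...policies],
    nistLevel: nist === undefined ? null : Number(nist),
  };
}
```

A relying party that only needs a password would call `addPapeRequest` with an empty policy list and skip `checkPapeResponse`; one holding sensitive data would require `PHISHING_RESISTANT` or `MULTI_FACTOR_PHYSICAL` and reject the assertion when the signed `auth_policies` value does not include it.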

Unverified Claims

Which would you trust more? Self-issued claims or unverified claims?

Read Marc Goodner’s new blog and decide for yourself. ;-)

“Understanding WS-Federation” Whitepaper and Don’s Continuing Insights on Federation

Don Schmidt recently posted this valuable entry announcing the publication of the IBM/Microsoft whitepaper “Understanding WS-Federation”:

Yesterday a White Paper, Understanding WS-Federation, was jointly published by IBM and Microsoft. The primary goal of this paper is to promote an appreciation for the functional scope of the revised publication of WS-Federation. As I have stated in previous posts, the scope of this specification extends far beyond the features delivered in first generation WS-Federation products, such as, Active Directory Federation Services v1.

The paper includes two use cases, an Enterprise “request for proposal” scenario and a Healthcare “emergency room treatment” scenario, that highlight key new features of WS-Federation 1.1. Textual descriptions of the scenarios are annotated with sample XML message flows.

Another goal of this paper is to encourage participation in the OASIS WSFED TC. Hopefully WS-Federation supporters and critics alike will find functionality that they care about, and be willing to join in the open standards process for WS-Federation 1.1.

Very valuable reading for anyone wanting to understand the capabilities of WS-Federation, its relationship to WS-Trust, and the Security Token Service (STS) model.

And then in Don’s classic gracious style, he wrote the post “Standing on the Shoulders of Giants”, giving credit where credit is due, and asking for broad community participation in the OASIS WSFED TC. I highly recommend it as well.
