Musings on Digital Identity

Month: July 2007

Information Cards at OpenID Providers

PIP InfoCardsThis week VeriSign upgraded their Personal Identity Provider (PIP) to support Information Cards. As David Recordon wrote at VeriSign’s official “Infrablog”:

Last Saturday, we completed the upgrade of our Personal Identity Provider. All accounts have been automatically upgraded and the URL is the same at We definitely encourage everyone to come try it out as we believe it is the best OpenID Provider in existence! Not only does it have all of the features from the PIP we launched last May, but adds support for OpenID 2.0, the ability to manage multiple identities within one PIP account, integration with strong authentication via our VeriSign Identity Protection network, Information Card support as one way to help protect against phishing attacks, and our SeatBelt Firefox add-on which works with a variety of OpenID Providers.

PIP supports Information Cards in two ways:

  • Logging into your PIP account: You can use a managed Information Card to log into your PIP account, providing a phishing-resistant alternative to logging in with a username and password typed into the browser.
  • Using your PIP Identities at other sites: PIP issues managed Information Cards for each of your PIP identities, which you can use to sign into sites using Information Cards for login and/or account creation. (And of course, these same identities are also OpenIDs as well.)

Images of my PIP cards for these two use cases are shown at the top of this post. I can now use my PIP account card to sign into my PIP account and my PIP identity card to sign into other sites. PIP is doubly cool because I believe it’s also the first general-purpose identity provider to be secured by an Extended Validation Certificate (see the green color of the IE7 address bar?). Great progress! LogoThis follows on last month’s launch of Ping Identity’s identity provider. lets you log into your OpenID account using a self-issued Information Card — a convenient, password-free, and phishing-resistant authentication mechanism.

Both are fantastic steps towards our shared goal of building a convenient, secure, ubiquitous identity layer for the Internet. Expect to see lots more developments like this soon!

Yours truly, and

Congratulations to David Recordon

David RecordonLet me second Scott Kveton‘s congratulations to David Recordon for winning this year’s Google-O’Reilly Open Source award for Best Strategist. As Scott wrote:

Tonight, David Recordon of Verisign won Google’s prestigious “Best Strategist” open source award for his work on OpenID.

I’ve known David for a little over a year and have been amazed at hist ability to help shape the technology and community that makes up OpenID (all this before the ripe old age of 21 … no congratulatory beers for you David!).

I first met David during a meeting at Six Apart (long, long ago) with he and Brad (the creator of OpenID) when we all cooked up the OpenID Bounty program. I was a newbie in the OpenID world and David was great at helping me as I found my way.

David has been tireless in his work on OpenID being “the face” of the community and spending more time on the road than anybody I’ve ever seen (c’mon, the guy is already a United uber frequent flyer) showing up at every conference you can think of across the entire globe. He has been instrumental in seeding small user communities across the globe with his passion for making OpenID the technology it has become.

David, you have a fantastic future ahead of you … congrats, the best is yet to come.

I’ve also greatly enjoyed working with David on advancing digital identity together over the past year and value his energy, judgment, and fun-loving spirit. I’ll see you out there on the Identity road, David… Congratulations again!

Information Cards and CardSpace Book

Beginning Information Cards and CardSpace: From Novice to ProfessionalThe first CardSpace book, Marc Mercuri‘s Beginning Information Cards and CardSpace: From Novice to Professional went to press last week and can now be ordered. Marc is an expert in CardSpace and numerous related technologies and his book is chock full of practical examples and samples. Read more about Marc here. Another CardSpace expert, virtual team member, and friend of mine, Steven Woodward, served as technical editor for the book. Congratulations Marc and Steven!

Where to get Windows CardSpace

In a recent comment, midtoad wrote:

There appears to be no way possible to allow my browser to recognize or use CardSpace cards. The one-minute video mentions a small download to be provided but none are available.

Let me try to help here. If you’re on Windows XP or Windows Server 2003 and you want to use Windows CardSpace you need to:

(Of course, if you’re on Windows Vista, you already have both.)

Finally, you didn’t say what browser you’re using. If you’re using IE you’re already set. If you’re using Firefox, follow the installation instructions at And if you’re on other platforms, you might want to check out the Bandit Project’s DigitalMe downloads. Hope this helps!

Sample Information Card Site Live

At you can try out a web site that uses Information Cards for account creation and site sign-in. It also allows you to create an account in the old way, with a username and password, and then associate Information Cards with that account. This site is intended to enable you to experience a site using Information Cards that you can use as a model for the flows on your site.

This site simulates e-mail address verification upon account creation. This enables “lost card” scenarios to be handled via card reset e-mails, similarly to how “lost password” scenarios are often handled today. I write “simulated”, because the site doesn’t actually send the e-mails — it just presents the bodies of the e-mails that would be sent as web pages.

This site is built using the Information Card Relying Party Resources I wrote about last week and follows the guidance in the Information Card Deployment Guide. I hope you will find this site useful to further your understanding of how to best employ information cards at your site.

Of course, site best practices are still a work in progress that others are helping to evolve as well, so I’d love to hear feedback on what you like at this site and what you think can be improved. For instance, Eric Norman correctly points out a place where the current site needs to be improved. The My Account page at already does a much better job here, identifying your cards by displaying your name and e-mail address, rather than an unintelligible string of characters. Keep those good ideas coming!

Powered by WordPress & Theme by Anders Norén