Musings on Digital Identity

Month: October 2007

Understanding Windows CardSpace Book

Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital IdentitiesI highly recommend the new book Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities by Vittorio Bertocci, Garrett Serack, and Caleb Baker. As I wrote for the “praise page” of the book after reading the current draft:

Chock full of useful, actionable information covering the “whys”, “whats”, and “hows” of employing safer, easier-to-use, privacy-preserving digital identities. Insightful perspectives, on topics from cryptography and protocols to user interfaces and online threats to businesses drivers, make this an essential resource!

A must-have for anyone deploying or considering deploying Information Cards. And if you can’t wait for the book to be published, you can also purchase a first draft of the book from Rough Cuts. Enjoy!

User-Centric Identity Interop at Catalyst in Barcelona

Logos of Barcelona Interop Participants 2007

Last night OSIS and the Burton Group held the third in a series of user-centric identity Interop events where companies and projects building user-centric identity software components came together and tested the interoperation of their software together. Following on the Interops at IIW in May and Catalyst in June, the participants continued their joint work of ensuring that the identity software we’re all building works great together.

This Interop had a broader scope along several dimensions than the previous ones:

An excerpt from Bob Blakley’s insightful-as-always commentary on the Interop is:

The participants have posted their results on the wiki, and a few words are in order about these results. The first thing you’ll notice is that there are a significant number of “failure” and “issue” results. This is very good news for two reasons.

The first reason it’s good news is that it means enough new test cases were designed for this interop to uncover new problems. What you don’t see in the matrix is that when testing began, there were even more failures — which means that a lot of the new issues identified during the exercise have already been fixed.

The second reason the “failure” and “issue” results are good news is that they’re outnumbered by the successes. When you consider that the things tested in Barcelona were all identified as problems at the previous interop, you’ll get an idea of how much work has been done by the OSIS community in only 4 months to improve interoperability and agree on standards of component behavior.

Be sure to read his full post for more details on what the participants accomplished together. And of course, this isn’t the end of the story. An even wider and deeper Interop event is planned for the RSA Conference in April 2008. Great progress on building the Internet identity layer together!

Information Card Icon Usage Guidelines Updated

Information Card IconDuring Catalyst in San Francisco we announced the now-familiar Information Card icon and its accompanying usage guidelines. Since then we’ve received community feedback on clarifications we could make to the guidelines. In response, we’ve publish an updated version of the guidelines addressing that feedback and an accompanying updated complete icon zip file during Catalyst in Barcelona.

Specifically, we were asked if we could be clearer that the icon can be used in contexts discussing and promoting Information Cards, not just in software, and some felt that the spacing guidelines were overly restrictive. My favorite feedback along these lines came from Dale Olds, in his wonderful Fashions in information card beachware post, where he wrote:

Thanks to Mike for the information card shirt. I try to wear it in compliance with the logo usage guidelines, but I think I probably sometimes stand too close to other images and I spilled some salsa on it. I’ll keep working on it.

So don’t worry Dale… I’m glad you’re enjoying your shirt and displaying the icon to the world. Heck, you can even print some cool new ones of your own using it if you want. (And if you do, it’d love it if you saved one for me!)

MyOpenID adds Information Card Support

JanRain logoKevin Fox just announced that JanRain has added Information Card support to As he wrote:

The JanRain OpenID team is pleased to announce Information Card support has been added to

What is an Information Card?

What can I do with it? With a self-issued Information Card you can sign-in to MyOpenID, as well as sign-up and recover your account, without ever having to enter your password. Anywhere on MyOpenID that you can enter a password will now allow you to use an Information Card instead. With the addition of Information Card support MyOpenID is able to offer another solid option for people wanting to protect their OpenID account from phishing attacks and remember fewer passwords.

We were able to work with Microsoft’s Mike Jones and Kim Cameron who have both been long time proponents of OpenID + Information Card support.

As noted by Kim Cameron “Cardspace is used at the identity provider to keep credentials from being stolen. So the best aspects of OpenID are retained.” While one of the less desirable aspects (confusing user experience) has been improved for someone using an Information Card to login to their OpenID provider.

Support for Information Cards has been growing as more software projects implement the technology. It is important to note that this technology is being supported by many other organizations besides Microsoft. Information Card support is available for Windows platforms (Vista / XP) as well as Mac OS X and Linux.

The JanRain team has done a fantastic job integrating account sign-up, sign-in, and recovery via Information Cards into their OpenID provider. I’m really impressed by how well this fits into the rest of their high-quality offering.

There’s another kind of integration they also did that makes this even more impressive in my mind: connecting their new Information Card support with their existing support for the draft OpenID phishing-resistant authentication specification. This is another significant step in fulfilling the promise of the JanRain/Microsoft/Sxip Identity/VeriSign OpenID/Windows CardSpace collaboration announcement introduced by Bill Gates and Craig Mundie at the RSA Security Conference this year. Because of this work, this sequence is now possible:

  1. A person goes to an OpenID relying party and uses an OpenID from
  2. The OpenID relying party requests that use a phishing-resistant authentication method to sign the user in.
  3. The person signs into his OpenID with an Information Card.
  4. informs the relying party that the user utilized a phishing-resistant authentication method.

This means that MyOpenID users will be able to get both the convenience and anti-phishing benefits of Information Cards at OpenID-enabled sites they visit and those sites can have higher confidence that the user is in control of the OpenID used at the site. That’s truly useful identity convergence if you ask me!

Strong Authentication to Healthcare Portal through CardSpace

myhealth cardThis week the public pilot of the healthcare portal launched in Singapore, enabling individuals to manage their health, nutrition, and fitness information online. I’m writing about this because access to the site is secured by managed Information Cards backed by hard tokens. These USB form-factor tokens are issued in the context of the National Authentication Infrastructure initiative of the Singapore Government.

Like custom smart card applications, accessing the portal requires possession of both the physical token and the passphrase for the token, providing true multi-factor authentication. But because the token is accessed via an Information Card by CardSpace, no custom application is needed on the user’s PC. This is a concrete example of a service taking advantage of the ability to employ multi-factor authentication through Information Cards. Read all about it in Vittorio’s detailed description.

More Open Source Information Card Relying Party Software Projects

Today at the ZendCon conference in San Francisco, Microsoft announced two additional open source Information Card Relying Party software projects. These projects for the PHP and C languages complement those that were previously announced for Ruby and Java. All make it easy for web sites to add the ability to accept and create accounts with Information Cards.

The PHP software is being built by Zend Technologies. It can be used either as a stand-alone component or in combination with the Zend Framework. The C software has been built by Ping Identity. It implements core crypto and SAML token processing code for accepting Information Cards that can be utilized from any development environment.

See these sites for details on the projects:

C Relying Party code:

PHP Relying Party:

Ruby on Rails Relying Party:

Java Relying Party:

Ashish Jain’s Open Letter to the CardSpace Team

Today Ashish Jain posted an “Open Letter to the CardSpace Team” that I’d highly encourage everyone interested in Information Cards to read. As I replied to Ashish, this is fabulous feedback. These are exactly the kinds of issues we’re going to need to nail, both as the Microsoft CardSpace team, and as an industry, to get to seamless, ubiquitous use of Information Cards. Thanks for the great input!

As we’re planning future versions of CardSpace, it’s incredibly valuable to be hearing this and other constructive feedback from the community based on real deployment experiences. Keep it coming!

Towards that end, please permit me to be so bold, Ashish, as to ask you to write a second installment of your Open Letter. You did a tremendous job in the first capturing things that we could do better on. In the second it would be cool if you could capture the things that you believe that we already got right. Why? To hear you heap on the praise? No (although we’ll never refuse that when offered :-) ). I’m asking so that as we change things to make future versions better, we also have community input in some areas saying “This aspect of CardSpace is already working well for me — please keep it working at least that well in the future!”

And of course, my request doesn’t only apply to Ashish. The more concrete feedback we receive about what’s working well for you with CardSpace and what isn’t, the more data we’ll have to base our future decisions upon. Drop me a note when you post feedback and maybe also leave a blog comment on this post pointing to your feedback as well so I and others will be sure to see it.

Finally, as you know, the CardSpace team now has a voice at CardSpace: Behind The Code where you can expect to hear both posts both about things we’ve already improved in the upcoming the .Net Framework 3.5 release and also questions from the team and community dialog. So be sure to tune in to the discussion there as well.

Thanks again for the great letter, Ashish!

Powered by WordPress & Theme by Anders Norén