I recently attended the RealDevelopment 06 tour here in Vancouver and had the change to listen John Bristowe give us an overview of Microsoft’s big plans for the next client security model.  It’s called InfoCard or recently named “Windows CardSpace” (WCS). 

A quick overview, as I see it…

So in Vista we see this new control panel item, which is supposed to emulate a “Virtual Wallet”.  Literally it gives the end user a place to store their credentials all in one handy place. 

Note: In Build 5384 of Vista you need to go to Control Panel, User Accounts (and Family Safety),  and choose “Digital Identities”.  It will launch the InfoCard interface.

So, how do we use this?  Well what happens is, let’s say you do banking with Wells Fargo for example.  Wells Fargo needs to meet the requirements which Microsoft will lay down in order to participate/qualify for an InfoCard exchange to happen.  They also need to embed an <object…> tag on their site, typically in a membership area which you will need to click and then go through some authorization process.  Once that process is complete you are now in a sharing relationship with Wells Fargo.  IIRC, so far, there is no way to revoke this sharing relationship, or give the ability to the client to modify their details at will in order to notify of a change of address, etc.   I know this is a vague description but you get the point.

So, I ask, what is so different from this and Passport?  Essentially the concept is the same.  The 3^rd party (Wells Fargo, or other institution) needs to go through some sort of development process to make this InfoCard feature available on their site.  It does add additional metadata to the entire service but I simply don’t see that as any value added for these 3^rd party sites to spend the time and money going through the integration process.

Is it more secure?  I can’t see how.  The biggest issue with security is typically NOT software, it’s the people.  Since we can never fully secure people, and the (sometimes stupid) decisions they make why wrap it all up in a new UI/API for people to struggle with?

So what could be a potential solution…?

Recently I’ve been using the Microsoft Fingerprint reader.  DigitalPersona is the actual vendor for the product, but just tagged the devices with the Microsoft Logo.  With this product we get a full blown GINA (the login screen, etc.) and a little application which sits in your System Tray which responds to the Finger Down/Up events on your Fingerprint reader.  This software (most of the time) is actually quite nice because it handles Windows and Webform authentication quite nicely.  You have a dialog box on the screen asking for your credentials, simply press the reader and it will give you a simple step to punch in the needed details for you and automatically submit the form.  The next time you hit that authentication challenge you need only to press your finger to the device and it submits the form for you.  Very easy.

Now I know, not everyone can get their hands on one of these readers but why can’t MSFT simply beg/borrow/steal/buy this software from DigitalPersona and embed it at the core level of Vista?

Have a tray app, call it “InfoCard” or whatever the heck you please.  This tray app is activated whenever the user clicks on it (instead of the finger down/up event).  This new version of “InfoCard” will scan the active form (Win or Web) and uses the same logic and work flow as DigitalPersona uses.  It could even pop-up the fancy virtual  wallet and give us the option of using pre-defined credentials to make the association. 

This would be a 100% client sided feature.  As a developer I would never have to care about making my site or my windows form application “InfoCard aware” or whatever.  All I would need to do is pop-up the authentication dialog, like I always do now, and allow the client to choose the way they want to integrate.

Bottom line, InfoCard is doomed to merely be a Passport v2 tool which Microsoft and very few of its closest vendors will use and that’s it.  Lame!

6 Comments

• jon_galloway@yahoo.com said Monday, June 12, 2006 2:46:03 PM

  It's no longer InfoCard, it's CardSpaces. Things move quickly around here... CardSpaces is dramatically different from Passport in that it's an open identity system which places control in the hands of the user. Passport was a centralized SSO system which gave end users no control and was difficult (and expensive) to support on the server side. It's the difference between a mainframe / client system (Passport) and a browser / server system (CardSpaces). CardSpaces is a simple identity "browser" which can talk to any identity provider which follows the open protocols - Linux/PHP, ASP.NET, it doesn't matter. Another key point of CardSpaces is the concept of Directed Identity - so I can let my bank know what it needs to so I can manage my account, my local user group what they need to know (but not my bank info), etc. More here: http://www.identityblog.com/?page_id=352 Fingerprint readers are cool, but they're not a total solution (they can be fooled with a gummy bear imprint of a finger, for instance). How likely is it that you've left a few fingerprints near your computer? Also, a fingerprint ties to one identity, and I'm back to potentially giving my financial information to my friendly local user group admin. CardSpaces is very different from Passport, and the only thing that will doom it is if it is misunderstood.

• Rob Chartier said Monday, June 12, 2006 3:20:19 PM

  Let me clerify things, and add a bit... The reason why I believe it is doomed is because things have to happen on the server in order for people to use this technology. Why would any vendor sign up for that (headache)? If we completely forget about a *working* implementation of this for non-MSFT systems... MSFT is seen (at least in my eyes) as a very fast mover -not to mention untrusted-. It adopts new initiatives and then dumps them with zero or little support and at the drop of a hat. Our typical dev cycle is super short compared to most so we have a slight advantage but for those larger shops these cycles are much more longer and have a huge feature set they need to roll in. Which, is who this technology is seemed to target. If these larger shops start to adopt this for their customers right now, and start forcing most of their customers to this type of solution then what happens when MSFT jumps ship to a new bit of technology to solve this problem in a new way? By the time they get the support in place, will MSFT already switch to something else?

• jon_galloway@yahoo.com said Monday, June 12, 2006 4:36:08 PM

  I can't predict if it will be adopted, but I think there are very compelling reasons for a vendor to use an industry standard identity system rather than writing their own. As it is now, all websites which require login have to code their own identity systems. Everyone has to worry about the same things - security, privacy, robots (CAPTCHA, etc.), on and on. This is a global problem that's begging for some standards based solutions to replace the multitudes of one-off solutions we've got now. This should have a better chance than Passport because it's been architected by one of Passport's biggest critics (Kim Cameron), with a good amount of community involvement. It's very open - for instance, his demo's are in PHP. It's a standard rather than a product, so Microsoft could drop it and CardSpaces would continue on. I very much doubt Microsoft would drop CardSpaces if it gains any traction at all. Why on earth would they? This isn't a product that pays them for new versions; it's a protocol. They've already got egg on their face from Passport, so they've got every incentive to see CardSpaces succeed.

• jon_galloway@yahoo.com said Monday, June 12, 2006 10:11:16 PM

  P.S. Sorry for the comment barrage. I've definitely drunk the InfoCard^H^H^H^H^H^H CardSpace KoolAid.

• Ogre said Tuesday, June 13, 2006 3:05:07 PM

  Yeah and from what I understand InfoCard addresses the main issue with Passport which was Microsoft storing everyone's user data. With InfoCard, at last from my understanding, all the data is stored on the Service Provider's servers and not Microsoft's. I agree that the technology is doomed but only because people keep thinking of it as Passport 2.0 when really InfoCard != Passport && InfoCard > Passport.

• Ciaran Roarty said Tuesday, June 13, 2006 9:42:37 PM

  Rob I've been to a session today on InfoCard [CardSpace] and I think I've had my opinion changed..... The back-story to InfoCard is really all WS-* standards, the Vista UI is a limited subset of the identity piece. What Microsoft are suggesting is that a future market will be in 'Security Token Services' of which, for example, Passport might be one. This doesn't mean that it is Passport 2.0.... Why? Because we might get 'claim information' from the government, our employers, etc and then be able to use that against services to obtain access, and role based access at that, to those services. I agree with you that the tag instantiation of the InfoCard GUI is not the best, however, the identity metasystem proposed is equivalent to Single SignOn for all of the services you currently register for. Ciaran