MS Windows CardSpace
Windows CardSpace, formerly known by its codename InfoCard, is a framework developed
by Microsoft which securely stores digital identities of a person, and provides
a unified interface for choosing the identity for a particular transaction, such
as logging in to a website. Windows CardSpace is a central part of Microsoft's effort
to create an Identity Metasystem, or a unified, secure and interoperable identity
layer for the Internet.
When a CardSpace-enabled application or website wishes to obtain personal information
about the user, the app or site demands a particular set of claims or a particular
token type from the user. CardSpace then appears on a separate, isolated desktop (so
that other programs cannot overlay or spoof it) and represents the stored identities
as virtual information cards. The user selects the card to use and the CardSpace
software contacts the issuer of the identity to obtain a digitally signed XML token
that contains only the requested claims; the token is encrypted for the requesting
site, so the claims are not exposed in transit.
CardSpace allows users to create self-issued identities for themselves, which can
contain one or more of around 15 fields of telephone-book quality identity information
(name, address, e-mail address and the like). Other transactions may require a managed
identity issued by a trusted identity provider, such as a bank, employer or a governmental
agency, which can vouch for claims the user cannot credibly assert alone.
Windows CardSpace is built on top of the Web Services Protocol Stack, an open set of
XML-based protocols, including WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy.
This means that any technology or platform which supports the WS-* protocols can integrate
with CardSpace. In order to accept information cards, a website developer needs only
to declare an HTML object tag that specifies the token type and the claims the website
is demanding from the user, and then implement code that decrypts the returned token
with the site's private key, verifies the issuer's signature, checks that the token
was issued for that site and is still within its validity period, and extracts the
claim values. If an Identity Provider (IP) wants to issue tokens, it must provide a
means by which a user can obtain a managed card, and provide a Security Token Service
(STS) which handles WS-Trust requests and returns an appropriately encrypted and signed
token. An IP that does not wish to build its own STS could obtain one from a variety
of vendors, including PingID, BMC, Sun and Microsoft, as well as other companies or
organizations.
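The relying-party side of that integration, as an added example that is not part of the original article or of Microsoft's CardSpace code: the first function emits the object tag a login page embeds (the `application/x-informationCard` type, the `xmlToken` form field and the `tokenType`/`requiredClaims` parameters, with claims named by their full URIs under the self-issued claims namespace); the second validates an already decrypted SAML 1.1 assertion, rejecting one that is outside its validity window, issued for a different audience, or missing a required claim, and returns the claim values. Decrypting the WS-Security EncryptedData wrapper and verifying the XML signature are assumed to have been done beforehand and are not shown. The sample assertion, the audience URL `https://rp.example/login` and the claim values are constructed for the example.

```python
"""Relying-party helpers for a CardSpace login (added example, not CardSpace code).
Emits the object tag that requests claims, then validates a decrypted SAML 1.1
assertion and extracts the claim values.  The sample token below is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from html import escape

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML11_NS}


def relying_party_object_tag(required, optional=(), token_type=SAML11_NS):
    """Markup a relying party embeds in its login form.  Each claim is named by its
    full URI; the browser posts the token back in the form field named 'xmlToken'."""
    params = [("tokenType", token_type),
              ("requiredClaims", " ".join(f"{CLAIMS_NS}/{c}" for c in required))]
    if optional:
        params.append(("optionalClaims", " ".join(f"{CLAIMS_NS}/{c}" for c in optional)))
    body = "\n".join(f'  <param name="{n}" value="{escape(v, quote=True)}"/>' for n, v in params)
    return f'<object type="application/x-informationCard" name="xmlToken">\n{body}\n</object>'


def _saml_time(s):
    # SAML timestamps are UTC and carry a trailing 'Z'.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(assertion_xml, audience, required, now=None):
    """Check the assertion's Conditions and return {claim_name: value}.
    Assumes the EncryptedData wrapper has already been decrypted with the relying
    party's private key and the issuer's XML signature verified; both are omitted here."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML11_NS}}}Assertion":
        raise ValueError("not a SAML 1.1 assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if not (_saml_time(cond.get("NotBefore")) <= now < _saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    # A token minted for another site must not be accepted here (replay across sites).
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError(f"token not issued for {audience}: {audiences}")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("AttributeNamespace") != CLAIMS_NS:
            continue  # ignore attributes from other vocabularies
        value = attr.find("saml:AttributeValue", NS)
        claims[attr.get("AttributeName")] = value.text if value is not None else ""
    missing = [c for c in required if c not in claims]
    if missing:
        raise ValueError(f"required claims absent: {missing}")
    return claims


# Constructed sample: what a self-issued token looks like after decryption.
REQUIRED = ["givenname", "emailaddress", "privatepersonalidentifier"]
AUDIENCE = "https://rp.example/login"
SAMPLE_NOW = datetime(2007, 3, 1, 10, 2, tzinfo=timezone.utc)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML11_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="uuid-0001" Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
    IssueInstant="2007-03-01T10:00:00Z">
  <saml:Conditions NotBefore="2007-03-01T10:00:00Z" NotOnOrAfter="2007-03-01T10:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>ppid-for-rp-example-only</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def demo():
    """Validate the sample token as the relying party would and return its claims."""
    return extract_claims(SAMPLE_ASSERTION, AUDIENCE, REQUIRED, now=SAMPLE_NOW)


def is_rejected(audience=AUDIENCE, minutes_late=0):
    """True if the sample token is refused for the given audience / clock offset."""
    try:
        extract_claims(SAMPLE_ASSERTION, audience, REQUIRED,
                       now=SAMPLE_NOW + timedelta(minutes=minutes_late))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(relying_party_object_tag(REQUIRED, optional=["surname"]))
    print(demo())
```

The PPID claim (`privatepersonalidentifier`) is the one a site normally keys accounts on: CardSpace derives it per card and per relying party, so the value above means nothing to any other site, which is also why the audience check matters before trusting it.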
Because it is token-agnostic, CardSpace does not compete directly with other Internet
identity architectures such as OpenID and the Liberty Alliance specifications. In some
ways the three approaches to identity can be seen as complementary.
In February 2006, IBM and Novell announced that they would support the Higgins trust
framework, a development framework that subsumes support for the Web Services Protocol
Stack underlying CardSpace within broader, extensible support for diverse other
identity-related technologies, such as SAML and OpenID. (Initial reports in the
mainstream media positioning Higgins as a direct competitor to InfoCard were somewhat
misconstrued.)