Monday, February 19, 2007

Windows CardSpace

Hello,

Each one of us has different identities in the real world. When you talk to your parents, you are using the identity of a son or daughter. When you communicate with your children, your identity is that of a father or mother. When you are in the office, you are the boss. When you just hang around with your friends, you immediately wear the friend's hat. Thus we have different identities in our daily lives. Similarly, your driving license, passport, credit card, bank passbook, telephone bill, ration card, social security number etc. represent your different identities.

If we have so many identities in the physical world, then think about the virtual world. Every day you access so many sites, entering a site-specific user name and password, using your credit card number to buy airline tickets, using your user name for an e-mail account, etc. Every single application provider has his own security mechanism. The good thing is that there are some common mechanisms as well, like https, Kerberos etc. Okay, so how do we deal with these DIGITAL IDENTITIES in the world of the internet? Let us look at some typical examples as a curtain raiser for CardSpace. Then we will dive somewhat deeper into Windows CardSpace.

“Think about what happens, for instance, when you access an online airline tickets booking application such as Air India. In the simplest case, no digital identity is involved—anybody can browse through the tickets, without telling who they are. When you try to place an order, however, you need to log in, which requires providing a digital identity. Today, you'll most likely do this by entering a username and password, both of which you've chosen yourself. If this online booking application also supports CardSpace, it will provide another option for identifying yourself: using an information card. To allow this, the airline might have a separate button on its login screen that you can click to log in with an information card, rather than entering your username and password.

Clicking this button causes the browser to use CardSpace to log in to this site. As usual, you'll be presented with the CardSpace selection screen, and you'll choose one of the cards in order to identify yourself. Since all the site needs to do at this point is identify you as a unique customer, this simple form of digital identity is sufficient. To pay for your purchases, you might enter your credit card information and mailing address on a Web form as usual.

In this simple scenario, CardSpace provided a way to log in to an online booking without using a password. This is useful, and it's a step forward for digital identity on the Internet.”

I know this example will not be sufficient to explain what exactly CardSpace is, but it will definitely give your brain some massage so that your neurons start moving in the right direction.

Despite having different digital identities, one thing is sure: when identity information is transferred using any protocol, it is represented as some kind of security token. I would say a security token is just a collection of claims. Let us not dive deep into security tokens. But what would happen if you had only one digital identity that could be used across all applications? Life would be good in that case, but unfortunately that is not so easy to implement, for obvious reasons. So, the real challenge is to manage different identities instead of having one identity for all purposes. Yes, now you are coming close to Windows CardSpace.

It uses the identity metasystem, which is like a system of systems. The identity metasystem provides a consistent way to work with multiple digital identities, regardless of the kinds of security tokens they use. Using standard protocols that anyone can implement on any platform, the identity metasystem allows the acquisition and use of any kind of security token to convey identity. So, now what is CardSpace?

Here is the definition, direct from the God: “Windows CardSpace (formerly "InfoCard") is a Microsoft .NET Framework version 3.0 (formerly WinFX) component that provides the consistent user experience required by the identity metasystem. It is specifically hardened against tampering and spoofing to protect the end user's digital identities and maintain end-user control.”

The main aspects of CardSpace are as given below:
1. Support for diverse digital identities
2. Empowering users to make good decisions about using their digital identities
3. Replacement of password-based Web login
4. Improving user confidence in using such identities, making applications more secure. MS is also working on higher-assurance certificates, apart from the server-side SSL certificates already in use.

Now, how does it really work? Are there any user roles defined? Yes, there are three main roles defined, as given below:
1. User
2. Identity Provider
3. Relying Parties

The User is the entity associated with a digital identity. The Identity Provider issues a digital identity (a security token carrying claims) to the user. And Relying Parties are those applications that accept digital identities and then decide whether to authenticate or authorize the user, etc.
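To make the three roles concrete, here is an added example (not from the original post or from Microsoft) that simulates the exchange in Python: the relying party publishes a policy (trusted issuers and required claims), the identity selector offers only the cards that satisfy it, the identity provider issues a signed token, and the relying party verifies the signature and claims. The issuer name, claim names and the shared HMAC key are constructed placeholders; real CardSpace tokens are signed with the issuer's certificate key, which this simplification replaces.

```python
import hmac
import hashlib
import json

# Constructed: keys the relying party holds for each issuer it trusts.
ISSUER_KEYS = {"idp.example": b"constructed-shared-secret"}


def matching_cards(cards, policy):
    """Identity selector: offer only cards that can satisfy the relying party's policy."""
    return [c for c in cards
            if c["issuer"] in policy["trusted_issuers"]
            and all(k in c["claims"] for k in policy["required_claims"])]


def issue_token(issuer, claims, key):
    """Identity provider: a security token is a set of claims plus the issuer's signature."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_token(token, policy):
    """Relying party: accept claims only from a trusted, untampered token that meets policy."""
    payload = json.loads(token["body"])
    issuer = payload.get("issuer")
    key = ISSUER_KEYS.get(issuer)
    if key is None or issuer not in policy["trusted_issuers"]:
        return None  # unknown or untrusted identity provider
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None  # token was altered after the issuer signed it
    claims = payload["claims"]
    if not all(k in claims for k in policy["required_claims"]):
        return None  # token does not carry what the site needs
    return claims


def demo():
    """Walk through the airline login scenario with constructed cards and policy."""
    policy = {"trusted_issuers": ["idp.example"], "required_claims": ["ppid"]}
    cards = [
        {"issuer": "idp.example", "claims": {"ppid": "u-42", "email": "a@example"}},
        {"issuer": "unknown.example", "claims": {"ppid": "x-1"}},
    ]
    chosen = matching_cards(cards, policy)[0]       # user picks the one usable card
    token = issue_token(chosen["issuer"], {"ppid": chosen["claims"]["ppid"]},
                        ISSUER_KEYS[chosen["issuer"]])
    return verify_token(token, policy)
```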

Following is the diagram depicting how it works.

FAQ:
http://windowshelp.microsoft.com/Windows/en-US/Help/7dc9c520-9d16-473d-b21b-413ac7226fb61033.mspx

Thanks and Best Regards,
Amol Kulkarni