Microsoft offers personal digital ID cards
By Ian Murphy,
Identity and the internet are not words that sit well together to many people. The internet has changed the way people interact with systems for work and leisure.
People are increasingly able to log into their office computers from anywhere in the world. At the same time, they are taking advantage of online shopping to order cheaper goods and using online banking to avoid charges and the problems of getting to banks.
The problem with all of this is identity. How do you prove who you are? How does your office server know to trust you? How can you be sure that the site you are connecting to is legitimate? Identity theft via the internet is a global business and affects both individuals and businesses.
Every month brings reports of new phishing sites that are trying to get hold of your details. This is causing chaos for users and businesses and has resulted in something of a crisis of confidence in the security of the internet. Changing passwords regularly is no guarantee of safety, as keyboard logging software will harvest the password right from your machine. What has been missing is a solution that is immune to the bad guys but at the same time is simple and easy to use.
The role of InfoCard
The InfoCard project is an industry initiative based around the use of secure digital identities. Unlike previous attempts to do this, it is not based on a single vendor's technology. What it provides is a framework by which vendors and developers can build their own solutions that accept a Digital ID Card from multiple sources. The system also gives a lot of control back to its users by allowing them to see what information they are being asked for and what they are sharing.
Microsoft has been active in InfoCard from the start and recently revamped and renamed its InfoCard product to Microsoft CardSpace. It will introduce CardSpace with Windows Vista and provide versions for Windows XP and Windows Server 2003.
One of the things underpinning InfoCard is something called the Laws of Identity. These are:
1. User control and consent
2. Minimal disclosure for a constrained use
3. Justifiable parties
4. Directed identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts
Like all "laws", there is a lot of detail hidden by these headings. In a nutshell, what this means is that:
1. You create or are "issued" a card for your use
2. The card does not contain real data, only "metadata" that tells people what information it represents, known as "claims"
3. The card says where to go to obtain the "claims"
4. The card carries a signature that confirms it is valid
The problem with most computer solutions is that they end up being pretty complicated. The designers of InfoCard have designed a solution that is pretty simple to make sense of. There are two ways of using the service - with a self-issued card or one provided by a third party such as your employer, bank or similar. You then go through a simple process to identify yourself.
Self-issued cards
1. You connect to a site, application or service - the Relying Party (RP) - that supports InfoCard.
2. The RP sends back a list of information it needs.
3. You select which of your InfoCards you want to use for this site.
4. InfoCard creates a security token using the data required, encrypts it and sends it to the RP.
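The following is an added example, not part of the original article and not CardSpace code: a simplified Python model of steps 2 to 4, showing that the token carries only the claims the RP asked for and is bound to that RP. The function names, the sample card and the HMAC signature (a stand-in for the real token signature; the encryption step is omitted) are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample data: a self-issued card holding more claims than any one site needs.
CARD = {
    "card_id": "card-personal-01",
    "claims": {
        "givenname": "Alex",
        "surname": "Example",
        "email": "alex@example.test",
        "dateofbirth": "1980-01-01",
    },
}
CARD_KEY = b"constructed-demo-key"  # assumption: stands in for the card's signing key


def build_token(card, key, rp_id, required):
    """Steps 2-4: take the RP's list of required claims and build a signed token
    containing only those claims, bound to that RP."""
    missing = [c for c in required if c not in card["claims"]]
    if missing:
        # The chosen card cannot satisfy the RP; the user must pick another card.
        raise ValueError("card lacks required claims: " + ", ".join(missing))
    payload = {
        "audience": rp_id,  # binds the token to one RP (directed identity)
        "claims": {c: card["claims"][c] for c in required},  # minimal disclosure
    }
    body = json.dumps(payload, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_token(token, key, rp_id, required):
    """RP side: check the signature, the audience and that every required claim is present.
    Returns the claims on success, None on any failure."""
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None  # body was altered or signed with a different key
    payload = json.loads(token["body"])
    if payload.get("audience") != rp_id:
        return None  # token was issued for a different RP
    if any(c not in payload["claims"] for c in required):
        return None
    return payload["claims"]
```

A token built for one RP is rejected by another, and claims the RP did not request, such as the date of birth here, never leave the user's machine.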