Security: Microsoft’s CardSpace scheme explained

Doing business on the web is a leap of faith. You trust that the keeper of your details is competent and has sufficient protection in place to look after them. Yet regardless of what safeguards keep attackers away from the customer database, the weak point is the interface with the website itself: the username and password.

For several years there has been talk of a mutual protection scheme for web transactions, one that assures the vendor that the customer is who they say they are and assures the customer that the vendor site is a bona fide site. The basis is trust, the kind of trust you place in a financial institution to keep your money safe or to manage your insurance portfolio.

In the internet world, the idea is that a trusted third party acts as a referee to vouch for the transactors' identities. Microsoft started the ball rolling with Passport, but Passport relied on Microsoft as the sole trusted third party. To be frank, too many people felt that this was too much trust to place in a single company. In the real world, trust tends to be spread across several organisations, and Microsoft soon learnt that this should also be the case on the web.

Microsoft announced its latest initiative as InfoCard early in 2006 and, as it has developed, the commercial name CardSpace has been settled upon.

Paul Mackinnon, senior identity advisor at Microsoft, says that there are two main aims for the service: to be secure and to be simple. These are often conflicting targets, but he feels that CardSpace answers both needs.

The CardSpace name describes the system: cards, visual icons resembling credit cards, are stored in a protected place on the customer's PC, a space for cards. In everyday life most people are used to credit cards, membership cards and ID cards such as passports, and Microsoft has transferred the idea to cyberspace. All of these cards have one thing in common: a trusted organisation has checked the identity of the card holder, and the card attests to that identity. Of course, we still have ID fraud, but Mackinnon believes that CardSpace will prove even more secure.

“Passport failed because of the trust issue and Microsoft cannot afford a similar failure with CardSpace,” he says. “We have addressed all of the concerns that people had with Passport and I feel sure that this will be simple, secure and successful.”

The basis for his confidence is the intellectual foundation on which the service has been built: the Laws of Identity developed by Kim Cameron, Microsoft's chief identity and access architect, through the so-called blogosphere. By airing his views, and those of other correspondents, on his web log, Cameron broadened his initial concepts into a set of rules for identity security ( http://www.identityblog.com/?page_id=354 ). These have shaped CardSpace and will continue to do so throughout its development.

One of the key elements is to allow a user to have as many identities as they wish. This has always been possible on the web, but it usually means filling in a different membership form for each site. What Microsoft is proposing is an identity metasystem layer that carries the various elements of an individual's profile as discrete claims. Naturally, this means XML and SOAP, along with their standards-based security elements WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy.

One way of conveying personal data to a vendor is to store it on the customer's PC as a cookie. The cookie is presented whenever the user logs on, but it lacks security: whoever copies it can replay it, and the site has no way of telling whether its contents have been altered. What is needed is the stronger assurance of a digital signature. A signature is computed over the data with the issuer's private key and checked with the issuer's public key, so anyone holding that public key can confirm both who issued the data and that it has not been changed since. It plays the role of the physical signature on the back of a credit card, except that it cannot be produced without the private key or lifted from one document onto another.

There are three parties involved in CardSpace. The first is the User, or Subject, who owns the digital identity; this can be almost anything: a person, an organisation, an application or even a machine. The link at the end of the chain is the Relying Party, often a web application such as a shopping trolley or other order-taking service. In the middle is the Identity Provider, which authenticates the User and issues a signed token asserting the details (the claims) that the User has chosen to release.

When a User decides to purchase something, the Relying Party requests identification. The request takes the form of a policy that lists the information required for the transaction, such as the user's name, address and credit card details.

A key part of this initial stage is that the user can see exactly what information is being requested and choose whether to continue. If the transaction is a free document download and the policy unnecessarily asks for credit card details, the User can back out at this point, or attempt the download while withholding the credit card information. The main aim of the system is to let the customer control the flow of data.

The User also chooses which particular card to present, from CardSpace's graphical display of cards. These may be general-purpose cards or cards specific to a particular vendor. A user-friendly touch is that the issuer of a card can supply its own card design, so the icon looks like a store charge card, with a company logo and any other graphics that make it stand out. From the User's perspective, this means that a click on an icon initiates a transaction.

Once the policy is approved, CardSpace sends a request to the Identity Provider for a signed token containing the details. The token is then passed to the Relying Party and the transaction is completed. The goal is to make relatively insecure password log-ins a thing of the past, but Microsoft will not be the only vendor of such systems. There is already a counterpart in the open source world, the Higgins Trust Framework. This is where open standards show their strength.
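The three-party exchange described above (policy, claim selection, signed token), together with the earlier point about cookies versus signatures, as an added example that is not part of the original article and is not Microsoft's CardSpace code: a minimal Go model in which the Relying Party's policy names required and optional claims, the User withholds an optional claim, an Identity Provider signs the released claims with an ECDSA key, and the Relying Party checks signature, audience and expiry before trusting a single claim. Real CardSpace tokens are SAML carried over WS-Trust; JSON and a bare ECDSA signature stand in for them here, and the site names, card contents and claim names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Policy is what the Relying Party publishes: claims it must have, claims it would merely like, and its own address.
type Policy struct {
	Audience string
	Required []string
	Optional []string
}

// Token is the Identity Provider's signed statement: JSON claims plus an ASN.1 ECDSA signature over SHA-256(Payload).
type Token struct{ Payload, Sig []byte }

type Claims struct {
	Audience string            `json:"aud"`
	Expires  int64             `json:"exp"`
	Released map[string]string `json:"claims"`
}

// NewIdPKey generates the Identity Provider's P-256 signing key.
func NewIdPKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// SelectClaims is the card-selector step: the User sees the policy and may withhold any optional claim.
// A required claim that is withheld or absent stops the transaction here rather than sending a token the RP would reject.
func SelectClaims(card map[string]string, p Policy, withhold map[string]bool) (map[string]string, error) {
	out := map[string]string{}
	for _, c := range p.Required {
		v, ok := card[c]
		if !ok || withhold[c] {
			return nil, fmt.Errorf("policy requires %q: release it or back out", c)
		}
		out[c] = v
	}
	for _, c := range p.Optional {
		if v, ok := card[c]; ok && !withhold[c] {
			out[c] = v
		}
	}
	return out, nil
}

// IssueToken is the Identity Provider: it binds the released claims to one Relying Party and an expiry, then signs them.
func IssueToken(priv *ecdsa.PrivateKey, aud string, released map[string]string, ttl time.Duration) (Token, error) {
	payload, err := json.Marshal(Claims{Audience: aud, Expires: time.Now().Add(ttl).Unix(), Released: released})
	if err != nil {
		return Token{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Token{payload, sig}, err
}

// VerifyToken is the Relying Party. It trusts the IdP's public key (obtained out of band, e.g. from a certificate),
// checks the signature before reading a single claim, and rejects tokens minted for another site or already expired.
// A copied or edited token, which a cookie-based site could not detect, fails here.
func VerifyToken(pub *ecdsa.PublicKey, t Token, expectedAud string, now time.Time) (map[string]string, error) {
	digest := sha256.Sum256(t.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], t.Sig) {
		return nil, fmt.Errorf("signature invalid: token forged or altered")
	}
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return nil, err
	}
	if c.Audience != expectedAud {
		return nil, fmt.Errorf("token issued for %q, not %q", c.Audience, expectedAud)
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return c.Released, nil
}

func main() {
	// Constructed sample: a free-download site asks for a card number it does not need; the User withholds it.
	card := map[string]string{"name": "A. User", "email": "a.user@example.test", "cardnumber": "4111"}
	policy := Policy{"https://downloads.example.test", []string{"email"}, []string{"name", "cardnumber"}}
	released, _ := SelectClaims(card, policy, map[string]bool{"cardnumber": true})
	idp := NewIdPKey()
	tok, _ := IssueToken(idp, policy.Audience, released, time.Minute)
	claims, err := VerifyToken(&idp.PublicKey, tok, policy.Audience, time.Now())
	fmt.Println("accepted:", claims, err)
	tok.Payload[2] ^= 1 // any edit to the claims, however small, breaks the signature
	_, err = VerifyToken(&idp.PublicKey, tok, policy.Audience, time.Now())
	fmt.Println("tampered:", err)
}
```

A tampered token fails at the signature check before any claim is read, and a token issued for one site fails the audience check at another, which is exactly the replay a plain cookie cannot prevent. The expiry bound limits how long a stolen token is useful. In a deployment the Relying Party obtains the Identity Provider's public key out of band rather than from anything the browser sends.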

Microsoft is placing its development efforts into Windows as the platform of choice. CardSpace is part of the .NET Framework 3.0, so it is available on Windows Vista and, by installing that framework, on Windows XP and Windows Server 2003. Higgins is open platform and is backed by IBM and Novell. There are also OpenID and the Liberty Alliance to consider. The word “competitor” is misleading here, as there are plans in hand to ensure that these systems will all work together. Similarly, CardSpace works only with Internet Explorer in Microsoft's implementation, but an extension for the Firefox browser, developed independently of Microsoft, is already available. No doubt other browser manufacturers, such as Opera, will soon follow suit.

There is no date for the release of CardSpace other than that it will be with us in 2007. Microsoft is beta testing the system, and it can be downloaded from its website. Mackinnon admits that the system is not foolproof -- no security system is -- but it is a major step towards removing some of the fraudulent behaviour on the web and offers much better protection against ID theft.

Windows IT Pro is a Division of Penton Media Inc. Copyright © 2008 Penton Media, Inc., All rights reserved.