Windows CardSpace, formerly known by its codename InfoCard, is the client software (or Identity selector) for the Identity Metasystem, a concept developed by Microsoft which securely stores and delivers the digital identities of a person, providing a unified, secure and interoperable identity layer for the Internet. The identity selector provides a unified interface for choosing the identity for a particular transaction, such as logging in to a website.
When a CardSpace-enabled application or Information card aware website wishes to obtain personal information about the user, the application or website demands a particular set of claims or a particular token type from the user. CardSpace then appears, locking the display to the CardSpace program which displays the stored identities as virtual information cards. The user selects the card to use and the CardSpace software contacts the issuer of the identity to obtain a digitally signed XML token that contains the requested information.
CardSpace allows users to create self-issued identities for themselves, which can contain one or more of around 15 fields of telephone book-quality identity information. Other transactions may require a managed identity issued by a trusted identity provider, such as a bank, employer or a governmental agency.
Windows CardSpace is built on top of the Web Services Protocol Stack, an open set of XML-based protocols, including WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy. This means that any technology or platform which supports the WS-* protocols can integrate with CardSpace. In order to accept information cards, a website developer simply needs to declare an HTML
Because it is token-agnostic, CardSpace does not compete directly with other Internet identity architectures like OpenID and Liberty Alliance. In some ways the three approaches to identity can be seen as complementary.
In February 2006, IBM and Novell announced that they would support the Higgins trust framework, a development framework that subsumes support for the Web Services Protocol Stack underlying CardSpace within broader, extensible support for other identity-related technologies, such as SAML and OpenID.
Microsoft included Windows CardSpace in its new operating system, Windows Vista, and it is also available as part of Microsoft's .NET Framework 3.0 for Windows XP and Windows Server 2003.
(The Identity Metasystem is a platform for managing digital identities and providing authentication services. An identity metasystem manages authentication service providers and facilitates authenticating the user to resources that require authentication. It thus provides interoperability between various authentication credential providers (ranging from password-based authentication systems to biometric systems) and allows the user to authenticate himself to any resource using the authentication system of choice.)