Those of us in OSIS have half-joked about the I4 Interop event being the end of the beginning — but yesterday, the announcement of Geneva ushered in a new beginning.  It is still a long road ahead,  but mark my words, the momentum changes here.

I was recently asked in a rather public forum whether people are really using Information Cards.  The answer was a reluctant no.   There are a few pools of use that are extraordinary, the largest being in Europe.  There are many very interested parties.  There is development happening all over, but not released yet.  I am ok with this however,  because the truth is,  this technology will break out when it is not just cool, but also the obvious choice for the job.

In the past, this technology has been evangelized as the end of passwords, which is, in my mind, a mischaracterization.  It is not the end of the password.  It is the end of the login form.   It is the end of that uncertain little piece of html out there that may or may not be well written, or well protected, and may not actually even be the place you trust.   That may sound like a small little piece of the pie – but when you combine that little piece with the power of the underlying protocols,  and the massive usability problem that confronts us now in the security space,  what we get is a lot closer to the complete picture.

Why is this complete picture necessary?  Ah, well this is the thing, isn’t it?  People keep asking me, why would we ever NEED information cards?  We’re already busy, we don’t want to add something we have to work hard to understand to our Enterprises or to our products, and we’re getting by JUST FINE thank you very much…

Microsoft answered that question yesterday too, with Azure.   As I’ve said before, your provisioning problems can be ignored when removal of network access can act as a master switch for all the nonexistent process in the Enterprise.    Once your Enterprise starts pushing critical business functions outside of the Enterprise, there is no choice but to evolve your Enterprise towards claims-based Identity, federation, SAML, information cards, and this whole next generation of accountability.   In order for Azure to exist,  MS had to find a way to push credentials out into the cloud as well — and here we are.

This is the vision.  And the opportunity,  long awaited.   For those of you who might think that this sounds like a great Microsoft conspiracy here,  remember the protocols that this identity layer rests upon are OPEN, and although MS was involved, so were a huge number of other people and companies. Anyone can play. Instead of simply engineering an Identity layer for themselves,  Microsoft has instead worked within the community to enable something much greater.  I have been lucky enough to see just how much work, time, money, and care has been put into making sure that there are tools, products, and services out there that give people choice in the Identity Infrastructure they use to interact with services such as Azure.

I tip my hat to all you folks on the federated identity team at Microsoft — past and present members.   You have walked and will continue to walk a tough line,  but I hope that now, at least the story gets easier. Thank you.

I ran into an interesting phenomenon the first time I used IE protected mode.   I’m documenting it here, in case somebody else gets into this situation.

My test blogs are at http://pamelaproject.com, but my login page and the rest of my administrative pages are protected using HTTPS.   Past use had resulted in my having added https://pamelaproject.com to my trusted sites list in IE.

If you use the default settings for enablement of protected mode in IE,  Internet sites operate with protected mode on, while trusted sites operate with protected mode off.  When I attempted to go to my blog front page,  IE was in protected mode – but by authenticating, I changed from an Internet Site to a Trusted Site, and changed protection mode.  The result was extremely unsatisfactory.

Upon logging in, a separate IE instance started, showing an authenticated WordPress admin page.  I could view my profile or use other admin functionality.  If I tried to visit my main WordPress site blog front page content however,  I was taken to my original IE instance — where I could view my front page, but where I was not authenticated.  It was a lovely catch-22: If I tried to comment, I’d end up in IE window #1, with no user session.  If I tried to authenticate, boom!  I’d end up in the IE window #2, authenticated, but with nothing to comment on.

Fun huh?

To fix this problem, you can simply remove the https url of your site from your trusted sites list, so that everything runs in the same protection mode.  You can also meddle with your protection mode settings per site classification — after all, what’s the point in turning protection mode off for trusted sites, if doing so causes complexity rather than reducing complexity? At least if everything is in protected mode, you don’t have unasked-for windows popping up when you least expect them.  Of course, I haven’t used IE enough recently to know if there are other reasons why you would want protection turned off.   I suppose only time will tell.

Ah, it’s great to see we’re making progress.  To those hardy souls in and around the OASIS IMI TC with the mental fortitude to yet again enter into the great Identity Metasystem Definition Debate on mailing lists near and far, I salute you with a blast from the past, nicely formatted for pleasurable zen-like consumption:

I haven’t been able to do much (anything) in the world of Information Cards lately.  No work on my code, no examination of the new version of the protocol.  It’s like the Ice Cream truck is driving around and around my house, and I can only watch it circle…  soon though.  I keep telling myself that…

For those of you out there that want to know what’s going on,  you should be subscribing to Vittorio and to Axel.  Vittorio is posting all sorts of delicious technical information about Zermatt, the new Microsoft Identity coding framework bits, and Axel is posting all sorts of tasty tidbits of information about ISIP 1.5.

There is a huge conversation to be had around what in the new ISIP document dictates change in code for existing common features.  I’m sure people have already been having that discussion in private, but I hope to see some of the subtleties come out as part of our next Interop effort, underway now!

Microsoft has just announced a new version of the ISIP (Identity Selector Interoperability Profile, the main document describing information card interaction behavior).  This is a BIG deal, certainly from an interoperability perspective, although I don’t expect much to be a surprise in the document, as the CardSpace team has been working hard to blog upcoming features.

In conjunction with the new documentation,  there is also a Service Pack release for .NET 3.5.    I can’t wait to see what goodies await in the CardSpace arena — perhaps it will mostly be under the hood, only play time will tell…

Er, when exactly I’ll get that play time is a different question.  Soon, I hope.  If you get there first, be sure to let me know what you think!

As you may have already heard, the Information Card Foundation has finally been made public.  As a community board member, I’ve been mostly a spectator in the formation of this foundation, watching as an intense amount of legal work, diplomacy, recruitment, and PR work sped by.   It has been a real eye opener to see this entity come to exist,  and to see the huge commitment that has been necessary to attain organizational escape velocity.

To me, the ICF is about enablement.  We now have a place where interested parties can collaborate to create value; a place with a well-defined legal context, and the ability to allocate funds to achieve community goals.

I believe that we have a good mix of people contributing to the ICF at the governance level – we have zealots & skeptics, dreamers & realists, Enterprise representation as well as Consumer representation, protocol people & implementers, big business and grassroots organizations.  I think this kind of diversity will keep us from drowning in our own self-made koolaid ;)

Actions speak louder than words, of course.  I look forward to letting our actions do the speaking as soon as possible.  In the meantime, I want to send many thanks and kudos to the Executive Director of the ICF, Charles Andres, for his work as orchestra conductor and primary cat-herder in getting things off the ground.

I must have missed the memo on unencrypted tokens… will check with the OSIS crowd and report back – this will most likely temporarily break some Relying Parties (including mine). Oh, the wicked pace of progress :)

I’ve decided that there is no better way than to learn the ins and outs of a technology than to publicly assert your understanding — as long as your ego can take it, you learn very quickly where all the gaps and flaws in your logic lie :)

It turns out that all this time that I’ve been working with information cards, I’ve misunderstood the nature of .crd files and managed card portability. In my talk at RSA, I stated that managed cards had a different portability model than self-issued cards, because a user could download a .crd file from an Identity Provider at any time, import it into a new selector, and use it to get to all of their sites where they had previously associated a card from that account at the Identity Provider.

This isn’t the way that .crd files work, as it turns out. A .crd file is not an information card – it is an information card *template*. When you download a .crd file, the master key for the card is not part of the file, it is generated upon import — thus if you import a .crd file into two different selectors, each card will have two different master keys. Different master keys mean different privatepersonalidentifiers being sent to the Relying Party, who will most likely object. This means that even if somebody out there compromises my identity provider, they may be able to download a card that points to my identity, but it is highly likely that they won’t be able to use that card anywhere that matters (unless the Relying Party isn’t asking for ppid, that is). This revelation has opened the door for me to cook new hare-brained schemes around how cards might be used for what I like to call “user-centric forensics” –I see two possibilities for intrusion detection here:

1. If my card is an auditing card, I hope that in the future, Identity Providers will prominently feature any unsuccessful card use attempts, giving me a cue that something is wrong, and giving me data that I could use to find my attacker.

2. Depending on what the Relying Party keeps about a given card, it should theoretically be possible to detect a token submission where both the claims and the issuer are identical to a valid cardholder, but where the ppid differs (or perhaps where the submission comes from an IP address in a different country or a combination of this kind of thing). Whether such a thing is desirable or not is a different question — the RP would have to store a *lot* of data, and the resulting privacy tradeoffs might not be worth it. The PamelaWare plugins couldn’t do this kind of tracking, as we store a hash of the issuer and ppid rather than the values themselves (this is the closest thing to an RP best practice that I know).

If managed card portability is needed in the way that I originally understood it, I think it could still be done – a claim other than privatepersonalidentifier could be used to pass an identifier not tied to the master key of the card — but all in doing so, you lose one of the qualities that in my mind makes information cards unique, you would essentially revert to a two-party system, with the selector merely passing things around instead of being an essential participant. No matter what, I think this concept of card templates could be used to do some very imaginative things – now that I understand the difference, I can’t wait to go and play!

Many thanks to Vittorio for attending my RSA session and giving me such valuable feedback – I am very happy to be just a little less clueless in at least one tangible way :-D