The Beginning – of the middle.

Those of us in OSIS have half-joked about the I4 Interop event being the end of the beginning — but yesterday, the announcement of Geneva ushered in a new beginning.  It is still a long road ahead,  but mark my words, the momentum changes here.

I was recently asked in a rather public forum whether people are really using Information Cards.  The answer was a reluctant no.   There are a few pools of use that are extraordinary, the largest being in Europe.  There are many very interested parties.  There is development happening all over, but not released yet.  I am ok with this however,  because the truth is,  this technology will break out when it is not just cool, but also the obvious choice for the job.

In the past, this technology has been evangelized as the end of passwords, which is, in my mind, a mischaracterization.  It is not the end of the password.  It is the end of the login form.   It is the end of that uncertain little piece of html out there that may or may not be well written, or well protected, and may not actually even be the place you trust.   That may sound like a small little piece of the pie – but when you combine that little piece with the power of the underlying protocols,  and the massive usability problem that confronts us now in the security space,  what we get is a lot closer to the complete picture.

Why is this complete picture necessary?  Ah, well this is the thing, isn’t it?  People keep asking me, why would we ever NEED information cards?  We’re already busy, we don’t want to add something we have to work hard to understand to our Enterprises or to our products, and we’re getting by JUST FINE thank you very much…

Microsoft answered that question yesterday too, with Azure.   As I’ve said before, your provisioning problems can be ignored when removal of network access can act as a master switch for all the nonexistent process in the Enterprise.    Once your Enterprise starts pushing critical business functions outside of the Enterprise, there is no choice but to evolve your Enterprise towards claims-based Identity, federation, SAML, information cards, and this whole next generation of accountability.   In order for Azure to exist,  MS had to find a way to push credentials out into the cloud as well — and here we are.

This is the vision.  And the opportunity,  long awaited.   For those of you who might think that this sounds like a great Microsoft conspiracy here,  remember the protocols that this identity layer rests upon are OPEN, and although MS was involved, so were a huge number of other people and companies. Anyone can play. Instead of simply engineering an Identity layer for themselves,  Microsoft has instead worked within the community to enable something much greater.  I have been lucky enough to see just how much work, time, money, and care has been put into making sure that there are tools, products, and services out there that give people choice in the Identity Infrastructure they use to interact with services such as Azure.

I tip my hat to all you folks on the federated identity team at Microsoft — past and present members.   You have walked and will continue to walk a tough line,  but I hope that now, at least the story gets easier. Thank you.

Small Note on IE Protected Mode

I ran into an interesting phenomenon the first time I used IE protected mode.   I’m documenting it here, in case somebody else gets into this situation.

My test blogs are at, but my login page and the rest of my administrative pages are protected using HTTPS.   Past use had resulted in my having added to my trusted sites list in IE.

If you use the default settings for enablement of protected mode in IE,  Internet sites operate with protected mode on, while trusted sites operate with protected mode off.  When I attempted to go to my blog front page,  IE was in protected mode – but by authenticating, I changed from an Internet Site to a Trusted Site, and changed protection mode.  The result was extremely unsatisfactory.

Upon logging in, a separate IE instance started, showing an authenticated WordPress admin page.  I could view my profile or use other admin functionality.  If I tried to visit my main WordPress site blog front page content however,  I was taken to my original IE instance — where I could view my front page, but where I was not authenticated.  It was a lovely catch-22: If I tried to comment, I’d end up in IE window #1, with no user session.  If I tried to authenticate, boom!  I’d end up in the IE window #2, authenticated, but with nothing to comment on.

Fun huh?

To fix this problem, you can simply remove the https url of your site from your trusted sites list, so that everything runs in the same protection mode.  You can also meddle with your protection mode settings per site classification — after all, what’s the point in turning protection mode off for trusted sites, if doing so causes complexity rather than reducing complexity? At least if everything is in protected mode, you don’t have unasked-for windows popping up when you least expect them.  Of course, I haven’t used IE enough recently to know if there are other reasons why you would want protection turned off.   I suppose only time will tell.

All the Goings On

I haven’t been able to do much (anything) in the world of Information Cards lately.  No work on my code, no examination of the new version of the protocol.  It’s like the Ice Cream truck is driving around and around my house, and I can only watch it circle…  soon though.  I keep telling myself that…

For those of you out there that want to know what’s going on,  you should be subscribing to Vittorio and to Axel.  Vittorio is posting all sorts of delicious technical information about Zermatt, the new Microsoft Identity coding framework bits, and Axel is posting all sorts of tasty tidbits of information about ISIP 1.5.

There is a huge conversation to be had around what in the new ISIP document dictates change in code for existing common features.  I’m sure people have already been having that discussion in private, but I hope to see some of the subtleties come out as part of our next Interop effort, underway now!

New Version of the ISIP!!!

Microsoft has just announced a new version of the ISIP (Identity Selector Interoperability Profile, the main document describing information card interaction behavior).  This is a BIG deal, certainly from an interoperability perspective, although I don’t expect much to be a surprise in the document, as the CardSpace team has been working hard to blog upcoming features.

In conjunction with the new documentation,  there is also a Service Pack release for .NET 3.5.    I can’t wait to see what goodies await in the CardSpace arena — perhaps it will mostly be under the hood, only play time will tell…

Er, when exactly I’ll get that play time is a different question.  Soon, I hope.  If you get there first, be sure to let me know what you think!

ICF – Information Card Foundation

As you may have already heard, the Information Card Foundation has finally been made public.  As a community board member, I’ve been mostly a spectator in the formation of this foundation, watching as an intense amount of legal work, diplomacy, recruitment, and PR work sped by.   It has been a real eye opener to see this entity come to exist,  and to see the huge commitment that has been necessary to attain organizational escape velocity.

To me, the ICF is about enablement.  We now have a place where interested parties can collaborate to create value; a place with a well-defined legal context, and the ability to allocate funds to achieve community goals.

I believe that we have a good mix of people contributing to the ICF at the governance level – we have zealots & skeptics, dreamers & realists, Enterprise representation as well as Consumer representation, protocol people & implementers, big business and grassroots organizations.  I think this kind of diversity will keep us from drowning in our own self-made koolaid ;)

Actions speak louder than words, of course.  I look forward to letting our actions do the speaking as soon as possible.  In the meantime, I want to send many thanks and kudos to the Executive Director of the ICF, Charles Andres, for his work as orchestra conductor and primary cat-herder in getting things off the ground.

The squeaky wheels are oiled for now…

Whenever things are this quiet, you can be sure that there is a lot of work going on beneath the surface. Just in case you don’t believe me, check out the latest version of the Bandit DigitalMe Selector: I *love* the yellow band that displays the hostname of the Relying Party you are trying to interact with, it’s a great addition. Nice work Andy!

This is new!

I must have missed the memo on unencrypted tokens… will check with the OSIS crowd and report back – this will most likely temporarily break some Relying Parties (including mine). Oh, the wicked pace of progress :)

Usually these things are encrypted

Managed Card Portability

I’ve decided that there is no better way than to learn the ins and outs of a technology than to publicly assert your understanding — as long as your ego can take it, you learn very quickly where all the gaps and flaws in your logic lie :)

It turns out that all this time that I’ve been working with information cards, I’ve misunderstood the nature of .crd files and managed card portability. In my talk at RSA, I stated that managed cards had a different portability model than self-issued cards, because a user could download a .crd file from an Identity Provider at any time, import it into a new selector, and use it to get to all of their sites where they had previously associated a card from that account at the Identity Provider.

This isn’t the way that .crd files work, as it turns out. A .crd file is not an information card – it is an information card *template*. When you download a .crd file, the master key for the card is not part of the file, it is generated upon import — thus if you import a .crd file into two different selectors, each card will have two different master keys. Different master keys mean different privatepersonalidentifiers being sent to the Relying Party, who will most likely object. This means that even if somebody out there compromises my identity provider, they may be able to download a card that points to my identity, but it is highly likely that they won’t be able to use that card anywhere that matters (unless the Relying Party isn’t asking for ppid, that is). This revelation has opened the door for me to cook new hare-brained schemes around how cards might be used for what I like to call “user-centric forensics” –I see two possibilities for intrusion detection here:

1. If my card is an auditing card, I hope that in the future, Identity Providers will prominently feature any unsuccessful card use attempts, giving me a cue that something is wrong, and giving me data that I could use to find my attacker.

2. Depending on what the Relying Party keeps about a given card, it should theoretically be possible to detect a token submission where both the claims and the issuer are identical to a valid cardholder, but where the ppid differs (or perhaps where the submission comes from an IP address in a different country or a combination of this kind of thing). Whether such a thing is desirable or not is a different question — the RP would have to store a *lot* of data, and the resulting privacy tradeoffs might not be worth it. The PamelaWare plugins couldn’t do this kind of tracking, as we store a hash of the issuer and ppid rather than the values themselves (this is the closest thing to an RP best practice that I know).

If managed card portability is needed in the way that I originally understood it, I think it could still be done – a claim other than privatepersonalidentifier could be used to pass an identifier not tied to the master key of the card — but all in doing so, you lose one of the qualities that in my mind makes information cards unique, you would essentially revert to a two-party system, with the selector merely passing things around instead of being an essential participant. No matter what, I think this concept of card templates could be used to do some very imaginative things – now that I understand the difference, I can’t wait to go and play!

Many thanks to Vittorio for attending my RSA session and giving me such valuable feedback – I am very happy to be just a little less clueless in at least one tangible way :-D

No User Context Decisions in your Enterprise?

Photo Credit:  CarbonNYC (

Enterprise76468122_b4f810a0ac.jpg use of information cards have been a topic of great thought for me leading up to my talk at the Directory Experts Conference in Chicago this month and culminating in a panel at last week’s Novell BrainShare conference, in which Patrick Harding, Kim Cameron, Dale Olds and myself talked to the lovely Carolyn Ford on this very subject.

At DEC, the predominant opinion given to me by the experienced & capable Enterprise administrators present were as follows:

“We don’t want users to be interrupted at all — so why would we ever want or need information cards?”

If in the Enterprise you are responsible for, your users do not need to make a single context decision, if you the Administrator and your stored data can do it all in every situation — fantastic. My experience has been that many Enterprises find that the profile data they are able to serve from an Enterprise Directory or even a Meta-Directory cannot always suffice, and that measures have to be taken that deviate from the Zen of a single network profile in order to achieve business objectives. I’d like to put a few situations in front of you that I believe demonstrate common cases where undesirable measures are taken in order to get around an IT assumption that user context decisions are never necessary.

Situation #1: Do you ever have to assign two different accounts for the same application to the same user?

The only reason why a user might be issued two accounts for the same resource is because there is something critical but different about each account – and guess who chooses which account is appropriate – the user. The Enterprise cannot do the thinking for the user in this case – in fact, the Enterprise may not even know that both accounts belong to the same worker.

There are many many reasons why an Enterprise might feel forced to issue multiple accounts to a single user — it could be due to a need to completely separate conflicting roles. It could be due to a need for a certain privilege to only be available to a user under specific, acknowledged (and audited) circumstances.

Situation #2: Do your users ever have to logon to a separate network domain just to get to a specific application?

I see this at client sites every so often, often in cases where mergers and acquisitions have resulted in a fragmented Windows network. Users are forced to internally access a VPN in order to create a separate network session in order to get to a single application in an untrusted/unconnected domain still within the overall company perimeter. Maybe there is a better way to do this without Information Cards, I dunno – but it seems to me that cases like this where users have no choice but to exit their soft comfy SSO/Kerberos world using nasty clunky VPN software, using an Information Card might be a cheaper, nicer, more user friendly option.

Situation #3: Did you ever want to impress upon your workforce a sense of the solemnity of a given decision?

Currently, most workflows for approval of provisioning or service requests are implemented by a simple HTML button — “yes” I approve or “no” I reject. What if what you need in your Enterprise is something more along the lines of “I, Pamela Dingle, acting in my capacity as Manager of Business Unit X, approve this message”?

Situation #4: How many smart cards are hanging from your users’ belt-loops?

If your user is required to select the right smart card for the job, they are making context decisions – and in fact, I’d argue that you’ve already bought into the card metaphor :). In this case, chances are that the hardware solution would trump any kind of information card solution — for now. In the future, as information cards become more integrated with physical devices, the line may get awfully blurry…

Perhaps situations like the ones I’ve described above might influence you to take a closer look at information cards. Perhaps, there still isn’t enough to convince you yet. That’s ok – there is a lot more to come, this is just a small piece. I’d love to know what people’s experiences are in general around the concept of the need for user context decisions in the Enterprise – are such decisions as diametrically opposed to common SSO/IWA administrative philosophies out there now as I imply here?