Information Card
From Wikipedia, the free encyclopedia
It has been suggested that this article or section be merged into Identity Metasystem. (Discuss) |
Information Cards are visual representations of personal digital identities that people can use online. Each Information Card has a card-shaped picture and a card name associated with it that enable people to organize their digital identities and to easily select one they want to use for any given interaction. An implementation of the Information Card metaphor is used by Windows CardSpace.
Contents |
[edit] Overview
There are three participants in Digital Identity interactions using Information Cards:
- Identity Providers issue digital identities for you. For example, businesses might issue identities to their customers, governments might vouch for the identities of their citizens, credit card issuers might provide identities enabling payment, online services could provide verified data such as age, and individuals might use self-issued identities to log onto web sites.
- Relying Parties accept identities for you. Online services that you use can accept digital identities that you choose and use the information provided by them on your behalf, with your consent.
- Subject is in control of all these interactions. They can choose which of their applicable digital identities to use with the relying party.
An Identity Selector is used to store, manage, and use their digital identities. Examples of Identity Selectors are Microsoft's Windows CardSpace, the Bandit Project's DigitalMe, and several kinds of Identity Selectors from the Eclipse Higgins Project.
[edit] Sign-In with Information Cards
Using Information Cards, users can authenticate without needing a username and password for every web site; instead, at sites accepting them, they can log in with an Information Card, which may be used at multiple sites.
Each Information Card utilizes a distinct pair-wise digital key for every realm where a key is requested. A realm may be a single site or a set of related sites all sharing the same target scope information when requesting an Information Card. The use of distinct pair-wise keys per realm means that even if a person is tricked into logging into an imposter site with an Information Card, a different key would be used at that site than the site that the imposter was trying to impersonate; no shared secret is released.
Furthermore, many Identity Selectors provide a means of Phishing detection, where the HTTPS certificate of the Relying Party site is checked and compared against a list of the sites at which the user has previously used an Information Card. When a new site is visited, the user is informed that they have not previously used a card there.
[edit] Types of Information Card
The Identity Selector Interoperability Profile specifies two types of Information Cards an Identity Selector must support.
- Personal (also called Self-Issued) Information Cards: These cards allow you to issue Claims about yourself to sites willing to accept them. These claims can include your name, address, phone numbers, e-mail address, web address, birth date, gender, and a site-specific key uniquely generated for each site where the card is used.
- Managed Information Cards: These cards allow Identity Providers other than yourself to make Claims about you to sites willing to accept them. These claims can include any information that that a Relying Party requests, an Identity Provider is able to provide, and you are willing to send between them.
However the Information Card format allows for custom types; The Bandit project demonstrated prototype managed cards backed by OpenIDs at the BrainShare conference in March 2007. The Higgins project is defining two new kinds of Information Cards as well, as described in the I-Card article: Relationship Cards (a.k.a. R-Cards) that establish an ongoing relationship between the identity provider and relying party (that themselves may be either self-issued or managed) and Zero-Knowledge (a.k.a. Z-Cards).
[edit] Managed Information Card Details
Information Cards issued by third parties can employ any of four methods for the user to authenticate himself as the card owner:
- a Personal (Self-Issued) Information Card,
- an X.509 certificate (which can either be from a hardware device such as a SmartCard or it can be a software certificate),
- a Kerberos ticket, such as those issued by many enterprise login solutions, or
- a username and password for the card.
Additional methods could also be implemented by future Identity Selectors and Identity Providers (see #Futures).
Managed Information Cards can be auditing, non-auditing, or auditing-optional:
- Auditing cards require the identity of the Relying Party site to be disclosed to the Identity Provider. This can be used to restrict which sites the Identity Provider is willing to release information to.
- Non-auditing cards will not disclose the identity of the Relying Party site to the Identity Provider.
- Auditing-optional cards will disclose the identity of the Relying Party site if provided by the Relying Party, but do not require this disclosure.
[edit] Claims
Beyond being used to log into sites, Information Cards can also facilitate other kinds of interactions. The Information Card model provides great flexibility because cards can be used to convey any information from an Identity Provider to a Relying Party that makes sense to both of them and that the person is willing to release. The data elements carried in Information Cards are called Claims.
One possible use of claims is online age verification, with Identity Providers providing proof-of-age cards, and Relying Parties accepting them for purposes such as online wine sales; other attributes could be verified as well. Another is online payment, where merchants could accept online payment cards from payment issuers, containing only the minimal information needed to facilitate payment. Role statements carried by claims can be used for access control decisions by Relying Parties.
[edit] Interoperability and Licensing
The Information Cards defined by the Identity Selector Interoperability Profile are based on open, interoperable communication standards. Interoperable Information Card components have been built by dozens of companies and projects for platforms including Windows, Mac OS, and Linux, plus a prototype implementation for phones. Together, these components implement an interoperable Identity Metasystem. Information Cards can be used to provide identities both for Web sites and Web Services applications.
Several interoperability testing events for Information Cards have been sponsored by OSIS and the Burton Group, the most recent of which was the Interop at the October 2007 European Catalyst Conference in Barcelona. These events are helping to insure that the different Information Card software components being built by the numerous participants in the Identity Metasystem work well together.
The protocols needed to build Information Card implementations based on the Identity Selector Interoperability Profile can be used by anyone for any purpose at no cost and interoperable implementations can be built using only publicly-available documentation. Patent promises have been issued by Microsoft, IBM, and others, ensuring that this Information Card technology is freely available to all.
[edit] See also
- Identity Selector
- Identity Metasystem
- Windows CardSpace
- Higgins Project
- Bandit Project
- I-Card
- Digital Identity
[edit] References
- Identity Selector Interoperability Profile, Arun Nanda, April 2007.
- An Implementer's Guide to the Identity Selector Interoperability Profile V1.0, Microsoft Corporation and Ping Identity Corporation, April 2007.
- A Guide to Using the Identity Selector Interoperability Profile V1.0 within Web Applications and Browsers, Michael B. Jones, April 2007.
- Design Rationale behind the Identity Metasystem Architecture, Kim Cameron and Michael B. Jones, January 2006.
- Patterns for Supporting Information Cards at Web Sites: Personal Cards for Sign up and Signing In, Bill Barnes, Garrett Serack, and James Causey, August 2007.
- Microsoft Open Specification Promise, May 2007.
- IBM Interoperability Specifications Pledge, July 2007.
[edit] External links
- Information Card Icon Announcement, June 2007.
- Microsoft's Vision for an Identity Metasystem, Michael B. Jones, May 2005.
- The Laws of Identity, Kim Cameron, May 2005.
- 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age, Ann Cavoukian, Information and Privacy Commissioner of Ontario, October 2006.
- Bandit Project
- DigitalMe Identity Selector
- Eclipse Higgins Project
- Burton Group report on OSIS June 2007 User-Centric Identity Interop at Catalyst in San Francisco, August 2007.
- Burton Group report on OSIS October 2007 User-Centric Identity Interop at Catalyst in Barcelona, October 2007.
- Open-Source Identity System (OSIS)