Windows CardSpace and the Identity Metasystem

Glen Gordon, Developer Evangelist, Microsoft
http://blogs.msdn.com/glengordon

Identity Crisis

• The Internet is dangerous!
• Identity theft, spoofing, phishing, phraud
• Username + password is weak and overwhelmed

Enterprises are in identity silo hell

www.antiphishing.org: 22% cut back, 25% stopped

Goals

• Safe and secure Internet for all
• Safely, reliably identify sites to users… and users to sites

Connected Systems

Internal and external

What’s Needed?

• Usable by everyone, everywhere
• Put users in control of their identity
• Remove walls between systems
• Simple, consistent, secure identity

Passport?

• Identity provider for MSN/Windows Live
• 300M+ users, > 1 billion logons/day
• Identity provider for the Internet: failure

Why?

Identity Metasystem

• Unifying identity meta-layer
• Protect applications from underlying complexities
• Decouple digital identity from implementation details
• Not the first time we’ve seen this in computing

The Laws of Identity

1) User control and consent
2) Minimal disclosure for a constrained use
3) Justifiable parties
4) Directed identity
5) Pluralism of operators and technologies
6) Human integration
7) Consistent experience across contexts

What is a Digital Identity?

• Subject
• Claims
• Security Token

Abstracting Identity

• Identity: set of claims in a security token
• Roles: Subject, Identity Provider, Relying Party
• Protocol:
  1) User is asked for identity
  2) User chooses an identity provider
  3) Identity provider gives user a security token
  4) User passes the token to the requestor

Protocol Drill Down

Parties: Identity Provider (IP), Relying Party (RP), Client, User

1) Client wants to access a resource
2) RP provides identity requirements
3) Which IPs can satisfy requirements?
4) User selects an IP
5) Request security token
6) Return security token based on RP’s requirements
7) User approves release of token
8) Token released to RP

Key Characteristics

• Negotiation Driven
• Encapsulation
• User Experience
• Claims Transformation

How? Web Services!

• Encapsulation? SOAP + WS-Security
• Negotiation? WS-SecurityPolicy + WS-MetadataExchange
• Claims Transformation? Security Token Web Service and WS-Trust
• User Experience? Identity Selector

www.microsoft.com/interop/osp

Windows CardSpace™

Easier
• Provides consistent user experience
• Replaces usernames and passwords with strong tokens

Safer
• Protects users from phishing & phraud attacks
• Support for two-factor authentication
• Tokens are cryptographically strong

Standards, standards, standards!!
• Built on WS-* Web Services Protocols
• Can be supported by websites on any technology & platform

What is Windows CardSpace?

• Identity Selector for Windows
• Digital identities represented by cards
• When user selects a card:
  • Get security token from Identity Provider
  • Give it to the Relying Party after user consent
• User is in control

Components: Security Token Service, User Experience Service

CardSpace Environment

• Runs under separate desktop and restricted account
• Isolates CardSpace runtime from Windows desktop
• Deters hacking attempts by user-mode processes

CardSpace Cards

Self-issued
• Contains claims about my identity that I assert
• Not corroborated
• Stored locally
• Signed and encrypted to prevent replay attacks

Managed
• Provided by banks, stores, government, clubs, etc.
• Locally stored cards contain metadata only!
• Data stored by Identity Provider and obtained only when card submitted
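The eight-step exchange from the protocol drill-down and the self-issued/managed card distinction on this slide, worked through as an added example; this is not code from the deck or from Microsoft's CardSpace implementation. It assumes a simplified token: a JSON body carrying issuer, audience, nonce, expiry and claims, signed with an HMAC key shared between identity provider and relying party, standing in for the SAML/XML signatures and WS-Trust messages the real system uses. All party names, keys, cards and claim values are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class Card:
    # What the user's machine stores. A managed card holds metadata only.
    name: str
    kind: str                  # "self-issued" or "managed"
    issuer: str                # identity provider that backs the card
    claim_types: list          # which claim types the card can supply
    claims: dict = field(default_factory=dict)  # values held locally: self-issued cards only

def sign(key, body):
    """HMAC stand-in for the token signature (a real IP signs a SAML token)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).hexdigest()

class IdentityProvider:
    """Step 6: builds a token from the RP's requirements. Managed-card data lives here."""
    def __init__(self, name, key, directory):
        self.name, self.key, self.directory = name, key, directory  # directory: subject -> claims
    def issue(self, card, subject, policy, audience):
        source = card.claims if card.kind == "self-issued" else self.directory[subject]
        claims = {c: source[c] for c in policy["required_claims"]}  # minimal disclosure
        body = {"issuer": self.name, "audience": audience, "claims": claims,
                "nonce": secrets.token_hex(8), "exp": int(time.time()) + 300}
        return sign(self.key, body)

class RelyingParty:
    """Step 2: publishes identity requirements. Step 8: validates the released token."""
    def __init__(self, name, required_claims, trusted_issuers):
        self.name, self.trusted = name, trusted_issuers  # issuer name -> verification key
        self.policy = {"required_claims": required_claims, "accepted_issuers": sorted(trusted_issuers)}
        self.seen_nonces = set()
    def accept(self, token):
        payload, sig = token
        body = json.loads(payload)
        key = self.trusted.get(body["issuer"])
        if key is None:
            return None, "untrusted issuer"
        if not hmac.compare_digest(sig, hmac.new(key, payload, hashlib.sha256).hexdigest()):
            return None, "bad signature"
        if body["audience"] != self.name:
            return None, "token was issued to a different relying party"
        if body["exp"] < time.time():
            return None, "token expired"
        if body["nonce"] in self.seen_nonces:
            return None, "replayed token"
        self.seen_nonces.add(body["nonce"])
        missing = [c for c in self.policy["required_claims"] if c not in body["claims"]]
        if missing:
            return None, f"missing claims: {missing}"
        return body["claims"], "ok"

class IdentitySelector:
    """The CardSpace role: match cards (3), user picks (4), fetch token (5-6), consent (7), release (8)."""
    def __init__(self, cards, providers):
        self.cards, self.providers = cards, providers
    def matching_cards(self, policy):
        return [c for c in self.cards if c.issuer in policy["accepted_issuers"]
                and set(policy["required_claims"]) <= set(c.claim_types)]
    def run(self, rp, chosen_card, subject, consent):
        candidates = {c.name: c for c in self.matching_cards(rp.policy)}
        if chosen_card not in candidates:
            return None, "no card satisfies the RP's requirements"
        card = candidates[chosen_card]
        token = self.providers[card.issuer].issue(card, subject, rp.policy, audience=rp.name)
        if not consent(json.loads(token[0])["claims"]):  # the user sees exactly what is released
            return None, "user declined to release the token"
        return rp.accept(token)

def demo():
    """Constructed sample: a self-issued card and a managed card backed by a bank."""
    self_key, bank_key = b"self-issued-key", b"bank-key"  # constructed keys
    providers = {"self": IdentityProvider("self", self_key, {}),
                 "bank.example": IdentityProvider("bank.example", bank_key,
                     {"alice": {"email": "alice@example.net", "account_tier": "gold"}})}
    cards = [Card("My card", "self-issued", "self", ["email"], {"email": "alice@example.net"}),
             Card("Bank card", "managed", "bank.example", ["email", "account_tier"])]
    selector = IdentitySelector(cards, providers)
    trusted = {"self": self_key, "bank.example": bank_key}
    forum = RelyingParty("forum.example", ["email"], trusted)
    shop = RelyingParty("shop.example", ["account_tier"], trusted)
    yes, no = (lambda claims: True), (lambda claims: False)
    token = providers["self"].issue(cards[0], "alice", forum.policy, "forum.example")
    return {"forum_self": selector.run(forum, "My card", "alice", yes),
            "shop_self": selector.run(shop, "My card", "alice", yes),    # card lacks the claim
            "shop_bank": selector.run(shop, "Bank card", "alice", yes),  # data fetched from the IP
            "declined": selector.run(shop, "Bank card", "alice", no),
            "first_use": forum.accept(token),
            "replay": forum.accept(token),  # same nonce presented again
            "wrong_rp": shop.accept(token)}  # minted for the forum, not the shop
```

Running demo() walks the protocol for a forum that needs only an email claim and a shop that needs a bank-asserted account tier: the self-issued card satisfies the forum, only the managed card can satisfy the shop, and the managed card's claim values are fetched from the identity provider at step 6 rather than read from the card. The relying party checks issuer, signature, audience, expiry and nonce before it reads a single claim, which is what lets a token travel through the user's machine safely: a token minted for one site is useless at another, and a second presentation of the same token is refused.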

Summary

• Users can control their digital identities
• Simple, consistent and secure
• Open and inclusive: many contexts, existing and future systems
• Windows CardSpace is an identity selector
• Very little developer effort is required

Conclusion

“Now, with the debut of the Info Card identity management system, Microsoft is leading a network-wide effort to address the issue. To those of us long skeptical of the technology giant's intentions, the plan seems too good to be true. Yet the solution is not only right, it could be the most important contribution to Internet security since cryptography.”

Lawrence Lessig, Wired Magazine, March 2006.

Resources

• Windows CardSpace Community Site: cardspace.netfx3.com
• Kim Cameron’s Identity Weblog: www.identityblog.com
• .NET Framework 3.5: http://msdn2.microsoft.com/en-us/library/aa569263.aspx
• Internet Explorer 7.0: www.microsoft.com/windows/ie/ie7

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
