Windows CardSpace and the Identity Metasystem
Glen Gordon, Developer Evangelist, Microsoft
http://blogs.msdn.com/glengordon
Identity Crisis
The Internet is dangerous!
Identity theft, spoofing, phishing, phraud
Username + password is weak and overwhelmed
Enterprises are in identity silo hell
(Chart, source www.antiphishing.org: 22% cut back, 25% stopped)
Goals
Safe and secure Internet for all
Safely, reliably identify sites to users... and users to sites
Connected Systems
Internal and external
What’s Needed?
Usable by everyone, everywhere
Put users in control of their identity
Remove walls between systems
Simple, consistent, secure identity
Passport?
Identity provider for MSN/Windows Live
300M+ users, > 1 billion logons/day
Identity provider for the Internet: failure
Why?
Identity Metasystem
Unifying identity meta-layer
Protect applications from underlying complexities
Decouple digital identity from implementation details
Not the first time we've seen this in computing
The Laws of Identity
User control and consent
Minimal disclosure for a constrained use
Justifiable parties
Directed identity
Pluralism of operators and technologies
Human integration
Consistent experience across contexts
Abstracting Identity
Identity: set of claims in a security token
Roles: Subject, Identity Provider, Relying Party
Protocol:
1) User is asked for identity
2) User chooses an identity provider
3) Identity provider gives user a security token
4) User passes the token to the requestor
Protocol Drill Down
Parties: Client, User, Identity Provider (IP), Relying Party (RP)
1. Client wants to access a resource
2. RP provides identity requirements
3. Which IPs can satisfy requirements?
4. User selects an IP
5. Request security token
6. Return security token based on RP's requirements
7. User approves release of token
8. Token released to RP
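The eight steps above, run end to end as an added example (not code from the slides or from Microsoft). Real CardSpace exchanges WS-Trust requests and XML-signed SAML tokens; here a JSON body with an HMAC stands in for the security token, and the relying party, the two identity providers, their shared keys and the user's cards are constructed sample data. The card list holds only a reference to each identity provider, the claims live with the provider, and the token carries only the claims the RP asked for (minimal disclosure). The RP side checks signature, audience, lifetime, required claims and replay before accepting the token.

```python
import hashlib
import hmac
import json

# Constructed sample data for the demo: one RP, two IPs, one card per IP.
RP_ID = "https://shop.example"                      # Relying Party (RP)
IP_KEYS = {                                         # Identity Providers (IPs) and demo keys
    "https://bank.example": b"bank-demo-key",
    "https://club.example": b"club-demo-key",
}
IP_CLAIMS = {                                       # claims each IP is able to assert
    "https://bank.example": {"name": "A. User", "age_over_18": "true",
                             "account": "12345"},
    "https://club.example": {"name": "A. User", "member_id": "C-77"},
}
USER_CARDS = ["https://bank.example", "https://club.example"]  # cards reference IPs only
SEEN_TOKEN_IDS = set()                              # RP-side replay cache


def rp_policy():
    """Step 2: the RP states who it is and which claims it needs."""
    return {"audience": RP_ID, "required_claims": ["name", "age_over_18"]}


def select_cards(cards, policy):
    """Step 3: the identity selector keeps only cards whose IP can satisfy the policy."""
    need = set(policy["required_claims"])
    return [ip for ip in cards if need.issubset(IP_CLAIMS[ip])]


def ip_issue_token(ip, policy, now):
    """Steps 5-6: the IP returns a token scoped to the RP with only the requested claims."""
    claims = {c: IP_CLAIMS[ip][c] for c in policy["required_claims"]}
    payload = {
        "issuer": ip,
        "audience": policy["audience"],
        "claims": claims,
        "issued": now,
        "expires": now + 300,
        "token_id": hashlib.sha256(f"{ip}{now}".encode()).hexdigest()[:16],
    }
    body = json.dumps(payload, sort_keys=True)
    mac = hmac.new(IP_KEYS[ip], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def rp_verify(token, policy, now):
    """Step 8 at the RP: verify issuer, signature, audience, lifetime, claims, replay."""
    payload = json.loads(token["body"])
    key = IP_KEYS.get(payload.get("issuer"))
    if key is None:
        return None, "unknown issuer"
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return None, "bad signature"
    if payload["audience"] != policy["audience"]:
        return None, "wrong audience"          # token was issued for a different RP
    if not payload["issued"] <= now < payload["expires"]:
        return None, "expired"
    claims = payload["claims"]
    if not set(policy["required_claims"]).issubset(claims):
        return None, "missing claims"
    if payload["token_id"] in SEEN_TOKEN_IDS:
        return None, "replay"                  # same token presented twice
    SEEN_TOKEN_IDS.add(payload["token_id"])
    return claims, "ok"


def run_flow(now, consent=True):
    """Drive steps 1-8; returns (claims, status) as seen by the RP."""
    policy = rp_policy()                            # 1-2: client asks, RP answers with policy
    candidates = select_cards(USER_CARDS, policy)   # 3: which IPs can satisfy it?
    if not candidates:
        return None, "no matching card"
    chosen_ip = candidates[0]                       # 4: user picks a card (first match here)
    token = ip_issue_token(chosen_ip, policy, now)  # 5-6: selector requests, IP returns token
    if not consent:                                 # 7: the user may refuse to release it
        return None, "user declined"
    return rp_verify(token, policy, now)            # 8: token released to RP, RP verifies


if __name__ == "__main__":
    print(run_flow(1_700_000_000))   # first use is accepted
    print(run_flow(1_700_000_000))   # same token again is rejected as a replay
```

Only the bank card can satisfy the RP's policy, so the selector offers just that one; the club card never learns that a login was attempted, which is the "justifiable parties" law in miniature.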
How? Web Services!
Encapsulation? SOAP + WS-Security
Negotiation? WS-SecurityPolicy + WS-MetadataExchange
Claims Transformation? Security Token Web Service and WS-Trust
User Experience? Identity Selector
www.microsoft.com/interop/osp
Windows CardSpace™
Easier
Provides consistent user experience
Replaces usernames and passwords with strong tokens
Safer
Protects users from phishing & phraud attacks
Support for two-factor authentication
Tokens are cryptographically strong
Standards, standards, standards!!
• Built on WS-* Web Services Protocols
• Can be supported by websites on any technology & platform
What is Windows CardSpace?
Identity Selector for Windows
Digital identities represented by cards
When user selects a card:
Get security token from Identity Provider
Give it to the Relying Party after user consent
User is in control
(Diagram components: Security Token Service, User Experience Service)
CardSpace Environment
Runs under separate desktop and restricted account
Isolates CardSpace runtime from Windows desktop
Deters hacking attempts by user-mode processes
CardSpace Cards
Self-issued:
• Contains claims about my identity that I assert
• Not corroborated
• Stored locally
• Signed and encrypted to prevent replay attacks
Managed:
• Provided by banks, stores, government, clubs, etc
• Locally stored cards contain metadata only!
• Data stored by Identity Provider and obtained only when card submitted
Summary
Users can control their digital identities
Simple, consistent and secure
Open and inclusive: many contexts, existing and future systems
Windows CardSpace is an identity selector
Very little developer effort is required
Conclusion
“Now, with the debut of the Info Card identity management system, Microsoft is leading a network-wide effort to address the issue. To those of us long skeptical of the technology giant's intentions, the plan seems too good to be true. Yet the solution is not only right, it could be the most important contribution to Internet security since cryptography.”
Lawrence Lessig, Wired Magazine, March 2006.
Resources
Windows CardSpace Community Site
cardspace.netfx3.com
Kim Cameron's Identity Weblog
www.identityblog.com
.NET Framework 3.5
http://msdn2.microsoft.com/en-us/library/aa569263.aspx
Internet Explorer 7.0
www.microsoft.com/windows/ie/ie7
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.