<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>drstarcat.com &#187; CardSpace</title>
	<atom:link href="http://drstarcat.com/archives/tag/cardspace/feed" rel="self" type="application/rss+xml" />
	<link>http://drstarcat.com</link>
	<description></description>
	<lastBuildDate>Fri, 16 Dec 2011 18:12:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>The History of Tomorrow’s Internet: Identity (iCards, pt 3)</title>
		<link>http://drstarcat.com/archives/30</link>
		<comments>http://drstarcat.com/archives/30#comments</comments>
		<pubDate>Sun, 30 Mar 2008 17:04:27 +0000</pubDate>
		<dc:creator>drstarcat</dc:creator>
				<category><![CDATA[History of Tomorrow's Internet]]></category>
		<category><![CDATA[CardSpace]]></category>
		<category><![CDATA[iCards]]></category>
		<category><![CDATA[Identity]]></category>

		<guid isPermaLink="false">http://drstarcat.com/archives/30</guid>
		<description><![CDATA[It&#8217;s been over a week since I last posted for a number of reasons, but one of them is because in this post I wanted to explain how it feels for a regular person to use Cardspace. This poses a few challenges as we&#8217;ve used Macs exclusively in my work with angel investors at  Angelsoft since we [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s been over a week since I last posted for a number of reasons, but one of them is because in this post I wanted to explain how it feels for a regular person to use Cardspace.  This poses a few challenges as we&#8217;ve used Macs exclusively in my work with <a href="http://angelsoft.net" target="_blank">angel investors</a> at Angelsoft since we began three years ago, and I&#8217;ve had a Mac at home for nearly as long.  Little did I know this was only the beginning of my struggles.</p>
<p>Now let me preface this post by saying that I&#8217;ve never been a big participant in the Mac vs. PC war.  I ran a NetOps business back in the Web 1.0 days, and we managed high-volume Windows, Unix, and Linux environments successfully.  More importantly, as someone whose business it is to build great software, I KNOW how hard good UI is.  Believe me, I work with a GREAT product team and we try REALLY hard to make intuitive software and we fail EVERY day.  Having said that, this post isn&#8217;t going to paint a real pretty picture.</p>
<p>My story begins in what I used to think of as my office.  I USED to think of it as such because now my 5 month old rules the room, and I work out on the kitchen counter.  I still keep my PC in the office though, so in between naps I sneaked back to play with Cardspace.  The first thing you will note if you are one of the many people with a slightly older PC still running XP and IE 6.x is that you don&#8217;t HAVE Cardspace.  In order to get Cardspace, you need to download IE 7.x and the .NET Framework 3.0 Runtime Components.  NetFx3.com has a nice <a href="http://sandbox.netfx3.com/">sandbox</a> that will walk you through this process [Note: They link to the 3.0 .Net Framework, but 3.5 has been released and may have some UI improvements].  I hadn&#8217;t installed anything on Windows for years, but boy did this bring back memories&#8211;total download and install time: 1 hour, 15 minutes.</p>
<p>Okay&#8230; now that you HAVE Cardspace, it&#8217;s time to create an iCard.  An iCard is a visual representation of identity data.  Cardspace has two kinds of iCards:  Managed and Personal.  A Managed card is issued to you by someone else (what I call a &#8220;Claim Provider&#8221;) who supposedly has &#8220;official&#8221; data about you, like the fact that you have a certain credit limit or are a citizen of a particular country.  Since none of these exist, I decided to create a Personal card.  To do this, I went to my Control Panel and opened up Cardspace.</p>
<p>This is where I experienced the first slightly annoying thing about Cardspace.  When you open Cardspace, for whatever reason, it takes over your entire computer.  What do I mean by this?  Your entire computer screen is dimmed except for the Cardspace light box and no keys function outside of Cardspace.  Why was this annoying?  Because I wanted to take screenshots!  Nothing works for this.  PrintScreen is disabled [Note: <a href="http://self-issued.info">Mike Jones</a> pointed out this is in fact NOT true.  While all SCREEN elements are frozen, and PrintScreen APPEARS to do nothing, it actually does copy the screen--damnit!].  I had even gone to the trouble to install a better screenshot capture plugin&#8211;also disabled.  I resorted to the 1970s solution of taking photos of what I was doing and they sucked so bad, I couldn&#8217;t use them.  Fortunately, the Windows geniuses at <a href="http://dotnetslackers.com">dotnetslackers.com</a> figured out how to get screenshots, so I&#8217;m using them.</p>
<p>So let&#8217;s create our first Personal iCard!</p>
<p><a href="http://drstarcat.com/wp-content/uploads/2008/03/cardspace2_001.jpg" title="Cardspace Create"><img src="http://drstarcat.com/wp-content/uploads/2008/03/cardspace2_001.jpg" alt="Cardspace Create" /></a></p>
<p>Now as you can probably tell from the screenshot above this is actually what pops up when you try to use an iCard using Cardspace.  The guys at Nethacker had already created one, but you&#8217;ll see essentially the same screen the first time, but with just the &#8220;Add&#8221; feature.  Annoying UI feature 2:  Click on the &#8220;Add a Card&#8221; icon and you will NOT be taken to an iCard creation screen.  Instead the button at the bottom of the screen changes to &#8220;Add Card&#8221;.  Click that, and then you&#8217;re taken to the iCard creation screen.</p>
<p><a href="http://drstarcat.com/wp-content/uploads/2008/03/cardspace2_004.jpg" title="Card create dialog"><img src="http://drstarcat.com/wp-content/uploads/2008/03/cardspace2_004.jpg" alt="Card create dialog" /></a></p>
<p>Once you get there, you will note the second shocker when it comes to Cardspace.  The Personal card, which you can create, is limited to your most basic contact information.  You CANNOT even add a picture of yourself (the upload pic dialog is for the image that YOU see to identify the card).  There is no ability to add additional fields, so you are limited to your name, address, email address, phone numbers, and URL.  This is pretty disappointing because I can think of all sorts of self-issued cards you might want to create, but apparently that&#8217;s not part of Cardspace.</p>
<p>Alright, so anytime you touch Cardspace it locks the rest of your windows, the creation process is a little clunky, and you have no choice as to what kind of data to add&#8211;once it&#8217;s created though, it must be a pleasure to use right?  To test this, I decided not to tax my new iCard too much and just use it to leave a comment on a blog.  To do this, I chose Mike Jones&#8217; cool blog, <a href="http://self-issued.info/">Self Issued</a>, since I knew I&#8217;d seen the Cardspace login logo on it.  After navigating to the blog, I easily identified the Cardspace login logo.  When I clicked on it, I was taken to this screen (note I can use screenshots here because I haven&#8217;t entered Cardspace land yet):</p>
<p><a href="http://drstarcat.com/wp-content/uploads/2008/03/picture-4.png" title="picture-4.png"><img src="http://drstarcat.com/wp-content/uploads/2008/03/picture-4.png" alt="picture-4.png" /></a></p>
<p>So this looks promising.  I see Mike&#8217;s using the <a href="http://pamelaproject.com/">Pamela Project</a>, which is a very cool project to help sites become relying parties for any kind of iCard (not just Cardspace).  The natural thing felt like clicking the Cardspace logo again, but when I hovered over it, my cursor failed to turn into a hand.  The buttons at the top were hot, but those didn&#8217;t seem like something I wanted to click on.  The words &#8220;Use your Card Now&#8221;, though equally tempting, also failed to register as hot.  After about 20 seconds I decided to click on the icon even though it gave every indication of being dead&#8211;Bingo!</p>
<p><a href="http://drstarcat.com/wp-content/uploads/2008/03/cardspace2_001.jpg" title="Cardspace Create"><img src="http://drstarcat.com/wp-content/uploads/2008/03/cardspace2_001.jpg" alt="Cardspace Create" /></a></p>
<p>Once I clicked on the Cardspace logo, I saw my newly created iCard (note, the borrowed screenshots again, since my computer is now frozen).  It actually looked a little different on my screen as it noted the site wasn&#8217;t verified as a bank or financial institution and also showed me Mike&#8217;s SSL cert.  I was a little surprised about this, as most people have no idea what an SSL cert is and the primary purpose of Cardspace is to fulfill the UI requirements of the <a href="http://drstarcat.com/archives/25">Laws of Identity</a>.  Regardless, I then chose my new personal iCard and selected &#8220;Send&#8221;.</p>
<p><a href="http://drstarcat.com/wp-content/uploads/2008/03/cardspace2_005.jpg" title="cardspace2_005.jpg"><img src="http://drstarcat.com/wp-content/uploads/2008/03/cardspace2_005.jpg" alt="cardspace2_005.jpg" /></a></p>
<p>Instead of sending my card and getting down to the business of commenting, I got the following screen (or actually one that looked basically the same).  Apparently if you haven&#8217;t sent your iCard to THAT site before, even if you select to send it, you will be taken to preview.  This is probably a good security feature, but annoying nonetheless (why even give me the option?).  If I&#8217;ve created my personal card and KNOW what it contains, why do I have to preview it EVERY time I send it to a new site?  Imagine every time you pay for something on a new site using your new Visa iCard.  When you click send you will be required to look at all the information&#8211;I KNOW what&#8217;s on the credit card iCard, that&#8217;s the point.</p>
<p><a href="http://drstarcat.com/wp-content/uploads/2008/03/picture-1.png" title="picture-1.png"><img src="http://drstarcat.com/wp-content/uploads/2008/03/picture-1.png" alt="picture-1.png" /></a></p>
<p>Ready to post?  Not yet.  Since my iCard is self-issued, Mike&#8217;s site (yes, the site is called self-issued.info ironically enough) doesn&#8217;t trust me and has now decided that I need to verify my email address.  This is obviously a little annoying, but it brings up a good use-case for the first Claim Provider&#8211;one that has verified my email address, home address, and phone numbers, so I NEVER have to respond to an email or text message like this again.</p>
<p><a href="http://drstarcat.com/wp-content/uploads/2008/03/picture-2.png" title="picture-2.png"><img src="http://drstarcat.com/wp-content/uploads/2008/03/picture-2.png" alt="picture-2.png" /></a></p>
<p>After I got the email and clicked on the verification link in it, I was taken to the screen above.  I don&#8217;t really know what it means, but I figured I should probably click on the (still dead-appearing) Cardspace icon again and it might let me post.</p>
<p><a href="http://drstarcat.com/wp-content/uploads/2008/03/picture-3.png" title="picture-3.png"><img src="http://drstarcat.com/wp-content/uploads/2008/03/picture-3.png" alt="picture-3.png" /></a></p>
<p>The screen above signaled that my journey might finally be over.  I clicked on the &#8220;Go to Blog&#8221; link and I was logged in and ready to post.  The posting went very smoothly and my name and URL showed up as I would have expected.  A comment well-earned!</p>
<p>So what&#8217;s the final analysis?  Well, as I stated in the beginning, the purpose of this post isn&#8217;t to bash Microsoft or Cardspace.  Like I said, I build software and when I actually see a normal person use it for the first time, I&#8217;m inevitably embarrassed at how difficult it is.  Software is hard and Cardspace is brand new.  Nonetheless, this does show how far the technology has to go before Mom and Dad are going to be using it.  Usernames and Passwords are UBIQUITOUS.  We&#8217;ve been trained on the visual metaphors for at least a decade.  Replacing that with ANY other paradigm is going to be rough.  To have any chance of success, the Cardspace workflow will need to be much improved.</p>
]]></content:encoded>
			<wfw:commentRss>http://drstarcat.com/archives/30/feed</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>The History of Tomorrow&#8217;s Internet: Identity (iCards, pt 2)</title>
		<link>http://drstarcat.com/archives/27</link>
		<comments>http://drstarcat.com/archives/27#comments</comments>
		<pubDate>Sun, 16 Mar 2008 18:20:07 +0000</pubDate>
		<dc:creator>drstarcat</dc:creator>
				<category><![CDATA[History of Tomorrow's Internet]]></category>
		<category><![CDATA[CardSpace]]></category>
		<category><![CDATA[iCards]]></category>
		<category><![CDATA[Identity]]></category>

		<guid isPermaLink="false">http://drstarcat.com/archives/27</guid>
		<description><![CDATA[In my last post I wrote about the 7 laws of identity. In this post, I&#8217;ll try to explain how Microsoft is implementing these laws through Cardspace. To begin with, we need to take a look at a diagram I posted back in the beginning of this series: As I explained in that post, three [...]]]></description>
			<content:encoded><![CDATA[<p>In my last post I wrote about the 7 laws of identity.  In this post, I&#8217;ll try to explain how Microsoft is implementing these laws through Cardspace.  To begin with, we need to take a look at a diagram I posted back in the beginning of this series:</p>
<p><a href="http://drstarcat.com/wp-content/uploads/2008/03/identity-provider.png" title="identity-provider.png"><img src="http://drstarcat.com/wp-content/uploads/2008/03/identity-provider.png" alt="identity-provider.png" /></a></p>
<p>As I explained in that post, three participants make up this simplified view of the Identity Metasystem: a Subject (you), a Relying Party (the website that needs to authenticate you) and an Identity Provider (the service you and the RP both trust to assert claims about who you are).  CardSpace expresses the interactions between these three parties using the Web Services (WS-*) specifications.</p>
<p>Before explaining how this is done, just a brief word on the history of Web Services.  Web Services are a suite of specifications that enable two (or more) different software systems to interact without knowing the details of the other&#8217;s technology.  SOAP, the core specification, first appeared in 1998 and essentially defines a way to wrap a message in an XML envelope that can be carried over HTTP or another transport.  Since that time, many specifications have been developed that add advanced functionality to this simple idea.  These specifications are collectively known as WS-*.</p>
<p>Now let&#8217;s return to Identity and our various parties in the above diagram.  To carry your identity CardSpace uses a WS-Security token.  WS-Security was one of the first extensions of SOAP and, as the name implies, it specifies a way of protecting SOAP messages: signing and encrypting them, and attaching security tokens to them in a standard Security header.  WS-Security does not invent a new kind of credential; its token profiles describe how existing ones (a username and password, an X.509 certificate, a SAML assertion, a Kerberos ticket) are carried in that header, so a receiver knows where to find the token and how to check a signature made with it.  The cool thing about this is that, theoretically at least, your Identity Provider can issue whatever token type it prefers and put it in the message, and the Relying Party can pull it out and verify it, as long as both sides understand that token profile.  When they don&#8217;t, the next two specifications sort it out.</p>
<p>Now that we have a way to securely carry our identities in WS-Security tokens, we need a way for websites (RPs) and your Identity Providers (IPs) to figure out what the RP needs and what the IP has.  To do this, CardSpace uses WS-SecurityPolicy and WS-MetadataExchange.  As usual the WS geniuses have named the specifications well.  WS-SecurityPolicy lets the RP encapsulate and publish exactly what it needs (a SAML token from the DMV asserting you are over 21), and WS-MetadataExchange lets CardSpace fetch the IP&#8217;s description of what it is capable of (I&#8217;m the DMV, I can issue an over-21 claim for you, and you authenticate to me using Kerberos).</p>
<p>Cool!  Now that the RP and IP can figure out what each other has and needs, and they can both understand a WS-Security token, we just need a way to turn the credential you hold into the token the RP asked for.  To do this CardSpace uses the WS-Trust specification, which, along with a LOT of other things, defines a Security Token Service (STS).  The STS is a token exchange: the client sends a RequestSecurityToken saying what it wants (the token type, the relying party the token is for, and the claims it should contain) and the STS answers with a RequestSecurityTokenResponse carrying the issued token.  The formats WS-Security already profiles (Username, SAML, X.509, Kerberos, Rights Expression Language) are the usual inputs and outputs, so an STS can take one kind of credential in and hand a different kind out.  CardSpace&#8217;s self-issued Personal cards work the same way, except that the STS is a small one built into CardSpace itself, which issues SAML 1.1 tokens.</p>
<p>As you can see, all the communication technologies needed for CardSpace already exist in the WS-* specifications.  If you refer back to the 7 Laws of Identity, you will note that I haven&#8217;t addressed Laws 6 and 7, which address making the Identity Metasystem usable by ordinary people.  I&#8217;ll cover that in my next post.</p>
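<p>The three steps above (RP policy, WS-Trust request to the STS, token back to the RP) as an added example; this is not code from the original post and not Microsoft&#8217;s or any WS-* library&#8217;s code.  The RP, IP and user record are made up, an HMAC over the serialized assertion stands in for the XML-Signature a real STS would apply, and wsp:AppliesTo and the WS-Security UsernameToken header are flattened into plain child elements.  The claim URIs for email address and given name are the real CardSpace ones; the over-21 claim URI is hypothetical.</p>

```python
"""RP policy -> identity selector -> WS-Trust STS -> RP, end to end. Added
illustration: not code from the post, from Microsoft or from any WS-* stack.
Assumptions: RP, IP and user records are made up; an HMAC over the serialized
assertion stands in for XML-Signature; AppliesTo and UsernameToken are flattened."""
import hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"      # WS-Trust namespace CardSpace v1 speaks
IC = "http://schemas.xmlsoap.org/ws/2005/05/identity"    # Information Card claim dialect
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"           # SAML 1.1 token type
EMAIL = IC + "/claims/emailaddress"                      # real CardSpace claim URI
GIVEN = IC + "/claims/givenname"                         # real CardSpace claim URI
OVER21 = "https://sts.example-dmv.test/claims/over21"    # hypothetical managed-card claim
for prefix, uri in (("wst", WST), ("ic", IC), ("saml", SAML)):
    ET.register_namespace(prefix, uri)   # fixed prefixes keep re-serialization byte-identical
NOW = datetime(2008, 3, 16, 18, 20, tzinfo=timezone.utc)  # frozen clock for the demo

# RP policy (WS-SecurityPolicy; the same values go into the <object type="application/x-informationcard"> params).
RP_POLICY = {"appliesTo": "https://rp.example.test/", "issuer": "https://sts.example-dmv.test/",
             "tokenType": SAML, "requiredClaims": [EMAIL, OVER21]}
IP_METADATA = {"issuer": "https://sts.example-dmv.test/", "tokenTypes": [SAML],
               "offeredClaims": [EMAIL, GIVEN, OVER21]}   # what WS-MetadataExchange would return
STS_KEY = b"demo-sts-signing-key"        # shared secret standing in for the STS signing key pair
USERS = {"alice": {"email": "alice@example.test", "given": "Alice",
                   "born": datetime(1985, 6, 1, tzinfo=timezone.utc)}}   # constructed IP record

def build_rst(policy, metadata, username):
    """Identity selector: check the IP can satisfy the RP, then build a WS-Trust Issue request."""
    missing = [c for c in policy["requiredClaims"] if c not in metadata["offeredClaims"]]
    if missing or policy["tokenType"] not in metadata["tokenTypes"]:
        raise ValueError(f"IP cannot satisfy RP policy, missing {missing}")
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = policy["tokenType"]
    ET.SubElement(rst, f"{{{WST}}}AppliesTo").text = policy["appliesTo"]   # who the token is for
    claims = ET.SubElement(rst, f"{{{WST}}}Claims", Dialect=IC)
    for uri in policy["requiredClaims"]:
        ET.SubElement(claims, f"{{{IC}}}ClaimType", Uri=uri)
    ET.SubElement(rst, "Username").text = username     # stands in for the UsernameToken header
    return ET.tostring(rst)

def claim_value(uri, user, now):
    """Derive one claim; the age claim is computed so the birth date itself is never released."""
    if uri == OVER21:
        return "true" if user["born"].replace(year=user["born"].year + 21) <= now else "false"
    return {EMAIL: user["email"], GIVEN: user["given"]}[uri]

def sts_issue(rst_bytes, now):
    """STS: answer the RST with an RSTR carrying a short-lived, audience-restricted SAML assertion."""
    rst = ET.fromstring(rst_bytes)
    if rst.findtext(f"{{{WST}}}RequestType") != WST + "/Issue" or rst.findtext(f"{{{WST}}}TokenType") != SAML:
        raise ValueError("unsupported request")
    user = USERS[rst.findtext("Username")]   # the password or Kerberos check would happen here
    assertion = ET.Element(f"{{{SAML}}}Assertion", AssertionID="_" + secrets.token_hex(8),
                           Issuer=IP_METADATA["issuer"], IssueInstant=now.isoformat())
    cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions", NotBefore=now.isoformat(),
                         NotOnOrAfter=(now + timedelta(minutes=5)).isoformat())
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestrictionCondition"),
                  f"{{{SAML}}}Audience").text = rst.findtext(f"{{{WST}}}AppliesTo")
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for claim in rst.iter(f"{{{IC}}}ClaimType"):     # only the claims that were asked for (Law 2)
        ns, _, name = claim.get("Uri").rpartition("/")
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", AttributeName=name, AttributeNamespace=ns)
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = claim_value(claim.get("Uri"), user, now)
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}TokenType").text = SAML
    ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken").append(assertion)
    # Stand-in for the ds:Signature a real STS embeds in the assertion.
    ET.SubElement(rstr, "Signature").text = hmac.new(STS_KEY, ET.tostring(assertion), hashlib.sha256).hexdigest()
    return ET.tostring(rstr)

def rp_accept(rstr_bytes, policy, now, key=STS_KEY):
    """RP: trust the claims only if the token is signed by its issuer, current, and issued for this RP."""
    rstr = ET.fromstring(rstr_bytes)
    assertion = rstr.find(f"{{{WST}}}RequestedSecurityToken/{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("no assertion in response")
    expected = hmac.new(key, ET.tostring(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, rstr.findtext("Signature") or ""):
        raise ValueError("signature check failed")
    if assertion.get("Issuer") != policy["issuer"]:
        raise ValueError("token is not from the issuer this RP trusts")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if not datetime.fromisoformat(cond.get("NotBefore")) <= now < datetime.fromisoformat(cond.get("NotOnOrAfter")):
        raise ValueError("token is outside its validity window")
    if policy["appliesTo"] not in [a.text for a in assertion.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("token was issued for a different relying party")
    claims = {a.get("AttributeNamespace") + "/" + a.get("AttributeName"): a.findtext(f"{{{SAML}}}AttributeValue")
              for a in assertion.iter(f"{{{SAML}}}Attribute")}
    if any(c not in claims for c in policy["requiredClaims"]):
        raise ValueError("token lacks a claim the RP requires")
    return claims

def run_flow(policy=RP_POLICY, username="alice", now=NOW):
    """End to end: selector builds the RST, STS issues, RP validates. Returns the trusted claims."""
    return rp_accept(sts_issue(build_rst(policy, IP_METADATA, username), now), policy, now)
```

<p>Running <code>run_flow()</code> returns only the email address and the over-21 claim, never the given name or the birth date, because the STS answers exactly the claims named in the request.  The RP side is where the protocol earns its keep: a token presented to a different AppliesTo, one presented after NotOnOrAfter, or one whose claim text has been edited in transit all fail before any claim is read.</p>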
]]></content:encoded>
			<wfw:commentRss>http://drstarcat.com/archives/27/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The History of Tomorrow&#8217;s Internet: Identity (iCards, pt. 1)</title>
		<link>http://drstarcat.com/archives/25</link>
		<comments>http://drstarcat.com/archives/25#comments</comments>
		<pubDate>Wed, 12 Mar 2008 16:09:59 +0000</pubDate>
		<dc:creator>drstarcat</dc:creator>
				<category><![CDATA[History of Tomorrow's Internet]]></category>
		<category><![CDATA[CardSpace]]></category>
		<category><![CDATA[iCards]]></category>
		<category><![CDATA[Identity]]></category>

		<guid isPermaLink="false">http://drstarcat.com/archives/25</guid>
		<description><![CDATA[In my OpenID report from SXSW I jumped to OpenID briefly, but I want to cover iCards before continuing down that road. iCards are the generic name (technically just for the client-side technology, but I&#8217;m using the term generically to refer to Cardspace and Higgins) for a couple of implementations of what has become known [...]]]></description>
			<content:encoded><![CDATA[<p>In my <a href="http://drstarcat.com/archives/24">OpenID report from SXSW</a> I jumped to OpenID briefly, but I want to cover iCards before continuing down that road.  iCards are the generic name (technically just for the client-side technology, but I&#8217;m using the term generically to refer to Cardspace and Higgins) for a couple of implementations of what has become known as the “Identity Metasystem”.  The Identity Metasystem is in turn a formalization of what have become known as the “Laws of Identity”.  So let’s back up to the beginning and talk about the Laws in this post.</p>
<p>In 2004, Microsoft was still smarting from its hugely ambitious and hugely unpopular Passport service.  As a way to move forward, Kim Cameron, Microsoft’s Identity Architect, did an interesting thing: he started a blog.  On his <a href="http://www.identityblog.com">identity blog</a> Kim started a discussion about why Passport had failed and how to properly bring an identity layer to the internet.  In 2005, Kim encapsulated the discussion of the previous year in a white paper called “The Seven Laws of Identity”.</p>
<p>1.    User control and consent:  Pretty straight-forward—people should determine what information they share about themselves.</p>
<p>2.    Minimal disclosure for a constrained use:  This means the system should share ONLY what it needs to.  The canonical example is buying booze.  The Identity Metasystem should only say that you are “over 21” (necessary), not your actual age (too much information).</p>
<p>3.    Justifiable Parties:  Only parties that need to be involved should be involved.  This one is a little tricky—how do we determine who needs to be involved?  The short answer is you do.  The point of this is NOT that there shouldn’t be a third party (like an Identity Provider), the point is that if there IS a third party, it should be clear to YOU that they are involved so you can make the choice whether to proceed.</p>
<p>4.    Directed Identity: A directed identity is one intended for a particular party (e.g. my medical records for my doctor).  It seems OBVIOUS that an identity metasystem would do this, but REALLY what this law is asserting is that the system shouldn’t use correlatable information as your identity.  In other words, an identity metasystem that decided to send your Social Security number to every site that wanted to verify you are you would be subject to GROSS abuse.  Instead, the IP should send a different identifier to each site (for self-issued cards CardSpace derives one per site, the private personal identifier or PPID), so that it isn’t easy for two sites to compare notes and realize you are the same person.</p>
<p>5.    Pluralism of Operators and Technologies:  This just means that we can’t have a single company or a single technology manage identity for the internet.  The prohibition against a single company is pretty obvious, as that company would be WAY too powerful.  The prohibition against a single technology is more controversial.  On the surface it makes sense for the identity layer to handle any previous and future protocols and security frameworks.  In reality though, the internet has done pretty well relying on HTTP, and there is a real question as to whether this law adds unnecessary complexity.</p>
<p>6.    Human integration:  Put simply this means the metasystem should be as clear as possible to ordinary people.  Implicitly it means this need should overrule other considerations (like UI customization or rad design).  This is also the “anti-phishing” law.</p>
<p>7.    Consistent experience across contexts:  This is kind of a weird one, but essentially it means that whether you are handing over your medical records or just your email address, the experience should be consistent enough so that in both cases you know that you are giving up a piece of your identity.</p>
<p>I’ll save the discussion as to whether these laws are ALL really necessary and some of the real historical reasons for their inclusion for other posts.  Next up is the actual implementation of an identity metasystem that Kim derived from these laws and after that the <a href="http://www.eclipse.org/higgins/">Higgins</a> project.</p>
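<p>Law 4 in working code, as an added example that is not part of the original post.  CardSpace likewise derives a self-issued card&#8217;s PPID from the card and the relying party&#8217;s certificate, but the derivation below is this example&#8217;s own, not Microsoft&#8217;s: it assumes a card holds a random master key that never leaves the identity selector, that a relying party is identified by the organization in its SSL certificate or, failing that, by its public key, and the certificates and site names are constructed.</p>

```python
"""Pairwise identifiers for Law 4 (directed identity). Added illustration, not
code from the post; CardSpace likewise derives a self-issued card's PPID from
the card and the relying party's certificate, but this derivation is the
example's own. Assumptions: a card holds a random master key that never leaves
the selector; an RP is identified by the organization in its SSL certificate
or, failing that, by its public key; the certificates below are constructed."""
import base64
import hashlib
import hmac
import secrets


def issue_card(card_id):
    """Self-issued card: an id plus a master key only the identity selector ever sees."""
    return {"id": card_id, "master_key": secrets.token_bytes(32)}


def rp_identifier(cert):
    """Collapse an RP certificate to the identity the user is shown. Two hosts under one
    organization certificate share it; a look-alike name on a different cert does not."""
    if cert.get("O"):
        return "org:" + " ".join(cert["O"].lower().split())
    return "key:" + hashlib.sha256(cert["spki"]).hexdigest()


def ppid(card, cert):
    """Private personal identifier: the same every time this card visits this RP, different
    at every other RP, and (being an HMAC) not invertible to the master key by the RP."""
    mac = hmac.new(card["master_key"], rp_identifier(cert).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def global_identifier(card):
    """The anti-pattern Law 4 forbids: the same identifier handed to every site."""
    return card["id"]


class RelyingParty:
    """A site that keys its accounts on whatever identifier the selector sends."""
    def __init__(self, cert, directed=True):
        self.cert, self.directed, self.accounts = cert, directed, {}

    def login(self, card):
        ident = ppid(card, self.cert) if self.directed else global_identifier(card)
        self.accounts[ident] = self.accounts.get(ident, 0) + 1
        return ident


def correlatable(*sites):
    """What colluding sites learn by joining account tables: identifiers present at all of them."""
    common = set(sites[0].accounts)
    for site in sites[1:]:
        common &= set(site.accounts)
    return common


# Constructed certificates: a bank (org-validated), a second bank host under the same
# organization, a blog (domain-validated, no O), and a look-alike phishing site.
BANK = {"O": "Example Bank", "spki": b"bank-public-key"}
BANK_MOBILE = {"O": "example  bank", "spki": b"bank-mobile-public-key"}
BLOG = {"spki": b"blog-public-key"}
PHISH = {"O": "Examp1e Bank", "spki": b"phish-public-key"}


def demo():
    """One card visits every site twice, once with directed identity and once without."""
    card = issue_card("card-1")
    directed = [RelyingParty(c) for c in (BANK, BLOG, PHISH)]
    naive = [RelyingParty(c, directed=False) for c in (BANK, BLOG, PHISH)]
    for site in directed + naive:
        for _ in range(2):
            site.login(card)
    bank, blog, phish = directed
    return {
        "stable_at_bank": bank.accounts[ppid(card, BANK)] == 2,
        "same_org_same_ppid": ppid(card, BANK_MOBILE) == ppid(card, BANK),
        "phish_gets_other_ppid": ppid(card, PHISH) != ppid(card, BANK),
        "directed_correlation": correlatable(bank, blog, phish),   # empty: nothing to join on
        "global_correlation": correlatable(*naive),               # {"card-1"}: fully linkable
    }
```

<p>Two design points carry the security argument.  The identifier is an HMAC keyed by the card&#8217;s master key rather than a plain hash of (card, site), so a site that receives it cannot test guesses about the card or replay the derivation for another site.  And the site is identified by what its certificate says, not by the hostname the user typed, so a phishing page with its own certificate is handed an identifier the real bank has never seen, which is what makes Law 4 and the anti-phishing Law 6 reinforce each other.</p>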
]]></content:encoded>
			<wfw:commentRss>http://drstarcat.com/archives/25/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

