Welcome to Microsoft .NET Framework 3.0 Community (NetFx3)


Digital Identity

What is digital identity?

A digital identity is a set of characteristics (or “claims”, see below) by which a person or thing is recognizable or distinguished in the digital realm. Digital identity allows us to address an individual or thing without confusing it for someone/something else.

What is identity theft?

Identity theft is the misappropriation of another person's personal information (e.g., name, Social Security number, credit card number, or passport). Identity theft manifests itself in many different forms in both the physical world and online. Frequently, online identity theft comes in the form of “phishing.”

What is phishing?

Phishing schemes trick individual consumers into releasing banking and other identity-related information. They take advantage of consumers’ inability to confirm the identity of who they’re dealing with (their bank, a credit card company, an online business, etc.). You think it’s your bank’s website, but it is not, and once a bad guy gets your username and password he can do what he wants with them.

How big is the identity theft problem?

Internet fraud such as phishing cost banks and credit card issuers $1.2B in 2003. Over 200,000 complaints of Internet-related fraud were reported in 2004, and $250 billion was lost in 2004 through exposure of confidential information. The Anti-Phishing Working Group reported 13,776 unique types of phishing attacks in August 2005. You can look up the latest data at http://www.antiphishing.org

What do these identity-related terms mean?

Claims

A claim is an assertion of the truth of something. Several claims can be made as a set. For example, someone may claim that their last name is “Smith”, their first name is “John” and that their date of birth is “June 17th 1965”. These claims can be made by an end user or by a third party identity provider. Clearly there are different levels of assurance as to the accuracy of a claim depending on who makes it. A verified identity provider will typically provide higher levels of assurance.

Tokens

A token is a cryptographically signed – and typically, if not always, encrypted – set of claims. This is how a collection of claims gets from one machine to another. The signature allows the recipient to verify the issuer and to check that the contents of the token have not been tampered with.

Federation

A model for identity systems that allows them to interoperate by exchanging claims-based tokens.

Federated identity

The notion of having an identity provider supply a set of identity claims to a separate, autonomous system. Federated identity in the identity metasystem does not involve the notion of a central identity provider, as many historical systems have attempted to promote, but is instead user-centric, with the ability to use a range of different identity providers according to the context.

Federated Trust

The trust relationships between the parties involved in the secure exchange of users’ identity information.

Multi-Factor Authentication

Requires two or more forms of identification in order to access a system, e.g. a PIN and a smart card. There are three forms of identification “factor” generally in use today:

1. Something you know: a password, PIN, etc.

2. Something you have: a credit card, smart card, hardware token, etc.

3. Something you are: biometric information, e.g. a fingerprint or retina scan.

In most systems, at least two of the above “factors” are necessary to identify an individual. Sometimes, n-factor authentication requires an increasing number of factors to be presented in order to identify a person beyond reasonable doubt.

Security Token Service (STS)

A service which is responsible for releasing cryptographically signed tokens containing corroborated claims about an individual. It adheres to the WS-Trust web service specification.

Relying Party

The requestor and eventual consumer of the token containing claims about an individual.

Identity Provider

An organization that acts as a trusted provider of identity information through a Security Token Service (STS).

What is the Identity Metasystem?

http://www.identityblog.com/?p=355 

The Identity Metasystem is an interoperable architecture for digital identity that assumes people will have several digital identities based on multiple underlying technologies, implementations, and providers. Using this approach, not only will individuals be put in control of their identity, but organizations will be able to continue to use their existing identity infrastructure investments, choose the identity technology that works best for them, and more easily migrate from old technologies to new technologies without sacrificing interoperability with others.

What are the laws of identity?

http://www.identityblog.com/?p=354 

1. User Control and Consent:
Digital identity systems must only reveal information identifying a user with the user’s consent.

2. Limited Disclosure for Limited Use:
The solution which discloses the least identifying information and best limits its use is the most stable, long-term solution.

3. The Law of Fewest Parties:
Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.

4. Directed Identity:
A universal identity metasystem must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

5. Pluralism of Operators and Technologies:
A universal identity metasystem must channel and enable the interworking of multiple identity technologies run by multiple identity providers.

6. Human Integration:
A unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications.

7. Consistent Experience Across Contexts:
A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies.

Windows CardSpace

What is CardSpace?

CardSpace is a new feature of Windows that gives individuals unprecedented control of their digital identities, while also helping users to manage their privacy. Users can install managed information cards from identity providers such as their bank, employer, government agency, or membership organization, and they can create their own self-issued information cards. When a website or web service requests a user’s credentials, CardSpace will be invoked and allow the user to select a card. CardSpace then retrieves a verifiable credential in the form of a signed security token from the selected identity provider, or the self-issuing authority as the case may be, utilizing interoperable protocols. It then returns the token to the requesting application. This provides users with a simple, secure and familiar sign-on experience that is consistent across websites and web services.

How is CardSpace used?

CardSpace helps consumers reduce the need to remember long lists of usernames and passwords, and helps prevent the theft of personal information through phishing schemes. Consumers use their information cards to identify themselves to applications, websites and online services. It is the first step in enabling millions of Web sites to provide a safer, more secure experience to customers.

What are the intended scenarios for CardSpace?

CardSpace provides consumers with a simpler and safer digital identity experience that is very similar to the experience they have in the physical world. It provides a common way for people to manage their digital identities (similar to how we use wallets or purses to hold physical cards); a way to know when to use which digital identity (similar to seeing a sticker that indicates which credit cards are accepted for payment); and a way of telling that the party asking for a user’s identity is who they say they are.

Will Microsoft store personal information in CardSpace on my Windows PC?

Microsoft does not provide a universal, centralized identity store. It is up to each identity provider to decide how and where to store that information. Consumers can also create self-issued cards with the information they are willing to store and submit.

Is CardSpace targeted at consumers or businesses?

CardSpace was designed to support Microsoft’s vision of an Identity Metasystem, which spans personal, commercial, and government scenarios. The CardSpace user experience will be consistent and predictable across B2B, B2C, and B2E applications.

Can CardSpace prevent phishing and identity theft?

While no single technology measure will absolutely prevent identity theft, CardSpace mitigates the risks of the most commonly deployed attacks, including phishing, by eliminating the need for passwords and replacing them with cryptographically strong credentials.

What is the difference between CardSpace and smart cards?

Smart cards and CardSpace can work in concert with one another. An information card is a digital representation of a user’s identity as issued by a particular Identity Provider. When the customer selects an information card in the CardSpace UI, such as when logging into an online account, CardSpace sends a request to a Security Token Service (STS) at the Identity Provider to generate a security token of a requested type. Sometimes the user is prompted for an additional credential, such as a PIN or password, to authenticate to the Security Token Service. A smart card is one such credential.

With CardSpace, do passwords go away?

Passwords will be in use for years to come. CardSpace will provide a more secure method for users and organizations to establish relationships. Over time, CardSpace will reduce the reliance on passwords.

How would a typical end-user make use of CardSpace?

CardSpace provides the consumer with a simpler and safer digital identity experience that is very similar to how we use wallets or purses to hold the different physical identity cards we have today. Consumers use information cards online the way we use ID and payment cards in the physical world. For example, a user might use one of their information cards in order to log into online websites or services. These cards might be self-issued (containing uncorroborated claims) or provider-issued (containing claims corroborated by a third party such as a bank or an insurance company). After adding several items to their shopping cart, a user might opt to pay for the products by selecting a card issued by a bank or credit card company.

What are the benefits of using CardSpace?

Consumer:
Increased confidence – customers can interact with websites and Internet applications knowing that their identity is secure.
Consistent experience – customers get the same easy-to-use, recognizable and trusted user experience across websites.
Control – consumers always remain in control of their identity.

Businesses:
Reduced costs – fewer costs associated with fraudulent purchases.
Customer intimacy – build better relationships with identified customers.
Reputation – be seen as taking an active interest in protecting customers’ identities.

ISVs and IHVs:
Improved security – deliver applications that help protect users’ identities.
Improved customer relationships – boost customers’ confidence by delivering apps that provide a standard, consistent, secure identity model.
Increased sales – through increased customer confidence and trust.

Developers and IT Pros:
Reduced code – less code and effort required to enable secure identity features.
Productivity – offload the hard work of identity management to generic platform infrastructure, saving time, effort and money.

What Websites and businesses support CardSpace?

We are working with a broad range of businesses, organizations and vendors to understand how they can leverage the benefits of CardSpace and offer these benefits to their customers and partners.

Have any governmental security agencies (NSA, GCHQ, MI5, etc) been involved in CardSpace? Are they aware of it?

Yes. We have been, and will continue to work with several government agencies and businesses around the world to understand the identity metasystem as well as our implementation of CardSpace.

Is CardSpace a way of doing single sign on (SSO)?

CardSpace offers a streamlined authentication mechanism, but it is not, in its current incarnation, really what we refer to as single sign-on. SSO usually refers to a user only signing on to the operating system and not being prompted again for their credentials. CardSpace, when invoked, always prompts the user to choose an information card, placing the user in control of how they are authenticated and identified.

How does CardSpace relate to SOA?

CardSpace provides a way for any application to identify the user, regardless of any given architectural perspective. CardSpace is a natural fit for an SOA-based architecture given its use of the web services protocols and integration with Windows Communication Foundation.

Will CardSpace help content providers prevent theft/piracy of copyrighted materials?

Potentially, yes. Since CardSpace provides a way to identify individuals, it could be used as part of a Digital Rights Management solution.

Could CardSpace provide the basis for a national ID system?

CardSpace and information cards provide a compelling way for governmental bodies to identify citizens online. Not surprisingly, many governments around the world are looking at CardSpace and building proofs of concept and pilots.

How does CardSpace allow businesses to comply with national regulations on identity storage?

These regulations differ widely around the world – some are more restrictive than others. We’re working to understand the role that CardSpace could play within such regulations.

Does CardSpace enable micro-payments?

CardSpace provides a powerful identity management system. Should a micro-payment provider require the ability to securely identify the parties involved in a payment transaction, then they could certainly use CardSpace for this purpose.

How does CardSpace relate to Microsoft’s broader security efforts?

CardSpace is one of the many activities Microsoft is engaged in to ensure the security and confidentiality of individuals’ identities and information and is a key component providing user-controlled authentication facilities.

Relationship to Other Microsoft Technologies

Is CardSpace built into Windows?

CardSpace is included within Windows Vista and is available as an optional add-on for both Windows XP SP2 and Windows 2003 Server SP1.

Is CardSpace supported by IE7 in both Windows XP and Windows Vista?

Yes. Web applications are one of the primary use cases for CardSpace and Microsoft’s goal is for all available browsers, including IE 7, to support it.

How does CardSpace relate to .NET Framework 3.0?

CardSpace is one of the next-generation technologies exposed as part of the .NET Framework 3.0 APIs, along with Windows Communication Foundation, Windows Workflow Foundation and Windows Presentation Foundation.

How does CardSpace relate to Windows Communication Foundation (WCF)? Is it a feature of WCF or is it just an app built on WCF?

CardSpace and WCF are two distinct technologies that are delivered within .NET Framework 3.0. CardSpace provides an end-user focused technology that allows users to create and choose security claims that naturally span trust domains and mitigate several security issues (e.g. phishing) that exist today. CardSpace uses WCF for its web service calls and policy handling. CardSpace also integrates into WCF’s security subsystem. Using an explicit credential type, CardSpace can be easily integrated into a WCF-based application.

How will the identity metasystem change technology development?

While WCF was being built we formed a core security team that closely examined how previous identity and access models had been built. It became clear that a very similar set of scenarios was being implemented time and again in different technology silos.

Rather than repeat this pattern, we began a process of collaborating with other groups to jointly define a suite of WS-* specs that abstracted the security protocols necessary to enable federated security, identity and access control. It was very important that this family of protocols would support the encapsulation and exchange of various identity tokens such as x509, Kerberos, SAML, etc.

There are several key pieces to the suite of security protocols:

A person makes claims about their identity (e.g. my username is “foo”, my password is “bar”, etc) to an authentication engine. How a user validates their identity claims is dependent on the authentication engine they’re using such as Kerberos, x509, etc. Once the person’s claims are validated, the authentication engine returns a cryptographically secured token representing the assertion that the person’s identity is valid.

WS-Security uses these tokens in order to sign and/or encrypt messages in order to provide message integrity or privacy.

WS-SecureConversation provides a way to establish a secure “conversation” between two parties while reducing the cost of security to the minimum.

WS-SecurityPolicy provides a way to tell other parties what claims to use in order to secure messages. This is an extremely important facility and essential to simplifying the development of secure distributed systems.

WS-Trust enables federated identity scenarios by providing a way for an entity’s claims to be securely obtained from a Security Token Service (STS). This means that an individual’s credentials can be federated across a number of providers rather than stored in a single central engine.

The net result of this approach is that it enables existing systems and new systems to work together through a set of simple principles, regardless of which platforms and technologies are involved.

On top of this suite of protocols, Microsoft has built a security technology platform consisting of WCF, CardSpace and Active Directory Federation Services (ADFS), which is built into the core of the Microsoft platform. This will enable Windows developers to deliver more secure, robust and flexible applications with far less effort than ever before.

CardSpace and Microsoft’s Online Services

How does CardSpace relate to Live ID and Passport? Will Live ID be a provider of information cards?

Microsoft’s Passport/Live ID engine is a very successful identity and authentication engine for Microsoft Web sites and applications. In addition to working with various other identity providers across the industry, we are working with the Live ID team to incorporate the necessary features into Live ID to enable it to issue identity tokens. You can use information cards to log on to Live ID.

How will CardSpace impact Live ID?

Passport and MSN plan to implement support for the identity metasystem as an online identity provider for MSN and its partners. Live ID users get improved security and ease of use, and MSN Online partners are able to interoperate with Live ID through the identity metasystem.

Will MSN implement CardSpace support?

MSN uses Microsoft Live ID to identify users. Live ID supports information card login so you can use an information card to log on to MSN.

How does CardSpace intersect with Windows Live positioning?

For consumers using Microsoft’s new Windows Live Internet-based services, CardSpace provides enhanced security by helping users better manage their personal identity information and control its release.

Does Windows Live ID work with CardSpace?

Yes. Windows Live ID lets you manage your cards and log in with them.

Ship Schedule and Vehicles

Considering the number of security vulnerabilities associated with the Windows client and Internet Explorer, why would a customer trust this technology to handle their digital identity information?

Microsoft has made very deep investments and made huge advances in securing not only the core Operating System, but also the subsystems and applications that run on top of the OS. Also managed code (.NET) is significantly less prone to many of the problems experienced by traditional native code, regardless of which OS the native code is running on. Furthermore, the Identity Metasystem is about flexibility and choice. If someone wants to use a non-Microsoft identity selector on a non-Microsoft OS with a non-Microsoft browser to retrieve identity information from a non-Microsoft Security Token Service to authenticate to a non-Microsoft website then go in peace! This needs to happen for CardSpace and the Identity Metasystem to be truly successful - rather than being condemned to being yet another identity system to manage and interoperate with. We are working with all the major software vendors to make this a reality.

Can CardSpace be used on non-Microsoft OSes?

CardSpace is Microsoft’s implementation of an end user experience for managing digital identities based upon the open, standard WS-* protocols. Not only are other platform vendors, browser vendors, etc, free to implement their own versions of CardSpace and other parts of the identity metasystem, we are actively helping them do so.

How will customers get CardSpace?

CardSpace ships as part of the .NET Framework 3.0 and 3.5. The .NET Framework 3.0 is built into Windows Vista and is available as a redistributable package for Windows XP and Windows 2003 Server.

On what versions of Windows is CardSpace supported?

Windows XP SP2+, Windows Server 2003 SP1+, and Windows Vista.

Features and Implementation

Where is personal information stored?

Each Identity Provider (bank, government agency, credit card vendor, insurance company, hotel chain) determines the information stored about a user. Sometimes nothing more than an ID number is stored; other issuing parties may store more, less or different information. It is the responsibility of the Identity Provider to store this information and to return it at the user’s behest; this is the basis of the federated identity metasystem. Microsoft does not provide a universal, centralized identity store. It is also very important to realize that the information card that is imported into CardSpace by the user contains no user data. Rather, it contains metadata about how and where to get user data when the card is selected.

What happens if the device running CardSpace is lost or stolen?

All information stored within cards is encrypted and can also be protected with a PIN or password to prevent theft. The cards themselves do not contain user data, and managed cards have a second authentication factor associated with them, such as a smart card, meaning that possession of the information card alone is not sufficient for a thief to gain access to a user's personal information.

How do I transfer digital identity from [Web/computer] and put it onto the [card/USB/etc]?

Cards can be exported to and imported from secure files which can be copied from one machine to another.

What other platforms support CardSpace?

Because CardSpace is implemented on top of open, standard WS-* protocols, other vendors are free to build, and are building, equivalent implementations of CardSpace on other platforms.

Will CardSpace run on non-Microsoft platforms?

CardSpace is Microsoft’s implementation for Windows of a secure identity system built on top of open, standard WS-* protocols. CardSpace therefore will only run on Microsoft’s platform of choice, Windows, but we are actively encouraging and helping other vendors to build equivalent implementations on other platforms.

What Internet browsers support CardSpace?

Microsoft’s Internet Explorer 7 supports CardSpace, as will Mozilla Firefox 3.0. We’re working with other browser vendors to include support for CardSpace.

Where do you get digital identities from? How do they get onto an information card?

Information cards can be issued by various Identity Providers and imported into a user’s CardSpace using the CardSpace UI. How the card, a signed XML file, gets to the user is up to the identity provider. It could be downloaded from a webpage, sent by email or given to the user in any way, shape or form that a file can be given by one party to another.

What are self-issued identities? How are they used?

Self-issued cards contain claims that an individual asserts about themselves, but are not corroborated by a third party.

Is it possible to selectively release information from CardSpace without exposing more sensitive data?

CardSpace can present the list of claims requested by a site or application before a user selects a card, and it also displays a “preview” of the token’s values prior to returning them to the requestor. Users therefore have two opportunities to stop their identity information from being sent to requesting sites. Claims are also marked as either required or optional, so a user can opt to withhold the optional information (the default) or provide it.
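The token exchange this FAQ describes (a signed set of claims, an STS issuing to a relying party, a card that carries only metadata, and the required/optional claim split above), as an added Python model that is not CardSpace’s or WCF’s own code. It stands in for WS-Trust and the issuer’s signing certificate with a JSON body and an HMAC key shared under a federated-trust relationship; the issuer name, key, audience and user record are all constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data. The relying party ("shop.example") has a federated
# trust relationship with one identity provider and holds a verification key
# for it; the shared HMAC key stands in for the issuer's signing certificate.
AUDIENCE = "shop.example"
TRUSTED_ISSUERS = {"bank-idp": b"constructed-verification-key-for-bank-idp"}

# An information card holds metadata only: who issues tokens and which claim
# types that issuer can corroborate. No user data is stored in the card.
CARDS = [{"issuer": "bank-idp",
          "supported_claims": {"givenname", "surname", "dateofbirth", "accountlevel"}}]

# Records held by the bank's STS, not by the card or the selector (constructed).
STS_USER_STORE = {"alice": {"givenname": "Alice", "surname": "Smith",
                            "dateofbirth": "1965-06-17", "accountlevel": "gold"}}


class TokenError(Exception):
    pass


def _sign(issuer_key, body):
    return hmac.new(issuer_key, body, hashlib.sha256).hexdigest()


def select_card(cards, policy, release_optional=False):
    """Identity selector: pick a card from an issuer the site accepts that can
    satisfy every required claim. Optional claims are withheld unless the user
    explicitly opts in to release them."""
    required = set(policy["required"])
    wanted = required | (set(policy["optional"]) if release_optional else set())
    for card in cards:
        if card["issuer"] in policy["issuers"] and required <= card["supported_claims"]:
            return card, sorted(wanted & card["supported_claims"])
    return None, []


def sts_issue(issuer, issuer_key, user, claim_types, audience, now, ttl=300):
    """STS: corroborate the requested claims from its own records and return a
    signed token. The signature covers issuer, audience, validity window and
    claims, so the relying party can detect any alteration of the set."""
    record = STS_USER_STORE[user]
    claims = {c: record[c] for c in claim_types if c in record}
    body = json.dumps({"issuer": issuer, "audience": audience, "issued_at": now,
                       "expires": now + ttl, "claims": claims}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(issuer_key, body)


def rp_verify(token, policy, audience, now):
    """Relying party: accept only a token from a trusted issuer whose signature
    matches, that is addressed to us, is inside its validity window and carries
    every claim the site marked as required."""
    try:
        encoded, sig = token.split(".")
        body = base64.urlsafe_b64decode(encoded)
        data = dict(json.loads(body))  # dict() rejects a non-object body
    except (ValueError, TypeError):
        raise TokenError("malformed token")
    key = TRUSTED_ISSUERS.get(data.get("issuer"))
    if key is None:
        raise TokenError("untrusted issuer")
    if not hmac.compare_digest(_sign(key, body), sig):
        raise TokenError("signature mismatch: token altered or forged")
    if data.get("audience") != audience:
        raise TokenError("token was issued for a different relying party")
    if not data.get("issued_at", 0) <= now < data.get("expires", 0):
        raise TokenError("token outside its validity window")
    claims = data.get("claims", {})
    missing = set(policy["required"]) - set(claims)
    if missing:
        raise TokenError("required claims missing: " + ", ".join(sorted(missing)))
    return claims


def verify_result(token, policy, now):
    """Return the released claims, or the reason the relying party refused."""
    try:
        return rp_verify(token, policy, AUDIENCE, now)
    except TokenError as err:
        return "rejected: " + str(err)


def checkout(user, policy, now, release_optional=False):
    """End to end: the selector picks a card, the STS issues, the shop verifies."""
    card, claim_types = select_card(CARDS, policy, release_optional)
    if card is None:
        raise TokenError("no card from an accepted issuer satisfies the required claims")
    token = sts_issue(card["issuer"], TRUSTED_ISSUERS[card["issuer"]], user,
                      claim_types, AUDIENCE, now)
    return rp_verify(token, policy, AUDIENCE, now)
```

With the default `release_optional=False` the date of birth never leaves the STS even though the site asked for it; the relying party still refuses any token whose issuer, signature, audience, validity window or required claims do not check out.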

How can developers incorporate CardSpace into a WCF application?

Windows Communication Foundation has a flexible security infrastructure which is fully integrated with CardSpace as well as other forms of identity tokens including Kerberos and SAML. Developers can configure their WCF services to require authentication with CardSpace and the user will be seamlessly prompted to authenticate with CardSpace.

Can CardSpace be used in conjunction with winlogon to provide access to desktops?

This is not a currently supported scenario but one that we are actively considering.

What types of hardware can be used to authenticate with CardSpace? Smart cards, RSA cards, biometrics, USB keys?

We are working with a number of identity storage vendors interested in building support for CardSpace. The current version of CardSpace supports all authentication mechanisms that can be represented by a cryptographic service provider (CSP).

Standards and Interoperability

Is CardSpace Microsoft proprietary?

CardSpace is part of Microsoft’s implementation of the identity metasystem and uses open, standard WS-* protocols. While CardSpace runs on Microsoft Windows, it is compliant with the supported WS-* standards and with other vendors’ implementations on other platforms. In addition, other vendors are building implementations of CardSpace-like technologies to run on other platforms.

How does CardSpace relate to Web services and WS-* architecture?

CardSpace is part of Microsoft’s implementation of an identity metasystem based on standard protocols and composes seamlessly with the WS-* security protocol family (including WS-Security, WS-SecureConversation, WS-SecurityPolicy, WS-MetadataExchange, WS-Trust, etc.).

What other platform vendors will support CardSpace (IBM, Sun, Oracle, etc)?

We are working with a number of businesses, organizations and vendors to encourage their support and adoption of the identity metasystem. You can see one list at http://osis.netmesh.org/wiki/I2-Barcelona#Participants_and_Contact_Information

What WS-* specs are supported by CardSpace?

CardSpace supports WS-Security, WS-SecureConversation, WS-SecurityPolicy, WS-MetadataExchange and WS-Trust.

How does CardSpace relate to Liberty and the SAML 2.0 protocol?

CardSpace is the codename for a new feature of Windows that gives individuals unprecedented control of their digital identities, while also helping users to manage their privacy. Liberty is focused on a subset of the issues involved in federated SSO. We continue to communicate with the Liberty organization and its members, as well as drive discussion in the Web services space, to ensure that customers will be able to use secure, reliable, transacted Web services as a part of their identity management solutions. We are engaged with the Concordia Project in order to facilitate interoperability between the two systems.

How does CardSpace relate to the Sun/MS announcements about SSO?

The Sun and Microsoft announcement on SSO focuses more on the way in which Microsoft’s Active Directory and Sun’s Java Enterprise System can exchange authentication tokens using WS-Federation. This scenario is enabled by ADFS, although the scenario could be extended to support CardSpace in the future. We are currently working with Sun to help them build software for the identity metasystem.

How does CardSpace interoperate with existing security protocols?

CardSpace is part of Microsoft’s implementation of the identity metasystem. The metasystem is fully supported by the WS-* security protocols and is open to all parties according to the Open Specification Promise (OSP). CardSpace uses these protocols to provide a secure way in which the release of identity claims can be controlled by a user and trusted by a receiving application or service.

Which companies will be STSs?

We are working with potential identity providers across multiple industry segments to discuss the possibility of providing a range of STSs. Examples of potential identity providers include banks, government agencies (driver’s licenses, National Passports), Credit Card companies, Medical coverage providers, etc. These are implemented on Windows and other Operating Systems and platforms.

Does CardSpace provide end-to-end security features? In other words, with CardSpace, will users have to employ any other security mechanisms (e.g. security tokens, two-factor authentication, etc.) to share personal information securely?

CardSpace is a useful substrate that provides much of what is needed to implement a secure identity infrastructure. Additional enhancements, such as n-factor authentication, biometrics, etc, are openly welcome and can be seamlessly integrated into the metasystem.

Copyright © 2007 Microsoft Corporation. All Rights Reserved.