Archive

Posts Tagged ‘cardspace’

Information Cards & Kerberos Similarities

February 1, 2010

I’m still wading through federated identity and I’ve been reading up on information cards. Before now, the most I’d ever really thought about them was when @IdentityWoman, a proponent of information cards, came to Quest’s hospitality suite (we had a wicked cool James Bond theme) at Catalyst and wanted to know what I thought about them. I hadn’t thought much about them; I said they had little effect on Quest, which is true. But that left a little placeholder in my head to learn more.

In my recent reading, one thing that struck me is how similar information cards are to Kerberos. I know; there are a lot of differences. But I can’t help seeing the similarities:

  • Identity and access are contained in a token the user uses implicitly. With Kerberos, users are generally only aware of their pre-authentication, their initial logon, and with information cards they are prompted each time they need to select a new card. But in both cases they are relying on very complex underlying, mutually authenticated (at least with managed cards) principles that are transmitted over well-encrypted channels. All that security and authentication comes implicitly with the user’s simple actions. Also, these tokens, be they cards or tickets, can all pile up happily until you have a whole mess of them around. Of course, information cards can even pull off the multi-domain model easily.
  • There is a good distribution of responsibilities to all the parties in an identity transaction with both Kerberos and information cards. And this distributed nature will even allow for one or more parties to be offline and have it still work, as long as the remaining parties trust each other enough, i.e. there can be an offline authentication using an information card or cached ticket as long as the service provider is willing to trust the ticket as supplied, given that it can’t reach the identity provider at that time.
  • Both Kerberos and information cards pay close attention to encryption and secure transmission. Not much more to say there, but it is a very good thing.
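As an added illustration of the second bullet (this is not code from the original post, and not the real Kerberos ticket or CardSpace token format), here is a small Python sketch of a relying party accepting a token offline. It assumes the identity provider and the service share a key, much as a Kerberos service shares a key with the KDC: the provider issues a signed, time-limited token, and the service validates it locally, with no round trip to the provider, by checking the signature and the expiry. The function names, the claim names and the token layout are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding (token-friendly)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64; re-adds the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, service_key: bytes, lifetime: int = 300, now=None) -> str:
    """Identity provider side: bind claims to an issue/expiry time and sign
    them with the key shared with the service (assumed format: payload.tag)."""
    now = time.time() if now is None else now
    body = dict(claims, iat=int(now), exp=int(now) + lifetime)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(service_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token_offline(token: str, service_key: bytes, now=None):
    """Service side: accept the token without contacting the provider.
    Returns the claims on success, None on any failure (bad format, bad
    signature, expired). The signature is checked before anything is parsed,
    and with a constant-time comparison."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
        expected = hmac.new(service_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        claims = json.loads(payload)
        if claims["exp"] < now:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


if __name__ == "__main__":
    # Constructed sample key and claims for the demo only.
    shared_key = b"constructed-shared-service-key"
    token = issue_token({"sub": "alice", "aud": "payroll-app"}, shared_key, now=1000)
    print("fresh token accepted:", verify_token_offline(token, shared_key, now=1100))
    print("expired token accepted:", verify_token_offline(token, shared_key, now=1400))
    print("wrong key accepted:", verify_token_offline(token, b"other-key", now=1100))
```

The point of the sketch is the trust decision, not the encoding: the service accepts the ticket purely because it trusts the key it shares with the issuer and the expiry the issuer stamped into it, which is exactly the situation described above when the identity provider cannot be reached. A real deployment would also pin the audience claim to the service and account for clock skew.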

All of these really come into play when you’re dealing with managed information cards, but those seem to be the real target for conversations about information cards in serious settings. I’ve been working with Microsoft’s Kerberos for so long and like it so much that it struck me when I realized the relationship. It really makes sense that Microsoft would have seized on this up front. But I couldn’t find any reference on the interwebs about Kerberos being the inspiration for information cards or the reason CardSpace was rolled out the way it was. But maybe it was on some level.

Federated identity graphic (SAML, OpenID, WS-*, more…)

January 26, 2010

I’ve got an idea in my head I can’t shake. I’d like to make a picture that will display as simply as possible the whole landscape of “federation”. Right away, it runs into problems because that word does not adequately capture the space anymore. The term federated identity seems better. Every major identity project I’ve come upon in the last 6 months has had a “federation” component. Some are looking to ease bringing in new users via M&A. Some are thinking about people visiting their public websites. The only thing they all seem to have in common is that they are all very confused about their options. The confusion is not surprising. There are so many options. Many of the Microsoft-centered clients that Quest sees on a regular basis are thinking about ADFS and Geneva (most still call the whole Microsoft next-generation federated identity stack Geneva even though they are aware it has its new official set of names). Everyone is talking about SAML and many about OpenID. So my thought was to make a picture to use as a discussion tool. Love to get thoughts here or at @jonathansander. My first, rough attempt is here:
