I’m still wading through federated identity and I’ve been reading up on information cards. Before now, the most I’d ever really thought about them was when @IdentityWoman, a proponent of information cards, came to Quest’s hospitality suite (we had a wicked cool James Bond theme) at Catalyst and wanted to know what I thought about them. I hadn’t thought much about them; I said they had little effect on Quest, which is true. But that left a little placeholder in my head to learn more.
In my recent reading, one thing that struck me is how similar information cards are to Kerberos. I know; there are a lot of differences. But I can’t help seeing the similarities:
- Identity and access are contained in a token the user uses implicitly. With Kerberos, users are generally only aware of their pre-authentication, their initial logon; with information cards they are prompted each time they need to select a new card. But in both cases they are relying on very complex underlying mechanisms that are mutually authenticated (at least with managed cards) and transmitted over well-encrypted channels. All that security and authentication comes implicitly with the user’s simple actions. Also, these tokens, be they cards or tickets, can all pile up happily until you have a whole mess of them around. Of course, information cards can even pull off the multi-domain model easily.
- There is a good distribution of responsibilities to all the parties in an identity transaction with both Kerberos and information cards. And this distributed nature will even allow for one or more parties to be offline and still have it work, as long as the remaining parties trust each other enough. That is, there can be an offline authentication using an information card or cached ticket as long as the service provider is willing to trust the ticket as it is supplied, given that it can’t reach the identity provider at that time.
- Both Kerberos and information cards pay close attention to encryption and secure transmission. Not much more to say there, but it is a very good thing.
All of these really only apply when you’re dealing with managed information cards, but those seem to be the real target for conversations about information cards in serious settings. I’ve been working with Microsoft’s Kerberos for so long and like it so much that it struck me when I realized the relationship. It really makes sense that Microsoft would have seized on this up front. But I couldn’t find any reference on the interwebs about Kerberos being inspiration for information cards or the reason CardSpace was rolled out the way it was. But maybe it was on some level.