Thursday Jan 17, 2008

infocard: An Expensive Affair

This " - night - Graveyard-shift " infocard project of mine is working out to be an expensive affair for me, in the $$ terms. I travel around so much (every mon-fri) that in order to work on it at nights, I needed to have WinXP with SP2 and ie7 on it. There's no way I would risk putting my endeared Ferarri through the BSoD (Blue Screen of Death) trauma. Well There was no way for me to carry all my desktops around when I travel. So came VMware to the rescue. My VMWare Workstation costs US$199, and then another WinXP Pro license was another US$299. And another CD$100 for bribing my wife with a L'Occitane gift pack to entice her to let me spend this money. Whew!!. I hope this expense pays off in terms of learning. I believe that there can be no cost factor associated with learning. And hope & pray that this pays off in the long run. Now I have a "infocard" ready system in addition to a development environment, and a webserver with me all the time. Hopefully in the coming weeks, (with my new set of ammunition), I should be able to blog more on my discoveries... So stay tuned...

InfoCard or JavaCard

Kim had posted a nice article on A simple managed payment card example a while ago. So basicaly what happens with a "issued" infocard is that the infocard only contains a pointer to where the user information is to be obtained from (in this case as per Kim's example the issuer happens to be Bank Of America, and the requestor is Well, Kapil had a nicer post on Smartcards and Federated Identity. Kapil quotes
Smartcards are the actually the real enabler of biggest network of identity federations world has known till date i.e GSM. [...] various standards like SAML, Liberty, InfoCard/WS-Trust, WS-Federation etc for identity federation respect and understand the usefulness of security devices like Smartcards. All these standards propose the solution to same set of problems in _almost_ same way and differ mostly in wire protocols used. SAML and Liberty has a profiles ECP (Enhanced client proxy) and LECP (Liberty enabled client or proxy) respectively which enables a Smartcard based authentication where as InfoCard (a profile of WS-Trust) treats Smartcard as another Security token service which can generate self issued security tokens.
nice... I see the light at the end of the tunnel. infocard treats a smartcard as a personal security token service (PSTS) which can issue security token in form of SAML assertions. and so i thought... or rather... continue to think... Whats the difference between the long existent JavaCard/Liberty vs InfoCard/WS-Federation ? I remember sometime back I had read an article on Microsoft Employees Get Carded" by Karen Epper Hoffman via Kapil's Blog. Well, Scott made us use these along from a long time ago... And Microsoft's views on smartcards are no different. Hubert has put together a nice demo of how a using Liberty’s ID-WSF protocols, we can create a module that greatly helps the user in dealing with his digital identities. Currently laptops, sunray 1g, sunray 170 and desktops ARE available with builtin smartcard readers. and hence my dilema...

Microsoft Infocard & my realtime discoveries

Yes (to all those who were wondering on who is working on porting infocard to Solaris/Linux, I currently am working on integrating infocard with access manager and my next move would be to port infocard to Solaris/Linux. The process of porting infocard over is not a 1 week task. It may take me longer as i'm overloaded with work and hardly have time to spare for this development. But with me assigning an hour or two everyday I hopefully would complete this shortly. In the meantine I shall also blog my experiences in the process. and here's my first run at it. infocard in it's current form can be used on Window XP desktops  which have SP2 installed, Windows 2003 Server with SP1 installed and Windows Vista (February CTP). It require WinFX Runtime Components (for x86 or for x64). I currently am playing around with infocard on Window XP with SP2 and Windows 2003 Server with SP1. As soon as the WinFX CTP is installed on the system, the infocard components also get installed. You would also notice that your control panel would now have a "Digital Identities" component installed. This is the core component from which you can create, edit, import or delete your infocard's.
You can create as many "Identities" as you choose. but what Bugs me is that I can create "any" Identity of my choosing. The screenshot below shows how I created Identities with Myself, Kim, Pat and Bill Gates as the "identities" "I" wish to be recognized as.
Microsoft Infocard
click to enlarge
Here's the issue that bugs me. This issue has been bugging me for a while since the time "user-controlled" identities became the talk of the town oops web. The term "identity management" I believed was a step forward in preventing "identity theft" (someone, please correct me If i'm wrong here). With the volume of identity theives who exists on the web today, the ability of creating "identities" just faciliatates the process. I agree that the "identity" may be of no good is nobody accepts the identity. But however, Microsoft would succeed to enabling organization in adopting infocard and it's usage participation would rise. For Organizations (participants) who have their head over their shoulders, the organizations ("issuers") would issue users their "infocard"/"identities" which could be used to access a service. Users could import the "issued" infocard onto their desktops using the "Install a provider card" as in the screenshot below.
Infocard Provider
click to enlarge
Here's my biased opinion. If the only infocard's that MATTER are the ones that are issued by a provider, What makes it different from "Liberty"? Liberty is built on the "identity-given" framework/concept. The ability of enabling a user to create his own "infocard" may sound appealing, but how does it help? Well, for a novice user, it may sound cool, because he/she can create several "infocards" of themselves and choose which one to provide a "requestor" based on the information he/she would want to provide a particular web service/application. But for the miscreants, it's a toolkit to spoof identities. Another issue is that the "infocard's" are stored on a users desktop (porting them from one system to another "may" be a pain to a novice user). Now, this makes it even worse. anybody who has access to the users machine has the ability to delete the infocard's that one may have created. What IF my son deletes my infocard'S intentionally or accidentally ? What If my infocard gets stolen ? If the infocard's are not protected, they could be exported from one machine to the other with ease. The only way to secure it it by password protecting it. (So where does no passwords required play a picture in this ?) One can come up (makeup) with numerous issues with this model. But whats important is the fact that the "only" infocard's that matter would be the ones that are issued by a service provider/identity provider. Well, we have another issue now, IF  each IDP/SP would start issuing infocard's to their users, the user ends up having tens of hundreds of infocard's to manage. How different is that from tens of hundreds of username/password combinations? As a infocard user am I supposed to store all my infocard's on a USB drive and carry it along with me just to enable me to use a service from any desktop? (the desktop additionally should be infocard enabled !!). AH!! I'm tired right now. I shall follow up on this again soon.. as my thoughts keep formulating and changing. PS: I personally like JavaCards. Please read Hubert's post on Liberty à la InfoCard. And think... "JavaCards and Liberty". You be the judge. So you decide for yourselves. UPDATE : This does not mean that I am not working on porting infocard to \*nix and integrating it with AM. I am working on that too. Shall keep you posted on developments at my end periodically. UPDATE 2 : I am NOT against infocard. I'm just thinking out loud as I keep discovering new stuff. And thought processes change periodically. The only thing that has been constant in my discoveries so far has been "change"

Saturday Nov 04, 2006

Infocard for Wordpress Cramped

Though Kim's placeholder for publishing the php code for wordpress integration is still "on hold" Kim has just blogged about the wordpress version differences betwen his "test" box and the "production" blog. He also mentioned that "a bunch" of people have been using the infocard client on his site... Well, I sure am one of them. However i'd like to meet the others... SO if there are others out there trying to use learn more about infocards, introduce yourself. Well, I did log into Kim's site with an infocard, but I informed Kim about my moves... I'm not doing anything behind his back... So I'd suggest you folks who are trying to log into identityblog, to introduce yourselves... Well, we can start a "support group". I'm not too worried about the "php" part as the php code for WordPress I predict would be an extremely simple thing... Here's my prediction... All the code would do is, "provision" the "authenticated" user info mysql, and establish a WordPress session. (Correct me if i'm wrong Kim, but infocard addresses a specific usecase. ie: Authentication and not Authorization). Additionally, the user may be associated with a "role" that would enable the "user" to comment on the blog... nothing more... The php stuff aint magic... The "REAL" magic is the browsers capability to invoke the "Identity Selector"... Now, Kim, if your'e reading this... could you share "THAT" code ? Now, I may get a response in the form of ... Just embed an OBJECT tag in your HTML code and that would do it.. But hey !! that aint it. Embedding an OBJECT tag in HTML just does not do it. There's more to it than just an OBJECT tag. There's some relationship between the browsers capability of identifying the application type "infocard" and having the ability to invoke the Identity Selectior thats installed on the desktop. I know that ie7 Can do it as I blogged about that earlier. Kim mentioned that he "had" a plugin for ie6. Well, apart from me trying to develop a open source version of the "Identity Selector" in Java ( which has nothing to do with HIGGINS ), I also am trying to develop a plugin/addon for Firefox/Mozilla. And If Kim shares that "plugin" code for ie6, it would make life so simple.... (at least mine...) PS: In order to get a "browser" to "invoke" the installed WCF Identity Selector, the browser needs to recognize "specific" HTML extenstions. I do have a doc that describes those extentions, but am currently unclear on it's workflow; as I got my local browser (firefox) to recognize "those" extentions, but was unable to invoke the WinFX Component from my HTML page with an embedded OBJECT tag. I've got a lot more to learn..... and I shall share as I roll along... Will you ?

Browser Infocard Support Code

I just wanted to share with you the "browser" requirements for "browsers" to have the ability to invoke the Infocard Identity Selector (WinFX CTP Component). For now, I know what the "browsers" should do. Would they do it... is another story altogether...
  1. The browser InfoCard support code invokes the InfoCard identity selector, passing it parameter values supplied by the InfoCard HTML tag supplied by the site.
  2. The user then uses the identity selector to choose an InfoCard, which represents a digital identity that can be used to authenticate at that site.
  3. The Identity Selector uses the Identity Metasystem protocols to retrieve a security token representing the digital identity selected by the user from the STS at the identity provider for that identity.
  4. The browser should post the token obtained back to the web site using a HTTP(S)/POST.
  5. The web site validates the token, completing the user’s InfoCard-based authentication to the web site.
  6. Following authentication, the web site would typically then write a client-side browser cookie and redirect the browser back to the protected page.
AH!! authentication, see... Infocard addresses "authentication" and NOT "authorization". I believe that my assumption is true. Could someone correct me if i'm wrong?

Integrating with infocard

Reference Links :
  1. A guide to Integrating with Infocard V 1.0
  2. Infocard Godfathers :
  3. Design Rationale behind the Identity Metasystem infrastructure
  4. Microsofts vision of a Identity Metasystem
  5. The Law's of Identity ( microsofts version )
  6. A technical reference for infocards 1.0
  7. WinFX Developer Center

Infocard without WinFX CTP

I have just completed a basic infocard plugin for firefox. Currently with my plugin, you can create infocards and save them. yeah... A hellava lot of work has gotten into it already... Please remember, I have a day job too and this is my effort on a "time restrained" basis... Some folks mentioned to me just yesterday that I am burning myself with "infocard". I want to put on record that this effort of mine is outside the boundaries of my day job. Well, if you think that I'm lagging in my "official work", your DEAD wrong. My utilization is in excess of 100% and hey !! I'm a revenue engine for my employer. (I just hope that they are aware of it and appreciate it) ~just kidding... There are folks who go clubing, skiing, surfing, sailing, etc... for recreation. Well, I code for recreation... So.. All's good... I hope.. Well, the next step is to enable the HTML-OBJECT (enable the browser to recognize the application type "infocard") tag to invoke my "plugin" to enable the user to select an infocard (identity) and pass the security token representing the digital identity from the Security Token Service (STS) onto the requesting site using the HTTP(s)/POST operation. I am not sure how the website would validate the token, but however I guess I shall find out shortly.. Screenshots of my Firefox Plugin are shown below:
Firefox Extension Installer/Update:
Firefox Infocard Options:
Firefox Infocard Editor:
PS: The plugin is in "alpha" right now. I shall keep you posted developments from my end. UPDATE: I should have said, PRE-alpha rather than alpha. The plugin is way from close to completion. Please remember I just started working on this and it would take me time to complete it. (especially when i'm doing this after hours) I shall post updates periodically as functional modules get added.. And as soon as i have a "working" instance, I shall make it available for download both from here and also the mozilla downloads directory.

Infocard browser restriction

Just an FYI discovery of the moment.. Infocard authentication (as I had blogged about earlier this week) currently works on Windows XP with WinFX CTP installed and with Internet Explorer 7 Beta 2 Preview only. I tried to install ie7 Beta 2 Preview on Windows Server 2003. But got an "installation" error as ie7 Beta 2 Preview is currently not supported on Windows Server 2003. ie7 Beta 2 Preview release notes can be found here. If anybody out there has been successful in installing ie7 Beta 2 Preview on Windows Server 2003, please let me know how you did it or if it was possible.

infocard for Wordpress (pre-release)

pursuant to my prior post on Kim's php code release, I predicted that the php code would be no magic. The real "magic" is in the browsers capability of invoking the "identity Selector" and passing data packets back and forth between the infocard enabled website using the OBJECT tag and the "Identity Selector". More on the browser side later. This post is about what Kim's php code "may" look like.
Please Read Update 2 at the bottom of this post
First and foremost, infocard requires SSL. So What Kim may have done on the serverside is force SSL usage on his admin pages. This "probably" is accomplished by seting up Rewrite Rules on the "insecure" host. In the .htaccess or virtual host stanza in httpd.conf, Kim may have the rewrite rule to automatically go to the secure host when you browse to It's pretty evident because it does just that. RewriteRule \^wp-admin/(.\*)$1 [C] If Kim is using permalink rewrite rules, this line would probably appear before RewriteRule \^.\*$ - [S=40] I also noticed that Kim does not restrict access to the "public" over SSL. But if he chooses, he could restrict access to the secure site only to administrators, and force the public site to be served over non SSL. Well, his httpd.conf file may look something like the following:
It is probably a good idea to utilize SSL for user logins and registrations apart from administration. I hope Kim consider's the following substitute RewriteRules. He currently does not do that. Insecure RewriteRule \^wp-(admin|login|register)(.\*)$1$2 [C] Secure RewriteRule !\^/wp-(admin|login|register)(.\*) - [C] Now as far as the php code goes: Here's what I believe has been done.
  • He's enabled External Auth. (ie: not MYSQL, but infocard auth)
  • Modified the following Files:
    1. infocard/\* : Contains all the infocard functionality
    2. wp-login.php : Contains the infocard authentication code and modified cookie content
    3. wp-admin/auth.php : This is modified to take account of the infocard cookie marker
    4. wp-config.php : Contains some infocard definitions
  • wp-includes/functions.php:wp_login() : modified to do infocard authentication and check for the infocard marker in the cookie
  • wp-includes/functions.php:wp_setcookie() : modified to set the infocard marker instead of the password in the cookie
NOTE: The directory /infocard is not really called infocard. I have no idea what the directory name is. I assume that it's infocard. I cannot crosscheck it because He probably has a .htaccess file there that does not allow directory listing. So for all you know the directory may be called "unknowndirectory". The file wp-config.php probably contains an "infocard" switch define(’INFOCARD_ENABLED’, true);. Setting INFOCARD_ENABLED to TRUE turns on "infocard" authentication. Setting it to FALSE turns it off and normal WordPress authentication takes over. NOTE : I'm trying this on my own test box and not directly on And since I have my own private network, and am doing this on my own boxes (offline). I edited the file contents to "identityblog" to relate to what kim's doing on his site. Thats all for now. I gotto run, My daughter (my everything) just had a fall and is bleeding... I'll follow up on this later... I shall post PHP code itself shortly. Please note: I am not stealing Kim's code; nor have I obtained it from him in any form so far. I am doing something similar to what Kim "may" have done. and am posting that code here. Since the code's distributed across several files and directories I shall post a link to a tar file download and installation instructions. If you would like to "infocard" enable YOUR "wordpress" installation you could just follow the instructions in the tar file and use it. Also Note that This is not generic php. It's specific to wordpress. The reason i'm doing this, is because the market coverage for this php code is so so much that it suprises me that folks do not realize that php aint magic. The code release I would like to really see is the "browser" bit. releasing php code for wordpress does not make infocard opensource. UPDATE: I'd be very curious to find out how closely my code would resemble Kim's actual code. Kim: If youre reading this could you give me an indication if i'm going down the wrong path ? UPDATE 2: I tested this approach over and over... The php code DOES HAVE "some" magic in it. It needs to understand the MetaData and obtain the xml token that the "Identity Selector" sends across... more investigations underway... Will keep you posted..SORRY Kim, Sorry for saying there's no magic ;-)

Kim Said that I was wrong...

Kim said that I was wrong on the cookie phenomena when "infocard" authentication was used... well, I'm not too sure about that.. Here's my exercise details to crosscheck if I really was wrong. I cleared by browser cache, cookies..... everything to start with a clean slate... The following screenshot shows the existing cookie list from my browser.. (note: no cookies)
Then I logged into identityblog using my "infocard" ID, And tried to post a comment. The screenshot below shows that the comment form was not filled out with my info.... However after the comment posted, it showed that the comment was posted by me... using the info that my "infocard" had...
The following screenshot shows the cookie list in my browser AFTER infocard auth. Notice that the cookie name is wordpressuser_MYSESSIONID & wordpresspass_MYSESSIONID
Then I logged out and the cookies disappeared... Neat stuff. Kim was right, the cookies get established when one logs in and then destroyed when one logs out.... or closes the browser, which is a nice thing because it was session based... usually the cookies exist for a period of time till the session timeout value exceeds the set limit. But in this case the session was immediately destroyed regardless of whetherI logged out or closed my browser... nice... really nice... IMPRESSIVE.... Then I posted a comment without authentication, and by filling out info in the comment form. The following screenshot shows what I did.
Actually I made a small error at this point.. I had posted a comment without logging out. I simply forgot to hit the "logout" button in the process of ALT-TABBing between this blog post and his blog. So I Hit the logout button and THEN posted the following comment:
As soon as I did that, I noticed that Kim's blog server set 3 cookies as the following screenshot depicts: (note the cookie names, they start with comment_author_MYSESSIONID, comment_author_email_MYSESSIONID, comment_author_url_MYSESSIONID.
Now I login with infocard again... and post a comment as the following screenshot shows:
I checked my cookie list and saw that in addition to the cookies priorly set without infocard auth, there were 2 more cookies... The following screenchot shows that....
...In short, Once a user uses the forms to post comments, the regardless of the "infocard" auth, the cookies persist in the browser.... However the form gets posted by the "authenticated user" regardless of the info one fills in the comment form.... But after the user logs out, he still can post comments without authentication and the persistent cookies take precedence.... INFERENCE: Kim's wrong 50%, I am wrong 50%. We are both 50% wrong.... ROTFL... AH! with these screenshots, I do not think I need to explain more, You dear readers of my blog/s, can be better judges of what works and what does not ;-) Cheers for now. That was a fun exercise... update/note : Please refrain from sending me emails that the cookie list screenshots were not from using ie7, but were from Firefox. Do not ask me how I did it (not right now), I shall announce how to use Firefox to authenticate using infocards in due time... when the time is right...

for everything on Identity, JCAPS, SOA, WebServices, Security, Single Signon, Federation, Provisioning, Virtualization, Optimization, Debugging, Workflows, Compliance, MySQL and more... WAY MORE....

[this is a group blog]


« July 2016