Thursday Jan 17, 2008

infocard: An Expensive Affair

This "night graveyard-shift" infocard project of mine is working out to be an expensive affair for me, in $$ terms. I travel around so much (every Mon-Fri) that in order to work on it at nights, I needed to have WinXP with SP2 and IE7 on it. There's no way I would risk putting my endeared Ferrari through the BSoD (Blue Screen of Death) trauma. Well, there was no way for me to carry all my desktops around when I travel. So VMware came to the rescue. My VMware Workstation cost US$199, and then another WinXP Pro license was another US$299. And another CD$100 for bribing my wife with a L'Occitane gift pack to entice her to let me spend this money. Whew!! I hope this expense pays off in terms of learning. I believe that there can be no cost factor associated with learning. And I hope & pray that this pays off in the long run. Now I have an "infocard"-ready system in addition to a development environment and a webserver with me all the time. Hopefully in the coming weeks (with my new set of ammunition), I should be able to blog more on my discoveries... So stay tuned...

Microsoft Infocard & my realtime discoveries

Yes (to all those who were wondering who is working on porting infocard to Solaris/Linux): I currently am working on integrating infocard with Access Manager, and my next move would be to port infocard to Solaris/Linux. The process of porting infocard over is not a one-week task. It may take me longer as I'm overloaded with work and hardly have time to spare for this development. But with me assigning an hour or two every day, I hopefully would complete this shortly. In the meantime I shall also blog my experiences in the process, and here's my first run at it.

Infocard in its current form can be used on Windows XP desktops which have SP2 installed, Windows 2003 Server with SP1 installed and Windows Vista (February CTP). It requires the WinFX Runtime Components (for x86 or for x64). I currently am playing around with infocard on Windows XP with SP2 and Windows 2003 Server with SP1. As soon as the WinFX CTP is installed on the system, the infocard components also get installed. You would also notice that your Control Panel now has a "Digital Identities" component installed. This is the core component from which you can create, edit, import or delete your infocards.
You can create as many "Identities" as you choose, but what bugs me is that I can create "any" identity of my choosing. The screenshot below shows how I created identities with myself, Kim, Pat and Bill Gates as the "identities" "I" wish to be recognized as.
Microsoft Infocard
Here's the issue that bugs me. This issue has been bugging me for a while, since the time "user-controlled" identities became the talk of the town, oops, the web. The term "identity management" I believed was a step forward in preventing "identity theft" (someone, please correct me if I'm wrong here). With the volume of identity thieves who exist on the web today, the ability to create "identities" just facilitates the process. I agree that the "identity" may be of no good if nobody accepts the identity. However, Microsoft would succeed in enabling organizations to adopt infocard, and its usage participation would rise. For organizations (participants) who have their heads on their shoulders, the organizations ("issuers") would issue users their "infocards"/"identities" which could be used to access a service. Users could import the "issued" infocard onto their desktops using "Install a provider card" as in the screenshot below.
Infocard Provider
Here's my biased opinion. If the only infocards that MATTER are the ones that are issued by a provider, what makes it different from "Liberty"? Liberty is built on the "identity-given" framework/concept. The ability to let a user create his own "infocard" may sound appealing, but how does it help? Well, for a novice user, it may sound cool, because he/she can create several "infocards" of themselves and choose which one to provide to a "requestor" based on the information he/she would want to provide to a particular web service/application. But for the miscreants, it's a toolkit to spoof identities. Another issue is that the "infocards" are stored on a user's desktop (porting them from one system to another "may" be a pain to a novice user). Now, this makes it even worse: anybody who has access to the user's machine has the ability to delete the infocards that one may have created. What IF my son deletes my infocards intentionally or accidentally? What if my infocard gets stolen? If the infocards are not protected, they could be exported from one machine to the other with ease. The only way to secure it is by password protecting it. (So where does "no passwords required" come into the picture in this?) One can come up (make up) with numerous issues with this model. But what's important is the fact that the "only" infocards that matter would be the ones that are issued by a service provider/identity provider. Well, we have another issue now: IF each IDP/SP would start issuing infocards to their users, the user ends up having tens of hundreds of infocards to manage. How different is that from tens of hundreds of username/password combinations? As an infocard user, am I supposed to store all my infocards on a USB drive and carry it along with me just to enable me to use a service from any desktop? (The desktop additionally should be infocard enabled!!) AH!! I'm tired right now. I shall follow up on this again soon, as my thoughts keep formulating and changing.
PS: I personally like JavaCards. Please read Hubert's post on Liberty à la InfoCard. And think... "JavaCards and Liberty". You be the judge. So you decide for yourselves. UPDATE: This does not mean that I am not working on porting infocard to *nix and integrating it with AM. I am working on that too. I shall keep you posted on developments at my end periodically. UPDATE 2: I am NOT against infocard. I'm just thinking out loud as I keep discovering new stuff. And thought processes change periodically. The only thing that has been constant in my discoveries so far has been "change".

Kim's Infocard Demo

As a taste of upcoming MIX06 sessions, Kim Cameron presents a thumbnail sketch of how InfoCards bring an architecture for identity to the Internet, a demo of how it works and a peek at how you integrate it into a Web page.
  1. 20060209InfoCardKC.EXE
  2. 20060209InfoCardKCDemo.EXE
source : MSDN TV
See Kim's full session on this topic at the MIX06 conference. UPDATE 1: Also read Johannes Ernst's blog post "There are lots of things that are right about Microsoft InfoCard". After seeing the infocard demo, I feel that infocard really is a nice thing. I do not want to comment on the "open source or closed source" part as there are several of us in this field who are debating that topic. So I leave that up to those who better understand it and fight for it in the open source community. Here's my take. Sun has the Sun Java System Access Manager. This product really has extremely good visibility and usage in the real world, especially in the corporate sector. Individuals who care about secure identity and those who (by choice or otherwise) use a Microsoft Windows desktop as the client would end up using infocard for authentication in the future, as Microsoft plans to use infocard for building what they call a fundamentally secure platform. Now having said that, I don't see the entire world not using Windows as the desktop client. Yep; true; Macs, Linux, and Solaris have a long way to go to becoming the de facto standard desktop for end users. So, all said and done, I thought of a small project that I would embark on in my free time. I would try to develop an InfoCard Authentication Plugin (using the Microsoft Federated Identity and Access Resource Kit and JAAS) for the Sun Java System Access Manager. Well, this may not be a good idea, but I guess it would be well worth my free time. As soon as I finish the module (hopefully soon, especially with Kim's & Kapil's help), I shall distribute the entire codebase and the procedure for enabling you to deploy the infocard authentication plugin on Access Manager. (This may make for a good demo given that most users happen to have a Windows desktop.) One main reason for me to embark on this is that I see a strong similarity between this effort and nFactor Authentication (which I had blogged about a long time ago).
After all, Sun and Microsoft have joined hands for the interoperability of Liberty and WS-Federation, the results of which have led to the Web Single Sign-On Interoperability Profile & the Web Single Sign-On Metadata Exchange Protocol (which have just been released). UPDATE 2: Also read "Microsoft Employees Get Carded" (an old post) by Karen Epper Hoffman.

Replace Microsoft Exchange as well as Microsoft Windows Server

This PR Newswire report published earlier this PM, announcing the Samba OXtender which enables the replacement of Microsoft Exchange as well as Microsoft Windows Server, was the nicest article I read today. It was really worth a mention here, and so... here goes...
New Open-Xchange 'OXtender' Enables Replacement of Windows Server: giving customers the option to fully replace Microsoft Exchange as well as Microsoft Windows Server.
  1. New Open-Xchange 'OXtender' Enables Replacement of Windows Server
    Yahoo! News (press release)
  2. Open-Xchange offers Microsoft Exchange/Windows Server alternative
    ComputerWeekly.com
  3. New Open-Xchange "OXtender" Enables Replacement of Windows Server
    Linux PR (press release)

Saturday Nov 04, 2006

Browser Infocard Support Code

I just wanted to share with you the requirements for "browsers" to have the ability to invoke the Infocard Identity Selector (WinFX CTP component). For now, I know what the "browsers" should do. Whether they will do it... is another story altogether...
  1. The browser's InfoCard support code invokes the InfoCard identity selector, passing it the parameter values supplied by the InfoCard HTML tag on the site's page.
  2. The user then uses the identity selector to choose an InfoCard, which represents a digital identity that can be used to authenticate at that site.
  3. The identity selector uses the Identity Metasystem protocols to retrieve a security token representing the digital identity selected by the user from the STS at the identity provider for that identity.
  4. The browser then posts the token obtained back to the web site using an HTTP(S) POST.
  5. The web site validates the token, completing the user's InfoCard-based authentication to the web site.
  6. Following authentication, the web site would typically then write a client-side browser cookie and redirect the browser back to the protected page.
AH!! authentication, see... Infocard addresses "authentication" and NOT "authorization". I believe that my assumption is true. Could someone correct me if I'm wrong?

Integrating with infocard

Reference Links :
  1. A guide to Integrating with Infocard V 1.0
  2. Infocard Godfathers :
  3. Design Rationale behind the Identity Metasystem infrastructure
  4. Microsoft's vision of an Identity Metasystem
  5. The Laws of Identity (Microsoft's version)
  6. A technical reference for infocards 1.0
  7. WinFX Developer Center

Infocard without WinFX CTP

I have just completed a basic infocard plugin for Firefox. Currently, with my plugin, you can create infocards and save them. Yeah... a hell of a lot of work has gone into it already... Please remember, I have a day job too and this is my effort on a "time-restrained" basis... Some folks mentioned to me just yesterday that I am burning myself out with "infocard". I want to put on record that this effort of mine is outside the boundaries of my day job. Well, if you think that I'm lagging in my "official work", you're DEAD wrong. My utilization is in excess of 100% and hey!! I'm a revenue engine for my employer. (I just hope that they are aware of it and appreciate it) ~just kidding... There are folks who go clubbing, skiing, surfing, sailing, etc... for recreation. Well, I code for recreation... So... all's good... I hope... Well, the next step is to enable the HTML OBJECT tag (enable the browser to recognize the application type "infocard") to invoke my "plugin", to let the user select an infocard (identity) and pass the security token representing the digital identity from the Security Token Service (STS) on to the requesting site using an HTTP(S) POST operation. I am not sure how the website would validate the token, but I guess I shall find out shortly... Screenshots of my Firefox plugin are shown below:
Firefox Extension Installer/Update:
Firefox Infocard Options:
Firefox Infocard Editor:
PS: The plugin is in "alpha" right now. I shall keep you posted on developments from my end. UPDATE: I should have said PRE-alpha rather than alpha. The plugin is far from complete. Please remember I just started working on this and it will take me time to complete it (especially when I'm doing this after hours). I shall post updates periodically as functional modules get added... And as soon as I have a "working" instance, I shall make it available for download both from here and also from the Mozilla downloads directory.

Kim Said that I was wrong...

Kim said that I was wrong on the cookie phenomenon when "infocard" authentication was used... well, I'm not too sure about that... Here are my exercise details to crosscheck if I really was wrong. I cleared my browser cache, cookies... everything, to start with a clean slate... The following screenshot shows the existing cookie list from my browser (note: no identityblog.com cookies).
Then I logged into identityblog using my "infocard" ID and tried to post a comment. The screenshot below shows that the comment form was not filled out with my info... However, after the comment posted, it showed that the comment was posted by me, using the info that my "infocard" had...
The following screenshot shows the cookie list in my browser AFTER infocard auth. Notice that the cookie name is wordpressuser_MYSESSIONID & wordpresspass_MYSESSIONID
Then I logged out and the cookies disappeared... Neat stuff. Kim was right, the cookies get established when one logs in and then destroyed when one logs out... or closes the browser, which is a nice thing because it was session based... usually the cookies exist for a period of time till the session timeout value exceeds the set limit. But in this case the session was immediately destroyed regardless of whether I logged out or closed my browser... nice... really nice... IMPRESSIVE... Then I posted a comment without authentication, by filling out info in the comment form. The following screenshot shows what I did.
Actually I made a small error at this point... I had posted a comment without logging out. I simply forgot to hit the "logout" button in the process of ALT-TABbing between this blog post and his blog. So I hit the logout button and THEN posted the following comment:
As soon as I did that, I noticed that Kim's blog server set 3 cookies as the following screenshot depicts (note the cookie names; they start with comment_author_MYSESSIONID, comment_author_email_MYSESSIONID, comment_author_url_MYSESSIONID).
Now I log in with infocard again... and post a comment as the following screenshot shows:
I checked my cookie list and saw that in addition to the cookies previously set without infocard auth, there were 2 more cookies... The following screenshot shows that...
...In short, once a user uses the forms to post comments, regardless of the "infocard" auth, the cookies persist in the browser... However, the form gets posted by the "authenticated user" regardless of the info one fills in the comment form... But after the user logs out, he still can post comments without authentication and the persistent cookies take precedence... INFERENCE: Kim's wrong 50%, I am wrong 50%. We are both 50% wrong... ROTFL... AH! With these screenshots, I do not think I need to explain more. You, dear readers of my blog/s, can be better judges of what works and what does not ;-) Cheers for now. That was a fun exercise... update/note: Please refrain from sending me emails that the cookie list screenshots were not from using IE7, but were from Firefox. Do not ask me how I did it (not right now); I shall announce how to use Firefox to authenticate using infocards in due time... when the time is right...

claims with infocards

Self-issued information cards support only a select number of claims. Each of these claims is associated with a URI that one could use to look up the claim inside the token. The claims that are supported are:
  1. Given Name = "http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname";
  2. Email Address = "http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress";
  3. Surname = "http://schemas.microsoft.com/ws/2005/05/identity/claims/surname";
  4. Street Address = "http://schemas.microsoft.com/ws/2005/05/identity/claims/streetaddress";
  5. Locality = "http://schemas.microsoft.com/ws/2005/05/identity/claims/locality";
  6. State/Province = "http://schemas.microsoft.com/ws/2005/05/identity/claims/stateorprovince";
  7. Postal Code = "http://schemas.microsoft.com/ws/2005/05/identity/claims/postalcode";
  8. Country = "http://schemas.microsoft.com/ws/2005/05/identity/claims/country";
  9. Home Phone = "http://schemas.microsoft.com/ws/2005/05/identity/claims/homephone";
  10. Other Phone = "http://schemas.microsoft.com/ws/2005/05/identity/claims/otherphone";
  11. Mobile Phone = "http://schemas.microsoft.com/ws/2005/05/identity/claims/mobilephone";
  12. Date of Birth = "http://schemas.microsoft.com/ws/2005/05/identity/claims/dateofbirth";
  13. Gender = "http://schemas.microsoft.com/ws/2005/05/identity/claims/gender";
  14. PPID = "http://schemas.microsoft.com/ws/2005/05/identity/claims/privatepersonalidentifier";
One could use the URIs with the TokenHelper class to extract the values for the claims.
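Two points on this page are easier to see in code than in prose: the browser flow described under "Browser Infocard Support Code" (the OBJECT tag the support code reads in step 1, the token the browser POSTs in step 4, and what "the web site validates the token" in step 5 has to mean), and the claim-URI lookup described just above. The Python below is an added example serving both; it is not code from this blog, from Microsoft's TokenHelper, or from the Firefox plugin. It assumes a hypothetical relying party at https://rp.example.test/, a constructed SAML 1.1 assertion in the shape a self-issued card produces (with the XML signature element left out), and that the OBJECT tag and param names of the later Information Card profile also apply to the CTP build discussed here. Signature verification is passed in as the result of a check the caller must do with an XML-DSig library rather than implemented; what the example shows is that audience, validity window and claim extraction only happen after it.

```python
"""Relying-party side of the InfoCard flow (added example, not from the post)."""
import html
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Claim namespace exactly as listed in the post (the WinFX CTP form).
CLAIMS_NS = "http://schemas.microsoft.com/ws/2005/05/identity/claims"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
RP_AUDIENCE = "https://rp.example.test/"   # hypothetical relying party


def infocard_object_tag(required_claims, token_type=SAML1_NS, issuer=None):
    """Step 1: the OBJECT tag the browser support code hands to the identity
    selector.  Tag/param names follow the later Information Card profile;
    that they match the CTP build is an assumption."""
    params = [("tokenType", token_type), ("requiredClaims", " ".join(required_claims))]
    if issuer:
        params.append(("issuer", issuer))
    body = "\n".join(f'  <param name="{n}" value="{html.escape(v)}" />' for n, v in params)
    return f'<object type="application/x-informationcard" name="xmlToken">\n{body}\n</object>'


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_token(xml_token, audience, now, signature_verified):
    """Step 5: checks a relying party must run before trusting any claim.
    `signature_verified` is the outcome of an XML-DSig check the caller has
    performed over the assertion (kept external so this stays dependency-free);
    an unverified token is rejected before anything else is inspected."""
    if not signature_verified:
        return False, "signature not verified"
    root = ET.fromstring(xml_token)
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        return False, "not a SAML 1.x assertion"
    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing validity window"
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        return False, "token outside validity window"
    audiences = [a.text for a in cond.iter(f"{{{SAML1_NS}}}Audience")]
    if audience not in audiences:       # a token minted for another site is useless here
        return False, "audience mismatch"
    return True, "ok"


def extract_claims(xml_token):
    """Map each full claim URI (AttributeNamespace + '/' + AttributeName, i.e.
    the URIs listed in the post) to its value from the AttributeStatement."""
    root = ET.fromstring(xml_token)
    claims = {}
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        uri = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        values = [v.text or "" for v in attr.findall(f"{{{SAML1_NS}}}AttributeValue")]
        claims[uri] = values[0] if len(values) == 1 else values
    return claims


# Constructed sample of the xmlToken field as the browser would POST it for a
# self-issued card.  Subject and ds:Signature elements omitted for brevity.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="uuid-constructed-0001" IssueInstant="2006-11-04T10:00:00Z"
    Issuer="http://schemas.microsoft.com/ws/2005/05/identity/issuer/self">
  <saml:Conditions NotBefore="2006-11-04T10:00:00Z" NotOnOrAfter="2006-11-04T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{RP_AUDIENCE}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Pat</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>pat@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Q09OU1RSVUNURUQtUFBJRA==</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_NOW = datetime(2006, 11, 4, 10, 2, tzinfo=timezone.utc)      # inside the window
SAMPLE_EXPIRED = datetime(2006, 11, 4, 10, 5, tzinfo=timezone.utc)  # NotOnOrAfter boundary


def relying_party_login(xml_token, now=SAMPLE_NOW, signature_verified=True):
    """Steps 4-5 end to end: claims are released only if validation passed."""
    ok, reason = validate_token(xml_token, RP_AUDIENCE, now, signature_verified)
    return {"authenticated": ok, "reason": reason,
            "claims": extract_claims(xml_token) if ok else {}}


if __name__ == "__main__":
    print(infocard_object_tag([CLAIMS_NS + "/givenname", CLAIMS_NS + "/privatepersonalidentifier"]))
    print(relying_party_login(SAMPLE_TOKEN))
```

Run it directly to print the tag and the validation result. The audience check is what answers the post's "what if my infocard gets stolen" worry only partially: it stops a token minted for one site being replayed at another, but it does nothing about the free-form name claims, which the author showed can be anything the user types. A relying party that wants a stable account key from a self-issued card should use the privatepersonalidentifier claim, which is designed to be specific to the relying party, rather than givenname or emailaddress.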
..... more later.....

About

for everything on Identity, JCAPS, SOA, WebServices, Security, Single Signon, Federation, Provisioning, Virtualization, Optimization, Debugging, Workflows, Compliance, MySQL and more... WAY MORE....

[this is a group blog]
