March 25, 2007

Windows CardSpace

Introducing Windows CardSpace: Windows CardSpace (formerly "InfoCard") is a Microsoft .NET Framework version 3.0 (formerly WinFX) component that provides the consistent user experience required by the identity metasystem. It is specifically hardened against tampering and spoofing to protect the end user's digital identities and maintain end-user control.

Digital Identity: Like identities in the real world, digital identities come in all shapes and sizes. Perhaps you have an e-mail account with Gmail, for example, identified by an e-mail address. You might also have digital identities with various commercial organizations, such as Amazon or eBay, along with identities for sites such as Orkut.com. Each of these is typically identified by a username that you defined. At work, you might have a digital identity assigned to you by your employer, identified by your network login. This identity is probably maintained by some directory service, such as Active Directory, and today it's typically useful only within the boundaries of your company network.

Just as in the real world, there are good reasons to use different digital identities in different contexts. It's common, for instance, to associate different information with each identity. An identity that you use with Amazon might allow access to your credit card number, while one used with Orkut.com does not. The rules for getting each identity are also different. Getting a digital identity at Amazon is easy: just make up a username and password. Getting a digital identity at your employer is probably somewhat more difficult, since, at a minimum, it requires the approval of the administrators who run your company's network.

Windows CardSpace, formerly codenamed “InfoCard”, is a piece of client software that enables users to provide their digital identity to online services in a simple, secure and trusted way. It is what is known as an identity selector: when a user or subject needs to authenticate to a website or a web service, CardSpace pops up a special security-hardened UI with a set of “cards” for the user to choose from. Each card has some identity data associated with it – though this is not actually stored in the card – and has been given to the user by an identity provider such as their bank, employer or government. In fact, the user can also act as an identity provider – this is essentially what we do every time we register at a website. The CardSpace UI enables users to create Personal cards and associate a limited set of identity data with them. When the user chooses a card, a request in the form of a web service call goes to the relevant identity provider, and a signed and encrypted security token is returned containing the required information (e.g. credit limit, employer’s name and address, or perhaps a social security number). The user then decides whether to release this information to the requesting online service. If the user approves, the token is sent on to this relying party, which processes the token and authenticates the user.
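The exchange described above, as an added simulation that is not code from the original post or from CardSpace itself: a card points at its issuer and the claims it can supply, the identity provider issues a token carrying only the claims the relying party asked for, the user approves release, and the relying party verifies the token before trusting it. All names and records are constructed; an HMAC secret shared by provider and relying party stands in for the X.509 signature of the real protocol, and the encryption step is omitted.

```python
import base64, hashlib, hmac, json, time

# Constructed data. The real protocol uses X.509 signatures and WS-Trust tokens; an HMAC
# secret shared by identity provider and relying party stands in for the signature here.
IDP_SECRETS = {"bank.example": b"constructed-bank-signing-secret"}
IDP_RECORDS = {"bank.example": {"alice": {"name": "Alice Example",
                                          "credit_limit": "5000",
                                          "ssn": "000-00-0000"}}}
# A card names its issuer and lists the claims it can supply; it holds no identity data.
CARDS = {"BankCard": {"issuer": "bank.example", "claims": {"name", "credit_limit"}}}

def issue_token(issuer, subject, requested, audience, now):
    """Identity provider: sign a token carrying only the requested claims."""
    record = IDP_RECORDS[issuer][subject]
    body = {"iss": issuer, "sub": subject, "aud": audience, "exp": now + 300,
            "claims": {k: record[k] for k in sorted(requested)}}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(IDP_SECRETS[issuer], payload, hashlib.sha256).hexdigest()
    return {"payload": base64.b64encode(payload).decode(), "sig": sig}

def verify_token(token, expected_aud, now):
    """Relying party: accept only an untampered, unexpired token issued for us."""
    payload = base64.b64decode(token["payload"])
    body = json.loads(payload)
    secret = IDP_SECRETS.get(body.get("iss"))      # unknown issuer: reject
    if secret is None:
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None                                 # signature does not match
    if body["aud"] != expected_aud or body["exp"] <= now:
        return None                                 # wrong relying party or expired
    return body["claims"]

def authenticate(card_name, subject, policy, approve, now=None):
    """Identity selector: pick a card, fetch a token, let the user release it."""
    now = int(time.time()) if now is None else now
    card = CARDS[card_name]
    if not set(policy["required_claims"]) <= card["claims"]:
        return None                       # card cannot satisfy the relying party
    token = issue_token(card["issuer"], subject, policy["required_claims"],
                        policy["relying_party"], now)
    claims = json.loads(base64.b64decode(token["payload"]))["claims"]
    if not approve(claims):               # user declines to release the data
        return None
    return verify_token(token, policy["relying_party"], now)  # relying-party side
```

Note that the token carries only the claims the relying party's policy requested: the bank's record also holds an SSN, but it never leaves the identity provider.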

CardSpace is an implementation of an identity selector on Microsoft Windows. Other operating systems will see their own identity selector implementations. The architecture upon which CardSpace has been built – consisting of subjects, identity providers and relying parties – is called “The Identity Metasystem”. This isn’t just a Microsoft initiative, but rather it is the shared vision of many across the industry as to how we can solve some of the fundamental identity challenges on the Internet today. The initial vision for the Identity Metasystem was developed by Microsoft’s Identity Architect, Kim Cameron, and has been broadly adopted and championed by thought-leaders such as Doc Searls and Lawrence Lessig.
