1. Windows CardSpace and the Identity Metasystem Glen Gordon Developer Evangelist, Microsoft http://blogs.msdn.com/glengordon

2. Identity Crisis The Internet is dangerous! Identity theft, spoofing, phishing, phraud Username + password is weak and overwhelmed Enterprises are in identity silo hell www.antiphishing.org 22% Cut back 25% Stopped

4. Goals Safe and secure Internet for all Safely, reliably identify sites to users… …and users to sites Connected Systems Internal and external

5. What’s Needed? Usable by everyone, everywhere Put users in control of their identity Remove walls between systems Simple, consistent, secure identity

6. Passport? Identity provider for MSN/Windows Live 300M+ users, > 1 billion logons/day Identity provider for the Internet Failure Why?

7. Identity Metasystem Unifying identity meta-layer Protect applications from underlying complexities Decouple digital identity from implementation details Not first time we’ve seen this in computing

8. The Laws of Identity User control and consent Minimal disclosure for a constrained use Justifiable parties Directed identity Pluralism of operators and technologies Human integration Consistent experience across contexts

9. What is a Digital Identity? Subject Claims Security Token

10. Abstracting Identity Identity: set of claims in a security token Roles: Subject Identity Provider Relying Party Protocol: 1) User is asked for identity 2) User chooses an identity provider 3) Identity provider gives user a security token 4) User passes the token to the requestor

11. Protocol Drill Down Identity Provider (IP) Relying Party (RP) Client Client wants to access a resource RP provides identity requirements 1 2 User 3 Which IPs can satisfy requirements? User selects an IP 4 5 Request security token 6 Return security token based on RP’s requirements 7 User approves release of token 8 Token released to RP

12. Key Characteristics NegotiationDriven Encapsulation UserExperience ClaimsTransformation

13. How? Web Services! Encapsulation? SOAP + WS-Security Negotiation? WS-SecurityPolicy + WS-MetadataExchange Claims Transformation? Security Token Web Service and WS-Trust User Experience? Identity Selector www.microsoft.com/interop/osp

14. WS-Trust, WS-MetadataExchange WS-* Metasystem ArchitectureKerberosSAMLCustom X.509Subject Relying Party Identity Provider Relying Party Identity Provider Security Token Service WS-SecurityPolicy Security Token Service WS-SecurityPolicy Identity Selector

15. Easily and safely manage your digital identities Authenticate with websites and web services Safer Built on WS-* Web Service Protocols Windows CardSpace No usernames and passwords Consistent login and registration Avoid phishes Multi-factor authentication Easier

16. Windows CardSpace™ Easier Provides consistent user experience Replaces usernames and passwords with strong tokens Safer Protects users from phishing & phraud attacks Support for two-factor authentication Tokens are crypto- graphically strong Standards, standards, standards!! Built on WS-* Web Services Protocols Can be supported by websites on any technology & platform

17. What is Windows CardSpace? Identity Selector for Windows Digital identities represented by cards When user selects a card Get security token from Identity Provider Give it to the Relying Party after user consent User is in control Security Token Service User Experience Service

18. CardSpace Environment Runs under separate desktop and restricted account Isolates CardSpace runtime from Windows desktop Deters hacking attempts by user-mode processes

19. Contains claims about my identity that I assert Not corroborated Stored locally Signed and encrypted to prevent replay attacks Provided by banks, stores, government, clubs, etc Locally stored cards contain metadata only! Data stored by Identity Provider and obtained only when card submitted CardSpace Cards SELF - ISSUEDMANAGED

21. Summary Users can control their digital identities Simple, consistent and secure Open and inclusive Many contexts Existing and future systems Windows CardSpace is an identity selector Very little developer effort is required

22. Conclusion “Now, with the debut of the Info­Card identity management system, Microsoft is leading a network- wide effort to address the issue. To those of us long skeptical of the technology giant's intentions, the plan seems too good to be true. Yet the solution is not only right, it could be the most important contribution to Internet security since cryptography.” Lawrence Lessig, Wired Magazine, March 2006.

23. Resources Windows CardSpace Community Site cardspace.netfx3.com Kim Cameron’s Identity Weblog www.identityblog.com.NET Framework 3.5 http://msdn2.microsoft.com/en- us/library/aa569263.aspx Internet Explorer 7.0 www.microsoft.com/windows/ie/ie7

24. © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Glen Gordon Developer Evangelist, Microsoft http://blogs.msdn.com/glengordon