Infocard

I have recently been reading the discussions between Kim Cameron and Dick Hardt, not to mention the outside commentary as well, concerning the use of client sided security and where it fits in. I found this very interesting due to the fact that when I initially began playing with InfoCards, this was one of the features that drew me in. I am neither an identity nor security expert, nor have I had much time to play around with OpenID (that will be changing soon), so I am going to assume my final understanding of what I read is correct and that OpenID currently needs an additional third-party plug-in to perform the same client sided security as InfoCards. If I am incorrect in this assumption, someone please correct me.

If this really is the identity revolution, power to the people and all that jazz, then it really needs to be done correctly from the start. Personally, how it all works or what protocols are used is of much lesser concern to me than what will happen when the technology gets in the hands of my Dad. You can all stop wondering WTF I am talking about as I'll elaborate on that.

Yesterday I upgraded my firefox identity selector plugin to find an interesting new addition. Of course I'm not talking about the managed card support added last month, or that the missing plugin dialog no longer appears, or even the fact that this plugin runs on both my Windows and Fedora 5 x86_64 machines. No..... instead, what caught my attention was the callout to the form button that kicks off the selector (Go figure).

Anyone who has looked at my registration or login page might have noticed that I really suck at graphics and all that I have is a tiny button labeled enter. Not very informative on its purpose, eh? After installing the latest version of the plugin (0.8.5 at the time - a lot of activity happening so this might already be outdated), I was pleasantly surprised to find my page looked a little different.

If you look at the screenshot to the left, you should notice the "What's this?" callout in green. The plugin automatically added this to callout my infocard enabled form. Currently clicking on the image is still a work in progress. It pops up a box where additional information about infocards will be provided and allows the callout to be turned off. Right now it can only be disabled for the current session. Once firefox is restarted, it will appear again. In any case I think its a great feature. There is no current standard image for indicating the login, so if you are graphically challenged like me then it at least provides people with an indication of what your button is for.

The one feature I am really waiting for is the ability to backup and restore infocards using the plugin. Chuck Mortimer recently added the code and utility for working with a Windows Cardspace backup file. Hopefully this feature will be added to the plugin so that I will be able to share my cards between Windows Cardspace (the selector when using IE 7) and firefox (on all my platforms). Currently when using Windows I prefer to use Windows Cardspace just for the fact that it is feature rich, but don't have that option when using Fedora. With the rate features are being added to the firefox plugin though, it shouldn't be too long before it's going head-to-head with Cardspace (at least feature wise).

The slides for my tutorial and talk can be found at:
Advanced XML and Web Services (with accompanying code)
XML Security

For the XML Security session, what people are probably most interested is the code used to implement WS-Security and possibly Infocards using PHP.

Security Library - Base XML Security library implementing XMLENC and XMLDSig functionality.
WS-Security library - WS-Security library for use with SOAP. Currently only implements client functionality and is missing the ability to encrypt SOAP data.
Example Usage of WS-Security - An example of interacting with the Amazon Elastic Compute Cloud (Amazon EC2) SOAP Service. Easily re-factored for use with other services requiring WS-Security.
Infocard Library - Base library for processing infocards.
Infocard demonstration - Demonstration of processing a submitted Infocard. The result is a SAML token along with a function to view submitted assertions. The form has NOT been updated to work with the recent namespace change, so modify the requiredClaims for use with IE7 RC1, Vista RC1 or .NET 3.0 RC1.

With the releases of RC1s for IE, .NET 3.0 and Vista, there has been a slight change in CardSpace. The http://schemas.microsoft.com/ws/2005/05/identity namespace has been discontinued in favor of http://schemas.xmlsoap.org/ws/2005/05/identity. In accordance with this change, as of today, the Infocard usage within my site has been updated to use the new namespace. Anyone running an older implementation will most likely be greeted with a message stating that the site requires a managed card.

This message is not really true and just means anyone using older CardSpace cannot access the site until they upgrade. I use the namespace when calling CardSpace only to identity the claims I require when submitting a card. The good news is that this change was only comsetic, requiring the small change on the registration and login forms. No backend code changes were required to support this namespace change.

Warning: I upgraded both my .Net 3.0 framework and IE 7 one after another and never backed up my previously created cards. Once my system was up and running and I launched the Windows CardSpace, I was greeted by a nice message telling me that either my cards were corrupted or somehow were removed from the system. I did not have a backup of them (good thing I have only been playing around with them so far) and was required to re-create my cards and re-establish relationships with sites using my cards again.

Lesson learned: Backup your cards prior to upgrading if you dont want to lose them!