Understanding Windows CardSpace : An Introduction to the Concepts and Challenges of Digital Identities

Explores the problem of identity management on the Internet and serves as a guide to designing and implementing CardSpace-based solutions.

Vittorio Bertocci is an Architect Evangelist in the service of Windows Server Evangelism for Microsoft. He is based in Redmond, Washington. He works with Fortune 100 and major G100 enterprises worldwide, helping them to stay ahead of the curve and take advantage of the latest unreleased technologies. In the past two years, he helped many customers all around the world to design and develop solutions based on technologies such as Identity and Access Management, Windows CardSpace, Windows Communication Foundation, and Windows Workflow Foundation. He frequently serves as a speaker at international conferences such as IDWorld, Gartner Summit, TechEd, and the like. His blog, located at  http://blogs.msdn.com/vbertocci, focuses on identity and distributed systems architecture; it is periodically translated into Chinese at www.china-ac.net.cn/zmjgsbkzxnew4.aspx.

 

Vittorio has more than 13 years of experience in the software industry. He worked in the fields of computational geometry, scientific visualization, usability, business data, and industrial applications and has published articles in international academic industry journals. Vittorio joined Microsoft Italy in 2001 in Consulting Services. Before falling hopelessly in love with identity, he worked with Web Services and Services Orientation from its very inception, becoming a reference and a trusted advisor for key industry players nationwide and at the European level. In October 2005, he answered the call of Microsoft headquarters and moved to Redmond, where he lives with his wife, Iwona. Vittorio holds a Master’s degree in Computer Science from the Universita’ di Genova, Italy.

 

Garrett Serack worked as an independent software development consultant in Calgary, Canada, for 15 years, with clients in fields such as government, telecom, petroleum, and railways. Joining Microsoft in the fall of 2005 as the Community Program Manager of the Federated Identity team, Garrett has worked with the companies and the Open Source community to build digital identity frameworks, tools, and standards that are shaping the future of Internet commerce and strengthening the fight against fraud. In the summer of 2007, he transitioned to be the Community Lead in the Open Source Software Labs at Microsoft.

 

Garrett lives in Bothell, Washington, with his fantastic wife, Brandie, and their two amazing daughters Tea and Indyanna. Catch up on CardSpace and begin to learn more about Microsoft Open Source efforts on his blog at http://fearthecowboy.com.

 

Caleb Baker has been at Microsoft for the past seven years and is part of the Federated Identity team. In addition to building CardSpace, the team is working on the other pieces needed to build the Identity Metasystem. Caleb has been on the CardSpace product team since 2004 (InfoCard at the time). Since the first release of CardSpace, he has continued to work on future CardSpace products as well as various Identity Metasystem interoperability projects.

 

Before working on CardSpace, Caleb gained experience in the identity and security space by working on Active Directory and the Active Directory Migration Tool (ADMT). Caleb is a Seattle-area native, having graduated from the University of Washington with a degree in Physics and Political Science and has also earned a Master’s degree in Computer Science.

Preface Preface In the past few years, identity has finally been receiving the attention it deservers. With rampaging phishing and widespread cybercrime as the forcing functions, the industry as a whole is reacting with a concerted effort to understand what the best practices are and is getting there fast. We had the privilege of being among the first people concretely working on one of the key efforts of the identity renaissance: Windows CardSpace. Windows CardSpace is an expression of the new user-centered approach to identity management. The new approach is poised to solve many different problems of diverse natures: There are technological considerations, such as offering better authentication mechanisms than passwords; usability considerations, such as guaranteeing that the user has a clear understanding of what is going on; and even social-science considerations about how we can effectively leverage trust relationships and make obvious to the common user the identity of the website being visited. That is the reason why explaining Windows CardSpace in just a few words is so challenging. Depending on your background and your role, you will be interested in a different angle of the story. We experienced this fact countless times in the past two years: with customers and partners, at conferences, with the press, with colleagues from other groups, and even with spouses, trying to explain what was that super important thing that kept us in the office until late. We believe that user-centered identity management has the potential to change for the better how everybody uses the Internet. We also believe that the best way of reaping its benefits is to develop a deep understanding of the approach, complemented by hands-on knowledge of supporting technologies such as Windows CardSpace. The book you are holding in your hands has the goal of helping you to gain such insights. We live in exciting times. The entire industry is moving toward a common solution, with a true spirit of collaboration and strong will to do the right thing. The discussion is open to anybody who wants to participate. We hope that you will join us! Book Structure, Content, and Audiences Windows CardSpace is part of a comprehensive solution, the Identity Metasystem, which tries to provide a solution to many security-related bad practices and widespread problems. CardSpace is also a very flexible technology that can be successfully leveraged to address a wide range of different scenarios and business needs. Finally, Windows CardSpace enables new scenarios and radically new ways of dealing with known problems. Given the sheer breadth of the areas it touches, it comes as no surprise that people of all positions and backgrounds are interested in knowing more about it. To address so many different aspects and such a diverse audience, we divided the book into three parts. Part I: Setting the Context The first part of this book introduces you to user-centered identity management, the model on which Windows CardSpace is based. This part lays the foundation for understanding the context in which CardSpace is meant to operate and the problems it has been designed to overcome. Architects, analysts, and even strictly nontechnical folks will get the most from this part. There are practically no assumptions of prior knowledge; the text introduces the necessary concepts and technologies as needed. Note that in the first part CardSpace is barely mentioned, because the focus is on the underlying models and considerations that are purely platform agnostic. Chapter 1, "The Problem," explores the problems with identity management today. It explores how authentication technologies evolved to the current practices, showing the historical reasons for current widespread problems. The chapter introduces basic concepts such as Internet protocols, types of attacks, introdu