The identity metasystem is designed to prevent identity theft on the Internet by providing a secure framework for authentication and by giving users control over the data they share with Web sites. If and when fully implemented, it would eliminate the myriad usernames and passwords that each user maintains across the Internet. It would replace the browser password manager that currently remembers users' passwords with a system that is more secure, flexible and consistent.
Multiple Authenticators
The identity metasystem lets multiple organizations authenticate a user's identity just as a driver's license and credit card serve as two forms of ID in day-to-day life. The user confirms which providers should be used to satisfy a Web site's request for authentication.
The Wallet Metaphor - Information Cards
The metasystem uses "information cards," which are the digital counterpart to the plastic cards people keep in their wallets. The user is presented with a window full of card images to choose from, just as a person might remove all the business, ID and credit cards from a wallet and lay them out on a table.
Personal cards (p-cards) are self-issued and hold the data users typically type into Web site registration forms. A person can create multiple p-cards, with one card having more data than another.
Managed information cards (m-cards), such as membership ID cards and credit cards, are issued by organizations. M-card data are stored on the managed card provider's site, while p-card data are stored on the user's computer. However, transaction history for all cards is stored on the client side.
The identity metasystem also supports the OpenID authentication system, and one of the cards in the card selector can be an OpenID card (see OpenID).
Relying Parties Rely on Identity Providers
A Web site that accepts information cards is known as the "relying party," because it relies on a third-party "identity provider" for authentication, rather than authenticating the user directly as is common today.
The software in the user's computer that orchestrates the interaction between the relying party (RP) and the identity provider (IdP) is the "card selector," also called the "identity selector." The CardSpace and Higgins software in the user's computer are card selectors.
When a user visits an information card-compliant site, the site (the relying party) states its identity requirements, and the user's card selector highlights the cards that meet those requirements. The user confirms the selection, and a request is sent to the identity provider. The identity provider sends back a digitally signed token that the user can inspect to be sure it is genuine before releasing it to the relying party for authentication.
In the case of a personal card, the card selector functions as the identity provider and sends a secure token to the relying party.
Claims
The identity metasystem uses the term "claims" to refer to any data that is captured in information cards. Although the term "assertion" has been traditionally used, "claim" implies that it has to be proven.
Web Services Protocols
An identity metasystem relies on the Web services protocols for interaction between the relying party (RP), the identity provider (IdP) and the card selector. See Windows CardSpace, Higgins project, Web services protocols and Identity 2.0.
The Authentication Process
The card selector highlights the card that satisfies the site's identity requirements and sends it to the identity provider (IdP) with the user's approval. The IdP returns a security token that is forwarded to the relying party, once again, via the user's confirmation. The PIN exchange in step 5 is optional.
Reproduced with permission from Computer Desktop Encyclopedia. Copyright (c) 1981-2008 The Computer Language Company Inc. All rights reserved.
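The flow described under "Relying Parties Rely on Identity Providers" and "The Authentication Process" can be modelled in a few functions. This is an added example, not code from CardSpace, Higgins or the encyclopedia. It assumes constructed cards, issuers and claim names, and uses an HMAC in place of the identity provider's digital signature so that it runs with the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. Real information card tokens carry a digital signature
# from the identity provider; HMAC is a stand-in for it in this example.
IDP_KEY = b"constructed-demo-key"

# Constructed sample data: one relying-party policy, one p-card, one m-card.
POLICY = {"trusted_issuers": {"bank.example"}, "required_claims": ["name", "member_id"]}
CARDS = [
    {"name": "personal", "issuer": "self", "claims": {"name": "A. User", "email": "a@user.example"}},
    {"name": "bank m-card", "issuer": "bank.example", "claims": {"name": "A. User", "member_id": "M-1001", "credit_limit": "5000"}},
]

def matching_cards(cards, required_claims):
    """Card selector: highlight only cards that can supply every required claim."""
    return [c for c in cards if set(required_claims) <= set(c["claims"])]

def issue_token(card, required_claims, key=IDP_KEY):
    """Identity provider: sign only the claims the relying party asked for."""
    body = {"issuer": card["issuer"],
            "claims": {k: card["claims"][k] for k in required_claims}}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": sig}

def verify_token(token, policy, key=IDP_KEY):
    """Relying party: accept claims only from a valid, trusted, complete token."""
    payload = token["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None  # token was altered after the identity provider signed it
    body = json.loads(payload)
    if body["issuer"] not in policy["trusted_issuers"]:
        return None  # signed, but not by a provider this site relies on
    if not set(policy["required_claims"]) <= set(body["claims"]):
        return None  # a required claim is missing
    return body["claims"]

def run_flow():
    """Full exchange: select a card, obtain a token, present it to the site."""
    chosen = matching_cards(CARDS, POLICY["required_claims"])[0]  # user confirms
    token = issue_token(chosen, POLICY["required_claims"])
    return chosen["name"], verify_token(token, POLICY)

if __name__ == "__main__":
    print(run_flow())
```

The m-card's `credit_limit` never reaches the relying party because the token contains only the requested claims, which is the user-control property the metasystem aims for.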