The identity metasystem is designed to prevent identity theft on the Internet by providing a secure framework for authentication as well as giving users control over the data they share on Web sites. If and when fully implemented, it would eliminate the myriad usernames and passwords that each user currently maintains across the Internet. It would replace the browser password manager that remembers users' passwords with a system that is more secure, flexible and consistent.
Multiple Authenticators
The identity metasystem lets multiple organizations authenticate a user's identity just as a driver's license and credit card serve as two forms of ID in day-to-day life. The user confirms which providers should be used to satisfy a Web site's request for authentication.
The Wallet Metaphor - Information Cards
The metasystem uses "information cards," which are the digital counterpart to the plastic cards people keep in their wallets. The user is presented with a window full of card images to choose from, just like you might remove all your business, ID and credit cards from your wallet and lay them out on a table.
Personal cards (p-cards) are self-issued and hold the data users typically type into Web site registration forms. A person can create multiple p-cards, with one card having more data than another.
Managed information cards (m-cards), such as membership ID cards and credit cards, are issued by organizations. M-card data are stored on the managed card provider's site, while p-card data are stored on the user's computer. However, transaction history for all cards is stored on the client side.
The identity metasystem also supports the OpenID authentication system, and one of the cards in the card selector can be an OpenID card (see OpenID).
Relying Parties Rely on Identity Providers
A Web site that accepts information cards is known as the "relying party," because it relies on a third-party "identity provider" for authentication, rather than authenticating the user directly as is common today.
The software in the user's computer that orchestrates the interaction between the relying party (RP) and the identity provider (IdP) is the "card selector," also called the "identity selector." The CardSpace and Higgins software in the user's computer is the card selector.
When a user visits an information card-compliant site, the site (the relying party) states its identity requirements, and the user's card selector highlights the cards that meet those requirements. The user confirms the selection, and a request is sent to the identity provider. The identity provider sends back a digitally signed token that the user can inspect to be sure it is genuine before releasing it to the relying party for authentication.
In the case of a personal card, the card selector functions as the identity provider and sends a secure token to the relying party.
Claims
The identity metasystem uses the term "claims" to refer to any data that is captured in information cards. Although the term "assertion" has been traditionally used, "claim" implies that it has to be proven.
Web Services Protocols
An identity metasystem relies on the Web services protocols for interaction between the relying party (RP), the identity provider (IdP) and the card selector. See Windows CardSpace, Higgins project, Web services protocols and Identity 2.0.
The Authentication Process
The card selector highlights the card that satisfies the site's identity requirements and, with the user's approval, sends it to the identity provider (IdP). The IdP returns a security token that is forwarded to the relying party, once again after the user's confirmation. The PIN exchange in step 5 is optional.
Reproduced with permission from Computer Desktop Encyclopedia. Copyright (c) 1981-2009 The Computer Language Company Inc. All rights reserved.
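The interaction described in the sections above (relying party states its requirements, selector filters the cards, the IdP or the selector itself issues a signed token, the user inspects it, the relying party verifies it) as an added illustration that is not part of the encyclopedia entry. The cards, policy and keys are constructed sample data; HMAC with a shared key stands in for the IdP's certificate-based signature.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the encyclopedia entry). Keys are symmetric
# HMAC keys for brevity; a real IdP signs with a private key and the RP checks
# the signature with the IdP's certificate.
IDP_KEYS = {"selector": b"self-issued-p-card-key", "bank.example": b"bank-m-card-key"}

CARDS = [
    {"name": "Basic p-card", "issuer": "selector",
     "claims": {"email": "alice@example.net"}},
    {"name": "Full p-card", "issuer": "selector",
     "claims": {"email": "alice@example.net", "givenname": "Alice", "country": "US"}},
    {"name": "Bank m-card", "issuer": "bank.example",
     "claims": {"email": "alice@example.net", "age_over_18": "true"}},
]

def matching_cards(cards, policy):
    """The RP states which claims it needs and which issuers it accepts; the
    selector highlights only the cards that can satisfy that policy."""
    return [c for c in cards
            if set(policy["required_claims"]) <= set(c["claims"])
            and c["issuer"] in policy["accepted_issuers"]]

def issue_token(card, policy):
    """The IdP (the selector itself for a p-card) releases only the requested
    claims, binds the token to the RP and signs it with its own key."""
    body = {"issuer": card["issuer"], "audience": policy["rp"],
            "claims": {k: card["claims"][k] for k in policy["required_claims"]}}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(IDP_KEYS[card["issuer"]], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}

def token_claims(token):
    """What the user sees when inspecting the token before releasing it."""
    return json.loads(token["payload"])["claims"]

def verify_token(token, policy, trusted_keys=IDP_KEYS):
    """The RP accepts a token only if it was signed by a trusted issuer, is
    addressed to this RP, and carries every claim the policy required."""
    body = json.loads(token["payload"])
    key = trusted_keys.get(body["issuer"])
    if key is None or body["audience"] != policy["rp"]:
        return False
    expected = hmac.new(key, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        return False
    return set(policy["required_claims"]) <= set(body["claims"])
```

Note that the token carries only the claims the relying party asked for, so the "Full p-card" does not leak its extra fields, and a token issued for one site fails verification at another.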
Additional Resources
- CA and Microsoft Support for User-Centric Identity and the Identity Metasystem
- This paper discusses the Identity Metasystem, Windows CardSpace and CA SiteMinder Information Card Authentication Scheme ICAS. After reviewing the existing problems encountered when managing digital identity, this paper introduces the Identity Metasystem, defines its architectural components, then describes how Microsoft Windows CardSpace and CA SiteMinder ICAS can be used together...
- White papers 2008-04-01
- MSDN Webcast: Next-Generation Identity Management With Windows CardSpace (Level 200)
- The presenter of this webcast discusses Windows CardSpace, a Microsoft .NET Framework version 3.0 component that provides a standards-based, interoperable solution for managing diverse digital identities. With phishing attacks and identity theft deterring people from using the Web, Windows CardSpace makes it safer and easier for users to manage online...
- Webcasts 2007-05-03
- Windows CardSpace gets Firefox support
- Windows CardSpace gets Firefox support. IE browser is about dead. With just one feature, RSS, there is a compelling reason to upgrade the internet browser on corporate and government computers. I did so last week on my wife's computer. As had been reported to me by half a dozen others, it doesn't...
- Discussion threads 2006-12-13
- Windows CardSpace gets Firefox support
- A new plug-in providing Firefox support for Microsoft's CardSpace digital-identity framework is now available for public download. Solution architect Kevin Miller, who played an instrumental role in developing the technology, announced the availability of his Firefox add-on for Windows via his blog. Why is Firefox support important? Until...
- Blog posts 2006-12-13
- Internet Identity Workshop and interop
- Kaliya Hamlin, Doc Searls, and I will be doing another installment of the Internet Identity Workshop (IIW2006b) in December. We're back at Computer History Museum, Dec 4-6. The Internet Identity Workshop is about moving user-centric identity ideas and technologies forward. User-centric identity starts with the...
- Blog posts 2006-11-16
- Meeting of the minds: Microsoft and Mozilla
- So whatever happened to the brave Mozilla delegation that accepted Microsoft's invitation earlier this summer to travel to the belly of the Borg? Was it mission accomplished, as far as insuring Vista compatibility for Firefox? Looks like the Mozilla folks made it out alive, according to a blog post from...
- Blog posts 2006-10-05
- Google's authentication vs. Microsoft's Live ID
- Recent announcements of Google's authentication service have prompted comparisons to Passport, and even gotten Dick Hardt (of "Identity 2.0" fame) to call it the "deepening of the identity silo." I'd like to contrast Google's work with Microsoft's recent work around Live ID. Microsoft's Live ID *is* the old...
- Blog posts 2006-06-29
- Google: The Oracle of Identity
- Bob Blakely just gave a fascinating talk at Catalyst entitled, "Identity and Community in Human Society." I won't try to summarize *all* of Bob's points, which began with the social construction of reality and walked through the "non-person-ness" of corporations and subsequently what they value. Rather, I want to touch...
- Blog posts 2006-06-15
- Unconferences and the value of participatory events
- The Internet Identity Workshop ended Wednesday afternoon and I've had a day to decompress. This was really an outstanding event and one I'm proud to have been a part of. Even though I was one of the organizers, along with Kaliya Hamlin and Doc...
- Blog posts 2006-05-05
- The many players at IIW
- The Internet Identity Workshop also talked about here has been going on for the past few days. The workshop is centered on "user-centric identity," which is confusing enough to be sure, but when you throw in the various protocols, systems and groups working in it -- well, things get downright...
- Blog posts 2006-05-03
- Identity Management as a Service
- Identity Management as a Service. Windows LiveID. We commented on a post from Phil earlier in the year on this very subject: http://www.mwdadvisors.com/blog/2005/10/loosely-coupled-reinvents-passport.html Your references to Passport are interesting in light of this white paper from Microsoft discussing Passport 2.0 aka Windows LiveID: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlive/html/winliveidserv.asp which includes the following: Microsoft has published its vision of a...
- Discussion threads 2006-04-19
- Why does Microsoft Passport suck?
- The Microsoft Passport Network is supposed to be an effortless way to share a single set of logon credentials across multiple sites. Instead, it's a colossal annoyance. Even Microsoft employees gripe about the inconsistencies and abysmal user experience of Passport. How does Microsoft Passport's sign-in process suck? Let's count the ways: It...
- Blog posts 2006-04-05
- Higgins and Vendor Sports
- A few days ago IBM, Novell, and Harvard's Berkman Center announced the Higgins Project. Higgins is a "user-centric identity" system that will be open source and managed by the Eclipse Foundation. When we held the Internet Identity Workshop last October, Paul Trevithick spoke about Higgins (listen...
- Blog posts 2006-03-03
- Craig Burton cries 'ubiquity'
- At Novell, Craig Burton was one of the driving forces behind the modern notion of a network as a collection of services rather than a collection of wires. He's a master at seeing the big picture and identifying the limitations of particular strategies within that picture. I've known...
- Blog posts 2005-10-07
- The red herring of data protection
- The numbers lately have been staggering: 145,000; 13.9 million; 40 million. I'm speaking, of course, of the recent rash of "data loss" -- the innocuous term for "millions of accounts containing personal data being exposed to the wrong eyes." Whether it's MasterCard, ChoicePoint, LexisNexis, Bank of America, Wachovia, Stanford or...
- Blog posts 2005-06-21
- InfoCard and Web Services
- Over at the IT Garage, Doc Searls goes through some history of Microsoft's InfoCard initiative and asks some good questions. InfoCard is an identity metasystem that Doc correctly describes as a "barn raising project" led by Microsoft. Kim Cameron, Microsoft's chief identity architect, believes that Microsoft has an...
- Blog posts 2005-06-06
- All about Infocard
- By the end of this month Microsoft will be releasing a "technical preview" of InfoCard, a new framework for managing identities based on WS-* protocols. Microsoft is also rolling out other related technologies for federation. It's a big deal if the industry can come up with a generally agreed upon,...
- Blog posts 2005-05-19
- Microsoft's enlightened identity metasystem
- Microsoft's enlightened identity metasystem. What is Microsoft InfoCard? A blogged some more technical details based on Microsoft's description at this event. http://netmesh.info/jernst/Digital_Identity/what-is-msft-infocard.html
- Discussion threads 2005-05-13
- Microsoft's enlightened identity metasystem
- On the final day of Digital ID World 2005, John Shewchuk, CTO for distributed systems at Microsoft, and Kim Cameron, identity and access architect at Microsoft, outlined their company's plan for delivering a unifying identity metasystem, an abstraction layer, based on WS-* Web services technology. "The essential concept of the...
- Blog posts 2005-05-12