Information Card

Information Cards are personal digital identities that people can use online. Visually, each Information Card has a card-shaped picture and a card name associated with it that enable people to organize their digital identities and to easily select one they want to use for any given interaction. The Information Card metaphor is implemented by Identity Selectors like Windows CardSpace, DigitalMe or Higgins Identity Selector.

Overview

There are three participants in Digital Identity interactions using Information Cards:
* Identity Providers issue digital identities for you. For example, businesses might issue identities to their customers, governments might vouch for the identities of their citizens, credit card issuers might provide identities enabling payment, online services could provide verified data such as age, and individuals might use self-issued identities to log onto web sites.
* Relying Parties accept identities for you. Online services that you use can accept digital identities that you choose and use the information provided by them on your behalf, with your consent.
* Subject is yourself, the party in control of all these interactions. The subject can choose which of its applicable digital identities to use with the relying party.

An Identity Selector is used to store, manage, and use their digital identities. Examples of Identity Selectors are Microsoft's Windows CardSpace, the Bandit Project's [http://www.bandit-project.org/index.php/DigitalMe DigitalMe] , and several kinds of Identity Selectors from the Eclipse Higgins Project.

Sign-In with Information Cards

Using Information Cards, users can authenticate without needing a username and password for every web site; instead, at sites accepting them, they can log in with an Information Card, which may be used at multiple sites.

Each Information Card utilizes a distinct pair-wise digital key for every realm where a key is requested. A realm may be a single site or a set of related sites all sharing the same target scope information when requesting an Information Card. The use of distinct pair-wise keys per realm means that even if a person is tricked into logging into an imposter site with an Information Card, a different key would be used at that site than the site that the imposter was trying to impersonate; no shared secret is released.

Furthermore, many Identity Selectors provide a means of Phishing detection, where the HTTPS certificate of the Relying Party site is checked and compared against a list of the sites at which the user has previously used an Information Card. When a new site is visited, the user is informed that they have not previously used a card there.

Types of Information Card

The [http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1.pdf Identity Selector Interoperability Profile] specifies two types of Information Cards an Identity Selector must support.

* Personal (also called Self-Issued) Information Cards: These cards allow you to issue Claims about yourself to sites willing to accept them. These claims can include your name, address, phone numbers, e-mail address, web address, birth date, gender, and a site-specific key uniquely generated for each site where the card is used.
* Managed Information Cards: These cards allow Identity Providers other than yourself to make Claims about you to sites willing to accept them. These claims can include any information that that a Relying Party requests, an Identity Provider is able to provide, and you are willing to send between them.

However the Information Card format allows for custom types; The Bandit project demonstrated prototype managed cards backed by OpenIDs at the BrainShare conference in March 2007. The Higgins project is defining two new kinds of Information Cards as well, as described in the I-Card article: Relationship Cards (a.k.a. R-Cards) that establish an ongoing relationship between the identity provider and relying party (that themselves may be either self-issued or managed) and Zero-Knowledge (a.k.a. Z-Cards).

Managed Information Card Details

Information Cards issued by third parties can employ any of four methods for the user to authenticate himself as the card owner:
* a Personal (Self-Issued) Information Card,
* an X.509 certificate (which can either be from a hardware device such as a SmartCard or it can be a software certificate),
* a Kerberos ticket, such as those issued by many enterprise login solutions, or
* a username and password for the card.Additional methods could also be implemented by future Identity Selectors and Identity Providers (see #Futures).

Managed Information Cards can be auditing, non-auditing, or auditing-optional:
* Auditing cards require the identity of the Relying Party site to be disclosed to the Identity Provider. This can be used to restrict which sites the Identity Provider is willing to release information to.
* Non-auditing cards will not disclose the identity of the Relying Party site to the Identity Provider.
* Auditing-optional cards will disclose the identity of the Relying Party site if provided by the Relying Party, but do not require this disclosure.

Claims

Beyond being used to log into sites, Information Cards can also facilitate other kinds of interactions. The Information Card model provides great flexibility because cards can be used to convey any information from an Identity Provider to a Relying Party that makes sense to both of them and that the person is willing to release. The data elements carried in Information Cards are called Claims.

One possible use of claims is online age verification, with Identity Providers providing proof-of-age cards, and Relying Parties accepting them for purposes such as online wine sales; other attributes could be verified as well. Another is online payment, where merchants could accept online payment cards from payment issuers, containing only the minimal information needed to facilitate payment. Role statements carried by claims can be used for access control decisions by Relying Parties.

Interoperability and Licensing

The Information Cards defined by the [http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1.pdf Identity Selector Interoperability Profile] are based on open, interoperable communication standards. Interoperable Information Card components have been built by dozens of companies and projects for platforms including Windows, Mac OS, and Linux, plus a prototype implementation for phones. Together, these components implement an interoperable Identity Metasystem. Information Cards can be used to provide identities both for Web sites and Web Services applications.

Several interoperability testing events for Information Cards have been sponsored by [http://osis.idcommons.net/wiki/Main_Page OSIS] and the [http://www.burtongroup.com/ Burton Group] , one was at the [http://identityblog.burtongroup.com/bgidps/2007/10/osis-user-centr.html Interop at the October 2007 European Catalyst Conference in Barcelona] and the most recent was at RSA 2008. These events are helping to insure that the different Information Card software components being built by the numerous participants in the Identity Metasystem work well together.

The protocols needed to build Information Card implementations based on the [http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1.pdf Identity Selector Interoperability Profile] can be used by anyone for any purpose at no cost and interoperable implementations can be built using only publicly-available documentation. Patent promises have been issued by [http://www.microsoft.com/interop/osp/ Microsoft] , [http://www-03.ibm.com/linux/opensource/ispinfo.shtml IBM] , and others, ensuring that this Information Card technology is freely available to all.

In June 2008, industry leaders including Equifax, Google, Microsoft, Novell, Oracle, PayPal and others created the Information Card Foundation in order to advance the use of the Information Card metaphor as a key component of an open, interoperable, royalty-free, user-centric identity layer spanning both the enterprise and the Internet.

ee also

* Identity Selector
* Identity Metasystem
* Information Card Foundation
* Windows CardSpace
* Higgins Project
* Bandit Project
* I-Card
* Digital Identity

References

* [http://www.nytimes.com/2008/06/24/technology/24card.html?_r=2&ref=business&oref=slogin&oref=slogin Technology Leaders Favor Online ID Card Over Passwords] - New York Times article 24-Jun-08 announcing the Information Card Foundation
* [http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1.pdf Identity Selector Interoperability Profile] , Arun Nanda, April 2007.
* [http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1-Guide.pdf An Implementer's Guide to the Identity Selector Interoperability Profile V1.0] , Microsoft Corporation and Ping Identity Corporation, April 2007.
* [http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1-Web-Guide.pdf A Guide to Using the Identity Selector Interoperability Profile V1.0 within Web Applications and Browsers] , Michael B. Jones, April 2007.
* [http://research.microsoft.com/~mbj/papers/Identity_Metasystem_Design_Rationale.pdf Design Rationale behind the Identity Metasystem Architecture] , Kim Cameron and Michael B. Jones, January 2006.
* [http://go.microsoft.com/fwlink/?LinkId=98051 Patterns for Supporting Information Cards at Web Sites: Personal Cards for Sign up and Signing In] , Bill Barnes, Garrett Serack, and James Causey, August 2007.
* [http://www.microsoft.com/interop/osp/ Microsoft Open Specification Promise] , May 2007.
* [http://www-03.ibm.com/linux/opensource/ispinfo.shtml IBM Interoperability Specifications Pledge] , July 2007.

External links

* [http://informationcard.net Information Card Foundation]
* [http://self-issued.info/?p=17 Information Card Icon Announcement] , June 2007.
* [http://msdn2.microsoft.com/en-us/library/ms996422.aspx Microsoft's Vision for an Identity Metasystem] , Michael B. Jones, May 2005.
* [http://msdn2.microsoft.com/en-us/library/ms996456.aspx The Laws of Identity] , Kim Cameron, May 2005.
* [http://www.ipc.on.ca/images/Resources/up-7laws_whitepaper.pdf 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age] , Ann Cavoukian, Information and Privacy Commissioner of Ontario, October 2006.
* [http://www.bandit-project.org/ Bandit Project]
* [http://www.bandit-project.org/index.php/DigitalMe DigitalMe Identity Selector]
* [http://www.eclipse.org/higgins/ Eclipse Higgins Project]
* [http://identityblog.burtongroup.com/bgidps/2007/08/recapping-the-c.html Burton Group report on OSIS June 2007 User-Centric Identity Interop at Catalyst in San Francisco] , August 2007.
* [http://identityblog.burtongroup.com/bgidps/2007/10/osis-user-centr.html Burton Group report on OSIS October 2007 User-Centric Identity Interop at Catalyst in Barcelona] , October 2007.
* [http://osis.idcommons.net/ Open-Source Identity System (OSIS)]