Security: Microsoft’s CardSpace scheme explained

Eric Doyle previews Microsoft's new CardSpace secure payments scheme.

ITPro Today

December 17, 2006

6 Min Read
ITPro Today logo in a gray background | ITPro Today

Doing business on the web is a leap of faith. You trust that the keeper of your details is competent and will have sufficient protection in place to protect your details. Regardless of what safeguards are in place to keep hackers away from the customer database, the weak point is actually at the interface with the website -- the username and password.

For several years there has been the idea of developing a mutual protection scheme for web transactions to ensure that the customer is who they say they are and that the vendor site is actually a bone fide site. The basis is trust, the kind of trust you place in a financial institution to keep your money safe or to manage your insurance portfolios.

In the internet world, the idea is that a trusted third party can act as a referee to guarantee the transactors identities. Microsoft started the ball rolling with Passport but this relied on Microsoft as the sole trusted third party. To be frank, too many people felt that the this was too much trust to place in a single company. In the real world, trust tends to be spread across several companies and Microsoft soon learnt that this should also be the case on the web.

Microsoft announced its latest initiative as Infocard early in 2006 and, as it has developed, the commercial name of CardSpace has been settled upon.

Paul Mackinnon, senior identity advisor at Microsoft, says that there are two main aims for the service: to be secure and to be simple. These are often conflicting targets but he feels that CardSpace answers both needs.

The CardSpace name developed as a description of the system whereby cards, visual icons resembling credit cards, are stored in a secure place on the customer’s PC -- a space for cards. In everyday life, most people are used to using credit cards, membership cards and ID cards such as passports and Microsoft has simply transferred this to cyberspace. All of these cards have one thing in common. A trusted organisation has checked the identity of the card holder and the card verifies their identity. Of course, we do still have ID fraud but Mackinnon believes that CardSpace will prove to be even more secure.

“Passport failed because of the trust issue and Microsoft cannot afford a similar failure with CardSpace,” he says. “We have addressed all of the concerns that people had with Passport and I feel sure that this will be a simple, secure and successful.”

The basis for his confidence is the intellectual foundation that the service has been built on. These are the Laws of Identity developed by Kim Cameron, Microsoft's chief identity and access architect, using the so-called blogosphere. By airing his views and those of other correspondents through his web log on the internet, Cameron broadened his initial concepts into a set of rules for ID security ( http://www.identityblog.com/?page_id=354 ). These have shaped CardSpace and will continue to do so throughout its development.

One of the key elements is to allow a user to have as many identities as they wish. This has always been possible on the web but often it means filling in different membership forms for each site involved. What Microsoft is proposing is the development of an identity metasystem layer that will tag the various elements of an individuals profile. Naturally, this means the use of XML and SOAP, along with their standards-based security elements WS-Security, WS-Trust, WS- MetadataExchange and WS-SecurityPolicy.

One way of conveying personal data to a vendor is to have it stored on the customer’s PC as a cookie. This cookie is presented whenever the user logs on, but it lacks security. What is needed is a more robust form of security through the use of a digital signature. This is an encrypted tag that uniquely identifies its owner and it acts like the physical signature on the back of a credit card.

There are three parties involved in CardSpace. The first is the User, or Subject, who owns the digital identity and this can be almost anything: a person, an organisation, an application or even a machine. The link at the end of the chain is called the Relying Party and this is often an application on the web such as a shopping trolley or other order-taking service. In the middle is the Identity Provider who validates the User’s signature and details based on information provided by the User.

When a User decides to purchase something, the Relying Party will request ID. This is provided as a policy that describes the information required for the transaction, such as the user’s name, address and credit card details.

A key part of this initial stage is that the user can view what information is being requested and choose whether to continue with the transaction. If the transaction is to download a free document and the policy unnecessarily requests credit card details, the User can back out at this point or choose to attempt the download while withholding the credit card information. The main aim of the system is to allow the customer to control the flow of data.

The choice of which particular ID card to present can also be selected by the customer from the CardSpace’s graphical display of cards. These may be general-purpose cards or specific cards for a particular vendor. A user-friendly touch is to allow the Relying Party to download their own card designs so that the icon looks like a store charge card with a company logo and any other graphics that will make it stand out. From the User’s perspective this means that they can just click on an icon to initiate a transaction.

Once the policy is approved, a request is sent by CardSpace to the Identity Provider for a signed token that contains the details. This is then passed to the Relying Party and the transaction is completed. Effectively, CardSpace will make relatively insecure password log-ins a thing of the past but Microsoft will not be the only vendor of secure transaction systems. There is currently a competitor called the Higgins Trust framework in the open source world. This is where open standards show their strength.

Microsoft is placing its development efforts into Windows as the platform of choice. CardSpace will work easily in Windows Vista and by extension to Windows XP and Windows 2003 using the .NET Framework 3.0. The Higgins Trust system is open platform and is backed by IBM and Novell. There is also Open ID and the Liberty Alliance to consider. The use here of the word “competitor” is misleading as there are plans in hand to ensure that these systems will all work seamlessly together.Similarly, CardSpace only works with Internet Explorer in Microsoft’s implementation but there is already an extension available for the Firefox browser developed independently of Microsoft. No doubt other browser manufacturers, such as Opera, will soon follow suit.

There is no date for the release of CardSpace other than to say it will be with us in 2007. Microsoft is beta testing the system and it can be downloaded from its website. Mackinnon admits that the system is not foolproof -- no security system is -- but it is a major step towards removing some of the fraudulent behaviour on the web and offers much better protection against ID theft.

Read more about:

Microsoft
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like