Heard on Hanselminutes
Digital identity and related technologies
By: Carl Franklin
Mar. 10, 2007 02:15 PM
Page 2 of 5
CF: I love the Elastigirl thing, what's that all about?

SH: On his site he uses Elastigirl from "The Incredibles" to represent his very flexible implementation of CardSpace. If you basically click on this object the browser will pop up and launch whatever that helper is. In the instance of IE 7, it will launch what's called an Identity Selector. It's going to launch the Windows CardSpace Identity Selector and on Windows or on Vista, you are going to get this kind of curtain of death, this kind of gray transparent curtain will drop and a CardSpace Identity Application will launch up and let you select a card and in this context, the card is a kind of a client-side certificate.

CF: Yeah, it's a good thing to clarify that it isn't necessarily a physical card although it can be stored on a card.

SH: It's a very good point. The CardSpace cards are basically kind of a client-side security token that are going to allow you to fulfill some claims that the site will make.

CF: It's like a metaphor for a credit card or something.

SH: Exactly, it's like handing someone a card because like if I go to - you are in Connecticut, right?

CF: Yes.

SH: Okay, I am in Oregon, I go to Connecticut and I get pulled over and I show the cop my Oregon driver's license. Why does he trust me? He trusts me because Connecticut trusts Oregon. He says well, I don't know you and you don't know me but I know Oregon and I know Connecticut, so we trust each other because we trust this third party. InfoCard uses that card metaphor, that idea of here is something that I have, it is attached and issued by someone that we both trust, a lot like SSL works, right? I visit your site, you use a VeriSign SSL card, and then we have this trust relationship.

You've got this object tag on your HTML page and it's just coded like a regular object tag like a Flash tag or any tag that uses an object and it has a certain type that says something, something/InfoCard, the browser associates, whatever the Identity Selector on your system, in this case the Windows CardSpace UI, that pops up this curtain of death and the reason I point out the curtain of death is because this is a new separate desktop, because you don't want to let any card loggers or evil things of that kind to sneak into your system, anything running in the tray or some malware. This is technology similar to what they are using in the User Access Control stuff in Vista. They are basically running this in its own universe, its own parallel world on your machine, its own desktop context. No other applications get to get loaded in there and it's running in a very limited trust. It does exactly what it does and no more. We are trying to prevent phishers from being able to get into that space and futz around. That...you select your identity or you create a card, there are two kinds of cards, you can have a self-issued card, you basically create your own cert and there is a little Security Token Service on your machine that basically issues the card to yourself. This would be the equivalent of writing on a piece of paper "I am me" and then using that as your identification.

CF: Right, if somebody wants to trust you they can but they don't have to.

SH: Exactly, a site would have the choice to say, "I am only going to deal with one that has done with a managed card and the other kind of card is a managed card." Now, I am hoping that not only will Windows Live - Windows Live is the rebranded Windows Passport - they will of course implement this and people who have Passports will automatically get CardSpace cards. But I think, like Visa, American Express, these big kind of places that manage your identity, they will issue managed cards. So, if you trust Visa and I trust Visa, then we will have this relationship.

CF: It's interesting because then your credit card becomes more usable as a source of identity.

SH: Exactly, well, one of things...

CF: Like a license is now, visually the credit card can electronically.

SH: Right and if...let's say I am going to buy something from Franklins.net. Right now, I go online and make a login and I register and it's all name and password. Then I would give you my credit card and I have got two choices, either I can let Franklins.net store it, without any understanding about how you are going to choose to store my credit card, or I just give it to you each time and I have to just fire it across the Internet and I have to keep updating you on things like the expiration date. And if I did a managed card, rather than me sending you the credit card number, I could send you the Managed Tokens, this Managed Security Token, and then you could talk to Visa and they wouldn't have to give you the credit card, they could just say, oh, this person has decided to pay you $10. Here is the confirmation number and credit cards could be removed entirely from the process. So, the number doesn't exist. It's a...

CF: And all the transactions happen behind the scenes at Visa.

SH: Exactly and it's all done in a cryptographically significant way. This Identity Selector - back to what you were saying - as I call it - who else has done this? They are already starting to see Identity Selectors for other browsers. There is a Firefox one written in Java at www.Shrinkster.com/jkn, right now it works on Firefox 1.5 but I am sure he will update it and there is one for Safari at Shrinkster/jku, I think, that as more and more people realize that this is not a Microsoft thing - this is an open WS-* standard that they are going to start creating these. I think we will see all the major browsers supporting an Identity Selector in various ways.

I found the one that's built in with Windows to be very flexible. Right now, you do have to store your cards on your local machines and you can move them from place to place. I've basically exported my cards and then imported them back home. In the future, a version of CardSpace is going to support using your USB key as a kind of a token and then saving the tokens on that key. So, then you would have no store on your local machine, but you will be able to login on any machine and then say, oh, "Here is my identity." So, you'd basically be using your USB key like you just said as a smart card. It would be a poor man's smart card and certainly that would be much more ubiquitous than a smart card itself.