What is Infocard and how is it different from Passport?

To start with, here is a condensed description of what Infocard is. Infocard is an identity provider/consumer system (trying not to use the official terms as I feel they are confusing).

It is part of the WinFX system and is available on any platform that supports WinFX. It gives users the ability to select a particular identity that they want to use with a particular consumer such as online merchants, banks, and government agencies. These identities are provided by trusted sources such as Verisign, your company and in some cases self-signed identities.

Infocard Steps

The way it works is that when you need to provide an identity to an online merchant, there will be a button that you can click that will allow you to select one of your Infocards from one of the identity provides you have signed up with. When you click the button, a new session is initiated to contain the Infocard selection screen. This prevent malicious processes from being able to access the Infocards and the related information. It is very much like the CTRL-ALT-DEL Secure Attention Sequence.

You then select which ever Infocard you want from the list of available ones. This list is determined by the type of credentials the merchant will accept. The ones that the merchant will not accept are greyed out in the list. For example, a merchant may state that they will only accept Infocards that are based on a digital certificate signed by a trusted root CA. Other’s may only accept Infocards that are based on a user ID and password that they have issued, etc. You can even have self-signed Infocards that you create and sign yourself. However, I would imagine that the only places likely to accept these will be low security merchants and shall we say… sites of questionable moral value.

This allows organisations to avoid having to support their own identity infrastructure. For example, in Australia the ATO issues digital certificates to tax payers that choose to request them. Because the ATO issues more digital certificates that all other providers combined in Australia, and they already have the infrastructure to support it, other government agencies can choose to accept an Infocard based on an ATO issued digital certificate.

The way this works is based on SAML and identity requests and assertions. The merchant or Infocard consumer requests an Infocard, the individual chooses the one they want to use, then merchant then sends a request to the Infocard identity provider to validate the individual, the Infocard identity provider validates the credentials and sends a one time assertion to the merchant indicating that the credentials the individual is providing are legitimate. That assertion is good for that session, and for a limited duration. (There are various protection mechanisms built into the protocol that prevent man-in-the-middle and replay attacks against it.)

So how is this different to Passport? Well, with Passport all of your information is stored in one place, and everyone has to trust Microsoft, and only Microsoft, to hold the information and validate it. With Infocard, you can request that any viable provider handle your identity provisioning. For example Verisign announced at the RSA conference that they are on board with Infocard and will be an identity provider. Not all your data has to be in one place, and you can choose who you want to be your provider. Each company can implement their own Infocard libraries and assemblies so that you aren’t tied to one vendor for the implementation. So pretty much any language that can deal with the underlying technologies can be used to write Infocard systems. Essentially, there is no vendor lock-in which was a big stumbling block for Passport. A good reference for Identity stuff is Kim Cameron’s blog.