Considering the coverage it got, it shouldn’t be a surprise to anyone that in a February 6, 2007 keynote address at the RSA conference in San Francisco, Microsoft chairman Bill Gates and Microsoft chief research and strategy officer Craig Mundie announced the software giant’s support for OpenID. Gates and Mundie pledged to work toward the integration of Microsoft’s CardSpace identity management software with the OpenID project. In my opinion there is still one question that’s still unanswered—why should we care? What value does either of these products—alone or together—provide to home or business users?
What is CardSpace?
CardSpace, formally known as InfoCard, is a certificate-based identity meta-system used to manage InfoCards. Integrated into Vista and IE7, this functionality targets online identity verification to reduce fraud and theft.
An InfoCard is a container or selector for a person’s identities (“Q&A: Advancing Identity Security on the Internet with “InfoCard” Technology”, Microsoft, 14 Feb 2006). In “Getting Started with CardSpace” (2007), Microsoft lists the following justifications for using CardSpace:
- Sites can request information from users
- Users can review the site’s identity
- Users can manage their identity information by using InfoCards
- Card information can be reviewed before it is sent to a requesting site
Figure 1 depicts what happens in a CardSpace interaction. A Microsoft video with a detailed explanation of how this works as well as the contents of an InfoCard is located at channel9.msdn.com.
Figure 1: CardSpace Interaction (Keith Brown, “Step-by-Step Guide to InfoCard”, Microsoft, April 2006)
InfoCards can be created locally by a user, issued by a trusted vendor or— with the release of Longhorn—created and managed within Active Directory. A user can have more than one card, each at a level of trust commensurate with the issuer, containing different amounts of personal information the user is willing to provide. Each card is graphically represented on her desktop like an ID card.
When attempting to authenticate to a web service provider, she selects the card that provides the minimum information necessary for the transaction—but no more. Once the provider requesting the information is identified and verified, the information to be provided is displayed to the user for verification and approval. Once approved, it’s sent to complete the authentication process.
What is OpenID?
OpenID, a project launched by Brad Fitzpatrick, is a free and open framework for managing a user’s digital identity. A user creates a digital identity by registering with an OpenID Personal Identity Provider (OP), such as MyOpenID.com or VerisignLabs.com. Once the identity is created, a URL provided by the OP is used when a user attempts to authenticate to an OpenID-enabled web site. You can view a screencast showing how to create and use OpenID by visiting Simon Willison’s blog.
Figure 2, from Kim Cameron’s Identity Weblog, shows what happens “under the hood” when authenticating with OpenID.
The steps, as described by Cameron, are as follows:
1. An interaction starts with the user providing her OpenID URL to the Relying Party (RP). The RP is the web service provider with which the user is attempted to authenticate.
2. The RP redirects the user to her OP (IP in the diagram) to pick up an authentication token.
3. The token is returned from the IP.
4. To ensure the requesting user actually owns the identity, the OP presents the user with an authentication screen, typically asking for a user ID and password.
5. If the user ID and password are correct, , the OP creates a token to sent to the RP, as shown in steps 5 and 6. Assuming that the OP and RP already know each other, this is the end of the authentication process.
CardSpace and OpenID
There is value in both technologies. Internet users no longer have to provide a user ID and password to multiple sites. This information is located only at the identity provider’s location. The purpose of each is to help protect user identities. So if they both provide the same service, why would Microsoft announce integration with OpenID? The answer is found in Cameron’s Weblog.
Cameron describes a phishing attack that could potentially be launched against an OpenID authentication instance. This is depicted in Figure 3.
Figure 3 (Cameron)
Although not shown here, the attack begins by a criminal-controlled RP representing itself as authentic. During the OpenID authentication process, the user’s credentials are sent to a malicious site. Cameron, Identity Architect for Microsoft, claims that CardSpace can prevent this type of attack.
In Figure 4, the OP-User communication is secured by an InfoCard. This helps prevent an attacker from initiating the connections necessary to steal user credentials through the use of certificate-based identity verification
The final word
Both technologies present opportunities for Internet identity protection. CardSpace appears to be more mature and less vulnerable to attack. It is also positioned to provide enterprise protection, going beyond single user security.
OpenID is rapidly spreading across the Internet. It’s a simple, open, platform independent approach to identity protection; though I’m concerned about its ability to provide protection beyond the individual Internet user. However, the fact that it’s freely available to hundreds of millions of Internet users is a big step toward increasing the safety of the Internet.
Although it’s too early to predict how well the integration of CardSpace with OpenID will play out, I believe it has the potential of pushing us into a new era of secure identity management and web service authentication.
The following resources provide additional information about CardSpace and OpenID.
Kim Cameron’s Identity Weblog
Introducing Windows CardSpace
Verisign, Microsoft & Partners to Work together on OpenID + Cardspace
Unified Identity Management
Microsoft’s OpenID embrace reflects new approach
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.