Infocard and Interop with Java

  • Article

Infocard and Interoperability

Is Infocard Interoperable with Java?

Channel9 has a new
segment entitled Infocard
Explained. Infocard is Microsoft's second take on
addressing the issue of federated identity on the web; the first
try was called Passport, and failed for a number of reasons,
mostly because it didn't address stakeholder interests (that's a
polite way of saying it!). Infocard is something very different, and
we believe it will address peoples interests much better. Infocard involves a couple of things:

  • protocol specifications - that describe the messages
    that travel between applications (like a browser and a web server) and identity providers (like a
    directory server).
  • an actual implementation of these protocols -
    running on Windows, packaged as a DLL, and mated to a user
    interface for the client - the latter is a dialog box that pops
    up within the context of a browser experience, and asks, do you
    want to provide your credentials to the requesting server? and
    if so, which credentials?

Is Infocard Passport v2 ?

Both Passport and Infocard deal with identity. But philosophically they are quite different in approach to a solution. Passport was a single-identity system -where a single identity for a person is shared among many different services. Infocard is expanded to reflect the reality that people have multiple, compartmentalized identities - credit card holder, registered voter, frequent flyer on Airline X, etc. And Infocard is designed with the understanding that
you may not want your credit card provider to know your political party affiliation, or your Frequent flyer status. *You* have multiple independent identities, and *you*, the user, control how you distributed the credentials for those identities.

About Interop

The protocols used by Infocard are pretty simple, and are based on WS-splat, including
WS-Trust, and WS-Security. What this means is, any application
that does WS-* can implement the Infocard protocols and can
participate in this identity meta-network.

To the extent
that your Java environment supports WS-{Trust,Security}, Java apps built on that environment will
be able to participate in the Infocard system. In practice, it means a website powered by Java servlets or JSP (or PHP or ...) will be able to "talk the Infocard talk" and request identities securely. The user will get a consistent user experience, and a consistent security semantics, regardless of the back-end server s/he is authenticating to. It also means a Java-based client-side app could use the same protocols to authenticate to any sort of server.

This is not just a theory - there are implementations already emerging of the Infocard protocols in Java and other systems. Phil Windley gave a review of the IIW2006 conference where some people from UNC implemented an Infocard client in Java. And there's also a Firefox plug-in for Infocard.

This is only interesting if Infocard catches on - if the community vets it and likes it and people start using it very broadly. We're hopeful that Infocard provides the right balance of usability, privacy, and security, and that broad adoption will happen fairly quickly.

-Dino