W3C home > Mailing lists > Public > public-identity@w3.org > April 2012

Information Cards - The Resurrection

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Sat, 14 Apr 2012 08:47:35 +0200
Message-ID: <4F891D87.80403@telia.com>
To: "public-identity@w3.org" <public-identity@w3.org>
 Although Microsoft spokesmen claim that they have shelved Information Cards for good, I believe Information Cards will rise from the dead anyway.

Why?  The core consumer authentication /technical /problem is that anything "cryptographic" requires integration in the client platform. 

But didn't Microsoft actually integrate Information Card support in the Windows platform?   No, they did not.   Since Microsoft never got consumer-PKI to work, Information Cards were effectively
diminished to painfully complex "Password Amplifiers".   In addition, Information Cards do not even conceptually offer a better solution for on-line banking than PKI.

So far it looks like Information Cards have absolutely no value, right?  Wrong!!!  If you ever had the "pleasure" (eh) using the Financial Industry's contribution to secure on-line payments, i.e. 3D
Secure (aka Verified by Visa), you probably agree that if 3D Secure represents the future, we might rather stick to unsecured credit card credentials forever!

However, when you look inside of the 3D Secure stack, you will notice that a modified Information Card scheme (like a "profiled" Information Card protocol) could make 3D Secure much more convenient
even than existing on-line payment systems.  In fact, this was showcased by Ping Identity years ago.

What's [still] missing is a useful PKI solution for authentication to the issuing bank.

When client-side PKI is finally in place, an enhanced Information Cards scheme will provide a user-friendly and secure federation solution.  3D Secure is a prime example of a federation scheme in
desperate need of a better platform!

There are plenty of other use-cases for secure federation and attribute (claims)-based assertions but nobody will bother about Information Cards until they are properly married to client-side PKI
because the latter is what [non-US] banks and government agencies actually are investing in.  Since more than a decade back they write their own client software due to the fact that the platform
vendors do not see any business case in making consumer PKI useful.   Really, how hard can it be???

Anders Rundgren
Received on Saturday, 14 April 2012 06:48:16 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 14 April 2012 06:48:17 GMT