- From: Harry Halpin <hhalpin@ibiblio.org>
- Date: Thu, 7 Oct 2010 15:02:04 +0200
- To: Paul Trevithick <ptrevithick@gmail.com>
- Cc: Kaliya <kaliya@mac.com>, Dick Hardt <dick.hardt@gmail.com>, Mischa Tuffield <mischa.tuffield@garlik.com>, "public-xg-socialweb@w3.org" <public-xg-socialweb@w3.org>
Paul,

Here is the Infocard section - it's had some light editing to make it shorter, so if you can make sure it's right:

InfoCard

Infocard is a user-centered identity technology based on three interrelated concepts: the card metaphor, active client software, and the OASIS IMI protocol for identity authentication [INFOCARD!!]. As such, it is a multi-layered integrated approach and infrastructure in and of itself.

Active client software integrated with the local browser, sometimes called a selector, acts as a local digital wallet for the user. Each card in this wallet supports a set of profile attributes called claims. Personal cards can be created directly by the user and hold self-asserted claims and values. Managed cards, on the other hand, are issued by identity provider websites that act as the authority for the claims supported by that card.

The interactions between the active client and external services are defined by the OASIS IMI standard [IMI!!]. Under IMI, an infocard-compatible relying party website, usually via HTML extensions, passively expresses its policy: the set of claim URIs that it requires, the card issuer it trusts, etc. When the user clicks on an HTML button, extensions within the browser trigger the invocation of the active client, which displays a set of cards that support the claims required. If a managed card is selected by the user, the user authenticates and the client fetches a security token from the card issuer site using IMI protocols, and POSTs it to the relying website where it can be validated and the claim values extracted.

The Infocard architecture provides phishing resistance, eliminates the need for per-site passwords, provides a familiar card/wallet metaphor, and provides on-the-fly privacy enhancements (e.g. attribute minimum disclosure and generation of pseudonyms).

Microsoft's Cardspace is built into Vista and Windows 7. Open source projects including Novell's Digital Me, OpenInfocard, and Eclipse Higgins provide clients for MacOS, Linux, Windows, and iPhone as well as support for popular browsers. Commercial and open source card issuing services and relying party enabling technology are also available from a number of providers.

While much has been achieved, Infocard remains a work in progress. Its main disadvantage is the perceived complexity of interlocking standards and technology needed to support the architecture, so current work is on driving adoption via a focus on applications in the government sector. Infocard's relatively secure architecture and privacy-respecting characteristics when compared with most browser-redirect-based identity technologies are compelling in this marketplace.

On the technology side, work is underway (e.g. within [1]) on active clients that move a considerable distance beyond the first generation clients that came to market in 2007-8. These new clients, while implementing the IMI protocol, will also add support for other protocols to make them interoperable. These Infocard-aware clients incorporate Web services to at the least provide "card roaming" across browsers and devices and can provide a "Personal Data Store." New kinds of relationship cards that create continuous data feeds vs. one-shot attribute conveyance are under development. It is expected that this is now moving into "identity in the browser" work.

On Thu, Oct 7, 2010 at 2:58 PM, Paul Trevithick <ptrevithick@gmail.com> wrote:
>
> On Oct 7, 2010, at 8:34 AM, Harry Halpin wrote:
>>
>> We can just ditch this "profile provider" term then as it seems
>> redundant. But we want to remain studiously neutral to data formats
>> for attributes :)
>>
>> "Identity providers make claims (at least one) by providing attributes
>> and so also function as providers of profile attributes, and may or
>> may not authenticate the identity of a user.
>
> Well yes. The whole purpose of an identity provider is to provide "identity"--and in this specific, narrow context the term "identity" means nothing more nor less than "a set of attributes" (often called claims) about some digital subject.
Received on Thursday, 7 October 2010 13:02:38 UTC
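The relying-party half of the IMI exchange sketched in the draft above (the page passively stating its policy, then validating the POSTed token and extracting claim values) is illustrated by the following example. It is added here and is not part of the message, nor code from CardSpace, Higgins, OpenInfocard or any other InfoCard project. The claim namespace, the `application/x-informationCard` object element with its `tokenType`, `requiredClaims` and `issuer` params, and the SAML 1.1 assertion layout are the real ones used by InfoCard relying parties; the issuer, audience, PPID and e-mail values, and the token itself, are constructed for the example. It assumes that the posted token has already been decrypted and signature-verified by an XML-security library, so it covers only the policy checks (trusted issuer, validity window, audience, required claims) an RP must make before using any claim value.

```python
"""Relying-party side of the InfoCard/IMI flow: publish a claim policy in the
page, then validate the security token the selector POSTs back.
Constructed example for illustration; not W3C, OASIS or CardSpace code.
ASSUMPTION: the posted token has already been decrypted and its signature
verified by an XML-security library; only policy checks are done here."""
import html
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Real namespaces: the IMI/CardSpace claim namespace and SAML 1.x assertions.
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
EMAIL_CLAIM = CLAIMS_NS + "/emailaddress"
PPID_CLAIM = CLAIMS_NS + "/privatepersonalidentifier"  # per-RP pseudonym


def policy_object_html(required_claims, issuer=None, token_type=SAML1_NS):
    """Render the <object> element through which an IMI-enabled page
    passively states its policy (required claim URIs, trusted issuer)."""
    params = [("tokenType", token_type),
              ("requiredClaims", " ".join(required_claims))]
    if issuer:
        params.append(("issuer", issuer))
    body = "".join(f'<param name="{html.escape(n)}" value="{html.escape(v)}"/>'
                   for n, v in params)
    return (f'<object type="application/x-informationCard" name="xmlToken">'
            f'{body}</object>')


class TokenRejected(Exception):
    """Raised when a posted token fails a policy check."""


def _q(local):
    """Clark-notation tag for a SAML 1.x element."""
    return f"{{{SAML1_NS}}}{local}"


def _ts(value):
    if value is None:
        raise TokenRejected("missing timestamp in Conditions")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_token(xml_token, *, trusted_issuers, audience,
                   required_claims, now=None):
    """Check issuer trust, validity window, audience and required claims on a
    SAML 1.1 assertion; return {claim URI: value} on success."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_token)  # expat does not fetch external entities
    if root.tag != _q("Assertion"):
        raise TokenRejected("not a SAML 1.x assertion")
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        raise TokenRejected(f"untrusted issuer {issuer!r}")
    cond = root.find(_q("Conditions"))
    if cond is None:
        raise TokenRejected("assertion carries no Conditions")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise TokenRejected("token outside its validity window")
    audiences = {a.text for a in cond.iter(_q("Audience"))}
    if audience not in audiences:
        raise TokenRejected("token was not issued for this relying party")
    claims = {}
    for attr in root.iter(_q("Attribute")):
        uri = (attr.get("AttributeNamespace", "").rstrip("/") + "/"
               + attr.get("AttributeName", ""))
        values = [v.text or "" for v in attr.findall(_q("AttributeValue"))]
        claims[uri] = values[0] if len(values) == 1 else values
    missing = set(required_claims) - claims.keys()
    if missing:
        raise TokenRejected(f"required claims missing: {sorted(missing)}")
    return claims


RP_AUDIENCE = "https://rp.example/"            # constructed
TRUSTED_ISSUER = "https://issuer.example/sts"  # constructed
SAMPLE_NOW = datetime(2010, 10, 7, 13, 5, tzinfo=timezone.utc)

# Constructed SAML 1.1 token with a minimum-disclosure claim set: just an
# e-mail address and a PPID pseudonym.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
  AssertionID="uuid:constructed-0001" Issuer="{TRUSTED_ISSUER}"
  IssueInstant="2010-10-07T13:00:00Z">
  <saml:Conditions NotBefore="2010-10-07T13:00:00Z" NotOnOrAfter="2010-10-07T13:10:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{RP_AUDIENCE}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>constructed-subject</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>ppid-constructed-value</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def demo():
    """Run the sample token through the RP policy; returns extracted claims."""
    return validate_token(SAMPLE_TOKEN, trusted_issuers={TRUSTED_ISSUER},
                          audience=RP_AUDIENCE,
                          required_claims=[EMAIL_CLAIM, PPID_CLAIM],
                          now=SAMPLE_NOW)


if __name__ == "__main__":
    print(policy_object_html([EMAIL_CLAIM, PPID_CLAIM], issuer=TRUSTED_ISSUER))
    print(demo())
```

The audience and validity-window checks are what stop a token obtained for one site from being replayed to another, and the issuer check is the RP-side counterpart of the `issuer` param it published in the page; the PPID claim shows the pseudonym mechanism the draft mentions, since the issuer derives it per relying party rather than handing out a global identifier.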