Frequently Asked Questions
Digital Identity
What is digital identity?
What is identity theft?
What is phishing?
How big is the identity theft problem?
What do these identity-related terms mean:
What is the Identity Metasystem?
What are the laws of identity?
CardSpace
What is CardSpace?
How is CardSpace used?
What are the intended scenarios for CardSpace?
Will Microsoft store personal information in CardSpace on my Windows PC?
Is CardSpace targeted at consumers or businesses?
Can CardSpace prevent phishing and identity theft?
What is the difference between CardSpace and Smartcards?
With CardSpace, do passwords go away?
How would a typical end-user make use of CardSpace?
What are the benefits of using CardSpace?
What Websites and businesses support CardSpace?
Have any governmental security agencies (NSA, GCHQ, MI5, etc) been involved in CardSpace? Are they aware of it?
Is CardSpace a way of doing single sign on (SSO)?
How does CardSpace relate to SOA?
Will CardSpace help content providers prevent theft/piracy of copyrighted materials?
Could CardSpace provide the basis for a national ID system?
How does CardSpace allow businesses to comply with national regulations on identity storage?
Does CardSpace enable micro-payments?
How does CardSpace relate to Microsoft’s broader security efforts?
Relationship to Other Microsoft Technologies
Is CardSpace built into Windows?
Is CardSpace supported by IE7 in both Windows XP and Windows Vista?
How does CardSpace relate to .NET Framework 3.0?
How does CardSpace relate to Windows Communication Foundation (WCF)? Is it a feature of WCF or is it just an app built on WCF?
How will the identity metasystem change technology development?
CardSpace and Microsoft’s Online Services
Isn’t CardSpace just Hailstorm all over again?
How does CardSpace relate to Passport / Live ID? Will Live ID be a provider of CardSpace?
How will CardSpace impact Live ID?
Will MSN implement CardSpace support?
How does CardSpace intersect with Windows Live positioning?
Will Windows Live ID work with CardSpace?
Ship Schedule and Vehicles
Considering the number of security vulnerabilities associated with the Windows client and Internet Explorer, why would a customer trust this technology to handle their digital identity information?
Can CardSpace be used on non-Microsoft OSes?
How will customers get CardSpace?
On what versions of Windows will CardSpace be supported?
Features and Implementation
Where is personal information stored?
What happens if the device running CardSpace is lost or stolen?
How do I transfer digital identity from [Web/computer] and put it onto the [card/USB/etc]?
What other platforms will support CardSpace?
Will CardSpace run on non-Microsoft platforms?
What Internet browsers will support CardSpace?
Where do you get digital identities from? How do they get into CardSpace?
What are self-issued identities? How are they used?
Is it possible to selectively release information from a card without exposing more sensitive data?
How can developers incorporate CardSpace into a WCF application?
Can CardSpace be used in conjunction with winlogon to provide access to desktops?
What types of hardware support CardSpace storage? Smart cards, RSA cards, biometrics, USB keys?
Standards and Interoperability
Is CardSpace Microsoft proprietary?
How does CardSpace relate to Web services and WS-* architecture?
What other platform vendors will support CardSpace (IBM, Sun, Oracle, etc)?
What WS-* specs are supported by CardSpace?
How does CardSpace relate to Liberty?
How does CardSpace relate to the Sun/MS announcements about SSO?
How does CardSpace interoperate with existing security protocols?
In addition to Passport, which companies will be STSs?
Does CardSpace provide end-to-end security features? In other words, with CardSpace, will users have to employ any other security mechanisms to share personal information securely? E.g security tokens, two factor authentication, etc.?
Digital Identity
What is digital identity? A digital identity is a set of characteristics (or “claims”) by which a person or thing is recognizable or distinguished in the digital realm. Digital identity allows us to address an individual or thing without confusing it for someone/something else.
What is identity theft? Identity theft is the appropriation of another person's personal information (e.g., name, Social Security number, credit card number, or passport) without that person's knowledge. Identity theft manifests itself in many different forms in both the physical world and online. Frequently, online identity theft comes in the form of “phishing.”
What is phishing? Phishing schemes trick individual consumers into releasing banking and other identity-related information. They take advantage of consumers’ inability to confirm the identity of who they’re dealing with (their Bank, a credit card company, an online business, etc).
How big is the identity theft problem? Internet fraud such as phishing cost banks and credit card issuers $1.2B in 2003. Over 200,000 complaints of Internet-related fraud were reported in 2004. $250 billion was lost in 2004 through exposure of confidential information. 13,776 unique phishing attacks were reported in August 2005 by the Anti-Phishing Working Group.
What do these identity-related terms mean:
· Claims – A claim is an assertion that something is true about a subject, typically one which the receiving party has not yet verified. Several claims can be made as a set. For example, someone may claim that their last name is “Smith”, their first name is “John” and that their date of birth is “June 17th 1965”. These claims can be corroborated by a trusted third party to provide some level of assurance as to their accuracy.
· Tokens – A token is a corroborated set of claims, cryptographically signed by a trusted third party (such as a bank, credit card company or insurance company) that is able to assert that the information contained within the token is accurate. The signature lets the recipient detect any tampering with the token’s contents and confirm which party issued it.
· Federated identity – The notion of having several independent identity providers, each able to assert that the claims it knows about a person are true and accurate. Federated identity does not involve a central identity provider of the kind many historical systems have attempted to promote.
· Federated Trust – The trust relationships between the parties involved in the secure exchange of users’ identity information.
· 2-factor authentication – Requires two distinct forms of identification in order to access a system, e.g. a PIN and a credit/smart card. There are three kinds of identification “factor” generally in use today:
1. Something you know: a password, PIN, etc.
2. Something you have: a credit card, smartcard, hardware token, etc.
3. Something you are: biometric information, e.g. fingerprint, retina scan, etc.
A password alone is single-factor authentication; strong authentication requires at least two factors of different kinds (two passwords are still one factor). The term n-factor authentication describes systems that demand more factors as the required level of assurance rises.
· Security Token Service (STS) – A service responsible for issuing cryptographically signed tokens containing corroborated claims about an individual, typically after that individual has authenticated to it.
· Relying Party – The requestor and eventual consumer of a token asserting claims about an individual; it uses those claims to identify the individual and decide what they are permitted to do.
· Identity Provider – An organization that acts as a trusted provider of identity information through an STS.
What is the Identity Metasystem?
From: http://www.identityblog.com/stories/2005/07/05/IdentityMetasystem.htm
The Identity Metasystem is an interoperable architecture for digital identity that assumes people will have several digital identities based on multiple underlying technologies, implementations, and providers. Using this approach, not only will individuals be put in control of their identity, but organizations will be able to continue to use their existing identity infrastructure investments, choose the identity technology that works best for them, and more easily migrate from old technologies to new technologies without sacrificing interoperability with others.
What are the laws of identity?
From: http://www.identityblog.com/stories/2005/07/25/thelaws.html
1. User Control and Consent: Technical identity systems must only reveal information identifying a user with the user's consent.
2. Minimal Disclosure for a Constrained Use: The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution. Only the information necessary for a given task or scenario should be released at any time, and the receiving party should not cache or store it beyond that use.
3. Justifiable parties: Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship
4. Directed Identity: A universal identity system must support both "omni-directional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles
5. Pluralism of Operators and Technologies: A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers
6. Human Integration: The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks
7. Consistent Experience Across Contexts: The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies
CardSpace
What is CardSpace? CardSpace is a new feature of Windows that gives individuals unprecedented control of their digital identities, while also helping users to manage their privacy. Users download cards from identity providers such as their bank, employer, government agency, or membership organization, or create their own self-issued cards. When a Website or Web service requests a user’s credentials, CardSpace will be invoked and allow the user to select a card to present. CardSpace then retrieves a verifiable credential from the selected identity provider, or the self-issuing authority as the case may be, utilizing interoperable protocols. It then forwards the credential to the target application. This provides users with a simple, secure and familiar sign-on experience that is consistent across all Websites and Web services.
How is CardSpace used? CardSpace reduces the number of usernames and passwords consumers must remember, and helps prevent the theft of personal information through phishing schemes. Consumers use their cards to identify themselves to applications, websites and online services. It is the first step in enabling millions of Web sites to provide a safer, more secure experience to customers.
What are the intended scenarios for CardSpace? CardSpace will provide consumers with a simpler and safer digital identity experience that closely resembles the one they have in the physical world. It will provide a common way for people to manage their digital identities (similar to how we use wallets or purses to hold the different physical identity cards we have today); a common way to know when to use which digital identity (similar to seeing a sticker on the window of a store that says which credit cards it accepts for payment); and a common way of increasing the assurance that the party asking for a user’s digital identity is who they say they are (similar to presenting your bank account number and state ID to a teller at a bank when withdrawing funds, knowing that it is the bank you are presenting this information to).
Will Microsoft store personal information in CardSpace on my Windows PC? Microsoft does not provide a universal, centralized identity store, but leaves it up to the issuing Party (Bank, Government agency, Credit Card Vendor, Insurance company, Hotel Chain) and identity providers to decide how and where to store that information. Consumers can also create self-issued cards with the information they are willing to store and submit.
Is CardSpace targeted at consumers or businesses? CardSpace was designed to support Microsoft’s vision of an Identity Metasystem, which spans personal, commercial, and government scenarios. The CardSpace user experience will be consistent and predictable across B2B, B2C, and B2E applications.
Can CardSpace prevent phishing and identity theft? No single technology measure will absolutely prevent identity theft, but CardSpace mitigates the risks of the most commonly deployed attacks, including phishing, by eliminating the need for passwords and replacing them with cryptographically strong credentials. Because the card selector shows the user who is asking before anything is released, and a token is issued for the specific party that requested it, a credential captured by a look-alike site is of little use to its operator.
What is the difference between CardSpace and Smartcards? Smartcards and CardSpace can work in concert with one another. A CardSpace card is a digital representation of a user’s identity as issued by a particular Identity Provider. When the customer selects a card, such as when logging into an online account or performing an online payment, a request is sent to a Security Token Service (STS) at the Identity Provider to generate a security token of the requested type. Sometimes the user must provide a credential, such as a PIN or password, to the Security Token Service. A smartcard may be used as such a credential.
With CardSpace, do passwords go away? Passwords will be in use for years to come. CardSpace will provide a more secure method for users and organizations to establish relationships. Over time, CardSpace will reduce the reliance on passwords.
How would a typical end-user make use of CardSpace? CardSpace will provide the consumer with a simpler and safer digital identity experience that is very similar to how we use wallets or purses to hold the different physical identity cards we have today. Consumers will use CardSpaces the way we use ID and payment cards today. For example, a user might use one of their CardSpaces in order to log into online websites or services. These cards might be self-issued (containing uncorroborated claims) or provider-issued (containing claims corroborated by a third party such as a bank or an insurance company). After adding several items to their shopping cart, a user might opt to pay for the products by selecting a card issued by a bank or credit card company.
What are the benefits of using CardSpace?
Consumer:
Increased confidence – Customers can interact with Websites and Internet applications knowing that their identity is secure.
Consistent experience – Customers get the same easy-to-use, recognizable & trusted user experience across Websites.
Control - Consumer always remains in control of their identity
Businesses:
Reduced costs – associated with fraudulent purchases
Customer intimacy – Build better relationship with identified customers
Be seen as taking active interest in protecting customer’s identity
ISVs and IHVs:
Improved security – Deliver applications that help protect users’ identities
Improved customer relationships – Boost customers’ confidence by delivering apps that provide a standard, consistent, secure identity model
Increased sales – through increased customer confidence and trust
Developers and IT Pros:
Reduced Code - Reduces amount of code & effort required to enable secure identity features
Productivity - Offload the hard work of identity management to generic platform infrastructure, saving time, effort and money
What Websites and businesses support CardSpace? We are working with a broad range of businesses, organizations and vendors to understand how they can leverage the benefits of CardSpace and offer these benefits to their customers and partners.
Have any governmental security agencies (NSA, GCHQ, MI5, etc) been involved in CardSpace? Are they aware of it? Yes. We have been working, and will continue to work, with several government agencies and businesses around the world to understand the identity metasystem as well as our implementation of CardSpace.
Is CardSpace a way of doing single sign on (SSO)? Yes, CardSpace could be used as part of a single-sign-on solution.
How does CardSpace relate to SOA? CardSpace is an essential component of any application which needs to identify the user, regardless of any given architectural perspective.
Will CardSpace help content providers prevent theft/piracy of copyrighted materials? Potentially, yes. Since CardSpace provides a way to identify individuals, it could be used as part of a Digital Rights Management solution.
Could CardSpace provide the basis for a national ID system? While we are still in the early development phases of CardSpace, it could potentially be used within a national ID infrastructure.
How does CardSpace allow businesses to comply with national regulations on identity storage? These regulations differ widely around the world – some are more restrictive than others. We’re working to understand the role that CardSpace could play within such regulations.
Does CardSpace enable micro-payments? CardSpace provides a powerful identity management system. Should a micro-payment provider require the ability to securely identify the parties involved in a payment transaction, then they could certainly use CardSpace for this purpose.
How does CardSpace relate to Microsoft’s broader security efforts? CardSpace is one of the many activities Microsoft is engaged in to ensure the security and confidentiality of individuals’ identities and information and is a key component providing user-controlled authentication facilities.
Relationship to Other Microsoft Technologies
Is CardSpace built into Windows? CardSpace is included within Windows Vista and is available as an optional add-on for both Windows XP SP2 and Windows Server 2003 SP1.
Is CardSpace supported by IE7 in both Windows XP and Windows Vista? Yes. Web applications are one of the primary use cases for CardSpace and Microsoft’s goal is for all browsers, including IE 7, to support it.
How does CardSpace relate to .NET Framework 3.0? CardSpace is one of the next-generation technologies exposed as part of the .NET Framework 3.0 APIs, along with Windows Communication Foundation, Windows Workflow Foundation and Windows Presentation Foundation.
How does CardSpace relate to Windows Communication Foundation (WCF)? Is it a feature of WCF or is it just an app built on WCF? CardSpace and WCF are two distinct technologies that are delivered within .NET Framework 3.0. CardSpace provides an end-user focused technology that allows users to create and choose security claims that naturally span trust domains and mitigate several security issues (e.g. phishing) that exist today. CardSpace was built using WCF and integrates into WCF’s security subsystem. Using an explicit credential type, CardSpace can be easily integrated into a WCF-based application.
How will the identity metasystem change technology development?
While WCF was being built we formed a core security team that closely examined how previous identity and access models had been built. It became clear that a very similar set of scenarios were repeatedly implemented time and again in different technology silos.
Rather than repeat this pattern, we began a process of collaborating with other groups to jointly define a suite of WS-* specs that abstracted the security protocols necessary to enable federated security, identity and access control. It was very important that this family of protocols would support the encapsulation and exchange of various identity tokens such as X.509, Kerberos, SAML, etc.
There are several key pieces to the suite of security protocols. A person makes claims about their identity (e.g. my username is “foo”, my password is “bar”, etc) to an authentication engine. How a user proves their identity claims depends on the authentication engine they are using, such as Kerberos or X.509. Once the person’s claims are validated, the authentication engine returns a cryptographically secured token representing the assertion that the person’s identity is valid.
WS-Security uses these tokens in order to sign and/or encrypt messages, providing message integrity and confidentiality.
WS-SecureConversation provides a way to establish a secure “conversation” between two parties, so that the cost of the initial key exchange is paid once rather than on every message.
WS-SecurityPolicy provides a way to tell other parties what claims and token types to use in order to secure messages. This is an extremely important facility and essential to simplifying the development of secure distributed systems.
WS-Trust enables federated identity scenarios by providing a way for an entity’s claims to be securely obtained from a Security Token Service (STS). This means that an individual’s credentials can be federated across a number of providers rather than stored in a single central engine.
The net result of this approach is that it enables existing systems and new systems to work together through a set of simple principles, regardless of which platforms and technologies are involved.
On top of this suite of protocols, Microsoft has built a security technology platform consisting of WCF, CardSpace and Active Directory Federation Services (ADFS), built into the core of the Microsoft platform. This will enable Windows developers to deliver more secure, robust and flexible applications with far less effort than before.
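The exchange described above, as an added example that is not part of this page or of any Microsoft code: a relying party advertises the issuer it trusts and the claims it needs, a Security Token Service authenticates the user and issues a token carrying only those claims, bound to the requesting party, and the relying party verifies it. It is written in Python rather than against the .NET APIs the page discusses so that it runs stand-alone. HMAC-SHA256 over canonical JSON stands in for the XML Signature over a SAML token used by the real protocol, which also means the relying party here holds a key shared with the STS instead of the STS's certificate; the issuer URL, key, PIN and user record are constructed for the example.

```python
"""Added example: a simplified WS-Trust style exchange between a relying
party (RP) and a Security Token Service (STS). HMAC-SHA256 over canonical
JSON stands in for the XML Signature over a SAML token used by the real
protocol; issuer, key, PIN and user record below are constructed."""
import hashlib
import hmac
import json
import time

# Constructed trust configuration. A real RP would hold the STS's X.509
# certificate; here a key shared by STS and RP plays that role.
STS_ISSUER = "https://sts.example-bank.test"
STS_KEY = b"constructed-sts-signing-key"
TRUSTED_ISSUERS = {STS_ISSUER: STS_KEY}
TOKEN_LIFETIME = 300  # seconds

# Constructed user directory from which the STS corroborates claims.
STS_USERS = {
    "alice": {
        "pin": "1234",
        "claims": {
            "givenname": "Alice",
            "surname": "Smith",
            "dateofbirth": "1965-06-17",
            "accountnumber": "00112233",
        },
    }
}


def canonical(payload):
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def rp_policy(audience, required_claims):
    """What the RP advertises via WS-SecurityPolicy: the issuer it trusts and
    the claims a token must carry. 'audience' identifies the RP itself."""
    return {"audience": audience, "issuer": STS_ISSUER,
            "required_claims": list(required_claims)}


def sts_issue(username, pin, policy, now=None):
    """RequestSecurityToken handling: authenticate the user, then issue a token
    bound to the requesting RP that carries only the claims it asked for."""
    user = STS_USERS.get(username)
    if user is None or not hmac.compare_digest(user["pin"], pin):
        raise PermissionError("authentication failed")
    missing = [c for c in policy["required_claims"] if c not in user["claims"]]
    if missing:
        raise ValueError("cannot corroborate claims: %s" % missing)
    now = int(time.time() if now is None else now)
    payload = {
        "issuer": STS_ISSUER,
        "audience": policy["audience"],
        "issued_at": now,
        "expires": now + TOKEN_LIFETIME,
        "claims": {c: user["claims"][c] for c in policy["required_claims"]},
    }
    signature = hmac.new(STS_KEY, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def rp_verify(token, policy, now=None):
    """RP-side checks on a presented token. Returns (accepted, claims_or_reason)."""
    payload = token["payload"]
    key = TRUSTED_ISSUERS.get(payload.get("issuer"))
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        return False, "signature does not match token contents"
    if payload["audience"] != policy["audience"]:
        return False, "token was issued for a different relying party"
    now = time.time() if now is None else now
    if not payload["issued_at"] <= now < payload["expires"]:
        return False, "token expired or not yet valid"
    missing = [c for c in policy["required_claims"] if c not in payload["claims"]]
    if missing:
        return False, "required claims missing: %s" % missing
    return True, payload["claims"]


if __name__ == "__main__":
    shop = rp_policy("https://shop.example.test", ["givenname", "surname"])
    token = sts_issue("alice", "1234", shop)
    print("shop:", rp_verify(token, shop))
    # A look-alike site obtains its own token, but the shop rejects it
    # because the audience names the look-alike, not the shop.
    lookalike = rp_policy("https://shop-example.test", ["givenname", "surname"])
    print("replayed:", rp_verify(sts_issue("alice", "1234", lookalike), shop))
```

The order of checks in rp_verify matters: issuer trust and signature come first, so that nothing in an unsigned or forged token is relied on for the later audience and lifetime decisions, and the date of birth and account number never appear in the token because the STS copies only the claims the policy named.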
CardSpace and Microsoft’s Online Services
How does CardSpace relate to Passport / Live ID? Will Live ID be a provider of CardSpace? Microsoft’s Passport/Live ID engine is a very successful identity and authentication engine for Microsoft Web sites and applications. In addition to working with various other identity providers across the industry, we are working with the Live ID team to incorporate the necessary features into Live ID to enable it to issue identity tokens.
How will CardSpace impact Live ID? Passport and MSN plan to implement support for the identity metasystem as an online identity provider for MSN and its partners. Live ID users will get improved security and ease of use, and MSN Online partners will be able to interoperate with Live ID through the identity metasystem.
Will MSN implement CardSpace support? MSN uses Microsoft Passport for identifying users. Because Microsoft Passport will issue CardSpace tokens, MSN will offer an integrated CardSpace experience.
How does CardSpace intersect with Windows Live positioning? For consumers using Microsoft’s new Windows Live Internet-based services, CardSpace will provide enhanced security by helping users better manage their personal identity information and control its release.
Will Windows Live ID work with CardSpace? Yes, we do plan for Windows Live ID to work with CardSpace in the future.
Ship Schedule and Vehicles
Considering the number of security vulnerabilities associated with the Windows client and Internet Explorer, why would a customer trust this technology to handle their digital identity information? Microsoft has made very deep investments and huge advances in securing not only the core Operating System, but also the subsystems and applications that run on top of the OS. Managed code (.NET) is significantly less prone to the memory-safety problems, such as buffer overflows, experienced by traditional native code, regardless of which OS the native code is running on.
Since CardSpace and all of WinFX are implemented in managed code on top of Windows’ secure, trusted operating systems, users of CardSpace can be confident that Microsoft has gone to great lengths to ensure the security of their identity information.
Can CardSpace be used on non-Microsoft OSes? CardSpace is Microsoft’s implementation of an end user experience for managing their digital identities, based upon the open WS-* protocols. Therefore, other platform vendors, browser vendors, etc, are free to implement their own version of CardSpace for non Windows clients.
How will customers get CardSpace? CardSpace will be shipped as part of WinFX, built into Windows Vista and simultaneously shipped as a redistributable for Windows XP and Windows Server 2003.
On what versions of Windows will CardSpace be supported? Windows XP SP2+, Windows Server 2003 SP1+, and Windows Vista.
Features and Implementation
Where is personal information stored? Each Issuing Party (Bank, Government agency, Credit Card Vendor, Insurance company, Hotel Chain) determines the information stored within each card. Sometimes, little more than a name and an ID number are stored. Other Issuing Parties may store more/less/different information. It is the responsibility of the Issuing Party to store this information and to return this information on users’ request – this is the basis of a federated identity metasystem. Microsoft does not provide a universal, centralized identity store.
What happens if the device running CardSpace is lost or stolen? All information stored within cards is encrypted on disk, and cards can also be protected with a PIN or password, so that whoever obtains the device cannot simply use the cards.
How do I transfer digital identity from [Web/computer] and put it onto the [card/USB/etc]? Cards can be exported and imported to and from secured files stored on a host PC.
What other platforms will support CardSpace? Because CardSpace is implemented on top of open, standard WS-* protocols, other vendors are free to build equivalent implementations of CardSpace on other platforms.
Will CardSpace run on non-Microsoft platforms? CardSpace is Microsoft’s implementation of a secure identity system built on top of open, standard WS-* protocols. CardSpace therefore will only run on Microsoft’s platform, but there is nothing to stop other vendors offering equivalent implementations on other platforms.
What Internet browsers will support CardSpace? Microsoft’s Internet Explorer 7 will support CardSpace and we’re working with other browser vendors to investigate their support for CardSpace.
Where do you get digital identities from? How do they get into CardSpace? Cards can be issued by various Identity Providers and imported into a user’s CardSpace using the CardSpace UI.
What are self-issued identities? How are they used? Self-issued cards contain claims that an individual asserts about themselves, which are not corroborated by a third party. They can be used as a more secure alternative to usernames/passwords, because the site receives a signed token rather than a shared secret that can be phished or reused.
Is it possible to selectively release information from a card without exposing more sensitive data? CardSpace presents the list of claims requested by a site / application before a user selects a card, and also displays a “preview” of the token’s values prior to returning them to the requestor. Only the requested claims are included in the token. Users therefore have two opportunities to decline to send their identity information to a requesting site.
How can developers incorporate CardSpace into a WCF application? Windows Communication Foundation has a flexible security infrastructure which is fully integrated with CardSpace as well as other forms of identity tokens including Kerberos and SAML. Developers can configure their WCF services to require authentication with CardSpace and the user will be seamlessly prompted to authenticate with CardSpace.
Can CardSpace be used in conjunction with winlogon to provide access to desktops? This is not a currently supported scenario.
What types of hardware support CardSpace storage? Smart cards, RSA cards, biometrics, USB keys? We are working with a number of identity storage vendors interested in building support for CardSpace.
Standards and Interoperability
Is CardSpace Microsoft proprietary? CardSpace is part of Microsoft’s implementation of an identity metasystem supported by open standard WS-* protocols. While CardSpace runs on Microsoft Windows, it is compliant with the supported WS-* standards and with other vendors’ implementations on other platforms. In addition, other vendors can build implementations of CardSpace-like technologies to run on other platforms.
How does CardSpace relate to Web services and WS-* architecture? CardSpace is part of Microsoft’s implementation of an identity metasystem based on standard protocols and composes seamlessly with the WS-* security protocol family (including WS-Security, WS-Secure Conversation, WS-SecurityPolicy, WS-MetadataExchange, WS-Trust, etc).
What other platform vendors will support CardSpace (IBM, Sun, Oracle, etc)? We are working with a number of businesses, organizations and vendors to encourage their support and adoption of the identity metasystem.
What WS-* specs are supported by CardSpace? CardSpace supports WS-Security, WS-Secure Conversation, WS-SecurityPolicy, WS-MetadataExchange and WS-Trust.
How does CardSpace relate to Liberty? CardSpace is the codename for a new feature of Windows that gives individuals unprecedented control of their digital identities, while also helping users to manage their privacy. Liberty is focused on a subset of the issues involved in federated SSO. We continue to communicate with the Liberty organization and its members, as well as drive discussion in the Web services space, to ensure that customers will be able to use secure, reliable, transacted Web services as a part of their identity management solutions.
How does CardSpace relate to the Sun/MS announcements about SSO? The Sun & Microsoft announcement on SSO focuses more on the way in which Microsoft’s ActiveDirectory and Sun’s Java Enterprise System can exchange authentication tokens using WS-Federation. This scenario is enabled by ADFS, although the scenario could be extended to support CardSpace in the future.
How does CardSpace interoperate with existing security protocols? CardSpace is part of Microsoft’s implementation of an identity metasystem conforming to Kim Cameron’s widely accepted “Identity Metasystem”. The metasystem is fully supported by the WS-* security protocols and is open to all parties. CardSpace uses these protocols to provide a secure way in which the release of identity claims can be controlled by a user and trusted by a receiving application or service.
In addition to Passport, which companies will be STSs? We are working with potential identity providers across multiple industry segments to discuss the possibility of providing a range of STSs. Examples of potential identity providers include banks, government agencies (driver’s licenses, National Passports), Credit Card companies, Medical coverage providers, etc.
Does CardSpace provide end-to-end security features? In other words, with CardSpace, will users have to employ any other security mechanisms to share personal information securely? E.g security tokens, two factor authentication, etc.? CardSpace is a useful substrate that provides much of what is needed to implement a secure identity infrastructure. Additional enhancements, such as n-factor authentication, biometrics, etc, are openly welcome and can be seamlessly integrated into the metasystem.