We've been teaching quite a few .NET University sessions across the southeast over the past couple of months. Overall, these sessions have been a big hit. While we get a ton of great technical questions at each session, the one that comes up quite a bit is about CardSpace and why it's a great solution (or is it?).
One of the problems we identify in the digital identity management space is that users, often in frustration, use the same usernames and passwords across multiple sites. When users do diversify, they often keep an unencrypted file on their desktop to store their credentials -- after all, who can remember a dozen usernames and passwords? There's seldom any verification of the credentials users provide, and the end-user experience is inconsistent. The claims that each issuer asserts (such as first name, last name, e-mail, etc.) vary greatly, but there's no centralized way to manage your information.
So, one of the biggest concerns people have after seeing us demo CardSpace is: what happens if my machine is stolen or used without authorization? Wouldn't having all of the cards on that machine increase the likelihood of a problem?
The answer is: maybe. CardSpace isn't about protecting the credentials stored on your machine (that's physical security, not digital identity management). It's about protecting your credentials from interception (phishing, which has increased dramatically over the years), giving the end user more comfort in deciding whom to trust with their information, providing a consistent user experience across otherwise disparate systems, and supporting the WS-* specs.
Your machine is much like your wallet. If your wallet is stolen, you have a certain degree of exposure. We do, of course, recommend that people enable PINs on any cards that hold sensitive information. And, just like the cards in your wallet, it's very easy to cancel cards through the identity provider, as well as to track card usage -- something that is not so easy to do today. So what are we doing about physical security?
BitLocker. BitLocker is a technology in Vista that lets you encrypt your entire hard drive. Because it is implemented below the driver level, it is completely transparent to the end user and has no performance degradation. To use BitLocker, you need either a TPM 1.2 (trusted platform module, typically built into the motherboard) or a USB key. The USB key must be usable from the BIOS (that is, it must not need a driver from the OS), because the key has to be read before the OS boots.
Without getting into specifics (perhaps a future post?), what this does is prevent your drive from being booted on another machine, or even mounted as a different volume on the same machine. Without the proper key, the drive looks like complete garbage. So, not only would your CardSpace cards be encrypted, but your entire drive would be as well. (And frankly, if my laptop were stolen, it's the contents of the drive -- source code, email, spreadsheets, etc. -- that would worry me more than my cards.)
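As an added example (this is not code from the original post), the following PowerShell script audits the posture the two paragraphs above describe: for each volume it reports whether BitLocker protection is on, whether the volume key is bound to a TPM or to an external startup key on USB (the pre-boot key that keeps the drive from being booted or mounted elsewhere), and whether a recovery password has been created. It assumes Windows 8 / Server 2012 or later, where the `Get-BitLockerVolume` and `Get-Tpm` cmdlets exist (they are not available on Vista), and an elevated prompt. The function name `Get-BitLockerPosture` is my own.

```powershell
# Added example, not part of the original post. Requires the BitLocker and
# TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 and later)
# and an elevated prompt. Get-BitLockerPosture is a name chosen for this example.

function Get-BitLockerPosture {
    [CmdletBinding()]
    param()

    # TPM state: absent on many VMs and on older hardware, so tolerate failure.
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { Write-Verbose "No TPM information: $_" }
    $tpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $tpmReady   = [bool]($tpm -and $tpm.TpmReady)

    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # ExternalKey (USB startup key), RecoveryPassword, Password and PublicKey.
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        # "Pre-boot key" means the volume key is released only by the TPM or by a
        # startup key read before the OS loads; that is what stops the drive from
        # being booted or mounted on another machine.
        $preBootKey  = [bool]($types | Where-Object { $_ -like 'Tpm*' -or $_ -eq 'ExternalKey' })
        $hasRecovery = $types -contains 'RecoveryPassword'
        $protected   = ($vol.ProtectionStatus -eq 'On')

        [pscustomobject]@{
            Volume           = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem or Data
            VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
            PercentEncrypted = $vol.EncryptionPercentage
            ProtectionOn     = $protected
            KeyProtectors    = ($types -join ', ')
            PreBootKey       = $preBootKey
            RecoveryPassword = $hasRecovery
            TpmPresent       = $tpmPresent
            TpmReady         = $tpmReady
        }

        # The OS volume is the one a thief would try to boot or mount elsewhere.
        if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($protected -and $preBootKey)) {
            $mp = $vol.MountPoint
            Write-Warning "OS volume ${mp}: protection is off or not bound to a TPM/startup key; a stolen drive could be read on another machine."
        }
        elseif ($protected -and -not $hasRecovery) {
            $mp = $vol.MountPoint
            Write-Warning "Volume ${mp}: no recovery password exists; losing the TPM or USB key means losing the data."
        }
    }
}

Get-BitLockerPosture | Format-Table -AutoSize
```

The two warnings are the checks worth acting on: an OS volume whose key is not tied to the TPM or a startup key gives none of the protection described above, and a protected volume with no recovery password turns a failed motherboard or lost USB key into permanent data loss.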
So, there you have it -- BitLocker and CardSpace to solve the physical security and digital identity problems. One of the cool things you can do with CardSpace is create a self-issued card ... basically, you are asserting pieces of information about yourself without any third party corroborating them.
Why is this cool? Well, think about discussion forums or other places on the internet where having an account is important but doesn't need any substantiation. (Even on my site, I allow anyone to create an account to set up a WorldMap account or view pictures. It doesn't really matter if the claims made by these folks are genuine, only that they go through the process.) CardSpace allows users to create these self-issued cards ... so stay tuned ... I hope to post more in-depth info on these and similar technologies.
