June 23, 2008 10:29 AM PDT

Information Card Foundation launched

by Robert Vamosi

A group including Equifax, Google, Microsoft, Novell, Oracle, and PayPal, plus nine leaders in the technology community, announced on Monday the creation of the Information Card Foundation (ICF) with the goal of increasing awareness of the use of electronic ID cards on the Internet, and encouraging interoperability in business around new standards.

"We need to come together in a neutral body to continue to promote the adoption of this technology," said Paul Trevithick, CEO of Parity and chairman of the ICF.

Information cards are online equivalents of physical ID cards, such as a driver's license. The basic idea is that customers would have an electronic wallet with various information cards. This would allow customers to bypass typing in user names and passwords. For example, a student accessing a university network would simply present his or her electronic student information card.

That basic concept isn't new. Various vendors have introduced variations on this before. Microsoft recently introduced its own CardSpace concept with the Windows Vista operating system.

However, there are "still too many user names, too many passwords," said Kim Cameron, an architect of Identity and Access at Microsoft. "There's this endless digital baptism of filling in forms and logging in everywhere, and it creates a wonderful environment for the criminal element through phishing attacks and what have you because on the Internet no one does know you are a dog."

What ICF hopes to introduce instead is a tripartite system. In real time, a user would sync via encrypted connection with an ID provider (say a bank or credit card issuer), and also with a reliant party (a university network, a financial site, or an e-commerce site). Unlike having a credit card number, which anyone on the Internet can use anytime, the ID card model proposed by the ICF requires that all three players (user, provider, reliant party) be synced in real time before the transaction could proceed. The addition of a trusted third party in real time should make the new proposal more secure.

Trevithick said that nearly 50 companies participated in discussions at the RSA 2008 conference in February. Additional discussions are planned for upcoming security conferences through the end of 2008. The idea is to bring together as many players in the identification card space as possible. Currently, the ICF steering committee includes Trevithick, Cameron, Drummond Reed (VP of infrastructure at Parity), Mary Ruddy (founder of Meristic), Axel Nennker (consultant at T-Systems Enterprise Services), Pamela Dingle (consultant for Nulli Secundus), Ben Laurie (of OpenSSL and The Bunker), Andrew Hodgkinson (embedded software engineering consultant and contractor), and Patrick Harding (CTO at Ping Identity).

The foundation's site with more information will be live on Tuesday.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by tech_crazy June 23, 2008 4:36 PM PDT
How is this different from Sun's Liberty Alliance or Microsoft's Passport system?
by swallac2 June 23, 2008 6:53 PM PDT
Sun doesn't own LA, it is an alliance of many companies. LA was sort of folded into SAML 2.0. This is sort of like a follow on to Passport. The failure of Passport was that people did not want to supply MS with their personal information. CardSpace (formerly InfoCard - I think the open source version from Bandit/Higgins/Novell retains this name) allows any identity provider to issue a "card." Doing so allows a user to avoid using a password in the future. Think of it like an x509 soft cert, however (from what I have seen) it is more user friendly. On the backend it is using standard federation protocols (either SAML or WS-*).
by jlcgrp June 24, 2008 7:04 AM PDT
Fascinating that these brilliant minds have decided to compare notes, especially given that several have recently had the opportunity to review a very compelling (and patent-pending) approach developed by Connecticut-based 'upstart' KeyID. The founder is a former developer for amongst others, Computer Associates and was a captive consultant to Goldman Sachs. Perhaps the "not invented here" mindset remains the primary obstacle to innovation and problem solving.

At least one of the 'founding members' mentioned in the release had indicated that ".. phishing isn't a problem for us, as the costs relating to phishing, fraudulent purchases and/or identity theft are passed along to merchants--and that the costs associated with identity theft "isn't our problem....so introducing a new approach that can address the variety of problems and otherwise shut the doors to phishers, aggregate password access, be portable (i.e. application that can be integrated into the variety of internet access devices), provide easy integration into existing security technology platforms, be user friendly and require nominal maintenance, and offer a standard protocol by which the industry at large can benefit doesn't offer us a justification i.e. return on investment..."
by dbheiser June 24, 2008 8:15 AM PDT
This sounds similar to public key infrastructure (PKI). Entrust's implementation, in particular. Any connection?