With Passport, Microsoft had exactly the wrong approach as the software maker needlessly stepped between businesses and their customers--so says Kim Cameron, the identity expert who leads Microsoft's current effort, known as InfoCard.
Microsoft Chairman Bill Gates on Tuesday touted InfoCards as one of the technologies that could finally help cement the death of the username and password as the means of verifying identity on the Internet.
RSA: Consumer trust and the government's thrust
But before InfoCard can supplant anything, Microsoft will have to line up Web sites to use it, banks and credit card companies to support it and then get consumers to buy in, too. Cameron sat down with CNET News.com this week to talk about InfoCard, how it works and what Microsoft needs to do to make sure it doesn't whiff again.
Q: What makes this attractive to others--to, say, Web site owners?
Cameron: When you first go to a Web site, their mantra, somebody told me, is "acquire, acquire, acquire." I didn't know what that meant. But what that means is: Get that customer relationship going. At that moment, a lot of people will want to accept any InfoCard they can, then later, they get pickier. For example, if you want to buy something they will probably want something from a credit card company or a bank.
It's a bit of a chicken and egg thing. How do you guys get enough of the right people on board, build enough of an ecosystem?
Cameron: One of the things is people don't have to throw out their current authentication mechanism for InfoCard. And you don't have to change much at your site. It's just one very small component of the site that changes. The rest of the site all just stays the same. So, the investment required is small. And it becomes easier to acquire (new customers).
Now the question is: "Can we as Microsoft put together the right partnerships?" It?s hard. I've never worked on anything this hard, but the payoff is huge if it can be done. Then the question is: "Does the industry want to do it?" Microsoft can't do it by ourselves. Nobody can do it by themselves.
If I'm a user of Vista (the next version of Windows). How do I get an InfoCard. Is it something that is just there?
Cameron: A self-issued one you create yourself. If you get one, say from your bank, you go to your bank's Web site and you double click on it. It will give you your InfoCard--you might have to enter a one-time password or something that they have given you. It just appears in your InfoCard collection. You go through the verification process and it will appear in your InfoCard collection.
Is it limited to Internet Explorer. You have talked about it being implemented in the browser, but is it limited to that?
Cameron: It's not implemented to the browser. It?s integrated with the browser. The browser uses it, but it's an underlying platform service. Mozilla can use it just as well as IE (Internet Explorer). That's key. If that isn't the case, it just won't get the reach that we need.
It seems like the intent is for there to be multiple and compatible things there, a mechanism that keeps it so that when Apple does it, it's compatible with InfoCard?
Cameron: This is the nice thing. It's built on these standards that a lot of companies have adopted, Web services standards. It's really a precise collection of standards--WS-Trust, WS-Security, WS-Security Policy.
What about the whole Liberty Alliance specification?
Cameron: This is not positioned against Liberty. I am an admirer of Liberty. Liberty has done a lot of great things around policy, leadership on federation. This is something that a Liberty-enabled site can use for interacting with their customers.
Now, in terms of WS standards and Liberty, currently Liberty runs on the SAML (Security Assertion Markup Language) protocol, and WS standards are slightly different, although they share components. We're also working to try and align those things. But those things don't impact InfoCard.
See more CNET content tagged:
Microsoft Windows CardSpace, credit card company, bank, credit card, Microsoft Corp.
- Wheres the security in InfoCards
- by OneWithTech February 19, 2006 5:47 AM PST
- I just finished the interview and was wondering if Microsoft <br />could actually answer the real question being asked here. How is <br />the InforCard security differ from that of say -- server <br />certificates that allow authentication?<br /><br />As my InfoCard deck builds and E-Com sites come and go how <br />can I ensure that InfoCard will remain a secure alternative?<br /><br />Will InfoCard be subject to phishing and web site spoofing?<br /><br />I ask these questions as a web developer / designer, computer <br />repair man, marketeer and media guru; with an interest on how <br />you, Microsoft, plan on accomplishing a feat like this when the <br />very operating system and browser that will be powering this <br />feature is severely FLAWED!<br /><br />It is a proven fact that you can't build a stable software package <br />against an unstable software base. So how does Microsoft plan <br />on alleviating this problem?<br /><br />As a person that writes copy and has some marketing <br />background I could answer all of those questions posted in this <br />article without ever seeing InfoCard! Why don't you release some <br />viable, valid, information on the workings of InfoCard? <br /><br />Where is the Information that we as users and media can use to <br />ensure that InforCard will do as stated in the article. Because <br />frankly we as a Tech society have heard and seen so much <br />******** from Microsoft over the years -- how is this any <br />different?<br /><br />These are only some of the questions. The rest of them we'll <br />have to answer at www.TechViewsToday.US in time!<br />~Justin
- Like this Reply to this comment
-
(9 Comments)