View Full Version : Microsoft InfoCard

February 18th, 2006, 03:30 PM
PCWorld.com Article - Gates Outlines ID Management for Vista, XP (http://www.pcworld.com/resource/article/0,aid,124712,pg,1,RSS,RSS,00.asp)

Basically, inside XP there will be a "InfoCard Manager" or something like that. It will have all of your information that you've ever used to sign up for a site, since its purpose is so that you wont ever have to have multiple online aliases online. That means things like your name, your address, your email, and your bank account. Yes, your bank account, because this is going to be used for e-commerce. Also can be used for online banking, so any information you have for loans and such, that'll be on there to. Any website that wants to use it, in fact, I'm sure will be able to. So all those forums that ask you your hobbies, whether you're single, your smoking habits, your sexual preference. It's on there, and your bank will then be able to see it.

Oh, and that's all in your Windows operating system. Doesn't that make you feel nice and warm and cosy inside like the dead of winter with a wide open door?

"Daynah, why on Earth would you want to switch from Windows?"
"Cause I don't have any siblings, especially not a Big Brother."

Supposedly I'm freaking out about this too much. But I'm quite content right now to stick with my Ubuntu and pray that websites don't -require- you to use this.

February 18th, 2006, 08:10 PM
There's no way I'd use an MS-InfoCard because:

1. It will be a proprietary closed-source technology that will only work on Microsoft Windows. If this technology is adopted worldwide, it has the potential to lock consumers out of using anything but Microsoft Windows + Microsoft Internet Explorer + Microsoft InfoCard to do business online. If InfoCard is not going to be a W3C standard or some other standard that is controlled by an international standards body or is not demonstrably platform neutral (i.e. can run on something like a Mac or Linux), there is no way I'd use it.

2. I see this opening up a whole new bag of security risks; everything from a rogue standalone application that can read your InfoCard without your permission to a webpage that contains a drive-by-download spyware component, that, just by visiting the webpage, silently reads information off your InfoCard and transmits it back to a server, to who knows what. Right now, if someone stores sensitive information on their computer (like passwords, bank account numbers, credit card numbers etc...) it may be in a text file, a document, a spreadsheet, a database, or some other program. Without a priori knowledge and some serious text engineering, it is near impossible for a program to autonomously extract such information because it doesn't know where to look, what format the information is in, how to identify it, etc... But with InfoCard, everything will be stored in a presumably consistent location and format that a program may be able to hack. While an InfoCard may be prove to be convenient, if I were to use it, at the very least, there are some serious security concerns that would need to be addressed, and the technology would have to be mature, and have a proven solid security track.

Lord Illidan
February 18th, 2006, 08:16 PM
I have to agree.
If someone manages to crack it, then he will have access to my most private stuff, including my bank account number. No thanks.

I'll remain with Ubuntu, thank you very much, Bill.

June 5th, 2007, 03:43 AM
Normally I would agree with the sentiments posted here. However, after recently learning more about Windows CardSpace (it's version of InfoCard), as well as learning that Novell is taking the same technology OpenSource for Linux and Mac, I am now truly intruiged. What this means is that this system is not Windows-based or -dependent, rather, it is a new technology that can be implemented by the website developer or provider without having to worry if the user is using a certain technology or not.

I do appreciate the concerns for privacy, as mentioned above. However, if you store your passwords in your browser as cookies, even encrypted cookies, you will be less secure than using InfoCard technology. Moreover, using infocard technology is more secure than using a Username/Password sign-in process on a web-page, since that exposes your username AND password (possibly encrypted, or more likely, not) to potential sniffers and malware.

I will be keeping my eyes open for more info on this technology, especially how it integrates into Ubuntu, and other flavors of Linux, as well as MAC, and Windows platforms. After all, the only point in using this technology is if it is feasable for public web sites without having to rely on users using certain technologies. It needs to work OOTB (out of the box) while providing superior security and placing identity management into the users hands. Plain and simple.

Mike Bronner

June 7th, 2007, 08:54 PM
Microsoft CardSpace is one instance of the Identity Metasystem, as defined by Kim Cameron. Kim is the Identity Guru from Microsoft. Don't let that fool you, he is responsible for Microsoft freeing some patents on identity stuff.

Kim Cameron also defined the Laws of Identity, that form the basis for the Identity Metasystem. Lots of development is going on. For instance, the open source Higgins project (Novell ea) will be compatible, as is OpenID.

Read all about it at Kim Cameron's Identityblog (http://identityblog.com). Be ware: It will take all your spare time.

I really hope that there will be a low impact linux version of CardSpace. There are already some identity selectors that plug into Firefox, now they only need to tap into a linux CardSpace variant (http://virtualsoul.org/blog/2007/03/23/all-your-infocard-are-belong-to-us/). Bandit anyone (http://www.bandit-project.org/)?

June 7th, 2007, 09:11 PM
I have the most secure means of securing my personal info, its called..... My Brain! Nobody can crack it, nobody can read it and nobody can get at my info from it except me. Oh and yes, I do actually remember each and every account I sign up for and its password.

Oh and there is no force anywhere in existence that could posses me to trust a Microsoft (or any other technology for that matter) with my bank number and pin (or any other info, like my full name, address...). None.

June 7th, 2007, 09:34 PM
This reminds me of what ".NET" was supposed to be when announced in 2000-1. Hmmm.

June 7th, 2007, 09:55 PM
I have the most secure means of securing my personal info, its called..... My Brain! Nobody can crack it, nobody can read it and nobody can get at my info from it except me. Oh and yes, I do actually remember each and every account I sign up for and its password.

totally agree! the only safe way to keep your data secure is keep it off your computer. i would like to see some honest facts and figures from the banking fraternity about how much computer fraud actually goes on, obviously they don't advertise their data and account detail thefts, with the rise of identity fraud, peoples personal info is worth big money now. there will be methods created to bypass any security layers sooner or later. will ms, or whoever, compensate people if due to their infocard software being compromised, they lose money?

Tundro Walker
June 8th, 2007, 06:41 AM
I can understand the reasoning behind it...to allow folks who surf and purchase over the web not to have to remember tons of logins and crap.

But, it's like letting the wolf guard the hen house. You'll have all these folks relying on this technology to enable them to remain oblivious to what their computer is doing, then some hacker type will create some program to farm user info off their computers with a trojan or something. If you put all your eggs in one basket, it's just that much easier for a criminal to steal all your eggs.

Didn't MS try something like this before with their stupid MS Passport idea?

June 8th, 2007, 08:48 AM
why would somebody want to use something like this? I don't even write down anywhere in my pc my passwords...not talking about bank accounts and stuff...
I have a pretty good memory and until, proved contrary, it's the hardest thing to crack in the world ;)

June 8th, 2007, 09:07 AM
Didn't MS try something like this before with their stupid MS Passport idea?

Yep, they managed to make Passport a technological success, but they failed in making it a standard. The miserable track record of Passport resulted in the Laws of Identity as identified by the identity community.

First: I love open standards, open source and open you name it. Microsoft is not in that league.
Second: I love the ideas behind Identity 2.0. It's all about the user being in control. It's not about "all your identities are belong to Microsoft".

The ideas behind Identity 2.0 are not only about replacing user id and password for a user, but also about removing the need for identity management for service providers, websites, blogs, you name it. You may still use a userd id and password, but all other options are free as well.

It's also about claims based authentication. Just prove that you are competent to excercise some rights by using a digital identity that you got from an identity proivider who provides you with a digital identity that proves just that you are competent.

There is much more to it than just replacing userid and password. if that's how you feel about it, you didn't understand it. CardSpace is not a replacement for just userid and password. It's part of identity heaven.
And if you don't like CardSpace, check out OpenID. Also Identity 2.0.

Firefox 3.0 will support both CardSpace and OpenID. So, I need a linux CardSpace like client, so that I can use an Idenity Selector.

June 8th, 2007, 09:21 AM
lol, what if you have a multi personality disorder and use different names for different sites? they didn't think that one through.

June 8th, 2007, 10:47 AM
I won't trust this to a Ms OS. I use Windows every day at work and I still duel boot with Ubuntu but my god do I not trust Ms with this.

The number of attempts to hack this will be huge and Ms have a bad track record.

Ms had a security hole in XP that allowed someone to take over your computer using their CHM viewer or help program.

December 13th, 2007, 09:54 PM
Still noone interested in creating a bandit/higgins/osis package for ubuntu?

It seems that infocard stuff is getting more attention, microsoft's live stuff, myopenid identity provider all supporting infocards. I'd love to have my infocard wallet on my ubuntu laptop.

December 14th, 2007, 01:00 AM
This reeks of 1984.

Simply incredible. And what frightens me the most about this is the overall complacence regarding this, people missing the point and even acknowledging it may be useful.

Simply incredible. Big Brother is watching indeed.

December 14th, 2007, 05:32 AM
its pretty useful, and if implemented correctly and with the right security measures it could a great thing

its just with microsofts track record of invading privacy and their lackluster security, keeping all your important info in that info card is just asking for it to be stolen

i personally keep all my passwords in my revelation password database, which is encrypted with something, but it works well.

December 14th, 2007, 07:07 AM
i have all my most sensitive details written down and hidden. 2 copies 2 places. just hope I dont forget where I hid them.

December 14th, 2007, 01:22 PM
even if this was implemented, where does it say it'll store stuff without your consent? how is this different from Kwallet or whatever that's called (because i really don't know)

December 14th, 2007, 02:47 PM
The problem with all of this is the threat of identity theft. When people get it into their heads that their signature is not their identity, they will begin to see the huge, gaping holes in the 'identity industry' (best phrase I could come up with).

Anyone with enough know-how can forge your identity, and things like this InfoCard idea just make it easier and easier. The bigger the database of information about you, the easier it is for would-be fraudsters to fool all of the systems out there which rely on your signature, address, date of birth etc as identity.

Your identity is you, as you exist physically. Software engineers and developers have created this identity mess, and they should now focus on fixing it for good rather than trying to pump water out of a sinking ship. I know InfoCard isn't designed to be a form of identity, just a repository of information about you - but the end result is that if someone has access to that information, they can pretend to be you.

Biometric ID cards, for all the uproar around them, are the closest we can get to the 'person as the identity' with our current technology. They're still too short-sighted. I think the ultimate issue is that the idea of 'identity' is broken. There is no common consensus on what identity is, and for the most part, all it means is 'the record the government has about you'. If you don't match up to their records, then you are not you, in the eyes of the law.

We need a different system, not another way to break our current one. Microsoft are being very irresponsible with stuff like this.

December 19th, 2007, 08:50 AM
I feel that some folks are missing the point. It is not just a Microsoft thing anymore. This is one implementation of Identity 2.0. Based on the Laws of Identity as defined by Kim Cameron.

I'm not asking for Cardspace to be built on linux, I want a Higgins/Bandit ported to Ubuntu. This is no Microsoft code, not one bit I dare say.

So, it is not about trusting or not trusting Microsoft. I prefer to be free to choose and I chose this platform.

And as for Infocard: this is nothing more or less than a digital ID, containing nothing more than a few (SAML) assertions and I am the only one in the whole world that has access to my digital ID. No big brother at all. There is less big brother in Infocard than in OpenID.
So, instead of bashing Microsoft, please think about Higgins/Bandit and let me use my ubuntu installation to provide relying parties with my selected digital ID

December 19th, 2007, 09:24 PM
Well put, meneer.


March 31st, 2008, 03:47 PM
Can anyone report any progress on this https://wiki.ubuntu.com/IdentitySelector issue?

Mr. Picklesworth
March 31st, 2008, 04:02 PM
I would like this if it had nothing to do with storing identity, per se, but instead was just an OpenPGP key adopted into web sites as a method to log in instead of usernames and passwords. For example, the browser signs a random login text, then when the server confirms that the user is allowed in.

The power of that technology amazes me; thanks to how I can seemlessly revoke the information using a printed revokation certificate (I am not at the mercy of the phone operator's competence) it feels way more secure an identification than even a birth certificate.
One's private key can easily become his identity, and that makes quite a bit of sense.

Actually sounds like CardSpace is a similar idea at its heart, but I do not see how storing actual information or 'multiple identities' becomes necessary. That sounds more like a job for OpenID (http://openid.net/).

March 31st, 2008, 04:11 PM
God bless the pirates of the information highway -- YAR MAITEE!! ALL HANDS ON DECK TO TEH STARBOARD SIDE! WE'VE GOT A MICROSOFT CHIP!

March 31st, 2008, 04:14 PM
I think this is just one more ploy by Microsoft to put its name in front of EVERYTHING they possibly can.

March 31st, 2008, 04:29 PM
"Old George Orwell got it backward. Big Brother isn't watching. He's singing and dancing...Big Brother's holding your attention every moment you're awake. He's making sure you're always distracted... it's worse than being watched. With the world always filling you, no one has to worry about what's in your mind. With everyone's imagination atrophied, no one will ever be a threat to the world. -- Chuck Palahniuk

March 31st, 2008, 04:39 PM

April 1st, 2008, 10:19 AM
I am not an MS fan, hardly even an MS user, at least not by choice. I'm an Identity Management specialist, call me a web 2.0 evangelist. Looking into Claims Based Identity and Authorisation. So please don't diss me with anti MS posts. They are so old hat.

Let me point to this older post (http://ubuntuforums.org/showpost.php?p=3978401&postcount=20).

I use OpenID, but OpenID providers know where I go, they know too much of me. So I need something else, Infocard is the solution. And Ubuntu not supporting Infocard is bad.
Just get me OSIS, Higgings, DigitalME for linux, or whatever. I will do the PR, but I can't do the coding, or I would have done so long ago.

July 16th, 2008, 09:12 PM

A month ago the bandit project published a .deb DigitalMe install package for Ubuntu. You can find it at the digitalme download site (http://code.bandit-project.org/trac/downloads?catfilter=DigitalMe).
And yes, it works. The package delivers a painless install of the digitalme identity selector. The package adds a DigitalMe entry in the tools section of the applications menu. You can manage you infocards from within the identity selector.

On the digitalme site you can also find a digitalme firefox add-on.

(update: I started a new topic (http://ubuntuforums.org/showthread.php?p=5401979))