YAF? (â€œYet Another Foundation?â€) Some in the identity community have had that reaction to the announcement of the Information Card Foundation (ICF) today at the start of the Burton Catalyst conference in San Diego.
As one of two members of the ICF board who also serve on the OpenID Foundation (OIDF) board (Mike Jones is the other), and also wearing my Identity Commons steward’s hat, let me share some perspective on this.
Last spring I had the pleasure of working with Eve Maler on an IEEE article called the Venn of Identity, based on Johannes Ernstâ€™s original diagram of the three â€œpillarsâ€ of Internet identity development: SAML/ID-WSF, OpenID, and information cards. The paper was an opportunity to compare and contrast the strengths and weaknesses of all three approaches. I could not leave it without the feeling that the ultimate solutionÂâ€”the â€œTCP/IP of identityâ€ as it is often calledâ€”lies somewhere in the overlapping middle.
Exactly where, Iâ€™m not sure anyone can say yet. What we can say, to borrow an analogy from OIDF board discussions, is that if you want to climb the Internet’s never-been-summited Mount Identity, itâ€™s best not to ignore any promising route.
(As I write this I have firmly in my mind a picture of the glorious Mt. Rainer, the Northwest icon that anchors the southwestern skyline of Seattle. Though I have never climbed it myselfâ€”I hope to someday with my two sonsâ€”many of my high-school classmates have, including one friend whose ascent with famed mountainer Willi Unsoeld ended in tragedy when Willi and a student were killed in an avalanche at Cadaver Gap.)
In this decade we have made great progress up that mountain. An early, well-equipped group of explorers have pushed steadily up the SAML couloir. Then a second party banded together to attempt the OpenID ridge. Now a third group is navigating by way of the Information Card snowfields.
The closer we come to the last and steepest slopesâ€”the hardest and most dangerous part of the journeyâ€”the greater the chance we can all help each other take the peak (a lesson Willi would have preached in spades). In fact paths of intersection are starting to appear everywhere. OpenID information cards. OpenID login to ID-WSF. SAML SSO with OpenID. Relationship cards.
Iâ€™ll sum it up this way: ever since the â€œi-cardâ€ session at the Berkman Identity Mashup in June 2006, Iâ€™ve been convinced that identifiers (OpenID) and claims (information cards) are both essential tools for scaling the mountain. And Iâ€™ve always felt that assertions (SAML) and identity services (ID-WSF) could not be left behind either.
So while it may appear from a distance like introducing the Information Card Foundation adds another divergent element to an already confusing landscape, I see just the opposite. It fills in a key piece of the trail that will help us connect other routes and advance everyoneâ€™s efforts. Until pretty soon (shall I go out on a limb and say the end of the decade?) weâ€™ll break through the last ice shelf and summit the mountain.
And just imagine the view from there.
The name “Information Card” is a deception – behind it’s veil it is only a piece of Software, not any Card in your hands at all! And everybody knows meanwhile what can be done with Software!
Information Cards will only be secure if there are real cards in use:
Not only passwords, every security measure running only directly on a PC is vulnerable, and virtual ID-Cards (which are only data stored on your computer), are an invitation to pishers! They only have to upload this ID-Card from your Computer, and they have everything
they like to have! Why? There is a not curable flaw:
Everything running directly on a PC (specially with MS-Software) can be faked or spied on.
The only thing which helps is an external ID (Card or USB-Dongle) with embedded Microprocessor which handles all the login communication with embedded cryptography and refuses to be spied on.
I worked with the European eEurope Smart Card Initiative in 2000 and we discussed all the security problems – there is only one solution for real security: a device outside the computer, communicating with, but not affected by the Computer and/or the Internet!
It is a myth that data on your computer are safe, even if big companies are involved and