Offering SIM Strong Authentication to Internet Services
Friday, March 10, 2006 7:21:52 AM (Central Standard Time, UTC-06:00)

http://projectliberty.org/resources/whitepapers/SIM_Strong_Authentcation_Whitepaper.pdf

"This paper presents an innovative service called SIM strong authentication service that extends the usage of GSM SIM authentication to Internet Web services. The goal of this proof-of-concept is to demonstrate the possibility of implementing innovative service in a heterogeneous environment using Liberty Alliance Federation Standard. Telenor, Axalto, Linus and Oslo University College have implemented a proof-of-concept prototype in Oslo. The architecture is based on a multi-vendor environment where SUN provides the Identity Provider, IBM the Identity Provider and Service Provider Proxy to connect non-Liberty Alliance Service Providers to the system, Lucent Technologies the Radius server and Ulticom the SS7 MAP Authentication Gateway connecting the prototype to the Telenor mobile network. A typical user flow for such a service would be the case of a user browsing on the World Wide Web from home, a customer premise, an Internet café, etc. When trying to access a protected resource such as Webmail, company portal, or bank account, he logs on to the requested secured site simply by placing his mobile phone close by and communicating with his PC via Bluetooth, or using a SIM card-equipped dongle, card reader, or 2G/3G PC card. This service is available anywhere and can support any Internet services. It is ideal for services like Internet Banking, eAdministration or enterprise internal web pages. The SIM strong authentication is both user-friendly and cost efficient, with a low deployment threshold. The technology is also capable of supporting other Smart-Card based identity services such as USIM (UMTS), certificate based schemes (E.g. TLS) and One Time Password schemes (OTP). A demonstration of the SIM based service is being demonstrated at the 3GSM World Congress in Barcelona, February 2006."

RE: Rohan Pintos's blogpost - InfoCard or JavaCard // Identity Management
Friday, March 10, 2006 5:34:06 AM (Central Standard Time, UTC-06:00)

Rohan writes:

InfoCard or JavaCard //

Kim had posted a nice article on A simple managed payment card example a while ago. So basically what happens with an "issued" InfoCard is that the InfoCard only contains a pointer to where the user information is to be obtained from (in this case, as per Kim's example, the issuer happens to be Bank Of America, and the requestor is amazon.com). Well, Kapil had a nicer post on Smartcards and Federated Identity. Kapil quotes: Smartcards are actually the real enabler of the biggest network of identity federations the world has known till date, i.e. GSM.

[...]

various standards like SAML, Liberty, InfoCard/WS-Trust, WS-Federation etc. for identity federation respect and understand the usefulness of security devices like Smartcards. All these standards propose the solution to the same set of problems in almost the same way and differ mostly in the wire protocols used. SAML and Liberty have the profiles ECP (Enhanced Client Proxy) and LECP (Liberty Enabled Client or Proxy) respectively, which enable Smartcard based authentication, whereas InfoCard (a profile of WS-Trust) treats the Smartcard as another Security Token Service which can generate self-issued security tokens.

nice... I see the light at the end of the tunnel. InfoCard treats a smartcard as a personal security token service (PSTS) which can issue security tokens in the form of SAML assertions.

and so I thought... or rather... continue to think...

What's the difference between the long existent JavaCard/Liberty vs InfoCard/WS-Federation?

JavaCard/Liberty vs InfoCard/WS-Federation: there is no comparison matrix like this, because:

JavaCard technology is not tied to Liberty Alliance and vice versa. Liberty Alliance specifies that security devices (a smart card being one example) can be used to do the authentication. How to communicate with them is left unspecified, which makes sense, as otherwise the specification would have to cover the protocol for every device out there. Now, JavaCard is one type of smart card which has a virtual machine, runtime and libraries specified by SUN Microsystems, which we smart card manufacturers implement and put on top of our smart card operating system. There are other types of smart cards, e.g. native smart cards which do not have the capability to run managed code; the .NET Smart card, which has a virtual machine, runtime and libraries specified by ECMA [our implementation is a subset of the ECMA specifications for .NET, just as the JavaCard specifications are a subset of the core Java specifications]; and one more type called the Multos smart card.

That said, you could use the .NET Smart card in products/implementations of Liberty Alliance. As a matter of fact, all the demos that I have done with Liberty Alliance & InfoCard/WS-Trust/WS-Federation are with the .NET Smartcard. The reason for using the .NET Smart card is that it supports a richer set of APIs (Hashtable, ArrayList...), language features (strings, long...) and XML parsing. These features are not available in existing JavaCards (2.2) and would be part of JavaCard 3.0.

Now, the way you put the matrix, it seems that you are thinking of some relation between JavaCard & InfoCard. InfoCard does have "card" as a suffix, but that does not mean it is a smart card. An InfoCard is metadata expressed in XML which describes how a user could authenticate, where the identity provider/security token service is located and which claims are supported, whereas JavaCard is a platform for which you could write applications that store credentials and process requests to use them.

I remember sometime back I had read an article on "Microsoft Employees Get Carded" by Karen Epper Hoffman via Kapil's Blog. Well, Scott made us use these from a long time ago... And Microsoft's views on smartcards are no different.

Smart card technology is a proven security technology, and I hope technologists around the world appreciate its importance for web security too.

Hubert has put together a nice demo of how, using Liberty's ID-WSF protocols, we can create a module that greatly helps the user in dealing with his digital identities. Currently laptops, Sun Ray 1g, Sun Ray 170 and desktops ARE available with built-in smartcard readers.

and hence my dilemma...

This is really an excellent demo. I am also working on a similar type of demo (Liberty Alliance) in which the authentication is done using a challenge-response algorithm (like CRAM-MD5), where the response is generated by the smart card instead of using a username/password (as done in Hubert's demo). It is another matter that I will use a theme other than the famous wine shop example, as I am a teetotaler :) .
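The challenge-response flow described above, as an added example that is not code from the original post, from Hubert's demo or from the author's own demo: CRAM-MD5 as defined in RFC 2195, with the smart card simulated as an object that holds the shared secret and only ever returns the keyed digest. The `SmartCardSim` and `CramMd5Server` classes, the challenge format and the one-time-challenge bookkeeping are assumptions of this example, not part of any Liberty profile.

```python
import hashlib
import hmac
import os
import time

# Added example (not from the original post): a CRAM-MD5 (RFC 2195) exchange
# in which the card, not the browser or the user, keys the digest.

class SmartCardSim:
    """Stands in for the smart card applet (assumed API): it holds the shared
    secret and only answers with a keyed digest, never exporting the key."""

    def __init__(self, username: str, secret: bytes):
        self._username = username
        self._secret = secret

    def respond(self, challenge: bytes) -> str:
        # RFC 2195 response: "<username> <hex(HMAC-MD5(secret, challenge))>"
        digest = hmac.new(self._secret, challenge, hashlib.md5).hexdigest()
        return f"{self._username} {digest}"


class CramMd5Server:
    """Service-provider side: issues one-time challenges and verifies responses."""

    def __init__(self, secrets: dict):
        self._secrets = secrets      # username -> shared secret (bytes)
        self._outstanding = {}       # challenges issued but not yet answered

    def challenge(self, hostname: str = "idp.example") -> bytes:
        # RFC 2195 shape "<random.timestamp@host>", random part from os.urandom
        rnd = int.from_bytes(os.urandom(4), "big")
        chal = f"<{rnd}.{int(time.time())}@{hostname}>".encode()
        self._outstanding[chal] = True
        return chal

    def verify(self, challenge: bytes, response: str) -> bool:
        # Each challenge is consumed on first use, so a replayed response fails.
        if not self._outstanding.pop(challenge, False):
            return False
        try:
            username, digest = response.split(" ", 1)
        except ValueError:
            return False
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
        # Constant-time comparison avoids leaking the digest byte by byte.
        return hmac.compare_digest(expected, digest)
```

The secret never leaves the card object, so the service provider only ever stores the shared secret on its side and sees a fresh digest per login; the RFC 2195 test vector (user "tim", secret "tanstaaftanstaaf") can be used to check the digest computation.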

Device coordination with web applications.
Thursday, March 09, 2006 12:24:26 AM (Central Standard Time, UTC-06:00)

Today at Keio University, Tokyo, Japan, at the W3C workshop on the Ubiquitous Web, I gave a talk on device coordination with web applications. The position paper can be found here and the presentation is hosted here.

The position is basically to standardize the interface through which a web page, and script from a remote web site rendered by the browser, communicates with security devices that are network addressable, discoverable using standard discovery protocols such as UPnP, Bonjour or ZeroConf, and locally connected to the user's machine.