InfoCard (i.e. CardSpace) has been out for a bit, but does not get much joy yet. I think probably cause a lot people just don’t know about it or don’t care yet. But the other day I created a OpenID and started using it for identi.ca. identi.ca is a good example of a site that uses OpenID well and makes it easy. That got me thinking all sites should use OpenID. Then I rediscovered CardSpace because OpenID also always you to attach an InfoCard to your id. So that got me thinking more about CardSpace and using it for my web site.
In general, I am starting to think InfoCard (or the idea of InfoCard) is almost the perfect security model for the following reasons:
1) You control your cards locally. You don’t have various names and password strung out all over the INET.
2) You can use same card on multiple sites.
3) You only share the info you want in the card.
4) You get to pick your card at login using a picture and named card. This makes it easy to remember what card you used at what site. Vista actually has a nice CardSpace control for this and it works well (can download for XP).
5) People can’t hack your password on a site using normal hash tables (rainbow) or brute force. I am not sure yet if it is possible to brute force an InfoCard.
6) It moves the security model to a standard and tested model. Today, each site may (or may not) protect your password with all kinds of good or no good hash and/or encryption methods. Point it, you don’t know what method is used – it could be stored in the clear! InfoCard removes many of the server side variants and acts almost like an agent on your behalf.
7) The framework it there where in the future you can time limit your card and revoke it from use.
Given the upsides and the fact that I am in control of the card, I am starting to wonder if OpenID is the right model.
That said, AFAICT, there is one primary down side – you have to have your card on each machine you use. That means if you are on some random machine, you need to figure our how to get your card and have to worry about removing it from the machine when you done. Maybe what we need is password protected Temp Proxy Card. When you are at a "public" PC, you create a Proxy Card that includes the URL of your real card (stored at a public URL that is encrypted AES with your known password). Then browse to web site that requires a card, the Card selector will popup and you select your Proxy card. The framework will download and decrypt your real card and use that and cache it in memory only in encrypted form using your same password as your proxy card. Maybe it also has a time limit on it.
Make your web site InfoCard enabled. I have looked at a couple solutions, but found Dominick’s control the best fit and ease of use. It also supports non-SSL mode, as many web sites (i.e. blogs) do not use SSL. Having the option is nice.
Dominick Baier’s IC Selector at: http://www.codeplex.com/InfoCardSelector/Release/ProjectReleases.aspx?ReleaseId=12626