For every product, there are thousands of sentences which result in the reply “well, why didn’t you just say that?” The answer, of course, is that there are thousands, and often it’s not clear which is the right one. For me, the useful sentence is that ‘Infocard is software that packages up identity assertions, gets them signed by an identity authority and sends them off to a relying party in an XML format. The identity authority can be itself, and the XML is SAML, or an extension thereof, and the XML is signed and encrypted.’
Why didn’t you just say that? (Actually, Kim Cameron says just about that in the video linked to in “The Infocards For PHP Tutorial.”)
More seriously, I’m unsure if Infocard is the software, the protocol, or some combination thereof. But I do have a much better understanding of how it works, so I’m glad to have watched the short movie demo.
A couple of thoughts:
- First, Stefan Brands of Credentica has comprehensively analyzed the privacy issues in this sort of scheme in his book, “Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy.” The essential point to be aware of is that the certifying authority can track every site you visit. Infocard includes a self-signing authority, so you’re aware of every site you visit. If web sites start demanding certificates from other organizations, they have a deep view into your web activities.
- Finally, there’s a card which is greyed out, which Kim helpfully explains is greyed out because it doesn’t include an email address. I’m expecting there’s an easy way for the user to discover this?
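As an added example (not from the post, and not CardSpace, WS-Trust or SAML code), here is a toy Python model of the one-sentence summary above and of the two points in the list: a card's claims are signed by its issuer, encrypted to the relying party, and checked there; the issuer's issuance log shows who can track where a card is used (the user's own machine for a self-issued card, a third party for a managed one); and a card that lacks a claim the relying party demands is simply not eligible. Everything here is an assumption for illustration: HMAC-SHA256 stands in for the XML signature, a SHA-256 keystream for XML encryption, issuers are looked up by name, and the issuer is told the audience so that it can log it.

```python
"""Toy model of the Infocard flow: pick a card, have the issuer sign the requested
claims, send them signed and encrypted to the relying party. Constructed for
illustration only; not CardSpace, WS-Trust or SAML code."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


class IdentityProvider:
    """Signs claim assertions. The issuance log is the privacy point from Brands:
    whoever runs the issuer sees every relying party the card is used at."""

    def __init__(self, name):
        self.name = name
        self._key = secrets.token_bytes(32)   # toy signing key (HMAC stands in for XML-DSig)
        self.issuance_log = []                # relying parties this issuer has seen

    def sign(self, assertion):
        self.issuance_log.append(assertion["audience"])   # the issuer learns the site
        body = json.dumps(assertion, sort_keys=True).encode()
        return body, hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def verify(self, body, sig):
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, sig)


@dataclass
class Card:
    name: str
    issuer: IdentityProvider
    claims: dict


@dataclass
class RelyingParty:
    name: str
    required_claims: tuple
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))  # toy RP key


def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode) standing in for XML-Enc."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def missing_claims(card, rp):
    """Claims the relying party demands that this card cannot supply."""
    return [c for c in rp.required_claims if c not in card.claims]


def eligible_cards(cards, rp):
    """What the selector can offer; the rest is what gets greyed out."""
    return [c for c in cards if not missing_claims(c, rp)]


def request_token(card, rp):
    """User side: issuer signs only the requested claims; result is encrypted to the RP."""
    if missing_claims(card, rp):
        raise ValueError(f"{card.name} lacks {missing_claims(card, rp)}")
    assertion = {
        "issuer": card.issuer.name,
        "audience": rp.name,   # assumption: issuer is told the audience, hence can log it
        "claims": {c: card.claims[c] for c in rp.required_claims},
    }
    body, sig = card.issuer.sign(assertion)
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps({"body": body.decode(), "sig": sig}).encode()
    return {"nonce": nonce.hex(), "ct": keystream_xor(rp.key, nonce, plaintext).hex()}


def accept_token(rp, token, trusted_issuers):
    """RP side: decrypt, find the issuer, check signature and audience, return claims."""
    plaintext = keystream_xor(rp.key, bytes.fromhex(token["nonce"]), bytes.fromhex(token["ct"]))
    try:
        wrapper = json.loads(plaintext)
        body, sig = wrapper["body"].encode(), wrapper["sig"]
        assertion = json.loads(body)
        issuer = trusted_issuers.get(assertion["issuer"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None   # wrong key or tampered ciphertext yields garbage
    if issuer is None or not issuer.verify(body, sig):
        return None
    if assertion.get("audience") != rp.name:
        return None   # token minted for another site
    return assertion["claims"]


if __name__ == "__main__":
    me, bank = IdentityProvider("self-issued"), IdentityProvider("bank")
    shop = RelyingParty("shop.example", ("email",))
    cards = [Card("personal", me, {"email": "a@example.org"}), Card("bank", bank, {"name": "A"})]
    print("eligible:", [c.name for c in eligible_cards(cards, shop)])
    tok = request_token(cards[0], shop)
    print("accepted:", accept_token(shop, tok, {"self-issued": me, "bank": bank}))
    print("self-issued log (on your machine):", me.issuance_log, "bank log:", bank.issuance_log)
```

The bank card is excluded because it carries no email claim, which is the greyed-out card from the video; the self-issued issuer's log fills up instead of the bank's, which is the tracking point in the first bullet.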
Anyway, I’m glad that Kim produced the video, and if you’ve been like me, watching and not having time to dig in, go watch it.
[Update: Kim has a response, “ADAM ON DEMYSTIFYING INFOCARDS,” that I won’t be able to respond to until tonight or perhaps tomorrow. Since trackbacks are off (spam), I figured I’d link.]