Looking to ease the way customers manage their digital identities, Microsoft has begun working to integrate its InfoCard authentication technology with Internet Explorer and is in discussions with the Firefox and Safari browser developers to have them include the technology on their platforms.
According to Microsoft officials, InfoCard integration could show up in Internet Explorer 7.0 even though InfoCard is currently not on the feature list. The goal is to improve security and privacy on the Internet using the InfoCard model, which puts users in control of their personal identity information and would eliminate the need for user names and passwords to sign in to a Web site.
"We are still working on if there is enough time to get this done" for Internet Explorer 7, says Michael Stephenson, Microsoft's group product manager for Windows Server. "We expect many different applications, smart apps, Web apps and browsers, to use InfoCard. Our own browser will take advantage of it."
In addition, Microsoft is hoping others will adopt its InfoCard model on the Web to help improve security and privacy with a common identity layer.
"We are having concrete discussions with Firefox and others about specific mechanisms that would communicate between a Web site and the browser so we can enable credential selection such as InfoCard," says John Shewchuk, CTO of distributed systems for Microsoft. "If we do this right, all browser vendors could provide a common mechanism for identity."
Experts say that would improve security on the Internet.
"Adoption of a common user-friendly metaphor for identity can only help," says Daniel Blum, an analyst with Burton Group.
In June, Microsoft unveiled its identity metasystem, which includes user-centric privacy controls in the form of InfoCard, a middleware technology called Windows Communication Foundation, Active Directory and a slate of Web services-based protocols led by WS-Trust that Microsoft and IBM have been developing.
WS-Trust is key for creating Security Token Services (STS), lightweight gateways for servers and clients that negotiate the exchange of security tokens, such as Kerberos or the Security Assertion Markup Language (SAML). IBM supports the technology in its federation server, and Ping Identity has an open source implementation of WS-Trust.
In the browser model, Web sites would need to run an STS in order to signal browser users to provide their InfoCard identity credentials.
"If there is useful information from the InfoCard work that doesn't necessarily require InfoCard technology and makes browsers more secure then we would like to see that happen," says Scott Cantor, who works on Internet2's Shibboleth identity project and the SAML technical committee at the Organization for the Advancement of Structured Information Standards (OASIS). He also is the author of OpenSAML and the security architect at Ohio State University.
Another key to recruiting partners is standardization of WS-Trust. Microsoft's Stephenson says the company and partner IBM are finalizing the language on a charter to get WS-Trust, WS-SecurityPolicy and WS-SecureConversation submitted this month to OASIS for standardization.