CardSpace : is it yet another discovery service (YADIS) !! :)

Disclaimer : The views represented in this blog are completely personal and do not necessarily represent the views of the company I work at.


Hey Sriram,

OpenID, LID, SAML, WS-Fed, iNames... and the list seems to be growing. All these protocols are broadly trying to achieve federation of users, and consequently Single Sign On.
To discover them all, there is YADIS!! In addition there exist frameworks like Higgins, Bandit and Pamela, all trying to give concrete shape to the Identity Metasystem. Despite all these efforts, federated identity systems have not really become widely used, and have not realised their potential.
Enter CardSpace, and things look promising again. One of my friends even called it the "Face of Federated Identity", a term that very appropriately describes its link to the offline world. However, after reading and re-reading a lot of material, and watching podcasts by Arun Nanda on its architecture and by Andy Harjanto, a few questions seem to trouble me.
As I see it, I am still missing the novelty in CardSpace.

Identity Discovery:
Apparently, it looks more like an Identity Provider (IDP) Discovery service, allowing people to select cards. In all cases, the user just selects an identity provider, much like the IDP Discovery Service in SAML.

Card Selector:
It claims to be user-centric, but that's what protocols like OpenID, or more generally YADIS and SAML, were already doing.
In CardSpace, the user selects a card from a UI.
In SAML, a list of IDPs is displayed using common domain cookies.
In YADIS, the user types in the URL of the IDP. This also allows the selection of the protocol.
If the only enhancement is the UI look and feel, it may be easier to develop a cross-platform UI in HTML than to ship software written in native and managed code.

Location of the Cards:
CardSpace stores the cards locally, with the UI providing additional features like export/import of cards, and protecting them with a PIN on shared computers. SAML saves this information in a Common Domain Cookie. In the case of YADIS, however, the user has to remember the IDP URL / name. The cards are stored using double encryption, at the system and the user level, using native Windows libraries. Would it not be simpler to store them on a server, and use a cross-platform retrieval protocol like HTTPS for the user to fetch them?

IDP authentication:
CardSpace authenticates the user by showing the login form as part of the secure desktop. This may become a little limiting, as the ways in which an IDP may want to authenticate are theoretically unlimited. Supporting mechanisms like biometric authentication, smart cards, SecurID, virtual keyboards or others may not be possible, and hence the secure desktop would have to provide extensions for them. SAML and OpenID seem to take the easier approach of redirecting the user to the IDP page. The phishing argument can be countered by Passmark, mutual authentication etc. Hence, I am not sure about the gains from moving IDP authentication to the secure desktop.

Secure Desktop:
The login screen is a separate desktop that prevents any other program from watching the data entered. The reason for doing this was to prevent spyware from capturing the user's data. However, once the authentication is done, all transactions that happen in the browser are on the familiar Windows desktop. Given that spyware can listen to this data and steal the user's cookie, this may actually defeat the purpose of the secure desktop. If the requirement was really securing against malware, then why even have the ability for one program to watch another?

Privacy:
One impressive point about CardSpace is that the IDP may or may not know about the Relying Party (RP). The concept of display claims, and encryption at the CardSpace end, do cater to these needs. This is a feature that SAML and OpenID may not provide, as it would mean making the browser more intelligent using JavaScript.

Non-Web Scenario:
SSO in a non-web scenario could be done using Liberty ID-WSF or Web Services. The ID-WSF specification frequently mentions the need for a desktop agent to perform various tasks like credential collection for the IDP, user consent etc. The uniformity of CardSpace would make such a desktop agent easy and possible.

Protocol Payload:
CardSpace only allows different types of payloads; the protocol for the data exchange itself is similar to WS-Fed. This reduces the concept of identity to the possession of a token. This may be a serious concern, considering that passing a single token in one single exchange may not be sufficient for all authentication mechanisms. An example scenario that I can think of is risk-based authentication, where the RP may want to exchange multiple messages to verify the user, and the IDP itself.
YADIS, on the other hand, passes control to the protocol once the discovery is done. This seems simpler, as the protocols now have more independence.

Pseudonyms:
The concept of pseudonyms or name identifiers has not really changed. A pseudonym is required to uniquely identify users; in CardSpace the user gets a unique identifier per card-RP pair. In the case of SAML and OpenID, where there is no concept of a card, the IDP and the SP share a NameID to uniquely identify a user.

Well, so this is my comprehension of CardSpace, and let me see if time and talking to people fill the gaps in my understanding of a technology that seems promising to bring federation to the common janta (the general public)!!!

It's always best to scold in your native tongue !!!

Hey,

It has been a really long time since I actually used Hindi for writing anything. I have kind of forgotten the script too. Nor do I know how to type in Hindi.
The other day, Mrigank sent me the address of Quilpad and I was toying around with it for some time. It was the newer page that I was looking at. There were some widgets allowing you to do native language search, but I felt that it was missing the distribution it warrants. Hence I picked up my tools, and here it is, the first version of GreaseMonkey transliteration.
On any page, in any textbox, you double-click, and a div opens at the bottom right. As you type words in English that sound like Hindi, you get the Hindi script. It seems to be working great with things like Yahoo mail, Orkut, Meebo, Gmail, Digg, and others. Please do let me know if it fails on any sites.
I am also working with Anshuman to get our own transliteration service, and to convert this into a plugin. The current script is a little slow, as I was too lazy to extract words and transliterate them; right now, I am doing it for the whole value of the text box !!
I think I would be working on all these issues, and releasing it by tomorrow (too wishful !!! )

Here is the location at UserScripts
http://userscripts.org/scripts/show/9473

Apollo + Meebo ?

Ram,

There is nothing that Meebo offers over Pidgin [formerly GAIM], but I was interested in the fact that on Meebo you can send messages to HTTP endpoints. Combined with the fact that it is in JavaScript, you can write a million mashups.
I did end up writing a lot of GreaseMonkey scripts for Meebo, which are available on userscripts.org. It was at the same time that I was poking around with Adobe Apollo. So here is the idea. I am planning to convert Meebo into a desktop application using Apollo. An important feature that I am looking at is something like a pluggable GreaseMonkey emulator that will let people write plugins for Meebo. That will surely give rise to a lot of mashups.
Still exploring the idea....

Visionizzer

Hey Sri,

I finally got hold of the executables for Visionizzer, the college project. So much evolution from a small GW-BASIC file to a complete GUI creator; the project has definitely come a long way. I have also included the various applications that were created with Visionizzer. Here is a small demo of Visionizzer and how it works.



Check out the source code available for download here.

Small initiatives.....big results

Sriram,


Here is my stint at animation. During the good old times, when the computer had not invaded my personal space, I used to spend a lot of time drawing, with my pencil and paper. When I came across 3D Studio max, I felt that old passion return. So here is an animation that I produced.



The Story :

The theme revolves around how small things can lead to great things. There is a guy sitting on a bench when a speeding car throws waste paper near him. The guy, being good, picks up the waste and puts it into the trash bin. A truck picks it up and takes it to the recycling plant. That paper is converted to newsprint. Incidentally, it carries a news item about India being under attack, calling upon the youth to defend the country.
Inspired by the words on the paper, young men join the army to defend the country. The scene now shifts where both sides agree to peace and a treaty is signed. Ironically again, the paper on which the treaty is signed, is the same paper !!!

Commentary :
Well, I realise that this was a little too "filmy", but back then I loved the ending and the irony that I had put in. I downloaded many models from the net, and even got music ripped out of famous songs. I banked on music from famous Tamil movies, with the action, to stir up emotions of patriotism !!!

Login Form Oddities.....

Sriram,

This is getting interesting by the day. I was checking out Sign On Manager for two sites that I commonly used, and the script failed for both. Looks like the number of variations will never cease.

Twitter.com : The submit button of the login form has id = "submit". Because of this, calling document.forms[0].submit() resolves not to the function but to the "Submit" button. The error I get is obvious. Still looking for a way I can get a handle to the form.submit() function prototype.

Reddit.com : The login form has onsubmit="return login(this)". The script looks at the onsubmit, sees that it is of function type, and does a form.onsubmit.call(). This fails as we have already lost the context of this. I am presently working on fixing this, and checking if this is just a symptom of a bigger bug.

Also, it is getting a little tough for me to activate SignOnManager for Ugenie.com as they construct their login page using JavaScript. I have not yet decided how I will solve this, a business decision that I need to take fast.
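Both failures above, as an added example that is not taken from the Sign On Manager script: recovering the real submit() when a control named "submit" shadows it, and calling an inline onsubmit handler with the form as `this` while honouring a `return false`. A small stand-in class takes the place of HTMLFormElement so the code runs under Node; in a Greasemonkey script the same two helpers would be handed the real form element, where the prototype lookup lands on HTMLFormElement.prototype.submit. The order in which Sign On Manager runs the handler and the submit is an assumption here.

```javascript
// Added example, not the Sign On Manager code: submit a login form even when
// a button with id/name "submit" hides form.submit(), and run the page's
// inline onsubmit handler with the `this` it expects.

// Minimal stand-in for HTMLFormElement so this runs under Node. With a real
// form, Object.getPrototypeOf(form).submit is HTMLFormElement.prototype.submit.
class FakeForm {
  constructor(name) {
    this.name = name;
    this.submitted = false;
    this.onsubmit = null;
  }
  submit() {
    // the "native" method lives on the prototype, as in a browser
    this.submitted = true;
  }
}

// Twitter-style form: the submit button is exposed as form.submit and
// shadows the prototype method, so form.submit() is "not a function".
function makeTwitterLikeForm() {
  const form = new FakeForm("twitter");
  form.submit = { tagName: "INPUT", type: "submit", id: "submit" };
  return form;
}

// Reddit-style form: onsubmit="return login(this)" compiles to a handler
// whose `this` is the form element; loginFn stands in for the page's login().
function makeRedditLikeForm(loginFn) {
  const form = new FakeForm("reddit");
  form.onsubmit = function () {
    return loginFn(this);
  };
  return form;
}

// The real submit(), whether or not a named control shadows it.
function nativeSubmit(form) {
  if (typeof form.submit === "function") return form.submit;
  return Object.getPrototypeOf(form).submit;
}

// Run the inline handler with the form as receiver (form.onsubmit.call()
// with no receiver is what loses `this`), respect a `return false` veto,
// then submit. Returns true only when the form was actually submitted.
function triggerSubmit(form) {
  if (typeof form.onsubmit === "function") {
    const verdict = form.onsubmit.call(form);
    if (verdict === false) return false;
  }
  nativeSubmit(form).call(form);
  return true;
}
```

Calling the native submit() directly bypasses the page's own onsubmit handler, which is why the handler is invoked explicitly first and its veto respected; otherwise a site whose handler does the real work (as Reddit's login(this) appears to) would be skipped entirely.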

Sign On Manager Demo available

Hey Sriram,

I finally came up with the sign on manager demo. Here is the url http://n.parashuram.googlepages.com/SignOnManager.html


For your information, I've also embedded the page in here. Try it out, and let me know if you have any suggestions or improvements.
This page also demonstrates the use of the Grease Monkey Simulator in development.