Although Microsoft spokesmen claim that they have shelved
Information Cards for good, I believe Information Cards will rise
from the dead anyway.
Why? The core consumer authentication technical problem is
that anything "cryptographic" requires integration in the client
platform.
But didn't Microsoft actually integrate Information Card support in
the Windows platform? No, they did not. Since Microsoft never got
consumer PKI to work, Information Cards were effectively diminished
to painfully complex "Password Amplifiers". In addition,
Information Cards do not even conceptually offer a better solution
for on-line banking than PKI.
So far it looks like Information Cards have absolutely no value,
right? Wrong!!! If you ever had the "pleasure" (eh) of using the
Financial Industry's contribution to secure on-line payments, i.e.
3D Secure (aka Verified by Visa), you probably agree that if 3D
Secure represents the future, we might rather stick to unsecured
credit card credentials forever!
However, when you look inside of the 3D Secure stack, you will
notice that a modified Information Card scheme (like a "profiled"
Information Card protocol) could make 3D Secure much more convenient
even than existing on-line payment systems. In fact, this was
showcased by Ping Identity years ago.
What's [still] missing is a useful PKI solution for authentication
to the issuing bank.
When client-side PKI is finally in place, an enhanced Information
Cards scheme will provide a user-friendly and secure federation
solution. 3D Secure is a prime example of a federation scheme in
desperate need of a better platform!
There are plenty of other use-cases for secure federation and
attribute (claims)-based assertions, but nobody will bother about
Information Cards until they are properly married to client-side PKI
because the latter is what [non-US] banks and government agencies
actually are investing in. For more than a decade they have written
their own client software due to the fact that the platform vendors
do not see any business case in making consumer PKI useful.
Really, how hard can it be???
Anders Rundgren