September 6th, 2007

Where are the InfoCard sites?

Andrew Arnott
Principal Software Engineer

InfoCard is the greatest invention since the web browser!  In my opinion anyway.  If you don’t agree or you haven’t heard of InfoCard, please read www.identityblog.com, and in particular the post on the Laws of Identity.  It’s really quite impressive what engineering problems InfoCard has been able to solve.

I’m just getting impatient for web sites to start accepting InfoCard.  It’s not that hard to accept InfoCard on your site.  Microsoft has released tools to help.  There are also 3rd-party implementations already available for ASP.NET, Ruby, PHP, Python, and Java.

But what’s really scary…

But what is really scary (to me), is this tendency that is picking up for web sites to say “Log in with your Google Account” or “Log in with your PayPal account” or Amazon account, or Windows Live ID or whatever.  What assurance do we have when we pass our private credentials to some rogue site that those credentials are being safely passed to the site they claim? 

If I’m logging into blogger.com, I’m asked for my Google Account username and password.  Ok, so I happen to know Google owns Blogger, so I’m going to feel comfortable (mostly) passing my Google credentials to Blogger.  But if phishing is so successful already, what’s to stop me from putting up an impressive-looking site and putting up a login that says “Don’t create another account to manage!  Log in with your Google Account now!”  How many people will just assume I have a partnership with Google? 

Amazon is going to be sharing their login system, and Windows Live ID recently shared out theirs as well.  This problem is just getting bigger.

The solution is already here

Now if we just switch to InfoCards, we can completely safely pass our cards to any web site.  Since they are encrypted, we could even pass our card encrypted for PayPal to eBay.com for eBay to pass on to PayPal to verify our identity for payment without eBay ever knowing our PayPal credentials.  (Again, eBay happens to own PayPal but you get the idea… other sites use PayPal in the same way.)

Let’s get to adding InfoCard logins to our web sites, people.  Let’s build a safer community for everyone.
