The first session I attended was the session by Scott Golightly on Windows CardSpace. I've looked into CardSpace before and gone through the labs, but haven't really thought about the "why it came about" side of the story. Fortunately for me, I attended this session and it did enlighten me on this subject.
As more and more people and businesses go into the Internet space, more and more problems come about in relation to establishing identity online. Steve, in his presentation, summarized the Internet Identity Crisis into the following:
1. Lack of Identity Online - this one is a given. We see it in chat rooms, blogs, and web sites. If there is one thing to bear in mind when delving into the Internet world, it's that not everyone who makes a claim about something, e.g. who they are, is telling the truth about it. It's difficult to establish identity online because the Internet abstracts the physical world into bytes or strings, without the convenience of the "sensory validation" we have in the physical world: being able to see, hear, or even smell the person in real life. Taking over another's identity online is just a matter of knowing which sequence of keys he needs to punch to establish who he is.
2. Password fatigue - I'm definitely one of those people who have suffered from password fatigue. There are just too many sites and services that I need to establish a claim on my identity on to have different passwords for each of them. So, like a lot of people if not most, I have the same password for most of the services I subscribe to online. Either that, or I keep a list of each username and password combination that I have for all my sites, which is going to be quite a tedious task since I'm definitely one of those people who will sign up for any and every service there is. And of course, having a physical copy of my credentials free for anyone to read if they get hold of it is something I don't really want, because I'm the type of person who easily loses track of her stuff :p I think as long as I don't limit my passwords to dictionary words, I'll be fine. The fact that I use a different keyboard layout helps too, I guess. Sometimes when I'm "password fatigued", I switch to a normal keyboard and type in my password as if I was still using a DVORAK keyboard, plus some punctuation marks and symbols here and there.
3. Lack of site validation - We are slowly resolving this problem with what we call Extended Validation Certificates (EV-Certs), which are basically a way for sites to tell their customers that they are indeed who they claim to be. These certificates aren't easy to obtain. To get one, a company has to have been well established for a certain period of time, visits to the company in question are actually part of the checking, and there are all sorts of other "extended validation" activities. But because these certificates are not so easy to obtain, some sites may not be able to offer this mechanism of validation to their customers. For some users, the URL is the one thing that identifies a site as legitimate. The smarter users will know to trust http://www.paypal.com vs. http://www.geocities.com/paypal, BUT would the users with not so good eyesight learn not to trust http://www.paypa1.com or http://paypaI.com (http://WWW.PAYPAI.COM)? Some people argue that you should still be able to tell a fake from the original site based on its look and feel. If you're talking about amateur spoofers, sure. They might be careless enough to just use Notepad to code a "Hello PayPal" site and try to fool its users into thinking it is indeed PayPal. But if people were really serious about spoofing a site, they could easily do so, and even if they don't get the exact same look and feel, the attacker can just put up a "Check out the new site design!" banner, and since sites often change their look and feel for whatever reason, users will ignore the fact that the design has changed, as long as it looks professionally done.
4. Phishing & Phraud - growing exponentially in a matter of months, it's probably the easiest crime to commit. It's like setting up a trap in a room full of a bazillion people: someone is bound to step on it. And the reason these types of Internet crimes are up and about is the points above: lack of site identity, credentials being typed in by the user, and an inconsistent user experience. Even when the mechanism of logging in changes for a web site, a user can simply dismiss it as a site upgrade.
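The lookalike URLs in point 3 (paypa1.com, paypaI.com, geocities.com/paypal) are the kind of thing a browser extension or mail gateway can screen for mechanically. The following is an added example, not code from the session or this post: it folds visually confusable characters in a hostname and compares the result against a constructed allowlist. The allowlist, the "last two labels" domain rule and the `classify_url` function are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains this check treats as trusted (assumption).
TRUSTED_DOMAINS = {"paypal.com"}

# Character sequences and single characters that look alike in common fonts,
# each mapped to one canonical form. Sequences are folded first so that "rn"
# becomes "m" before the single-character pass runs.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w")]
CONFUSABLE_CHARS = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o"})


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host, e.g. 'www.paypal.com' -> 'paypal.com'.

    Assumption: two labels suffice; a production check would consult the
    Public Suffix List so that 'co.uk'-style suffixes are handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def fold_confusables(text: str) -> str:
    """Collapse visually confusable characters so lookalikes compare equal."""
    text = text.lower()
    for seq, repl in CONFUSABLE_SEQUENCES:
        text = text.replace(seq, repl)
    return text.translate(CONFUSABLE_CHARS)


def classify_url(url: str) -> str:
    """Classify a URL as trusted, lookalike-domain, brand-in-subdomain,
    brand-in-path or unknown, relative to TRUSTED_DOMAINS."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # urlsplit lowercases the host for us
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # A domain that differs from a trusted one only by confusable characters
    # (paypa1.com, paypai.com) is the classic lookalike; treat it as a warning,
    # since an unrelated domain could in principle fold to the same string.
    if fold_confusables(domain) in TRUSTED_DOMAINS:
        return "lookalike-domain"
    subdomain_labels = host.split(".")[:-2]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if any(fold_confusables(label) == brand for label in subdomain_labels):
            return "brand-in-subdomain"   # e.g. paypal.example.com
        if brand in parts.path.lower():
            return "brand-in-path"        # e.g. geocities.com/paypal
    return "unknown"
```

Only "trusted" is a positive signal; the other three labels are reasons to warn the user, and a real deployment would extend the confusable table (including Unicode homoglyphs) and the allowlist.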
The problem: username and password as a security mechanism is a broken system. Hence, a new system of establishing identity is born. Implementation of a "passwordless" system of identity authentication is demonstrated with technologies such as OpenID and Windows CardSpace. Whereas OpenID is more of a service that you make use of online, with Windows CardSpace it's more of a software AND services story. CardSpace technology makes use of the software (Windows XP SP2+, Vista and Windows Server 2003 SP1) to manage your identity cards. Scott did mention that the direction CardSpace was going was towards having your cards on USB keys/smart cards, or basically devices that you would typically keep with you. (As things stand, you'd have to export/import cards to be able to use them across different machines.)
I don't want to bore you with excessively long posts, so I think I'll take a break here. But if you want to learn more about Windows CardSpace, visit http://cardspace.netfx3.com and if you want to get hands-on experience of what working with CardSpace would be like, visit the CardSpace sandbox at http://sandbox.netfx3.com/
3 more sessions to blog about for day 1. (must get some sleep first)
Technorati Tags: techedsea07