Thursday Mar 30, 2006

Nothing special here. This is what the xmlToken that the Identity Selector sends across to a Relying Party looks like.


more soon...

Wednesday Mar 29, 2006

Chuck Mortimore has just deployed the world's first Java-based Infocard Relying Party app. I'm following up soon with a PHP-based Relying Party app... (Chuck beat me to it.. even though we've been constantly communicating and collaborating.. Guess Chuck's had the advantage of time... However, we played tag-team and managed to get it to work !!!) Getting Java to work was easy.. PHP seems to be a bit harder with decoding and parsing encoded XML. I always thought that PHP was easier.. but was proven wrong this time... I'm trying to do exactly the same thing in PHP as the Java code and all I get is garbage. There must be something different in the urldecode / base64_decode functions in PHP and the way in which it handles "special characters".

HOWEVER: Chuck's the one who deserves 100% credit for deploying it first.

Kim, Please publish your code... not the relying party provider (RP) code, We got that already.. We would like to see the WinFx Identity Invoker Code... (please... please... please... please... please...)

For those who appreciate HARD WORK. Take a moment to toast Chuck. Infinite cheers Chuck !!! You ROCK !!!

Open Source rocks !!!..... Kim.. break down those walls. Let East Meet West. Let infocard be really "open". Please do not restrict us to work within those "infocard walled gardens"... please let us open up channels to securing the identity space. & ah !! in-ter-oh-por-ate !!

PS: When I say "us".. I mean "we the people", @the "open source community".... ;-)

Next Stop: How to Federate your "infocard" authentication token.

Tuesday Mar 28, 2006

LOL... had some time to kill..... and so I made a few images that you could use as your infocard image to help you identify the different infocards you create and distinguish between them instead of relying on the infocard super-imposed name.


And here's John Doe's Infocard. Use the password "password" to import the infocard.
This distribution of John Doe's infocard could probably make John Doe a "celebrity" again.

Remember to save John Doe's infocard with the extension .crds

I know that most of the sites that would accept this card would also have a "confirm registration" email sent out. Well, I shall soon do something to address that too. The email address registered on this card is john.doe.infocard-AT-gmail-DOT-com. So, what I shall also do is set up a gmail forward to forward all emails to a_secret_email_address@blogger.com, and then set up a blog to publish all those emails received. Well, then I could probably write a javascript or any utility to auto-click & confirm all URLs in the posts, or to parse the contents of emails received and do an HTTPrequest.get() on all URLs that the blog post contains. But since that would take some effort, and is not something I am too keen on doing anyway, and also since I currently do not have too much stale time on my hands, I shall do that only if I see the card being used... or I may also decide against it and keep this as "insider" info ;-)

Guess I would be wasting too much time on this. so the idea is now officially canned.
ROTFL.

NOTE : This is in no way an attempt to initiate a world-wide effort to present John Doe's infocard as a mechanism to break all web services/applications that may someday accept infocard as their auth medium. I received a few emails and phone calls to clarify the intent here..
So here's a public post of the intent. If you see that this can be used as a way in which tens of thousands of folks use a "common" credential (with User Control and Consent) to authenticate, and even deceive the "registration confirmation" system into accepting the credential, then I hope you see the big picture. These AuthN mediums are not for a person-to-person authentication system but for an "automated" system. I see this as a means by which hackers have a platform to authenticate into systems, initiate a new breed of DoS attacks, hijack identities, & misuse the system. Please see this not as an attempt to "attack" but as an attempt to show you that there can be several ways in which a system's stability can be compromised using extremely simple means. It does not require a rocket scientist to do such tasks. & mind you, there are several folks "out there" who do this just for the kicks. So when you folks read about infocard and its capabilities in all its basking glory, please remember not to tie yourselves down to an "infocard walled garden" and think outside of the BOX.
As "WE" work on securing the system/s even more, the "outsiders" will always find innovative ways of breaking it. Therefore "WE" need to work as a "TEAM" and CO-LAB-OH-RATE!!
Please... Let's not work on "proprietorizing" IDENTITY. We've got to have a solution that the industry sees as something that is SECURE, OPEN & more importantly INTER-OPERABLE. Remember it takes 2 to tango.

Monday Mar 27, 2006

UPDATE : Build 5299 did not work. I'm now hunting for Build 5296, because the build that works on my desktop is Build 5296. If anybody has a downloaded copy of Build 5296, please please let me have a copy.....
OK. OK..... I've tried and tried and the March 20th release of ie7 just does not work (Kim had pre-warned me/us about it, but I just didn't heed his advice). The ONLY ie7 release that works with infocards is BUILD 5299 (for now). Now I had a desktop with Build 5299 installed, but unfortunately I had not saved a copy of it. I just finished rebuilding my virtual infocard test environment and was having an extremely hard time trying to download ie7 Build 5299. I desperately wanted Build 5299 for testing purposes. I am aware of all the security flaws that come along with it, but I just don't care about them for now. All I wanted is a browser that worked with infocards. So after much effort, I did find an ie7 Build 5299 download on rapidshare. So in case you would like to use ie7 Build 5299, here are the download links.
  1. IE 7 build 5299 (link 1)
  2. IE 7 build 5299 (link 2)
  3. IE 7 build 5299 (link 3)
WARNING: USE AT YOUR OWN RISK Also read the whole list of ie7 security flaws & vulnerabilities prior to proceeding.

Sunday Mar 26, 2006

This "night graveyard-shift" infocard project of mine is working out to be an expensive affair for me, in $$ terms. I travel around so much (every Mon-Fri) that in order to work on it at nights, I needed to have WinXP with SP2 and ie7 on it. There's no way I would risk putting my endeared Ferrari through the BSoD (Blue Screen of Death) trauma. And there was no way for me to carry all my desktops around when I travel. So VMware came to the rescue.

My VMware Workstation costs US$199, and then another WinXP Pro license was another US$299. And another CD$100 for bribing my wife with a L'Occitane gift pack to entice her to let me spend this money. Whew!!

I hope this expense pays off in terms of learning. I believe that there can be no cost factor associated with learning. And hope & pray that this pays off in the long run.

Now I have a "infocard" ready system in addition to a development environment, and a webserver with me all the time. Hopefully in the coming weeks, (with my new set of ammunition), I should be able to blog more on my discoveries...

So stay tuned...

Friday Mar 24, 2006

An FYI reminder & a cross-post from superpatterns. The reason I'm cross-posting this is because I believe that this is something important that everybody should participate in, as the info that this webcast would provide would prove extremely valuable.

There's a lot of buzz around 'user-centric identity' right now: the notion of involving users in the management of their personal information and its use, rather than leaving it to some enterprise or other organization. The folks at the Liberty Alliance have written a whitepaper entitled 'Personal Identity' that shows how Liberty's Identity Federation Framework (ID-FF) and its successor SAML 2.0 can be used to implement user-centric identity, for example, a user providing their own identity services via a Liberty-enabled device such as a cellphone. It's a good read; it starts from the basics, so you should be able to follow it even if you're new to Liberty and SAML.

On the same topic, John Kemp of Nokia and my esteemed colleague Hubert Le Van Gong will be presenting a webcast on April 12 2006 at 8am Pacific. PLEASE NOTE: Registration is required and limited to the first 100 respondents! The last webcast on the Liberty People Service 'sold out' very quickly, so get in there straight away if you're interested. If you're too late, don't despair - the webcast will be available in archive form after the event. I'll update this entry with the URL once it's online.

To register for the webcast, follow these steps.

  1. Go to http://projectliberty.webex.com
  2. Under the heading Attend a Meeting, click Register
  3. Search for centric
  4. Select User Centric Identity: Success Today and click on the Register Button. (Don't bother clicking on the link - it doesn't lead anywhere useful!)
  5. Fill out the required information and click Register Now at the bottom of the page.
Please email Tricia DeHart of the Liberty Alliance Project with any questions.

Thursday Mar 23, 2006

Self-issued information cards support only a select number of claims. Each of these claims is associated with a URI that one could use to look up the claim inside the token.

The claims that are supported are:

  1. Given Name = "http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname";
  2. Email Address = "http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress";
  3. Surname = "http://schemas.microsoft.com/ws/2005/05/identity/claims/surname";
  4. Street Address = "http://schemas.microsoft.com/ws/2005/05/identity/claims/streetaddress";
  5. Locality = "http://schemas.microsoft.com/ws/2005/05/identity/claims/locality";
  6. State/Province = "http://schemas.microsoft.com/ws/2005/05/identity/claims/stateorprovince";
  7. Postal Code = "http://schemas.microsoft.com/ws/2005/05/identity/claims/postalcode";
  8. Country = "http://schemas.microsoft.com/ws/2005/05/identity/claims/country";
  9. Home Phone = "http://schemas.microsoft.com/ws/2005/05/identity/claims/homephone";
  10. Other Phone = "http://schemas.microsoft.com/ws/2005/05/identity/claims/otherphone";
  11. Mobile Phone = "http://schemas.microsoft.com/ws/2005/05/identity/claims/mobilephone";
  12. Date of Birth = "http://schemas.microsoft.com/ws/2005/05/identity/claims/dateofbirth";
  13. Gender = "http://schemas.microsoft.com/ws/2005/05/identity/claims/gender";
  14. PPID = "http://schemas.microsoft.com/ws/2005/05/identity/claims/privatepersonalidentifier";

One could use these URIs with the TokenHelper class to extract the values of the claims.

..... more later.....

Wednesday Mar 22, 2006

Here are a few thoughts on "authentication" and "authorization" in my own words.... (I hope you can understand what I am trying to say or imply). Please read this if you know how to differentiate between jokes and serious stuff....

I am Rohan Pinto, also known as "rohan" to some, by an "employee ID number" to my employer (you wish I published that number, didnt you ?), "ldapguru" according to folks who use my website, "Mr. Pinto" to those who look up to me (no kidding.. there are a few... a very few...), "Sir" (to the world, If I ever get to do better in life than Sir, Richard Branson), "baby" to my wife, "daddy" to my kids, "thengdi" to some, "ron" according to a few, "kramer" to some, "attacker" according to Kim, "hey you" to others who just dont care...

Anyway, the point is, I have several identities, each for a "specific" use-case ;-)
Now, my wife would never accept the credential "daddy", nor would my kids accept anything other than "daddy". Similarly, others too have their own criteria for what's accepted and what's not.

The "criteria" is NOT something set or asserted by me. It's something that the "Relying Party" sets for themselves.

I probably do have the ability of presenting another credential to my "Relying Party", But would the "Relying Party" BUY THAT ?

Nothing stops me from presenting my "self asserted identity" to any of the "Relying Parties". I being a "human-component" have the ability to understand and know the (sometimes partially, and sometimes everything: based on how much info I have about the "Relying Party") criteria for acceptance by these "relying parties". Based on that info, I could establish an identity that closely matches the "acceptance criteria" of my "Relying Party", and probably get my "Relying Party" to open doors and welcome me in.

Hey, this whole exercise about "identity management" is to make the world a better/safer/more secure place, ain't it? I think that providing a platform whereby "identities" can be spoofed and "created" is just silly. Who are we really helping? "ourselves" or "somebody else"?

The way I look at it is, that the "Relying Party" has this box of treasure. I would like to see that treasure and claim my share.... In order to do so, the "Relying Party" has their own set of criteria of acceptance. If "my authenticated & authorized identity credentials match their criteria, I am given a key. I can use that key and open the treasure box anytime, however many times I want to". The point is, that the key is "GIVEN" to me after the fact that I have "successfully" authenticated and also "authorized" myself in a one-step or a multi-step process (usually a multi-step process). However, even if I have a "pre-authenticated/pre-authorized" "key", I still need to present it to the "keeper" of the treasure and authenticate myself again every time I need to gain access. Even after authenticating myself all over, the "keeper" would still need to "authorize" me every single time.

The first step is gonna be to ensure that the "identity" is who he/she or even an "it" really is. There's no way that the "Relying Party" is gonna take the "presented secure identity token" and rely on it. One may say that the "secure token presented" can be validated against a specific set of criteria, But hey thats "authorization". Why would the "Relying Party" take the pain of "authorizing" a fake to begin with... If the "Relying Party" has assurance that the "identity" is valid, then the "authorization" step begins....

One not only needs to ensure that the "identity" is not a "fake" but also needs to ensure that the "identity" is stepping in from the front door, and then also have the ability to validate the "identities" other unique "characteristics" prior to even cross checking if the acceptance criteria matches the "identities" profile.

Am I selling something here... maybe... maybe I am....
Have you heard of nFactor Authentication yet?? Well, if not, you will... soon... (I'm in the process of patenting and trademarking it.) Trust me, you will hear from me.....

Anyway, back to the topic on hand... USER-CONTROLLED-IDENTITES.
I personally think that it's not a good thing. But I cannot force everybody to agree with my views. Like I have a right to my own view, you have your rights too. So all said and done, I see that the industry is making this huge "noise" about user-controlled-identities. Why fight it, I'll flow with it....

But in the process...., instead of just accepting the fact, I thought of making user-controlled identities a wee bit more secure... and easier to implement and use. So I've come up with my own "ANTI Laws of Identities" explanations... (No offense Kim, I'm having fun with terminology. It's been a long hard day today...)

  1. User Control and Consent: The user sure can consent, but control, NO !!!. I meet my wife, she recognizes my "pre-authenticated" characteristics and "identity" and says, Hi "baby". I only consent by saying "yes love".
    LOL... I'm having fun today.. ain't I ??
  2. Minimal Disclosure for a Constrained Use: Minimal Disclosure NO !!!. With my wife there's no "minimal disclosure". I'm not sure if yours does.
  3. Justifiable Parties: True, Very Very True. I concur. Both me and my wife need to constantly justify our commitment to each other. Trust me. We really really do. No kidding, honest.... Don't you? It's not because we distrust each other, it's reassurance. Just like folks like to reassure themselves about how good they look by repeatedly asking for opinions...
  4. Directed Identity: In my case (example) the "identity" assertion is a two-way street. Not only would the "identity" need to assure itself of the authenticity of the "Relying Party", but the "Relying Party" also needs assurance that the "identity" is a "trustWORTHY" "Identity".
  5. Pluralism of Operators and Technologies: If I see myself as the "Relying Party" I need to not only recognize an identity called a "wife" but also recognize and know the difference in characteristics between identities like "daughter", "son", "employer", "mom", "dad", "friend" etc...
  6. Human Integration: I disagree that human intervention needs to be a Law. Human intervention is necessary, but not always. My coffee maker can brew only coffee and not make chicken soup. If I try to add chicken strips and water, I do not get coffee. My coffee maker is intelligent enough to know the difference between coffee beans/powder (the 2 characteristics of a presented identity that it can relate to, and that are in its list of criteria to brew good coffee).
  7. Consistent Experience Across Contexts: emmm.. how do I go about this one.. This is a hard one... Let's see.... How usable would today's computers be had we not invented icons and lists that consistently represent folders and documents? Hey, I really do not care about icons. I live in a "shell". Even though I'm not "Born Again", I live in a shell, a "Bourne shell". In my world, there are no "icons". However, I am classified as an "attacker". How could you relate to me, and prevent me from doing what I (probably) could do, if I didn't care about "icons"? You need to relate to me... the "threat". And if you succeed in doing so, that would be a HUGE step forward in making the world a better/safer/more secure place.

That was fun... I just hope and pray that Kim takes this as a joke in good stride... This is plain old "food for thought" with a humorous twist. (It sounds humorous to me at least. If it's not, maybe my taste in jokes is real bad...)

Next topic is "Secure User Controlled Digital Identities" and my version of enabling its usage without having to implement or assert the adoption of a new "proprietary" standard or protocol. (If not the immediate next blog post, it would be a topic that I would soon post something on.)

Tuesday Mar 21, 2006

Kim said that I was wrong on the cookie phenomena when "infocard" authentication was used...

well, I'm not too sure about that.. Here's my exercise details to crosscheck if I really was wrong.

I cleared my browser cache, cookies..... everything to start with a clean slate...
The following screenshot shows the existing cookie list from my browser.. (note: no identityblog.com cookies)

Then I logged into identityblog using my "infocard" ID, And tried to post a comment. The screenshot below shows that the comment form was not filled out with my info.... However after the comment posted, it showed that the comment was posted by me... using the info that my "infocard" had...

The following screenshot shows the cookie list in my browser AFTER infocard auth. Notice that the cookie name is wordpressuser_MYSESSIONID & wordpresspass_MYSESSIONID

Then I logged out and the cookies disappeared... Neat stuff. Kim was right, the cookies get established when one logs in and then destroyed when one logs out.... or closes the browser, which is a nice thing because it was session based... usually the cookies exist for a period of time till the session timeout value exceeds the set limit. But in this case the session was immediately destroyed regardless of whether I logged out or closed my browser... nice... really nice... IMPRESSIVE....

Then I posted a comment without authentication, and by filling out info in the comment form. The following screenshot shows what I did.

Actually I made a small error at this point.. I had posted a comment without logging out. I simply forgot to hit the "logout" button in the process of ALT-TABBing between this blog post and his blog. So I Hit the logout button and THEN posted the following comment:

As soon as I did that, I noticed that Kim's blog server set 3 cookies as the following screenshot depicts: (note the cookie names, they start with comment_author_MYSESSIONID, comment_author_email_MYSESSIONID, comment_author_url_MYSESSIONID).

Now I login with infocard again... and post a comment as the following screenshot shows:


I checked my cookie list and saw that in addition to the cookies previously set without infocard auth, there were 2 more cookies... The following screenshot shows that....

...In short, once a user uses the forms to post comments, regardless of the "infocard" auth, the cookies persist in the browser....
However the form gets posted by the "authenticated user" regardless of the info one fills in the comment form.... But after the user logs out, he can still post comments without authentication, and the persistent cookies take precedence....

INFERENCE: Kim's wrong 50%, I am wrong 50%. We are both 50% wrong.... ROTFL...

AH! with these screenshots, I do not think I need to explain more, You dear readers of my blog/s, can be better judges of what works and what does not ;-)

Cheers for now. That was a fun exercise...

update/note : Please refrain from sending me emails that the cookie list screenshots were not from using ie7, but were from Firefox. Do not ask me how I did it (not right now), I shall announce how to use Firefox to authenticate using infocards in due time... when the time is right...

With the infocard buzz going around..., and the possible opensourcing of it's components and code that enable users to easily deploy infocard, I thought that it would be nice if there could be more folks from the community who could actually try it out from a "deployment" perspective rather than from a "user's" to better understand how the whole thing works. But unlike me, not everybody has access to servers, and other necessary resources to deploy such a solution.

I thought of making it easier for those who do not have servers but just a desktop and/or a laptop to install a webserver (ie: Apache), php, perl, sendmail, mysql DB, a FTP server (ie: filezilla), a mail server (ie: mercurymail), webdav, a mysql DB administrator (ie: phpmyadmin), a weblog analyzer (ie: webalizer), OpenSSL, etc.. at the click of a button..

No, No, I didn't develop anything new, but am pointing you to something that exists out there that would enable you to do ALL OF THE ABOVE.

introducing: XAMPP from Apache Friends.


The philosophy behind XAMPP is to build an easy to install distribution for developers to get into the world of Apache. To make it convenient for developers XAMPP is configured with all features turned on.

The default configuration is not good from a security point of view and it's not secure enough for a production environment: please don't use XAMPP in such an environment.

Since LAMPP 0.9.5 you can make your XAMPP installation secure by calling »/opt/lampp/lampp security«

XAMPP for Linux
The distribution for Linux systems (tested for SuSE, RedHat, Mandrake and Debian) contains: Apache, MySQL, PHP & PEAR, Perl, ProFTPD, phpMyAdmin, OpenSSL, GD, Freetype2, libjpeg, libpng, gdbm, zlib, expat, Sablotron, libxml, Ming, Webalizer, pdf class, ncurses, mod_perl, FreeTDS, gettext, mcrypt, mhash, eAccelerator, SQLite and IMAP C-Client.

XAMPP for Windows
The distribution for Windows 98, NT, 2000 and XP. This version contains: Apache, MySQL, PHP & PEAR, Perl, mod_php, mod_perl, mod_ssl, OpenSSL, phpMyAdmin, Webalizer, Mercury Mail Transport System for Win32 and NetWare Systems v3.32, JpGraph, FileZilla FTP Server, mcrypt, eAccelerator, SQLite, and WEB DAV & mod_auth_mysql.

XAMPP for Mac OS X
The distribution for Mac OS X contains: Apache, MySQL, PHP & PEAR, SQLite, Perl, ProFTPD, phpMyAdmin, OpenSSL, GD, Freetype2, libjpeg, libpng, zlib, Ming, Webalizer, mod_perl, eAccelerator, phpSQLiteAdmin.
WARNING: This version of XAMPP is still in the first steps of development. Use at your own risk!

XAMPP for Solaris
The distribution for Solaris (developed and tested with Solaris 8, tested with Solaris 9) contains: Apache, MySQL, PHP & PEAR, Perl, ProFTPD, phpMyAdmin, OpenSSL, Freetype2, libjpeg, libpng, zlib, expat, Ming, Webalizer, pdf class.
WARNING: This version of XAMPP is still in the first steps of development. Use at your own risk!

XAMPP is free of charge
We don't like overpriced commercial software and XAMPP is our attempt to do something that shows free software doesn't have to be bad.

Easy installation and deinstallation
To install XAMPP you only need to download and extract XAMPP, that's all. There are no changes to the Windows registry (not true if you use the Windows installer version of XAMPP ) and it's not necessary to edit any configuration files. It couldn't be easier!
To check that XAMPP is working some sample programs are included, there is a small CD collection program (written in PHP using MySQL) and a small guest book software (written in Perl) and several other demonstration utilities.

If you decide that XAMPP isn't needed any more just delete the XAMPP directory and it's completely removed from your system.

If you use the Windows installer version of XAMPP it's recommended to use the uninstall feature. As every installer does, the installer will make registry entries to remember the install.

The license
XAMPP is a compilation of free software (comparable to a Linux distribution), it's free of charge and it's free to copy under the terms of the GNU General Public License. But it is only the compilation of XAMPP that is published under GPL. Please check every single license of the contained products to get an overview of what is, and what isn't, allowed.

In the case of commercial use please take a look at the product licenses (especially MySQL), from the XAMPP point of view commercial use is also free.

Happy LAMP... oops... XAMPPing.

Monday Mar 20, 2006

Hi Everybody. Here's a request. I'm trying to decipher a file with the header as follows:

The body of this XML file has a tag block as follows:


If anybody knows anything about this, please let me know... by either posting a comment here ( which obviously is as good as telling the world ;-) ) or by emailing me -AT- myFIRSTname.myLASTname@sun-DOT-com

Anybody ???

Saturday Mar 18, 2006

Pursuant to my prior post on Kim's php code release, I predicted that the php code would be no magic. The real "magic" is in the browser's capability of invoking the "Identity Selector" and passing data packets back and forth between the infocard-enabled website (using the OBJECT tag) and the "Identity Selector". More on the browser side later. This post is about what Kim's php code "may" look like.

Please Read Update 2 at the bottom of this post

First and foremost, infocard requires SSL. So what Kim may have done on the server side is force SSL usage on his admin pages. This "probably" is accomplished by setting up Rewrite Rules on the "insecure" host.

In the .htaccess or virtual host stanza in httpd.conf for www.identityblog.com, Kim may have the rewrite rule to automatically go to the secure host when you browse to http://www.identityblog.com/wp-admin/. It's pretty evident because it does just that.

RewriteRule ^wp-admin/(.*) https://www.identityblog.com/wp-admin/$1 [C]

If Kim is using permalink rewrite rules, this line would probably appear before RewriteRule ^.*$ - [S=40]

I also noticed that Kim does not restrict access to the "public" www.identityblog.com over SSL. But if he chooses, he could restrict access to the secure site only to administrators, and force the public site to be served over non SSL.

Well, his httpd.conf file may look something like the following:

It is probably a good idea to utilize SSL for user logins and registrations apart from administration. I hope Kim considers the following substitute RewriteRules. He currently does not do that.

Insecure
RewriteRule ^wp-(admin|login|register)(.*) https://www.identityblog.com/wp-$1$2 [C]
Secure
RewriteRule !^/wp-(admin|login|register)(.*) - [C]

Now as far as the php code goes: Here's what I believe has been done.

  • He's enabled External Auth. (i.e. not MySQL, but infocard auth)
  • Modified the following Files:
    1. infocard/* : Contains all the infocard functionality
    2. wp-login.php : Contains the infocard authentication code and modified cookie content
    3. wp-admin/auth.php : This is modified to take account of the infocard cookie marker
    4. wp-config.php : Contains some infocard definitions
  • wp-includes/functions.php:wp_login() : modified to do infocard authentication and check for the infocard marker in the cookie
  • wp-includes/functions.php:wp_setcookie() : modified to set the infocard marker instead of the password in the cookie

NOTE: The directory /infocard is not really called infocard. I have no idea what the directory name is. I assume that it's infocard. I cannot crosscheck it because He probably has a .htaccess file there that does not allow directory listing. So for all you know the directory may be called "unknowndirectory".

The file wp-config.php probably contains an "infocard" switch define('INFOCARD_ENABLED', true);. Setting INFOCARD_ENABLED to TRUE turns on "infocard" authentication. Setting it to FALSE turns it off and normal WordPress authentication takes over.

NOTE : I'm trying this on my own test box and not directly on www.identityblog.com. Since I have my own private network and am doing this on my own boxes (offline), I edited the file contents to "identityblog" to relate to what Kim's doing on his site.

That's all for now. I've got to run, my daughter (my everything) just had a fall and is bleeding... I'll follow up on this later...

I shall post the PHP code itself shortly. Please note: I am not stealing Kim's code; nor have I obtained it from him in any form so far. I am doing something similar to what Kim "may" have done, and am posting that code here.

Since the code's distributed across several files and directories I shall post a link to a tar file download and installation instructions. If you would like to "infocard" enable YOUR "wordpress" installation you could just follow the instructions in the tar file and use it.

Also Note that This is not generic php. It's specific to wordpress.

The reason I'm doing this is because the market coverage for this php code is so much that it surprises me that folks do not realize that php ain't magic. The code release I would like to really see is the "browser" bit.

releasing php code for wordpress does not make infocard opensource.

UPDATE: I'd be very curious to find out how closely my code would resemble Kim's actual code. Kim: If you're reading this, could you give me an indication if I'm going down the wrong path?


UPDATE 2: I tested this approach over and over... The php code DOES HAVE "some" magic in it. It needs to understand the MetaData and obtain the xml token that the "Identity Selector" sends across... more investigations underway... Will keep you posted..SORRY Kim, Sorry for saying there's no magic ;-)

Just an FYI discovery of the moment.. Infocard authentication (as I had blogged about earlier this week) currently works on Windows XP with WinFX CTP installed and with Internet Explorer 7 Beta 2 Preview only. I tried to install ie7 Beta 2 Preview on Windows Server 2003. But got an "installation" error as ie7 Beta 2 Preview is currently not supported on Windows Server 2003.

ie7 Beta 2 Preview release notes can be found here.

If anybody out there has been successful in installing ie7 Beta 2 Preview on Windows Server 2003, please let me know how you did it or if it was possible.

Thursday Mar 16, 2006

I have just completed a basic infocard plugin for Firefox. Currently, with my plugin, you can create infocards and save them. Yeah... a helluva lot of work has gone into it already...

Please remember, I have a day job too and this is my effort on a "time restrained" basis...

Some folks mentioned to me just yesterday that I am burning myself out with "infocard". I want to put on record that this effort of mine is outside the boundaries of my day job. Well, if you think that I'm lagging in my "official work", you're DEAD wrong. My utilization is in excess of 100% and hey !! I'm a revenue engine for my employer. (I just hope that they are aware of it and appreciate it) ~just kidding...

There are folks who go clubbing, skiing, surfing, sailing, etc... for recreation. Well, I code for recreation... So.. All's good... I hope..

Well, the next step is to enable the HTML-OBJECT (enable the browser to recognize the application type "infocard") tag to invoke my "plugin" to enable the user to select an infocard (identity) and pass the security token representing the digital identity from the Security Token Service (STS) onto the requesting site using the HTTP(s)/POST operation.

I am not sure how the website would validate the token, but however I guess I shall find out shortly..

Screenshots of my Firefox Plugin are shown below:


Firefox Extension Installer/Update:

Firefox Infocard Options:

Firefox Infocard Editor:

PS: The plugin is in "alpha" right now. I shall keep you posted developments from my end.

UPDATE: I should have said PRE-alpha rather than alpha. The plugin is nowhere close to completion. Please remember I just started working on this and it would take me time to complete it (especially when I'm doing this after hours). I shall post updates periodically as functional modules get added.. And as soon as I have a "working" instance, I shall make it available for download both from here and also the Mozilla downloads directory.

I just wanted to share with you the "browser" requirements for "browsers" to have the ability to invoke the Infocard Identity Selector (WinFX CTP Component).

For now, I know what the "browsers" should do. Would they do it... is another story altogether...

  1. The browser InfoCard support code invokes the InfoCard identity selector, passing it parameter values supplied by the InfoCard HTML tag supplied by the site.
  2. The user then uses the identity selector to choose an InfoCard, which represents a digital identity that can be used to authenticate at that site.
  3. The Identity Selector uses the Identity Metasystem protocols to retrieve a security token representing the digital identity selected by the user from the STS at the identity provider for that identity.
  4. The browser should post the token obtained back to the web site using a HTTP(S)/POST.
  5. The web site validates the token, completing the user’s InfoCard-based authentication to the web site.
  6. Following authentication, the web site would typically then write a client-side browser cookie and redirect the browser back to the protected page.
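As an added example (not code from this blog, Kim's site, Chuck's Java RP, or the TokenHelper class), here is Python that does the Relying Party's work right after step 5, using the fourteen claim URIs listed in the Mar 23 post: it maps each Attribute in a SAML 1.1 token to its claim URI, keeps only the self-issued claim set, and reports which required claims are missing. The token is constructed for the demo, and the way a claim URI is formed (AttributeNamespace plus "/" plus AttributeName) is an assumption of this example.

```python
"""Extract self-issued InfoCard claims from a SAML 1.1 token by claim URI.

Added example, not the blog's, Kim's or the TokenHelper code. The token below
is constructed, and the way a claim URI is formed (AttributeNamespace + "/" +
AttributeName) is an assumption of this example.
"""
import xml.etree.ElementTree as ET

CLAIMS_NS = "http://schemas.microsoft.com/ws/2005/05/identity/claims"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ATTR = f"{{{SAML_NS}}}Attribute"
ATTR_VALUE = f"{{{SAML_NS}}}AttributeValue"

# The fourteen claims a self-issued card can carry, by the last segment of each URI.
CLAIM_NAMES = [
    "givenname", "emailaddress", "surname", "streetaddress", "locality",
    "stateorprovince", "postalcode", "country", "homephone", "otherphone",
    "mobilephone", "dateofbirth", "gender", "privatepersonalidentifier",
]
CLAIM_URIS = {name: f"{CLAIMS_NS}/{name}" for name in CLAIM_NAMES}

# Constructed sample token: not captured from an Identity Selector, and carrying
# one foreign claim (shoesize) to show that unknown URIs are kept apart.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="uuid-constructed-0001" Issuer="urn:example:constructed-self-issuer">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>constructed-subject</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>John</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="surname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>john.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>constructed-ppid-value</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="shoesize" AttributeNamespace="http://example.com/claims">
      <saml:AttributeValue>42</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(token_xml):
    """Map every claim URI in the token to its value (a list if multi-valued).

    Call this only on a token whose XML signature has already been verified;
    until then every value here is just text the sender chose.
    """
    root = ET.fromstring(token_xml)
    claims = {}
    for attr in root.iter(ATTR):
        ns = attr.get("AttributeNamespace", "").rstrip("/")
        uri = f"{ns}/{attr.get('AttributeName', '')}"
        values = [(v.text or "").strip() for v in attr.findall(ATTR_VALUE)]
        claims[uri] = values[0] if len(values) == 1 else values
    return claims


def self_issued_claims(token_xml):
    """Keep only the self-issued claim set, keyed by short name; foreign URIs are dropped."""
    claims = extract_claims(token_xml)
    return {name: claims[uri] for name, uri in CLAIM_URIS.items() if uri in claims}


def missing_required(token_xml, required):
    """Short names of required self-issued claims the token lacks or leaves empty."""
    present = self_issued_claims(token_xml)
    return [name for name in required if not present.get(name)]


if __name__ == "__main__":
    print(self_issued_claims(SAMPLE_TOKEN))
    print("missing:", missing_required(SAMPLE_TOKEN, ["privatepersonalidentifier", "dateofbirth"]))
```

The PPID claim is the one an RP would key its user record on; the other values are only as trustworthy as the signature check that precedes this step.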

AH!! authentication, see... Infocard addresses "authentication" and NOT "authorization". I believe that my assumption is true. Could someone correct me if I'm wrong?

This blog copyright 2009 by Rohan Pinto