Stork & InfoCard (and maybe U-Prove)

Paul Madsen twittered this Network World article about what I guess must be one of the first public appearances of the EU Stork project.

Kim Cameron and MSFT seem to be shopping InfoCard and Geneva all over the place these days, so their comments about Stork shouldn’t be surprising to anyone. The article claims that InfoCard has seen solid industry uptake, which may be true, but according to the recent Concordia Survey on Federated Identity, InfoCard has a very small deployed base.

Nevertheless, I think it is reasonable to expect that InfoCard will get deployed more, even in the R&E community where federated identity is already a Big Thing (TM).

InfoCard shares important infrastructure with SAML, namely SAML metadata, which, when deployed “the right way”, becomes the primary trust fabric of an identity federation. That makes it fairly easy to deploy InfoCard alongside SAML (even though the semantics and user experience of SAML WebSSO and InfoCard differ quite a bit). Microsoft’s Geneva was apparently designed around the same principles of how SAML metadata should be used that are fast becoming best practice among R&E identity federations.

So we learn that STORK will consider SAML 2.0 and holder-of-key as the primary way to interface national eID solutions in the European countries. I really hope they understand that the devil is in the details and design metadata management and trust fabric management in a sensible way.

One can only wonder what lies behind Microsoft pushing Geneva all over the place. Typically Microsoft aren’t happy just following where others lead. Perhaps the idea is to include the U-Prove technology they bought with Credentica last year in Geneva and embrace and extend the identity federation framework…

Then again, once you can see the threat it is suddenly less of a threat. The famous embrace and extend tactic is precisely that: famous. People who are interested in open standards and open implementations should recognize where the ball is being played and start to think about how to implement U-Prove.

One Response to Stork & InfoCard (and maybe U-Prove)

  1. As someone who attended that meeting (I’m a member of the STORK industry group) I have a couple of comments.

    First, I think it’s fair to say that Microsoft applied quite a lot of pressure to the project representatives: there were at least 7 Microsoft people in the room (that I recognised… maybe others too), all of whom asked variants of the question “Why aren’t you using Infocard for this project?”. Over 2 1/2 hours that not only became quite wearing, it also made it quite difficult for anyone else to raise substantive questions/issues.

    Second, as you say, there are legitimate questions about the scale of adoption of Infocard, and whether it can genuinely claim to be an established, proven technology which represents a technological industry consensus. There is a timing issue too: as the project team pointed out, it took 2-3 years of work to even get to the point where STORK could be launched as a project. For much of that period it simply wasn’t tenable to say that Infocard/Cardspace was viable for a deployment on the scale envisaged – certainly not tried-and-tested.

    Finally, there’s the question of whether the project team made the kind of commitment which is suggested. I am not sure I remember it the same way. The crucial word is “consider”. After all, you can consider a technology without ever implementing it. Maybe that’s what they agreed to do. I think it would be premature to imagine that the STORK team are about to revise their architecture, at this stage of the project, to such an extent that it will accommodate Infocards in the foreseeable future. But then, the EU Framework Programmes look at the long timescale.