Craig Burton

Logs, Links, Life and Lexicon: and Code


Keys to the Kingdom

June 10th, 2011 · 1 Comment · Daily Thesis, Identity, Innovation


Drummond Reed was generous enough to respond to my recent post about how to recognize an Identity Implementation Fail. The following paragraph in Drummond’s post set me to thinking:

Even Microsoft with their design for Information Cards (which are the closest we’ve ever come to full asymmetric key-based security infrastructure) never fully solved that problem.

Is that true?

No. It is not. Drummond, don’t you remember? Kim told us how he solved this problem. It was just never talked about very much.

There is a solution to asymmetric key management that was included with the original release of the Identity Metasystem by Microsoft under the Open Specification Promise (OSP).

Here is how it works. The CardSpace IP included a mechanism for minting a public key pair (asymmetric keys) from a password. This happens at the endpoint, not the server. With this little algorithm, the user can generate their own key pairs. This totally solves the asymmetric key distribution problem.

Further, since it is licensed under the OSP, anybody can use the source with a guaranteed commitment (in writing) that Microsoft will never take legal action to stop its use or require remuneration—forever.

What Kim Cameron did with the Identity Metasystem was brilliant and will be incredibly difficult to reproduce or replace. I shake my head and kick the dirt in disgust—even shame—when I think about how CardSpace fell victim to the petty personal fiefdom wars inside Microsoft.


  • William

    Dear Craig…..yes. We need this, or something very much like it. And if the $uits won't get behind it, well, we'll just have to do it anyway. 

    Also – congratulations on the astounding weight loss. Now write me that damn paper you promised (can be ultra short) before you float away……

    Love from Bath, in the West of England.      William