
Heard on Hanselminutes

Digital identity and related technologies

CF: This is another thing that came up in my conversation with Kim Cameron on .NET Rocks!, which is RFID tags and as soon as I said RFID he - I could hear the hair on the back of his neck bristle. He said RFID is not a security device. It's not secure. Anybody with an RFID reader can walk up to you with your FOB and read what is coming out of it and then give it an answer and so there is no cryptography and there is nothing. You've seen people going around with laptops with RFID readers and RFID units or whatever they call it, reader-broadcaster or reader-writer; I don't know and they can go up to a car like a Prius, which uses - I am giving away that people can hack my car now - but uses an RFID tag on the FOB and they can just sit there and within an hour they can not only get into it, but they can start the engine.

SH: Right. RFID is just broadcasting a GUID, for lack of a better way to phrase it. I mean, there's no space and no way in which it claims to be any kind of security.

CF: Right.

SH: Definitely, but the idea that someone could use a flexible token and create something unique to a USB key and turn that into a smart card-like device. That's a powerful thing.

CF: Yeah,

SH: Now, there have also been a number of examples - there are chunks of code online - will it be in Java or in PHP on how to do these things? There's an example decoder at www.shrinkster.com/jko where you can basically see what was sent; it will actually show you what happened on the wire, because all this happens only under SSL right now.

CF: Right.

SH: And that decoder will show you the assertions in the underlying Web Services and - if you like that kind of stuff, you can see it - and there is a very good article at MSDN at www.shrinkster.com/jkp that will explain kind of step-by-step how this works, and actually the Wikipedia article - I know that Wikipedia is a little dodgy but at the time that I read it, it was quite up-to-date - at www.shrinkster.com/jkr. Many people are getting excited about this. Now, I had planned to enable DasBlog for information cards.

CF: Cool.

SH: But, Kevin Hammond beat me to it by about a week.

CF: No kidding.

SH: He has taken a casadehambone - that's his Web site - it's the casadehambone and that's at www.shrinkster.com/jks and he has taken an instance of DasBlog and he has enabled it for info cards. So, this could really change the way people do identity over blogs, leaving comments, and he also now uses that information card to log into the administration of his blog.

CF: Wow!

SH: In this case no password is required. So Kevin has enabled DasBlog using this personal private identifier that is sent as one of the claims. Basically, when you're sending an information card you can insert a series of claims in that object tag that say, "Here are the requirements." You might say, "I'm going to need from you an info card that has first name, last name, personal private identifier, and your e-mail address." And each of these claims is described using a URI, a Uniform Resource Identifier.

CF: Yup.

SH: You just list these things out in your object tag, saying, "These are the things I'm going to need." And that Personal Private Identifier is actually unique to the card and the site. They are actually using some of the information within the SSL certificate to hook you up with the site. If I visited Franklins.net under SSL or Hanselminutes.com under SSL, I would get a cryptographically significant and different Personal Private Identifier. That unique ID couldn't be stolen by a phisher because it's different on a per-site basis. Starts to get interesting now, right?

CF: Yeah.

SH: For example, we have an application here at work that is a name and password kind of a thing, but we also have this notion of a single sign-on, the idea that you might have some other external system that's going to manage your identity. We can put in unique identifiers that we call "aliases," and a lot of single sign-on systems do this. They are basically saying you can log in with your name and password or one of these Alias Identifiers, and a lot of systems that have implemented this alternate identity can just take that personal private identifier and use that straight up as an alternate way to log in. That's the kind of thing I think you'll see: sites that include support for logging in the classic way or in the info card way.

I could envision a time when I might go to Amazon one day, log in with my name and my password and then go to my main account management page, say, associate an information card with my account, send them an info card and then they would take that private identifier, that personal private ID that's unique to Amazon, because it's a combination of some of the stuff in the SSL certificate and some of the stuff on my certificate, and it's going to stick that number, I think it's like a 32-character-long kind of GUID-like thing, stick it in their database and then I could actually shut off name and password support. I would say, "I don't want anyone allowed to log into Amazon anymore by name and password. Info cards only." Then it starts getting interesting. Right?

CF: Yeah.

SH: Now, that's just with a self-managed card. One of the things that self-managed cards don't really support is the notion of revocation. This is the idea that you want to cancel your card when someone steals it.

CF: All right.

SH: Now, if Amazon issued cards from their own security token service and they said, "Well, you have an Amazon identity so we're going to give you an Amazon card" - just like they would give you an Amazon credit card with the Amazon logo branded on it. I could go to Franklins.net and say, "Hey! Here's my Amazon card" and if you have a trust relationship with Amazon, you could use these WS-Trust Web Services to actually ask Amazon, "Do you know this guy?" When I hand you an information card, you would say, "And I need these claims. I need this guy's first name, are you going to provide that to me?" and Amazon would say whether or not that was cool. But, if I had done something naughty and Amazon had, maybe, revoked my card, you could say, "I'm sorry. Amazon has revoked your card just like browsers can now revoke SSL certificates."


More Stories By Carl Franklin

Carl Franklin has been a figurehead in the VB community since the very early days when he wrote for Visual Basic Programmers Journal. He authored the Q&A column of that magazine as well as many feature articles for VBPJ and other magazines. He has authored two books for John Wiley & Sons on sockets programming in VB, and in 1994 he helped create the very first web site for VB developers, Carl & Gary's VB Home Page. He now teaches hands-on VB .NET classes for his company, Franklins.Net. He has taught developers from Citigroup, Aetna, Fidelity Investments, Fleet Bank, Foxwoods Casino, UTC, Hubbell, Microsoft, Mohegan Sun Casino, Northeast Utilities, to name a few. Carl is co-host of a weekly talk show on his website for .NET programmers called .NET Rocks! Carl is MSDN Regional Director for Connecticut.



Most Recent Comments
.NET News 03/10/07 03:36:58 PM EST

Scott and Carl talk about digital identity and related technologies. Hanselminutes is a weekly audio talk show with noted Web developer and technologist Scott Hanselman hosted by Carl Franklin. Scott discusses utilities and tools, gives practical how-to advice, and discusses ASP.NET or Windows issues and workarounds.