If anyone is wondering what the new Infocard registration and login links on my blog are, let me explain. As I mentioned in my last entry, I am working on libraries for XMLENC and XMLDSig in PHP. Since these are complicated technologies, the code produced so far has mostly been an attempt to design an API that follows PHP's KISS approach before moving on to writing bindings for the XML Security Library. To test the APIs I wanted real-world scenarios, such as building a class to handle WS-Security using the routines from the API. A few months ago I came across another technology leveraging XMLENC and XMLDSig: Infocards (aka Windows CardSpace). I am getting really sick of long blog entries showing up almost in their entirety in aggregators, so I am truncating this here; you can read the full entry for the rest of the story.
Windows CardSpace is a technology being released with Windows Vista, and it is also available if you are running the IE 7 beta and grab the .NET 3.0 Framework (note that you must be running at least the July CTP version and cannot be using Vista beta 2; the Infocard pieces changed a bit since those older versions). My current setup that works with all this is Windows XP, IE 7 beta, .NET 3.0 July CTP and the latest updates to all of those. Before anyone dismisses this as a Microsoft-only thing, you should know that there is an initiative by the OSIS Working Group to produce an open-source identity selector. I had played successfully with an early version of one written as a Firefox plug-in, so this initiative shouldn't be written off as one of those that will drag their feet and go nowhere.
Update: A good introductory presentation on InfoCard can be found here
While I won't go into details on the intricacies of Infocard (you can find all that from those more knowledgeable than I), you should at least understand that it is an attempt at solving the digital identity problem. For those of you who like buzzwords, feel free to search on Identity 2.0 (a complementary, and some say necessary, technology for Web 2.0). Although I am interested in the concepts of identity and privacy - and hate all the buzzwords - I was initially interested in the fact that it used XML and wondered if I could process it using the API I was working on. Most of what I learned about Infocard came from Kim Cameron's blog. Since he is a Microsoft developer (and also considered the father of Infocard), I thought it was really cool how he integrated Infocard with WordPress using PHP. I figured if a Microsoft guy did this in PHP, then I surely had to give it a shot - no offense, Kim. It would be a good exercise to see how easy it would be to work with my in-progress API.
Luckily, I had most of the bugs worked out of the library, having used many of the examples and test cases from the xmlsec library to test my code. In fewer than 100 lines of code I was able to create routines to decrypt the submitted XML structure (the XMLENC part) and verify the signature on the underlying SAML token (the XMLDSig part) - not bad considering that includes blank lines and error handling. This is where I got slowed down a bit. I am a novice in the SAML area and, to add to the difficulty, I was unsure how to handle self-asserted tokens that provide a public key whose origin I had no way of knowing (so I wasn't sure what level of trust I could give it). I had gone back and forth with Kim about this particular piece and finally decided upon using the privatepersonalidentifier assertion to identify a user within Serendipity. Supposedly this piece of information is unique to the combination of the card being used and the site it is used with, so it still prevents sites from trying to tie personal information together. I am still learning many of the finer details of working with Infocard, so take anything I say here regarding it with a grain of salt.
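One way the verify-then-identify step described above can look using plain PHP DOM and OpenSSL (an added example, not the author's in-progress library): it assumes the XMLENC layer has already been decrypted, that the card's RSA public key from ds:KeyInfo has been converted to PEM, and that the token is a self-issued SAML 1.1 assertion with an enveloped rsa-sha1 signature using exclusive C14N.

```php
<?php
// Added example (not the author's in-progress library): verify the enveloped XMLDSig
// on an already-decrypted, self-issued InfoCard SAML 1.1 token, then read the PPID.
// Assumes $publicKeyPem is the card's RSA key taken from ds:KeyInfo and converted to
// PEM, and that the token uses rsa-sha1 / sha1 with exclusive C14N (checked below).
const NS_DS   = 'http://www.w3.org/2000/09/xmldsig#';
const NS_SAML = 'urn:oasis:names:tc:SAML:1.0:assertion';
const NS_IC   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims';
function verifyInfocardToken(string $samlXml, string $publicKeyPem): ?string
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($samlXml, LIBXML_NONET)) return null;
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('ds', NS_DS);
    $xp->registerNamespace('saml', NS_SAML);
    $assertion = $doc->documentElement;
    $sig = $xp->query('/saml:Assertion/ds:Signature')->item(0);
    if ($sig === null) return null;
    $refs   = $xp->query('ds:SignedInfo/ds:Reference', $sig);
    $sigAlg = $xp->evaluate('string(ds:SignedInfo/ds:SignatureMethod/@Algorithm)', $sig);
    $digAlg = $xp->evaluate('string(ds:SignedInfo/ds:Reference/ds:DigestMethod/@Algorithm)', $sig);
    // Pin the algorithms rather than dispatching on whatever URIs the token carries.
    if ($refs->length !== 1 || $sigAlg !== NS_DS . 'rsa-sha1' || $digAlg !== NS_DS . 'sha1') {
        return null;
    }
    // The single Reference must point at the Assertion itself: URI="#<AssertionID>".
    $ref = $refs->item(0);
    if ($xp->evaluate('string(@URI)', $ref) !== '#' . $assertion->getAttribute('AssertionID')) {
        return null;
    }
    $digestValue = trim($xp->evaluate('string(ds:DigestValue)', $ref));
    $sigValue    = base64_decode($xp->evaluate('string(ds:SignatureValue)', $sig));
    // Canonicalise SignedInfo (exclusive C14N) before detaching the signature node.
    $signedInfo = $xp->query('ds:SignedInfo', $sig)->item(0)->C14N(true, false);
    // Enveloped-signature transform: the digest covers the Assertion minus ds:Signature.
    $sig->parentNode->removeChild($sig);
    $digest = base64_encode(sha1($assertion->C14N(true, false), true));
    if (!hash_equals($digest, $digestValue)) return null;
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false || openssl_verify($signedInfo, $sigValue, $key, OPENSSL_ALGO_SHA1) !== 1) {
        return null;
    }
    // A self-issued key chains to no authority, so a valid signature only proves the token
    // came from the card holding that key; the PPID (unique per card and site) is therefore
    // the account identifier, and no claim is read before the signature checks out.
    $ppid = $xp->evaluate('string(//saml:Attribute[@AttributeName="privatepersonalidentifier"'
        . ' and @AttributeNamespace="' . NS_IC . '"]/saml:AttributeValue)');
    return $ppid !== '' ? $ppid : null;
}
```

The SAML Conditions (validity window and audience) are not checked here; a relying party would check those before accepting the PPID as a login.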
The code within Serendipity was also not too difficult to integrate with. I began by leveraging the Self-User Registration plug-in and the External Auth plug-in. I did gut them a bit, but much of the functionality they provided was exactly what I needed. Because SSL is required in certain areas, and to avoid the mixture of SSL and non-SSL content on pages that causes those pesky browser warnings, I also had to hack some of the internal Serendipity code (not very much, mind you) to work exactly how I wanted it to. After all was said and done, I now have a working Serendipity system that allows for self-registration and login entirely using Infocards.
So what does this get you? Anyone who registers using an Infocard will receive a confirmation email. Just click on the link within the email to activate your account - I am only verifying that you are registering with a valid email account. These accounts are then managed the exact same way regular accounts are managed in Serendipity. While the default access limits capabilities to simply not having to deal with captchas or entering a username/email when posting a comment, a site administrator can go into the Manage Users section and grant any type of access desired, the same way you normally manage accounts in Serendipity. One thing to be aware of is that the initial surname, givenname and email address are used only to create the initial user account (and to make it possible for an administrator to figure out which user they are granting different rights to); this information is not used anywhere else in the system. The information is taken directly from the assertions made when logging in, so if it is changed in the card, the change is reflected when you log into the system.
As for the code in Serendipity that allowed me to integrate Infocards, I need to do some cleanup on it and am trying to find a way that the changes can all be done within a plug-in without requiring any modifications to the core Serendipity code (this is my first experience playing with Serendipity plug-ins, so it may take a while). In the end, though, I have to say this was a good experience. I was able to validate that the API I am envisioning is going in the right direction, though there are some aspects of it I still don't like. It also was pretty cool playing with some new technology and getting it working with PHP.