Identity

I have recently been reading the discussions between Kim Cameron and Dick Hardt, not to mention the outside commentary as well, concerning the use of client sided security and where it fits in. I found this very interesting due to the fact that when I initially began playing with InfoCards, this was one of the features that drew me in. I am neither an identity nor security expert, nor have I had much time to play around with OpenID (that will be changing soon), so I am going to assume my final understanding of what I read is correct and that OpenID currently needs an additional third-party plug-in to perform the same client sided security as InfoCards. If I am incorrect in this assumption, someone please correct me.

If this really is the identity revolution, power to the people and all that jazz, then it really needs to be done correctly from the start. Personally, how it all works or what protocols are used is of much lesser concern to me than what will happen when the technology gets in the hands of my Dad. You can all stop wondering WTF I am talking about as I'll elaborate on that.

Yesterday I upgraded my firefox identity selector plugin to find an interesting new addition. Of course I'm not talking about the managed card support added last month, or that the missing plugin dialog no longer appears, or even the fact that this plugin runs on both my Windows and Fedora 5 x86_64 machines. No..... instead, what caught my attention was the callout to the form button that kicks off the selector (Go figure).

Anyone who has looked at my registration or login page might have noticed that I really suck at graphics and all that I have is a tiny button labeled enter. Not very informative on its purpose, eh? After installing the latest version of the plugin (0.8.5 at the time - a lot of activity happening so this might already be outdated), I was pleasantly surprised to find my page looked a little different.

If you look at the screenshot to the left, you should notice the "What's this?" callout in green. The plugin automatically added this to callout my infocard enabled form. Currently clicking on the image is still a work in progress. It pops up a box where additional information about infocards will be provided and allows the callout to be turned off. Right now it can only be disabled for the current session. Once firefox is restarted, it will appear again. In any case I think its a great feature. There is no current standard image for indicating the login, so if you are graphically challenged like me then it at least provides people with an indication of what your button is for.

The one feature I am really waiting for is the ability to backup and restore infocards using the plugin. Chuck Mortimer recently added the code and utility for working with a Windows Cardspace backup file. Hopefully this feature will be added to the plugin so that I will be able to share my cards between Windows Cardspace (the selector when using IE 7) and firefox (on all my platforms). Currently when using Windows I prefer to use Windows Cardspace just for the fact that it is feature rich, but don't have that option when using Fedora. With the rate features are being added to the firefox plugin though, it shouldn't be too long before it's going head-to-head with Cardspace (at least feature wise).

Last month I released some prototype code for working with XMLSEC and XMLDSig in PHP and also mentioned that I would not be actively maintaining it. A few weeks ago I was asked by Pat Patterson, one of the Federation Architects at SUN, about incorporating the library for use in a PHP based SAML 2.0 service provider within the OpenSSO project. The code will probably recieve more attention there than I currently have time to provide, so you might want to check out what they are doing within their repository (note: the code located there is subject to the Common Developement and Distribution License). They are also looking for help from any PHP developers who might be interested in working the project.

So what does this mean to people already using the code or do not want to worry about any potential licensing issues?

The xmlseclibs code located on my site (including any changes I might make to it) currently is and will remain to reside within the Public Domain. Basically if you get the code from here you do not need to worry about any licensing legal mumbo jumbo (there is none). You will however be on your own for any bugs or problems you might encounter when using the code from here.

So what's in the future for working with Encryption and Digital Signatures in PHP?

We, Alexandre Kalendarev and myself, are close to being ready to add our xmlsec implementation to PECL, but are still working through some issues - especially in the Digital Signature area. Currently it can process almost the same files as when I use the xmlseclibs library, but is still lacking when trying to create signatures with multiple references.

For those who might want to try it out in its current state, you can Download the Pre-Alpha code, which includes some examples. Also, Alexandre has some documentation in Russian available, for those of you who can read it. It has taken us a while to get the code to this state, so hopefully we will be able to have an alpha release in the near future.