identity metasystem

An infrastructure that enables different Internet identity systems to work in a secure manner with a consistent user interface. The identity metasystem was first developed by Microsoft and was embodied in the now-defunct CardSpace system (see Windows CardSpace). Higgins is an open source identity metasystem that supports all platforms and is compatible with CardSpace (see Higgins project).

The identity metasystem is designed to prevent identity theft on the Internet by providing a secure framework for authentication as well as give users control over the data they share on websites. If and when fully implemented, it would provide a system that eliminates the myriad usernames and passwords for each user. It would replace the browser password manager with a more secure system.

Multiple Authenticators
The identity metasystem lets multiple organizations authenticate a user's identity just as a driver's license and credit card serve as two forms of ID in day-to-day life. The user confirms what should be used to satisfy a website's request for authentication.

The Wallet Metaphor - Information Cards
The metasystem uses "information cards," which are the digital counterpart to the plastic cards people keep in their wallets. The user is presented with a window full of card images to choose from, just like you might remove all your business, ID and credit cards from your wallet and lay them out on a table.

Personal cards (p-cards) are self-issued and hold the data users typically type into website registration forms. A person can create multiple p-cards, with one card having more data than another.

Managed information cards (m-cards), such as membership ID cards and credit cards, are issued by organizations. M-card data are stored on the managed card provider's site, while p-card data are stored on the user's computer. However, transaction history for all cards is stored on the client side.

The identity metasystem also supports the OpenID authentication system, and one of the cards in the card selector can be an OpenID card (see OpenID).

Relying Parties Rely on Identity Providers
A website that accepts information cards is known as the "relying party," because it relies on a third-party "identity provider" for authentication, rather than authenticate the user directly as is common today.

The software in the user's computer that orchestrates the interaction between the relying party (RP) and the identity provider (IdP) is the "card selector," also called the "identity selector." The CardSpace and Higgins software in the user's computer is the card selector.

When a user visits an information card-compliant site, the site (the relying party) states its identity requirements, and the user's card selector highlights the cards that meet those requirements. The user confirms the selection, and a request is sent to the identity provider. The identity provider sends back a digitally signed token that the user can inspect to be sure it is genuine before releasing it to the relying party for authentication.

In the case of a personal card, the card selector functions as the identity provider and sends a secure token to the relying party.

Claims
The identity metasystem uses the term "claims" to refer to any data that is captured in information cards. Although the term "assertion" has been traditionally used, "claim" implies that it has to be proven.

Web Services Protocols
An identity metasystem relies on the Web services protocols for interaction between the relying party (RP), the identity provider (IdP) and the card selector. See Windows CardSpace, Higgins project, Web services protocols and Identity 2.0.

The Authentication Process

The card selector highlights the card that satisfies the site's identity requirements and sends it to the identity provider (IdP) with the user's approval. The IdP returns a security token that is forwarded to the relying party, once again, via the user's confirmation. The PIN exchange in step 5 is optional.