Security Bites 121: What Microsoft's Geneva means for online IDs

In this week's Security Bites podcast, CNET's Robert Vamosi talks about user authentication with Kim Cameron, chief architect with the Identity and Security group at Microsoft.

At this year's PDC and again at WinHec, Microsoft certainly talked up its new Windows 7. It has also been talking about Geneva, the code name for the next version of CardSpace, the Microsoft user authentication system. One goal of Geneva is to extend the reach of its predecessor, Active Directory Federation Services.

To help developers, Microsoft unveiled at PDC and WinHec the Geneva Server and the Geneva Framework. To play well with other system, Geneva accepts industry standards WS-Trust and WS-Federation, as well as the SAML 2.0 protocol.

Windows CardSpace Geneva releases digitally signed security tokens to Web sites, and allows multiple sites to accept the same tokens, so users don't have to be authenticated for various related sites. On the other hand, if a phishing site lures a user to accidentally use a card and submit a token, that token would not be "redeemable" at any other site and therefore is not useful for impersonating the user in any other context.

Another example of its use might be that an enterprise could have its employees use their Windows Live ID to access various assets within the company.

In addition to working on Geneva at Microsoft, Cameron is part of the Identify Card Foundation, a group that is advocating open standards around the use of ID cards for authentication.

Listen now: Download today's podcast