X

Information Card Foundation launched

A weighty group of industry leaders coalesces around new standards for online authentication.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
Robert Vamosi
2 min read

A group including Equifax, Google, Microsoft, Novell, Oracle, and PayPal, plus nine leaders in the technology community announced on Monday the creation of the Information Card Foundation (ICF) with the goal of increasing awareness of the use of electronic ID cards on the Internet, and encouraging interoperability in business around new standards.

"We need to come together in a neutral body to continue to promote the adoption of this technology," said Paul Trevithick, CEO of Parity and chairman of the ICF.

Information cards are online equivalents of physical ID cards, such as a driver's license. The basic idea is that customers would have an electronic wallet with various information cards. This would allow customers to bypass typing in user names and passwords. One example for how it could work is a student accessing a university network would simply present his or her electronic student information card.

That basic concept isn't new. Various vendors have introduced variations on this before. Microsoft recently introduced its own CardSpace concept with the Windows Vista operating system.

However, there are "still too many user names, too many passwords," said Kim Cameron, an architect of Identity and Access at Microsoft. "There's this endless digital baptism of filling in forms and logging in everywhere, and it creates a wonderful environment for the criminal element through phishing attacks and what have you because on the Internet no one does know you are a dog."

What ICF hopes to introduce instead is a tripartite system. In real time, a user would sync via encrypted connection with an ID provider (say a bank or credit card issuer), and also with a reliant party (a university network, a financial site, or an e-commerce site). Unlike having a credit card number, which anyone on the Internet can use anytime, the ID card model proposed by the ICF requires that all three players (user, provider, reliant party) be synced in real time before the transaction could proceed. The addition of a trusted third party in real time should make the new proposal more secure.

Trevithick said that nearly 50 companies participated in discussions at the RSA 2008 conference in February. Additional discussions are planned for upcoming security conferences through the end of 2008. The idea is to bring together as many players in the identification card space as possible. Currently, the ICF steering currently includes Trevithick, Cameron, Drummond Reed (VP of infrastructure at Parity), Mary Ruddy (founder of Meristic), Axel Nennker (consultant at T-Systems Enterprise Services), Pamela Dingle (consultant for Nulli Secundus), Ben Laurie (of OpenSSL and The Bunker), Andrew Hodgkinson (embedded software engineering consultant and contractor), and Patrick Harding (CTO at Ping Identity).

The foundation's site with more information will be live on Tuesday.