2006-05-26
InfoCard is Microsoft's name for the WinFX components comprising its next kick at the identity management can.
An InfoCard is a little XML file with a CRD extension that provides information that allows your identity to be confirmed. The CRD file contains digitally signed metadata which describes where and how to get your authenticated identity information, and what supported claims the card can provide (for example, your membership number from the automobile association, or your credit limit from a credit card company, or your user ID and password).
It does not contain the information itself. You can have a collection of cards issued by various providers (Verisign, for example, or eBay, or your employer, or even self-issued cards), each describing a different identity or supporting different claims.
There are three entities involved in the use of InfoCards. The first, of course, is the subject. That's you: the individual who wants to provide his or her identity to complete some transaction. The second is the identity provider (IP), the issuer of the card who asserts that the information on it is true; and the third is the relying party (RP), who accepts that card as proof of your identity.
When you visit a site that accepts InfoCards, a little electronic chat goes on behind the scenes to discover what information the RP wants (this is contained in its policy). The policy describes which security token formats the site supports, and what claims should be contained in those tokens. Some sites may only want your e-mail address, for example, while others need account information, or proof of age, or other information.
From that exchange, the system knows which of your InfoCards can satisfy the site's requirements and presents them to you in a simple UI as distinct images (currently, they look like credit cards, often displaying the issuer's logo). You pick the one you want to use, and confirm that the required information may be sent. The InfoCard requests the token from the IP, then sends it off to the RP, which receives only the information it needs (which is not necessarily everything that particular InfoCard can provide) in encrypted form. An IP can also send merely a unique Personal Private Identifier (PPID) to an RP, if all the RP wants to do is track users without receiving any personal information.
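The matching and minimal-disclosure steps described above can be sketched as follows. This is an added example, not Microsoft's code or format: the `Card` and `Policy` classes, the claim and token-format labels, and the sample issuers are constructed assumptions, and the example goes slightly beyond the text by letting a policy mark some claims as optional, sent only if the user approves them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Card:
    """Card metadata only: what an IP can assert, never the claim values."""
    name: str
    issuer: str
    token_formats: frozenset
    claims: frozenset

@dataclass(frozen=True)
class Policy:
    """What the relying party asks for."""
    token_formats: tuple            # accepted formats, in RP preference order
    required: frozenset
    optional: frozenset = frozenset()

def pick_format(card, policy):
    """First RP-preferred token format the card's issuer can produce, else None."""
    return next((f for f in policy.token_formats if f in card.token_formats), None)

def matching_cards(cards, policy):
    """Cards to show in the selector: a common format and every required claim."""
    return [c for c in cards
            if pick_format(c, policy) and policy.required <= c.claims]

def token_request(card, policy, approved_optional=frozenset()):
    """Request sent to the IP: required claims plus optional ones the user approved."""
    fmt = pick_format(card, policy)
    if fmt is None or not policy.required <= card.claims:
        raise ValueError(f"{card.name} cannot satisfy this policy")
    extra = policy.optional & card.claims & frozenset(approved_optional)
    return {"issuer": card.issuer, "format": fmt,
            "claims": sorted(policy.required | extra)}

# Constructed sample data (labels are illustrative, not real claim URIs).
CARDS = [
    Card("Self-issued", "self", frozenset({"saml-1.1"}),
         frozenset({"email", "givenname", "phone"})),
    Card("Auto club", "auto-club.example", frozenset({"saml-2.0"}),
         frozenset({"membershipnumber", "email"})),
    Card("Bank", "bank.example", frozenset({"saml-1.1", "saml-2.0"}),
         frozenset({"email", "creditlimit", "givenname"})),
]
SHOP = Policy(("saml-2.0", "saml-1.1"), frozenset({"email"}),
              frozenset({"givenname", "phone"}))

if __name__ == "__main__":
    for card in matching_cards(CARDS, SHOP):
        print(card.name, token_request(card, SHOP, {"givenname"}))
```

Note that the Bank card's `creditlimit` claim never appears in a request for `SHOP`, because the policy did not ask for it.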
You can also generate self-issued InfoCards containing the stuff you'd normally have to type into a form when you register on a site. The site would have accepted what you typed without further authentication; the InfoCard just cuts down on the keyboarding. And yes, for those irksome sites that demand more information than you really want to give, you can still use a little, shall we say, poetic license when supplying the information used in generating the card. It's amazing how many people's phone number is 555-1212!
Since InfoCards are installed on the user's PC, it would appear that they tie the user to one computer. However, they can be exported and installed on other systems. And, to protect the exported data, the InfoCard is encrypted using a user-selected passphrase.
However, there is still a shortcoming in the first release: you can't securely use InfoCards on public machines, say, in Internet cafés, because you'd have to install your cards on the machine to use them. Microsoft plans to enable a way to run InfoCards directly off a USB key in the near future.
InfoCard is scheduled to be released in early 2007, but you can play with it before then. Check out Kim Cameron's Identity Blog; he allows the use of InfoCards for authentication of those making comments. There are also links to demonstrations of InfoCard implementations in Firefox.
Windows Vista will contain native InfoCard support (according to reports, Windows XP users will be able to download the necessary components). Microsoft also offers A Guide to Supporting InfoCard 1.0 within Web Applications and Browsers, which describes the process in detail.
When you're developing your own sites, with the help of a digital certificate and a little code, you, too, can accept InfoCards. Kim Cameron has developed a simple InfoCard tutorial and demo, written in PHP to illustrate that InfoCard is not restricted to use with Microsoft technologies. For Windows developers, the Microsoft Federated Identity and Access Resource Kit Sept 2005 Community Technology Preview includes samples of Security Token Services and step-by-step instructions on how to build WCF applications and services that integrate with InfoCard.
Finally, for the latest on InfoCard, visit Microsoft's WinFX site.