As the gurus of user-centric ID management have discussed here and here, CardSpace together with special "Managed Cards" issued through Microsoft Active Directory could turn InfoCards into a kind of authentication token: not only for yourself, but for the fact that you are an employee of the organization that issued the respective InfoCard (the proof is only as good as the relying party's check of the issuer's signature on the card's token, and its trust in that issuer, of course). Since managed InfoCards are designed to serve as a sort of community/customer ID, why not use them to verify that somebody IS actually working for the company he claims to work for?
Impersonation is still a threat today. I experienced this during the Microsoft Security Tour that I recently attended in Hanau, Germany. One of the main reasons was that my successor in the position of Chief Security Advisor, Michael Kranawetter, was about to present CardSpace to the mainly developer-oriented audience. After sharing a coffee or two, Michael stepped up to the stage and prepared for his presentation.
The big surprise came without a single bit of warning: Michael greeted the audience and said: "Welcome to this session, my name is Sebastian Rohr, and I am the Chief Security Advisor for Microsoft Germany!" Well, there was only one guy in the audience who got puzzled besides myself, my friend Stefan, sitting right next to me! Michael easily showed that in today's business you should not trust everybody who is wearing a "speaker" badge :-) one should ask for proof of the claims stated.
Anyway, back to the point: a "Business InfoCard" issued by your employer not only makes it easier to access, say, the company online store and authenticate yourself. It can also be used in B2B situations, where you hand over your card and your communication partner can easily check that your name, title and affiliation are, in fact, valid, because they come as claims asserted by your employer rather than as text you typed in yourself. In addition, corporate information such as the tax ID, the location of the company and the official (and pretty up-to-date!) info on board members and the Chairman could be included. Nice!
Sitting over a nice glass of wine, one could drift off and, as thoughts come and go, get creative. Be it the impact of the heavy Merlot or too much sunshine: IF we have an established technology that offers easy issuing and management of credentials, spiced with corporate information and used in an interoperable environment that supports an easy "online check" of whether the information presented is still valid... and all this cross-company... with an extensible range of re-use... wouldn't THAT be the dream of all those PKI guys?
Let's face it: PKI has been struggling all these years to become and remain an important part of the IT infrastructure of large organizations. Sometimes the struggle led to a "near-death", sometimes PKI managers are still hunting for the killer app that will put their technology investment to use. Even IF the PKI was put to good internal use, leveraging it outside the company was rarely successful. Now, using the above-mentioned managed Business Cards, we would really be able to do all the things we failed to achieve with X.509 certificates - well, besides encrypted email maybe! (To be fair, the card issuer still signs the tokens it hands out with a certificate, so a PKI lives on behind the issuer; what changes is that only the issuer has to run it, while every partner merely needs to trust that one issuer.)
I am really looking forward to your replies, either to be sure that it WAS too much sun and Merlot, or to kick off a new thread on (mis)using user-centric ID management in the enterprise ID management space!