

Review
Reviewed: April 2008
Reviewer: Howard J. Cohen
Not a “how to” book …

This book does an excellent job of discussing the problem of identity security and the use of digital securities. We all know that one of the biggest problems of the Web is security. Every day there is another warning of a virus, denial of service attack, phishing, etc. Although the title of the book is Understanding Windows CardSpace, the authors do not limit themselves to this Microsoft technology. In fact, the subtitle of the book (An Introduction to the Concepts and Challenges of Digital Identities) would probably be a better title. The authors take a good deal of time to discuss what the problem is, various previous attempts to solve it, the problems with the present solutions, and what the future may bring in the way of a solution. In fact, the book is 342 pages long, and the first 169 pages are used to present exactly what the problem is and what steps have been taken to solve it.

The authors take extensive time to define and explain the various terms they will use, such as “IP” for Identity Provider, “RP” for Relying Party, etc. They discuss various protocols such as SOAP, SSL, HTTPS, etc. that are presently being used, and newer protocols/standards for token keys such as SAML, Kerberos and WS-* that are just coming into use. Solutions are presented for both websites and in-house network applications. The solutions do not exclusively use CardSpace but do promote the use of identity cards for digital identity. On the negative side, none of the solutions is presented in depth. This is not a “how to” with examples that you can easily use.

User identity today is primarily handled through a user ID and password. The authors discuss why this is no longer the safe and secure method it started out as. They present the problem from both sides: the user’s desire to be sure he is looking at the “real” website when he provides information, and the website’s need to know that the user is really who he/she says they are. They discuss the necessity for encryption to safeguard any and all information transmitted. They make a good case for using the “Card” solution. My own experience in the real world is that no one, including Microsoft, is actively adopting this solution. In fact, what I have encountered is a second layer of verification. This has included a security question and/or a “personalized picture”. The first is for the website to know the user is really who they claim to be and didn’t just obtain the username/password, and the second is so the user can recognize that the site they have reached is really the website they expected and not a spoofed site. The authors do address why this may not be the best solution in the third section of the book.

One of the best items the authors present is the “Seven Laws of Identity”. The very first law is “User Control and Consent.” This is explained and referred to in later chapters as the very important necessity to include the user in considering how information is sent to the RP by an IP and exactly what is being sent. In fact, the third section of the book covers in detail the practical considerations of digital identity and what the responsibilities of each party are, in a thorough and concise way. It lays out what we as users may expect if a transition to card identities eventually takes place.

This book is not the ultimate answer to the digital identity problem, but it is an excellent introduction for anyone who may be interested in getting educated on this problem and what may possibly be done about it.
Copyright © 2000 - 2013 Denver Visual Studio User Group™. All Rights Reserved.