Microsoft Visual Studio
 Denver Visual Studio User Group
"mobile first, cloud first" - "any developer, any app, any platform"


 Review Details

Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities (Addison-Wesley, Pearson Education)
Author(s):  Vittorio Bertocci, Garrett Serack, Caleb Baker
Published: December, 2007, Copyright 2008
ISBN-13: 978-0-321-49684-3, ISBN-10: 0-321-49684-1, 356 pages
Publisher: Addison Wesley Professional, Informit
Part of the Independent Technology Guides series.

 Four out of Five Stars
  Reviewed: April, 2008
  Reviewer: Howard J. Cohen
       Not a “how to” book ….

     This book does an excellent job of discussing the problem of Identity Security and the use of Digital Securities. We all know that one of the biggest problems of the Web is security. Every day there is another warning of a virus, denial of service attack, phishing, etc. Although the title of the book is Understanding Windows CardSpace, the authors do not limit themselves to this Microsoft technology. In fact, the subtitle of the book (An Introduction to the Concepts and Challenges of Digital Identities) would probably be a better title for this book. The authors take a good deal of time to discuss what the problem is, various previous attempts to solve it, the problems with the present solutions, and what the future may bring in the way of a solution to this problem. In fact, the book is 342 pages long, and the first 169 pages are used to present exactly what the problem is and what steps have been taken to solve it.

     The authors take extensive time to define and explain the various terms they will use, such as “IP” for Identity Provider, “RP” for Relying Party, etc. They discuss various protocols such as SOAP, SSL, HTTPS, etc. that are presently being used and newer protocols/standards for token keys such as SAML, Kerberos, WS-* that are just coming into use. Solutions are presented for both websites and in-house network applications. The solutions do not exclusively use CardSpace but do promote the use of Identity Cards for digital identity. On the negative side, none of the solutions were presented in depth. This is not a “how to” with examples that you can easily use.

     User Identity today is primarily handled through a User ID and Password. The authors discuss why this is no longer the safe and secure method it started out as. They present the problem from both sides: the user’s desire to be sure he is looking at the “real” website when he provides information, and the website’s need to know that the user is really who he/she says they are. They discuss the necessity for encryption to safeguard any and all information transmitted. They make a good case for using the “Card” solution. My own experience in the real world is that no one, including Microsoft, is actively adopting this solution. In fact, what I have encountered is a second layer of verification. This has included a security question and/or “personalized picture”. The first is for the website to know the user is really who they are and didn’t just obtain the username/password, and the second is so the user can recognize that the site they have reached is really the website they expected and not a spoofed site. The authors do address why this may not be the best solution in the third section of the book.

     One of the best items the authors present is the “Seven Laws of Identity”. The very first law is “User Control and Consent.” This is explained and referred to in later chapters as the very important necessity to include the User in considering how information is sent to the RP by an IP and exactly what is being sent. In fact, the Third Section of the book covers in detail Practical Considerations of Digital Identity, and what the responsibilities of each party are, in a thorough and concise way. It lays out what we as users may expect if a transition to Card Identities eventually takes place.

     This book is not the ultimate answer to the Digital Identity Problem, but it is an excellent introduction for anyone who may be interested in getting educated on this problem and what may possibly be done about it.
Copyright © 2000 - 2018 Denver Visual Studio User Group.
All Rights Reserved. Please see Notice