Technical FAQ

Note: For user-related questions, please see our user FAQ. For business questions, please see our business FAQ.

Q: Are all the technical standards for Information Cards set at OASIS?
A: Currently, yes. The Identity Metasystem Interoperability (IMI) Technical Committee at OASIS is the home of the standards for Information Cards. The Information Card Foundation and its Working Groups also help create additional interoperability specifications (such as the ICF Claims Catalog), best practices and documentation. In addition the ICF and its members participate in regular public interoperability events.

Q: Are the IMI specifications an OASIS Standard?
A: Not quite, but this is expected shortly. The IMI 1.0 specification is a OASIS Committee Draft that completed its required 60-day public review in April 2009. It is expected to become a Committee Specification in May 2009 and be submitted for an OASIS Standard vote during the calendar month of June 2009.

Q: How precisely do Information Cards protect users from phishing?
A: First, a selector automatically checks the URL (and if applicable the SSL certificate) of any website that asks you for an Information Card. It also explicitly warns the user the first time the user submits an Information Card to a site the user has never submitted a card to before. So it is hard to fool a user into giving an Information Card to a phishing site. Even if a phishing site is successful in obtaining an Information Card submission, the resulting security token is only useable at that specific receiving site. So the phished card does not give the attacker anything they can use to impersonate the user at a legitimate site.

Additional content for this technical FAQ is under preparation by ICF Working Groups and will be added as soon as it is ready.