The other night, I logged into the Azure services portal to add a certificate to my solution, so that I could run one of the labs that used that credential type to authenticate to the Access Control Service. As you can see from the screenshot below, a Verification Code was needed to upload the certificate.
To create this, the lab manual instructed me to export the private portion of the certificate that I intended to use. After doing so, I was further instructed to input this private key portion of the certificate into a tool called RegCert.exe. The output of this was the necessary verification code.
The fact that I had to perform this task using the private portion of the cert really troubled me. The next day, I talked to Justin Smith of Microsoft about what the code was, the tool, and the process overall. He explained to me that the code was needed because of an underlying premise that guided the design of the Access Control Service. In it, an identifier representing a user (e.g., a Hotmail email address) is separate from the credential used to authenticate them (e.g., a cert). Because of this, there needs to be some way to marry the credential with the identifier. In the case of the certificate, this is done by hashing the private key, uploading the cert, and providing the hash.
I don't understand how this digest of the private half of the cert allows Microsoft to tie the public half to my Live ID, though. However, these different aspects of a digital identity were clarified for me after reading Fernando Gebara Filho's recent article, The Evolving Role of the Identity, which was recently published in the Architect Journal. In it, he explains that a digital identity has four layers:
- Main profile, and
- Context-based profile
I can't say I fully understand the second and third, but examples of the first and second would be my Hotmail email address and the certificate that I was trying to upload, respectively. He illustrated these different aspects of a digital identity with the following figure:
After playing around with the portal and labs a bit, reading this article, and talking with Justin Smith, I understand the Access Control Service enough to use it for toy applications, but not enough to launch a mission-critical application. I feel very uncomfortable having to upload anything to Microsoft that is the product of a private key. I'm sure I'm not the only one who feels this way, and I wouldn't be surprised if a credential is tied to an identifier in a way that does not require the byproduct of private information by the time the Access Control Service RTMs.