
Semantic issues with Infocard

24 April 2006

I’ve had the pleasure of meeting Kim Cameron from Microsoft. He’s the champion of Microsoft’s new paradigm for identity management, namely “Infocard”.

For those unfamiliar with Infocard, here’s the 50,000-foot description. It’s a way to prove various facts (claims) to a third party (the relying party). In today’s world you log in to sites with a username and password. In tomorrow’s world you’ll present a secure token using the Infocard UI and the Identity Metasystem (WS-*).

Here’s how it might work:
A user running WinXP, Win2003 or Vista visits a site (the Relying Party). The site tells the user the claims it needs (think username/password in today’s world). It might say “you can only log in if you’re 21 or older”. The user’s PC launches the “Infocard” experience, presenting “cards” to the user. Each card contains metadata pertaining to various claims (e.g. “I’m a card from Verisign and I know how to prove your age”). The user chooses a card, and in a secure manner the card goes out to Verisign (the Identity Provider in this case) and gets a token proving the claims in the card. The user gets a chance to review the card before sending it on to the relying party. The relying party takes the token, extracts the claim information and either grants or denies access to various content.

The problem: Perhaps I’m missing something, but this makes no provision for the notion of semantics as it pertains to claims. To give an example: imagine a relying party requires the claims “firstname” and “lastname” and has these defined in its policy. The user has an Infocard whose metadata says it can provide “fullname” from an IP. In this case the user would never gain access to the site, since the claim names don’t match despite the obvious semantic match. The Infocard UI would never know you have a card that can be used.

So I raise two questions:
a) Is there a mechanism or provision to define the semantics of claims?
b) Is there any provision to allow the COMBINATION of claims (e.g. firstname + lastname = fullname) to form new claims?
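To make the mismatch concrete, here is an added example (my own code, not anything from the post or from the Infocard/WS-* specifications) that models the card-selection step described above. The claim names, card issuers and the derivation rules are constructed for illustration and are not the real claim URIs or schema. It shows that literal name matching rejects the “fullname” card, and that a declared rule set (firstname + lastname = fullname, and the reverse decomposition) lets a selector discover the card and lets a relying party satisfy its policy from the claims it actually receives.

```python
"""Toy model of Infocard claim matching (added example, not the post's code).

Claim types, issuers and rules below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    issuer: str            # hypothetical identity provider name
    offered_claims: frozenset  # claim types the IP can put in a token


# Relying party policy (constructed): it requires these claim types by name.
REQUIRED = frozenset({"firstname", "lastname"})

# Constructed cards: one matches the policy literally, one only offers "fullname".
CARDS = [
    Card("ip-a.example", frozenset({"firstname", "lastname", "email"})),
    Card("ip-b.example", frozenset({"fullname"})),
]

# Derivation rules (assumed, hypothetical): (target claim, source claims, function).
# The decomposition of "fullname" is a lossy heuristic and is only illustrative.
RULES = [
    ("fullname", ("firstname", "lastname"),
     lambda v: f"{v['firstname']} {v['lastname']}"),
    ("firstname", ("fullname",),
     lambda v: v["fullname"].split(" ", 1)[0]),
    ("lastname", ("fullname",),
     lambda v: v["fullname"].split(" ", 1)[1] if " " in v["fullname"] else ""),
]


def usable_cards_exact(cards, required):
    """Literal matching: a card is usable only if it names every required claim."""
    return [c for c in cards if required <= c.offered_claims]


def derivable_claims(offered, rules):
    """Close the offered claim types under the rules (fixpoint over rule targets)."""
    known = set(offered)
    changed = True
    while changed:
        changed = False
        for target, sources, _ in rules:
            if target not in known and all(s in known for s in sources):
                known.add(target)
                changed = True
    return frozenset(known)


def usable_cards_semantic(cards, required, rules):
    """Semantic matching: a card is usable if the required claims are derivable."""
    return [c for c in cards if required <= derivable_claims(c.offered_claims, rules)]


def derive_token_claims(issued, required, rules):
    """Relying-party side: given claim values taken from an already-verified token,
    apply the rules it accepts and return the required claims, or raise KeyError."""
    values = dict(issued)
    changed = True
    while changed:
        changed = False
        for target, sources, fn in rules:
            if target not in values and all(s in values for s in sources):
                values[target] = fn(values)
                changed = True
    missing = required - set(values)
    if missing:
        raise KeyError(f"cannot satisfy claims: {sorted(missing)}")
    return {k: values[k] for k in required}


if __name__ == "__main__":
    print("exact   :", [c.issuer for c in usable_cards_exact(CARDS, REQUIRED)])
    print("semantic:", [c.issuer for c in usable_cards_semantic(CARDS, REQUIRED, RULES)])
    print(derive_token_claims({"fullname": "Ada Lovelace"}, REQUIRED, RULES))
```

One design point matters for trust: the derivation in `derive_token_claims` is applied by the relying party to claims it has already verified came from the identity provider’s signed token. If the selector on the user’s PC derived “firstname” and “lastname” itself and inserted them, the relying party would be accepting claims no provider attested to, so either the provider must issue the combined claim or the relying party must publish which derivations it is willing to perform on attested source claims.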

Not sure if this is more of an Infocard problem than an Identity Metasystem problem. It might be solved in any number of ways, but I wonder if anyone has already considered this?
