Simon Bisson & Mary Branscombe's Blog

When will Windows Live stop treating CardSpace as the unwanted stepchild?

By Simon Bisson & Mary Branscombe in Editorial

Posted in Privacy, Identity, Networking, Server, Microsoft on October 29, 2008 at 2:50 am


The cloud demands identity. Microsoft has a strong, secure, privacy-friendly identity technology that’s open, easy to federate and will transform the Web and the cloud. So why is Windows Live ignoring CardSpace?

OpenID is a great tool for logging in to a Web site that you want to use but don’t need to trust. You wouldn’t want to use OpenID to get into your banking site because it’s just not secure enough, but it’s great for not having to remember passwords for LiveJournal, Dopplr, Plaxo and the like. You log into one site and tell the others to ask that site who you are. OpenID is getting less vulnerable, but it’s simply not intended to protect really important information.

The information card system is secure: it’s protected by cryptographic keys, it has a user interface that makes it very clear when you’re being asked to log in to a site and what the site wants to know about you, and it lets you choose from a ‘wallet’ of cards to prove your identity. That gives you security, privacy and ease of use together (which improves security by stopping people using the same password everywhere). Microsoft put it into Vista and Internet Explorer 7 as CardSpace. Information cards are the generic system, and there are implementations that you can use in Firefox and Safari, on Macs and Linux machines; CardSpace is just the Microsoft implementation.

And since then, I’ve been waiting for Microsoft to deliver the next pieces. A token server that a business can use to issue its own information cards, and to validate them so you can use them for access to internal apps, preferably federated so you can also validate partners. And a public service that issues not just the self-certified cards that anyone can create with their public details but managed cards that carry useful information that you want to protect. When you wave your passport or driving licence in an American bar, the bar doesn’t, or shouldn’t, take a copy of it; they just need to know you’re old enough to have one. Put your birthday into a managed card and you can prove that you’re over 16 for a shopping site without handing over details that could help someone hack your bank account if the site loses its customer details on a USB stick, because the site only gets the assertion that you’re old enough, not the actual day, month and year.
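As an added illustration of the minimal-disclosure point above (not code from the original post or from Microsoft): the identity provider keeps the birthdate and releases only a signed over-16 assertion, and the relying party verifies the signature before trusting it. The HMAC shared key is a stand-in for the X.509/SAML signing a real managed-card provider would use, and every name, date and key here is constructed.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key: stands in for the provider's X.509 signing key. In a real
# deployment the relying party would verify with the provider's public key instead.
IDP_SECRET = b"constructed-demo-signing-key"

# Constructed user record held by the identity provider; it is never sent to the site.
USER_RECORD = {
    "name": "Alice Example",
    "birthdate": date(1990, 5, 17),
    "email": "alice@example.invalid",
}


def age_on(birthdate, on):
    """Whole years completed on date `on` (birthday not yet reached this year => one less)."""
    years = on.year - birthdate.year
    if (on.month, on.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def issue_token(record, requested_claims, on, min_age=16):
    """Identity provider: build a signed token carrying only the claims the site asked for.
    A request for the raw birthdate is refused; only the derived assertion is released."""
    claims = {}
    for claim in requested_claims:
        if claim == "over_min_age":
            claims["over_min_age"] = age_on(record["birthdate"], on) >= min_age
            claims["min_age"] = min_age
        elif claim == "birthdate":
            raise ValueError("identity provider does not release the raw birthdate")
        else:
            raise ValueError(f"unknown claim {claim!r}")
    payload = json.dumps({"claims": claims, "issued": on.isoformat()}, sort_keys=True).encode()
    signature = hmac.new(IDP_SECRET, payload, hashlib.sha256).hexdigest()
    return payload, signature


def verify_token(payload, signature, key=IDP_SECRET):
    """Relying party: reject any tampered token, then read the assertion it carries."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(payload)["claims"]
```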

Issuing cards was going to be a function of ADFS at one point, because it fits with where enterprises store identity information; for development and resource reasons it went on and off the feature list and now it’s going to be a free component in Windows Server 2008 (and maybe other versions), code-named Project Geneva. Currently in beta at www.microsoft.com/geneva, there will be a feature-complete beta in the first half of 2009 and a final version in the second half. It leverages AD, SAML and X.509, it interoperates with a wide range of line-of-business applications and it makes using secure identities easy in a business.

That just leaves a managed card service for those of us who aren’t in a big business and I’m still waiting. And in the PDC keynote today, Microsoft announced that Windows Live ID would be issuing a new kind of identity - but it’s not information cards.

So why is Windows Live ID proudly announcing that it’s issuing OpenIDs but not CardSpace IDs? Is it because OpenID is accepted by a lot of sites? So are information cards, and if you could get an identity you could trust from Windows Live other sites would be more likely to adopt them - because it’s easy to use Windows Live ID instead of running your own username and password system.

Is it because OpenID is, well, open?
CardSpace is the most open project Microsoft has ever done. The architect, Kim Cameron, has almost single-handedly changed the perception of Microsoft in the identity community, which isn’t bad for a company that was so roundly derided for Passport. The open nature of information cards “just isn’t up for discussion”, Cameron said to me (before plunging into a discussion with senior VP Bob Muglia about why you can’t constrain the scope of identity to just in the cloud or just on the server or just on the Web or just on the desktop).

Is it because CardSpace 2 is going to be better than CardSpace 1? It will let you transfer information cards from one PC to another, and when you go back to a site you’ve used an information card with before, CardSpace 2 will show you the card you used last - which means that even if a phishing site accepts information cards to try to fool you, you’ll be able to tell (and the phishing site isn’t going to get the details out of your card, so scammers can’t steal it). But Microsoft has adopted the first version of plenty of its own technologies even when there has been something new and better just around the corner. And issuing managed cards today, cards that have been verified and are backed by an identity provider, would be a huge step forward.

If it’s because Microsoft wants somebody else to issue managed cards because a supermarket or a post office or a government already has relationships with people and systems for handling information - or because they look like a more natural place to prove your identity because they can prove that you have a loyalty card or a post office box or a passport - then I’d say yes, but you can’t wait for that to happen. Once the first managed identity provider proves its value then banks and services that sell you certificates will join in, but you can’t keep on waiting for them to go first.

I wonder if it’s the legacy of Passport. Maybe the Live team wants to be extra sure they don’t rush out with an implementation that could have problems and create another Passport backlash. Or maybe they aren’t comfortable with the way that CardSpace takes the power of identity away from the provider and gives it back to the user; issuing managed information cards would be admitting once and for all that Microsoft is never going to own user identities in the way that Passport envisaged. Everyone I’ve met from the Windows Live team so far is smarter than that, which leaves me confused. Because it’s ludicrous that Microsoft has a far superior identity technology to OpenID that it’s getting ready to offer to businesses and it hasn’t even talked about how to bring it to everyday Web users who need it just as much.
-Mary

Comments

Comment by Tom - October 29, 2008 on 10:36 am

You say, “That just leaves a managed card service for those of us who aren

Comment by Simon Bisson & Mary Branscombe - October 30, 2008 on 2:37 am

Thanks for the link Tom, that’s definitely useful. But it also begs the question even further of why MS isn’t doing that itself as well.

Pingback by In Context » CardSpace is not Information Card - November 5, 2008 on 5:03 pm

[…] an otherwise excellent article entitled When will Windows Live stop treating CardSpace as the unwanted stepchild? Simon Bisson and Mary Branscombe confuse a technology with an implementation. They refer to […]

Pingback by IT PRO: Blogs: Simon Bisson & Mary Branscombe: Things Windows Live gets wrong - February 13, 2009 on 1:35 pm

[…] Messenger client and some of the other Live apps, especially Windows Live Photo Gallery. I do keep nagging the Live team to add information card support to Live ID - I actually pursued GM Brian Hall down a corridor at CES to say it again - but now I have a new set […]
