Kim writes about the recent Beta announcement[1] at Windows Live! about them accepting Windows CardSpace InfoCards for authentication. Having gone through rolling out an extensive public new and experimental Identity System deployment myself (Lauren is currently writing about that), I can appreciate the work that Kim and his colleagues are putting in.
In the interest of distilling use cases for Project Concordia and other venues it seems worth pointing out that – in this deployment – Windows CardSpace is being used solely as an authentication system: You can associate any Windows CardSpace card (only PPID is required) with your account – all other attributes are still being handled by the backend systems of Windows Live!. Any additional attributes that your Windows CardSpace card can provide will not be used for authentication or authorization.
This is very much in line with my description of the “glorified HTTP Redirect” use case of Windows CardSpace: here the secure UI on the client can actually help in preventing phishing attacks. The biggest competitor for this use case is OpenID which offers (roughly) the same features, but employs a radically different approach at solving the authentication problem. With PAPE it is somewhat more phishing resistant, but at this point, the CardSpace-based identity systems have – from my perspective – a clear lead in this area over OpenID.
Both authentication technologies face however that same issues: they allow delegation of responsibility for authentication and a rudimentary attribute exchange mechanism. But they do not address the need of service providers to maintain ownership of attributes about their users, except in trivial cases. For these – business driven – issues you need a framework that allows advanced models of federation and account linking and – most importantly – goes beyond protocols and addresses the non-technical aspects of identity management as well.
I think it will be quite interesting which authentication technology (OpenID and Windows CardSpace) will get how much market space. OpenID has a head start as far as IdPs and community acceptance goes, but Windows CardSpace has the backing of Microsoft and – starting with Windows Server 2008 – a REALLY large number of relying parties.
tag: identity, OpenID, WCS, interoperability
[1] The service has been available for some time now.