Thursday, January 18, 2007

Identity Management and CardSpace

Identity Management is not one of my priorities, but it's a subject I've been interested in for some time, and one that is closely related to the work I am doing at the moment. It all started with Kim Cameron's Identity Blog and his Laws of Identity.

The most visible face of this whole Identity Management issue is the multiple logins people have to make while browsing the internet, creating accounts at several sites to access their services or contents. I've had to resort to password-management software, but the problem is deeper than memorizing your multiple logins and passwords, especially when financial transactions are involved.

Probably the best description of the problem, or at least an introduction to it (and also a demonstration of what great presentation skills look like), is Dick Hardt's 2005 Identity 2.0 introduction to the concept of Digital Identity.

Yesterday I listened to Hanselman's Identity podcast, and came home to read more and try Windows CardSpace (.Net's 4th pillar). CardSpace is included in .Net 3.0, but if you are using Windows Vista, it's built in (just type "card" on the start menu and "Windows CardSpace" shows up :-)). I started it and created a simple card with some of my information, and went looking for a place to use it. I found one at .Net 3.0's site, the SandBox. The SandBox is a Community Server installation with CardSpace support for user registration and login. When I registered, I got into Vista's Secure Desktop mode, with CardSpace open, selected the card I wanted to present to the SandBox (I was shown which fields the SandBox would get from the card), and BAM, I was registered and logged in. All I had to do was pick a nickname. Later I got an email with a username and password, just in case I want to log in using "traditional" methods.

CardSpace is based on some of the WS-* standards, such as WS-Security and WS-Trust, which supposedly make it both "safe and standard", but what I like the most is really the end user experience. For me, the idea of no longer having to create logins everywhere, and being able to select the specific pieces of information I want to share with each site I visit, is a very interesting prospect. The question is, obviously, whether this will be accepted outside Microsoft, or whether this will be another Passport/Hailstorm situation. A major difference, the way I see it, is that the information is stored on your computer, not at Microsoft somewhere, so the trust obstacles are alleviated.
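To make the "share only the fields the site asked for" idea concrete, here is an added example that is not from the original post and not CardSpace's or Community Server's own code. It models the three steps the post describes: the relying party publishes a policy naming the claims it requires, the identity selector releases only those claims from the card, and the relying party checks the returned token before trusting it. The card contents, the policy and the key are constructed for the demo, and an HMAC stands in for the token signature that a real card would produce with its own key pair; the audience field shows why a token issued for one site is useless at another.

```python
import hashlib
import hmac
import json
import secrets

# Constructed card: the user's self-issued card holding several claims.
CARD_CLAIMS = {
    "givenname": "Alice",
    "surname": "Example",
    "emailaddress": "alice@example.invalid",
    "dateofbirth": "1980-01-01",
}

# Constructed key standing in for the card's signing key (hypothetical).
CARD_KEY = b"constructed-demo-key"

# Constructed relying-party policy: which claims the site requires and accepts.
RP_POLICY = {"required": ["emailaddress"], "optional": ["givenname"]}


def select_claims(card, policy):
    """Identity-selector step: release only the claims the policy names.

    Claims the site never asked for (surname, dateofbirth here) stay on the
    card. A card that cannot satisfy a required claim is rejected up front.
    """
    missing = [c for c in policy["required"] if c not in card]
    if missing:
        raise ValueError(f"card lacks required claims: {missing}")
    wanted = set(policy["required"]) | set(policy["optional"])
    return {name: value for name, value in card.items() if name in wanted}


def issue_token(claims, audience, key):
    """Build an integrity-protected token bound to one relying party."""
    body = {"claims": claims, "aud": audience, "nonce": secrets.token_hex(8)}
    payload = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_token(token, expected_audience, policy, key):
    """Relying-party step: check integrity, audience and required claims.

    Returns the claims on success, or None if any check fails.
    """
    mac = hmac.new(key, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, token["mac"]):
        return None  # token was altered in transit
    body = json.loads(token["payload"])
    if body["aud"] != expected_audience:
        return None  # token was issued for a different site
    claims = body["claims"]
    if any(c not in claims for c in policy["required"]):
        return None  # selector released too little
    return claims


def registration_flow(card, policy, audience, key):
    """Run the whole exchange once and return what the site ends up with."""
    released = select_claims(card, policy)
    token = issue_token(released, audience, key)
    return verify_token(token, audience, policy, key)


if __name__ == "__main__":
    print(registration_flow(CARD_CLAIMS, RP_POLICY, "sandbox.example", CARD_KEY))
```

The selector never hands over `surname` or `dateofbirth`, and a token captured from the `sandbox.example` exchange fails the audience check anywhere else, which is the property that makes reusing one card across many sites tolerable.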

As for availability on public sites, I have no idea. I found a comment on a blog saying that Community Server 2.1 should include full CardSpace support soon, for all users to install, but found no details on this having happened yet, and found no major implementation of it yet (time to throw out Passport).

One final note, out of curiosity: when the screen greys out in Vista, you are in what MS calls "Secure Desktop" mode. This is the Windows mode that is used, for example, when you log into your Windows computer (running XP, Vista, 2003, ...). This mode is designed to block other processes from executing, to make sure you are entering your password in a secure environment where no keyloggers or the like can work. In Vista, you get a greyed out/transparent background when you are in this mode (which is just a UI thing, the grey is really a screenshot with transparency :-) Human Factors stuff). More information about this here and here.

Just before I go: there's already Firefox support for CardSpace, and Kim Cameron has an implementation of the identity system in PHP. Also note that CardSpace can be used for much more than simple site login; I just wanted to blog about it because the first impression it left was really positive.
