In a previous blog post I pointed out that Information Cards, and especially Microsoft’s CardSpace implementation of the card idea, were having a bit of a tough time. Now people like Dave Kearns have gone a bit further and have shared with the wider web world what insiders already knew or suspected: that Microsoft was about to drop the CardSpace system and throw its lot in with the OpenID foundation. Dave interviewed two key people and I don’t disagree with his and their analysis of some of the reasons behind CardSpace’s demise. It looks like the Information Card Foundation will throw in its lot with Identity Commons and continue some of the excellent work around ‘claims based’ access control, specifically in a new working group (Claims Agent) to be created at IC for that purpose.
What most analysts seem to agree on is that, just like with PKI, the ‘user experience’ proved to be CardSpace’s Achilles heel. “You just can’t change the user,” said one commentator. Users want that ‘one click’ experience. In fact you could state that users needn’t be constantly reminded they are using a trusted piece of middleware. We can educate the user, for instance by providing explanatory pop-ups on first use, but equally we must provide a tick box so that the user is not reminded every time we use a trusted Identity Provider.
From the Relying Party end, if we look, for instance, to Government as an organisation that should be queuing up for this stuff, they never were all that enamoured of having sensitive credentials stored on unsecured devices like Personal Computers or smart phones. It was not for nothing that the UK’s Technology Strategy Board published a competition for R&D funds called ‘Trusted Services’.
So where do we go from here? Microsoft has proven twice they cannot provide a lead here. Dave Kearns also said: “We’ll be watching to see if anyone picks up the torch”. Surely the torch must point to the Middleware battleground, where a few Identity Providers with a trusted public profile must come up with really innovative solutions to give the users that ‘one click solution’ that will take away their security headaches and identity theft worries.
Is it possible that here in Europe our users may accept and go for that one extra click, and for that bit of extra peace of mind, involved in first opening a trusted cloud wallet before asserting our Identity? After all, we are already used to it when it comes to safe Internet Banking.