Information Cards: The reports of their death are greatly exaggerated

In a previous blog post I pointed out that Information Cards, and especially Microsoft’s CardSpace implementation of the card idea, were having a bit of a tough time. Now people like Dave Kearns have gone a bit further and have shared with the wider web world what insiders already knew or suspected: that Microsoft was about to drop the CardSpace system and throw its lot in with the OpenID Foundation. Dave interviewed two key people and I don’t disagree with his and their analysis of some of the reasons behind CardSpace’s demise. It looks like the Information Card Foundation will throw in its lot with Identity Commons and continue some of the excellent work around ‘claims based’ access control, specifically in a new working group (Claims Agent) to be created at IC for that purpose.

What most analysts seem to agree on is that, just like with PKI, the ‘user experience’ proved to be CardSpace’s Achilles heel. “You just can’t change the user,” said one commentator. Users want that ‘one click’ experience. In fact you could state that users needn’t be constantly reminded they are using a trusted piece of middleware. We can educate the user, for instance by providing explanatory pop-ups on first use, but equally we must provide a tick box to opt out of being reminded every time we use a trusted Identity Provider.

From the Relying Party end, if we look for instance to Government as an organisation that should be queuing up for this stuff, they never were all that enamoured of having sensitive credentials stored on unsecured desktops like Personal Computers or smart phones. It was not for nothing that the UK’s Technology Strategy Board published a competition for R&D funds called ‘Trusted Services’.

So where do we go from here? Microsoft has proven twice they cannot provide a lead here. Dave Kearns also said: “We’ll be watching to see if anyone picks up the torch”. Surely the torch must point to the Middleware battleground, where a few Identity Providers with a trusted public profile must come up with really innovative solutions to give the users that ‘one click solution’ that will take away their security headaches and identity theft worries.

Is it possible that here in Europe our users may accept and go for that one extra click, and for that bit of extra peace of mind involved in first opening a trusted cloud wallet before asserting our Identity? After all, we are already used to it when it comes to safe Internet Banking.

About lasancmt

Passionate about Identity Management Disgusted at #ukip and #brexit

4 Responses to Information Cards: The reports of their death are greatly exaggerated

  1. The comparison of Cardspace with PKI is very very apt, and more fitting than most analysts even realise, because Cardspace and PKI both struggled for the same reasons but those reasons still aren’t properly understood. I agree that usability was problematic in both instances but I argue that there are even deeper problems that doom them because they seek to re-jig how trust is carried.

    I respectfully submit that original Big PKI and Cardspace (or more correctly, the Identity Metasystem) both tried in vain to support stranger-to-stranger transactions, mediated via third parties. In both cases, the “contractual privity” problem — where the RP has no contract with IdP — is near fatal (it’s funny that the term “privity” doesn’t get much airtime nowadays whereas it was very topical 15 years ago). The Identity Metasystem seeks to change the simple and well established closed bilateral arrangements and risk liabilities between Relying Party and Customer into complex and entirely novel multilateral arrangements between RP, Customer and IdP. Sorting out the legal problems is what really killed Big PKI, and it’s happening all over again in federated identity projects worldwide. They create intractable liability problems, and so much fine print that the identity assertions become worthless.

    Today PKI thrives in closed communities, where keys & certificates are embedded into easy-to-use devices, like EMV smartcards, student smartcards, TV set-top boxes, health cards, smartphones and GSM SIMs. In these closed systems, no technologist is seeking to change the fundamentals of how parties know one another and manage their identification risks. As soon as you impose new third party attestation — whether it be by Big CAs or IdPs in newspeak — you create complexities that far outweigh the marginal benefits of user convenience.

    Cardspace is a fantastic GUI. It would do really well if detangled from the utopian complexities of the Identity Metasystem, so it just represented in digital form all the perfectly good real world IDs and relationships we already have.

  2. lasancmt says:

    I am not so sure liability is the killer issue it’s made out to be here. A new breed of Identity Service Providers (IdP) will emerge who will not accept liability, but nevertheless will agree Service Level Agreements (SLA) with Relying Parties (RP). The idea is that the cloud IdP service offering nevertheless will be taken up, because the IdP can provide the service better, with higher service levels and higher assurance levels and at the same time cheaper than it is possible for the RP to maintain and protect these Identity silos for themselves.

    Cardspace may be dead in the water, but cloud selectors and similar identity wallets on smart phones may very well carry forward the basic idea that it pays to ‘thingify’ digital identities with a card metaphor as illustrated in a previous post.

  3. Pingback: Aftershocks of an untimely death announcement | IdentitySpace

  4. Sandy Porter says:

    Not surprised CardSpace died and it needed to happen. It was good to have Microsoft pushing ICards but CardSpace/desktop selectors were a hurdle in moving forward. Geneva is domain specific, the limitations of a desktop selector on one platform which could not be custom configured, lack of support for realtime claims, no cross mobile device platform support and the desktop selector user experience being too similar to PKI. It was time to rip up the script and start writing the new one.

    The world is now about accessing Cloud/Web services from any device with a browser, which is very different from the day CardSpace was conceived. The market will principally be about easy authentication to a cloud service using Facebook Connect, Google etc. (even possibly an eID cert), then information cards (or other verified claims agents) which will deliver higher authentication levels (via SMS, biometric etc.) and attributes/claims in real time to these online services. Zero desktop install is essential for both support in the millions of users and impact on the users. Mobile device support and user experience are key.

    The concept of ICards etc. that Kim Cameron came up with is brilliant and by far the best way to deliver mass market, online citizen identity. It was the implementation that sucked so they dumped it. In the future MS will return to the citizen identity play with user centric identity and claims in a cloud wallet. It is too big an opportunity for them to stay away from.
