August 26, 2009 12:00 AM

Introducing Windows CardSpace

Establishing order in the identity jungle
Windows IT Pro
InstantDoc ID #102400

Executive Summary:

Windows CardSpace, part of Microsoft’s Identity Metasystem, offers a valuable alternative to the classic username/password scheme and puts users back in control of their identity interactions on the Internet. The widespread adoption and success of CardSpace will largely depend on the number of websites and applications that support it.


While using Windows Vista, you might have noticed a new Control Panel applet called Windows CardSpace and wondered what it's for. Windows CardSpace is a brand-new client-side identity-management tool that lets you create and manage personal information cards, or InfoCards. These InfoCards are digitally signed XML constructs that you can use to identify yourself to CardSpace-enabled websites.

CardSpace is part of Microsoft’s Identity Metasystem, the company's Internet-centric vision for identity management. With the Identity Metasystem, Microsoft abandons the notion of a single, universal user identity for the Internet. Remember the early days of Microsoft Passport? Instead, Microsoft now focuses on creating a universal framework that can connect existing and future identity-management systems and provide interoperability between these disparate systems. For a broader introduction to the Identity Metasystem, see the Microsoft article "Microsoft's Vision for an Identity Metasystem".

Let's take a look at CardSpace and its interface and begin to understand the value of what CardSpace can provide the average Windows user. Let's also see what happens behind the CardSpace scenes.

What CardSpace Can Do
CardSpace offers a user-friendly and secure alternative to using simple usernames and passwords for identification and authentication on the Internet. Even though usernames/passwords are still the prevailing identification and authentication paradigm on the Internet, they have many weaknesses. Many users wrestle with password fatigue. They have to deal with too many passwords—a situation that results in password reuse, insecure passwords, and forgotten passwords. Bad password-management practices also create more opportunities for malicious users. Add to that the increasing number of password thefts through counterfeit websites and man-in-the-middle attacks, and you understand why usernames/passwords are far from an ideal solution.

CardSpace can resolve those problems. Users with InfoCards no longer need to remember various username/password combinations; they can simply select an InfoCard from the CardSpace interface to identify themselves to CardSpace-enabled websites. InfoCards are also more secure than passwords because they're stored in encrypted form and sent across the network using strong Advanced Encryption Standard (AES) cryptography.

There are always three participants in a CardSpace interaction: the user, an identity provider, and a relying party. The user controls all interactions that involve his or her InfoCards. He or she chooses which InfoCards to create and which to use for identifying himself or herself to a given website.

Identity providers issue InfoCards to users. For example, businesses can issue identities to their customers, and organizations can vouch for the identities of their employees. InfoCards that businesses, online services, organizations, or governments issue are called “managed” InfoCards. Managed InfoCards are site-, organization-, or business-specific. They're issued by third-party identity providers that might—depending on usage—charge the user for issuing the InfoCard. An InfoCard provides claims about a person on the person's behalf. A claim is the Identity Metasystem term for a fact or statement about a user. The name and gender of a user, or proof that a user’s identity has been verified by a certain authentication authority, are examples of claims that can be stored in a managed InfoCard. In terms of vouching for a user’s identity, InfoCards are comparable to the SSL certificates we use today for identifying ourselves to websites.

But individuals can also act as their own identity provider and issue their own InfoCards, which are called self-issued InfoCards. As opposed to managed InfoCards, self-issued InfoCards are general-purpose and can be used with various applications and/or websites. Not all websites and applications accept self-issued InfoCards. As part of the CardSpace exchange, a website might require that a user’s InfoCard be a managed card issued by a trusted identity provider such as the VeriSign Certification Authority (CA).

Finally, relying parties accept and consume the InfoCards a user provides. These are typically websites that use InfoCards to identify and/or authenticate users or to personalize web content.
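The three-party exchange described above, as an added example that is not code from the article or from Microsoft: a relying party publishes a policy (required claims, whether self-issued cards are accepted, which managed-card issuers it trusts), an identity provider signs a token carrying the card's claims, and the relying party verifies the token before accepting it. The issuer names, policies and keys are constructed, and an HMAC over a JSON body stands in for the XML digital signature a real issuer would apply with its certificate key.

```python
import hashlib
import hmac
import json

# Constructed issuer keys. A real relying party would verify the issuer's
# XML signature with the issuer's certificate; HMAC with a shared secret
# is a simplified stand-in for that here.
ISSUER_KEYS = {
    "self-issued": b"self-issued-card-secret",          # the user's own card
    "example-bank-idp": b"example-bank-idp-secret",     # a managed-card issuer
}

# Constructed relying-party policies.
FORUM_POLICY = {"required_claims": ["email"],
                "accept_self_issued": True, "trusted_issuers": []}
BANK_POLICY = {"required_claims": ["name", "identity_verified"],
               "accept_self_issued": False,
               "trusted_issuers": ["example-bank-idp"]}


def issue_token(issuer, claims):
    """Identity provider: sign a token carrying the claims on the card."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True)
    sig = hmac.new(ISSUER_KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_token(token, policy):
    """Relying party: check signature, issuer trust and required claims.
    Returns (accepted, reason) so the caller can log why a card was refused."""
    data = json.loads(token["body"])
    issuer = data["issuer"]
    key = ISSUER_KEYS.get(issuer)
    if key is None:
        return False, "unknown issuer"
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "bad signature"          # tampered or forged token
    if issuer == "self-issued" and not policy["accept_self_issued"]:
        return False, "policy requires a managed card"
    if issuer != "self-issued" and issuer not in policy["trusted_issuers"]:
        return False, "issuer not trusted by this site"
    missing = [c for c in policy["required_claims"] if c not in data["claims"]]
    if missing:
        return False, "missing claims: " + ", ".join(missing)
    return True, "accepted"
```

A self-issued card with an email claim satisfies the forum policy, while the bank policy refuses it and only accepts a managed card from the trusted issuer that carries the required claims.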


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.