piątek, 30 listopada 2007

CardSpace xor OpenId - trends

Mood: My skis are packed, holidays incoming!

About CardSpace
CardSpace (formerly “InfoCard”) is the solution introduced within .Net Framework 3.0 side by:
- Windows Workflow Foundation (WWF)
- Windows Communication Foundation (WCF)
- Windows Presentation Foundation (WPF)
It is Microsoft’s standard for authentication and digital information transport. MS did in here 180 degree turn. Predecessor, Microsoft Passport was central type of the solution, where Microsoft severs possessed all the information about authenticated users. It did not become popular outside Redmond servers. Now, the user is the one who possess the information and the one who decides which information (Information Card) from his personal PC are passed to which web site. CardSpace is so the distributed solution, where MS provides just the standard of exchanging data and it has much bigger chance of success.

How it works, it is described in details on many, various pages to name just the one.

Fig1 – CardSpace model
If you know polish, you should also read this.

Personal Information Card – first steps
CardSpace defines two types of Information Cards:
- Personal Cards, which contains the standard, defined by MS set of information
- Managed Information card (use the package if you want to play with them)
At the beginning it is suggested to play with Personal Cards and install your personal one like it is described in here. Important note is though that you do not need Vista and it is working also for XP SP2 and Windows 2003 SP1.

You may register your card in WindowsLive or MyOpenId. MyOpenId is the interesting authentication mid-service for number of other web portals controlling your “sign in” action there with one assign id. After you sign in on these services for the first time, you are transferred to MyOpenId page and you may decide about your nickname there plus you are asked if you want to allow the action forever, once or deny it.

Fig2 – MyOpenId service

Nevertheless, after registration in both services you may transparently get to WindowsLive service, but MyOpenId will require from you sending your Personal Information Card during each Sign In action! The second situation is probably due to other model and high security level as any changes in MyOpenId affects the way of accessing number of other.

After these and the other actions you may always check usage history of your card.

Fig3 – History of Personal Information Card

CardSpace enabled Web page
When you want to create your own web page, which is CardSpace enabled (like MyOpenId) there is couple of tricks like:
- You need to create and install your some “X” High Assurance certificate issued by “Y” CA to enabled SSL (*.pfx file)
- Add “Y” CA certificate into list of Trusted Root Certificate Authorities (*.sst file)
- Specific page for choosing, displaying and registration the Personal Information Card
- Authentication mechanism for your page
All these things are described in details in couple of places, just to name one.

Further more Fireworks 3.0 (likely) supports CardSpace.

The other standard on the market is OpenID by OpenID Foundation. You may get and use your OpenID in various services enlisted on the page. OpenID is more widely distributed standard than CardSpace, but… Microsoft is not willing to compete with it, but they has announced they are willing to integrate! Furthermore myOpenID mentioned above seems to be already the service integrating both possibilities CardSpace and OpenID.

If you are willing to use the standard you should visit the OpenID source page (OIDS), where you find all necessary downloads (documentation is not available though) and information about on-going projects. Generally there are two ranks of participants:
- OP : OpenID providers (the plan is to have at least one per country, but the coverage is currently quite poor) – it is counterpart of MS’s IP
- RP : Relying party (the users of OpenID basing on OIDS license – for example web site owners)
The whole idea seems to be a good, open campaign to organize chain of trust between the identity providers and web sites owners, to avoid the uncommon phishing attacks like the one described in here. There is quite intriguing business model presented by the organization:

Fig4 – How OIDS works

It seems like OpenID is a step forward CardSpace as it starts to build already its net of providers, users and partners. If you write in Google “How to become Identity Provider”, among 10 first findings, there is no information about CardSpace or any other Microsoft service, but there are two linkages (VeriSign and Public OpenID providers) linked directly with OpenID enterprise. If there is not some visible promotion of Information Card providers the whole idea may end in a similar way to Microsoft Passport – it will be used mainly on Microsoft pages J

The other problem is that there is not too many visible places where you can get the Managed Information Card. Even the one, which you can find on the web does not work often, like the one. Furthermore even basic Personal Information Card does not work in some web services, like SignOn. Funny thing is that it works for some people or it worked in the past. Of course, the error might be (and probably is) in web site, but annoyed non-techie people may blame CardSpace.

The interesting option though for Microsoft is to provide “presentation layer” and use the OpenID as a “transport layer”. As there is cooperation planned for both and myOpenID already goes in that direction it is quite possible that future Windows (Vista) user my authenticate with CardSpace to get widely distributed and popular OpenID in the network.

Brak komentarzy:

web metrics