David Coder comments on my recent reflection on “novel auth” technology:
Kim, I very much agree with everything you wrote.
But there is another thing I don't understand lately. CardSpace is shipping now for almost half a year in its RTM version. And yet, I have never come across a production site (except this one) that uses it. You post all these fantastic anouncements of new groups that will support this, but out there on the web, very little adoption seems to take place. And in particular, there seems to be not a single Microsoft site that uses it. Why? Contrary, the one huge MS group where I would have thought they might use it (Windows Live ID and all the sites that use it) seems to be even implementing their own identity selector.
Quite frankly, right now my impression is that what is needed most is some highly visible commitment from MS itself to this idea and to implement it widespread on its platform. I am just quite sceptical that anyone else will use this widespread, unless you do the first step.
Make no mistake: you will see deep Microsoft support. But you need to give us time to roll it out, just as we need to give others in the industry time to do the same.
Using your example of Windows Live ID, it is a huge production system handling a billion authentications a day. There are strict requirements for introducing new software. In fact, some of them arose through input from policy makers. Much more is involved than “wanting to do something” and coming up with “bits” suitable for use on such an enormous site. There is Process.
The same is true in terms of integrating the new technology into our federation product, Active Directory Federation Service (ADFS). There is a whole team working on CardSpace support, so administrators will be able to give their Active Directory (AD) users Information Cards at the flick of a switch. But we want to do it as well as we can, and in the most secure way possible, and we can't do that over night.
My colleagues and I wanted to see CardSpace bits get into circulation as early as possible – even if service offerings weren't ready yet. Why?
Socket and Ecosystem Days
The problem with identity is getting the infrastructure in place. Some great talent – I don't know who – pointed this out when he said, “The Public Key Infrastructure (PKI) is great except for one thing: the public has no keys”…
CardSpace eliminates the need to “give the people keys”. But the bits still have to “get out there” before it will work. We are still in “Socket and Ecosystem Days”, when sockets start to appear on desktops and people running web sites can move past “but nobody has information cards” and get to “hey, everyone is going to have them”.
Our first job was to ship CardSpace V1.0 so Information Cards became “real”. Now we need to distribute bits. And finally we need to lead in adoption, just as you say.
CardSpace can't succeed without its sister implementations on other platforms. It also needs relying party software in a dozen languages to run on all platforms. And identity provider software.
These are just starting to emerge. But all this is happening in a methodical and persistant way. I think of it as “ecosystem time”.
I'll post the report that appeared on the OSIS wiki describing the Connect-a-thon held at a recent IIW. You will see the degree to which the ecosystem is growing.
Meanwhile, Windows Live ID plans to introduce Information Card support this summer. At that point, all the Microsoft properties will be enabled. The integration will grow progressively stronger over time.
Now, that is a clear statement about Live ID support this summer! Good to hear that.
I find your argument about the need to distribute the bits first also very convincing. And finally, I expect that once at least one really large IP is online (i.e. Live ID) things will really take of with small sites as well. Why? Well, right now the use of CardSpace introduces friction for a small site. Most people will not yet have any card, so using CardSpace over username/password as a small site will mean that new users of a site will have to go through many more steps to register etc. But once something like Live ID is up with CardSpace support, CardSpace might actually simplify authentication for small sites, i.e. once users can use a managed Live ID card (or from someone else), CardSpace will actually take away some of the hard details of user management for small sites. And once that is the case, the economics is right for small sites to use CardSpace. In the end most sites will not use CardSpace because they believe in the benefits to the eco system, but rather it has to make things simpler and lower cost for them, and I can very much see that once large IPs are online.
Thanks a lot for answering my comment in such length!