As I said here, I want also to look at a second strange claim by Eve:
On another issue, she noted that OpenID 1.0 has a vulnerability in that it leaves users’ identities open to possible correlation by unauthorized third-parties.
But that CardSpace has a vulnerability of an opposite but equally problematic nature. Given that each CardSpace is associated with a particular client device (i.e., a particular desktop, laptop, or mobile phone running Vista), and given the fact that each user might have multiple such devices, each with a multiplicity of cards running on them…that the more such devices, cardspaces, and i-cards multiply for a given user, the more difficult it will become for a particular user to correlate the various fragments of their identity across their own personal “space.”
This really strikes me as bizarre. Maybe Eve was asleep while the entire world learned to copy mp3s onto their music players and carry them around? Duh. We know how to move files from device to device. In fact there are probably many hundreds of millions of people who can do it better than either Eve or I can.
The idea that this is the big vulerability of CardSpace boggles my mind. The whole criticism “Does not compute.”
Then again, I actually use Information Cards, and move them from device to device, so maybe that's why it's so clear to me how easy it is to do.
Let me share the exact experience I have installing the Information Cards from my PC's CardSpace onto my mobile phone.
Moving Information Cards from device to device
1) I open up CardSpace and select Back Up Cards. This will create a file containing my cards. I decide to call it “cardset”.
2) I copy ‘cardset’ to my phone and click on it:
3) The phone asks for the password I used to protect my file
4) It verifies I'm importing the right cards
5) And now I have the same cards on my phone device as on my PC.
How hard is that? It would be the same process copying the file to some other device. It works fine. As easy as getting a word document or powerpoint or mp3 from one place to another. Dongle anyone? How about email?
Still, the uberpoint is this: once Information Cards live on my phone, they go whereever I go.
There are lots of ways phones can potentially talk to other devices. So who says we have to copy our cards to all our devices once they live in a secure, personal device like a phone that we always have with us?
NOTE: I want to point out that the mobile implementation of CardSpace I'm showing here is NOT a product. It's a way of learning about the issues, and collaborating with colleagues in the world of telecom and secure portable devices. But hey! It's still a lot of fun. More later.
Um, I think one of the scenarios Eve might have had in mind is the use of smart cards. A lot of people think that the “proper” way smart cards should operate is that secrets (e.g. private keys) are generated an the card and will reside on that card for their entire life and cannot be copied anywhere else. I'm not commenting on whether that's really proper or not, but
there sure are a lot of folks who think it is, and there are manufactures that are creating smart cards do indeed exhibit that behavior.