The strangest thing just happened. I was following a link that had just appeared from vowe.net – a site published by Volker Weber. An interesting site, for sure – and on it, I read this piece by Nick Shelness:
Establishing identity and authenticating on the web are a mess. I doubt I’m alone in using the same user id and password over and over again. If they’re hacked once they can be employed a hundred times over. Yeah, some sites make you change your password at regular intervals, but how do you remember them? I write them down, and carry them with me. OK, they’re somewhat encoded, but …
For some time now, there has been the possibility of improvement under the “Identity 2.0” banner. To the surprise of some (many?), a significant chunk of Identity 2.0 innovation has come from Microsoft, and no, no, no, it’s not “Passport”. It is expressed in two seminal papers: The Laws of Identity and The Identity Metasystem, both by Kim Cameron.
But this is not all. There is a Microsoft product. It’s called “CardSpace” (it used to be called “Info Card”). It ships as part of Vista. It also ships as an automatic XP upgrade, and there are a host of alternatives, including open source ones.
CardSpace and its analogues, on their own, are not a solution. They are a component, albeit a key one, of an Identity Metasystem. What needs to come next is for web sites (“Relying Parties”) to start requesting and employing CardSpace-managed security assertions. This in turn will create a demand for Identity Provision (yes, this is where ActiveDirectory and son of Passport come in).
Will this happen? It’s too early to say. But by seeding the digital world with CardSpace, Kim and Microsoft have taken us a long first step down this path, and IMHO done us all a big favor.
It took me a minute to click in to the name Nick Shelness. He is a great visionary – CTO at Lotus and later an IBM fellow (now with his own practice in the UK). His support means a lot to me.
As for his “will it happen?” question, I've asked it too on a hundred ‘bleak and dreary days’. But I continue to think there are historical inevitabilities at work here.
Distributed computing is dammed up behind a wall of identity friction. The one good thing about the friction is that it limits phishing and cyber crime as much as it limits business. Remove the friction with something like single sign-on and you massively increase the attraction of the digital honeypot, providing a one-stop attack surface for evil. The more consolidated identity initiatives succeed, the more they will fail – unless there is a paradigm change like CardSpace that compensates for risk aggregation.
Few may understand these dynamics through theory alone, but Professor Reality will come to tutor them before too long. Meanwhile, there are more and more people with enough vision that they don't have to “go over Niagara Falls in a barrel to know it hurts.”
Day after day, week after week, month after month, CardSpace “sockets” are appearing on desktops. One day – not too far into the future – it will be present on 50% of them. Then on 75%! Meanwhile the software will get slicker and slicker, with multiple versions and choices by people like our friends at Higgins running on Mac and Linux. This is a historic thing we are doing together, and we can't be impatient. But this baby is going to light up big time.