The recent announcements about OpenID made enough impact that I've had a number of people ask what our interest in OpenID means for Information Cards in general and CardSpace in particular.
The answer is simple. OpenID provides Single Sign On to social networking sites and blogs. It means we can use a public personna across sites, and just log in once to use that persona.
But OpenID doesn't have the privacy characteristics that would make it suitable for government applications or casual web surfing. And it doesn't have the security characteristics necessary for financial transactions or access to private data. In other words, its good for a specific set of purposes, and we are interested in it for those purposes, but we remain as committed to more secure and privacy-oriented technologies as ever. In other words, we are interested in OpenID as part of a spectrum.
Information Cards are a way of safely organizing a palette of digital identities into a “digital wallet”. Over time, some of these identities will be very valuable, controlling access to government information, bank accounts, and corporate resources. Other identities will be very private, like those associated with health information or perhaps dating. Others will be the kind of public personas we are talking about with OpenID.
These different identities will co-exist in a metasystem with contextual separation but a similar use model. Importantly, the metasystem won't replace the underlying technologies – it will unify them and provide a consistent experience.
The relation between OpenID and CardSpace provides a good example of the issues involved here. OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies – the more it succeeds, the more dramatically phishable it will become. I've created a visual demo to help explain how this works – and how CardSpace works with OpenID to solve the problems.
My takeaway is that OpenID leads to CardSpace. I don't mean by this that Information Cards replace OpenID. I just mean that the more people start using cross-site identities, the more the capabilities of CardSpace become relevant as a way of strengthening OpenID and put it in a broader technology context.
Information Cards were created to put in place an infrastructure that can solve the security problems of the web before they explode in our faces. It's a serious technology and involves secure high-strength products emerging across the industry. The recent announcement by Higgins of the new user-centric identity framework for Eclipse is a great sign of the progress being made. And there are other important announcements coming as well.
[In this demo I use my favorite OpenID provider, which is myOpenID.com. It is super important to point out that I think the company is great. None of my analysis is a critique of myOpenID – I'm explaining some of the “browser-redirect” problems that face all OpenID providers (as well as SAML and Shibboleth providers). Importantly, myOpenID have supported Information Cards for a long time – and their implementation works well. So they are at the forefront of working these problems. Try using their Information Card solution.]
5 thoughts on “Why OpenID leads to CardSpace…”
Nice video Kim and I love that you used my diagram. It makes me want to go build an evil password page though, just to see how many would fall for it 😉
Hey Now Kim,
Great post, I was wondering about this topic for some time now.
Thx 4 the info,
Hi Kim. Nice video! However, you failed to mention that some providers give you the ability to prevent attacks to these by prevented redirected logins. If I am not logged into my provider and I am ever presented with a log in screen when I did not explicitly navigate to my provider's log-in page, I know that it is a forgery.
That said, I do like Cardspace and use it to log into my providers. What I would like most of all is a provider that supports RSA Mobile or equivalent (i.e. a one-time passkey delivered by SMS). That way I only have one device to lug around, and one call to make if ever it gets lost. It is much easier to replace a mobile phone than it is a bunch of hardware tokens.
I agree with your premise that password-based OpenID authentication is inadequate speicifically because of the social engineering exploitablity you discussed. However, I disagree with the conclusion that Cardspace is necessarily the most appropriate alternative.
Indeed, any other asymetric encryption technology would be sufficient, and browser certificates (supported by myopenid.com alongside cardspace) is easily up to the task. Furthermore, deployment of the technology behind client SSL certificates is already fully deployed across a wide range browsers and platforms, from Windows to Linux to Blackberry. It's rare to find a browser that doesn't support SSL, and it's rare to find an SSL implementation that doesn't support SSL client certificates.
In contrast, Cardspace remains a very new, very Microsoft-centric technology. Cardspace is currently unavailable on a signifcant portion of client machines. Furthermore, because it is a Microsoft exclusive, it will remain unavailable on all non-Microsoft operating systems in the future.
So, while I think you're correct in the assertion that Cardspace is a technology that can satisfy this need, I do not think that it will be the technology that ultimately fills that role.
Francis, I use the diagram everywhere and normally I credit you. Should have done so here too – just had my mind on other things because of the complexity of doing the video. I think I'm going to make a page of cool slides / diagrams and you'll be at the top of it.
Thanks for the comment, Chris Cato. Chris Hills, I agree it is a better idea to log in to your OpenID provider, get a cookie, and then go to OpenID enabled sites. It works for sophisticated users. However, I assume we want OpenID to be a mass phenomenon.
Tyler, there are other technologies that work – like carrying a dongle around. Or even a soft cert. I don't think these have very good usability characteristics. At some point we'll get the usability and distribution of CardSpace to the point where it will be present on most Windows boxes. I disagree, however, that it is a Microsoft-centric technology. You should check into the new Higgens release. Note to self: I should blog about it.
Comments are closed.