The recent announcements about OpenID made enough impact that I've had a number of people ask what our interest in OpenID means for Information Cards in general and CardSpace in particular.
The answer is simple. OpenID provides Single Sign On to social networking sites and blogs. It means we can use a public persona across sites, and just log in once to use that persona.
But OpenID doesn't have the privacy characteristics that would make it suitable for government applications or casual web surfing. And it doesn't have the security characteristics necessary for financial transactions or access to private data. In other words, it's good for a specific set of purposes, and we are interested in it for those purposes, but we remain as committed to more secure and privacy-oriented technologies as ever. Put differently, we are interested in OpenID as part of a spectrum.
Information Cards are a way of safely organizing a palette of digital identities into a “digital wallet”. Over time, some of these identities will be very valuable, controlling access to government information, bank accounts, and corporate resources. Other identities will be very private, like those associated with health information or perhaps dating. Others will be the kind of public personas we are talking about with OpenID.
These different identities will co-exist in a metasystem with contextual separation but a similar use model. Importantly, the metasystem won't replace the underlying technologies – it will unify them and provide a consistent experience.
The relation between OpenID and CardSpace provides a good example of the issues involved here. OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies – the more it succeeds, the more dramatically phishable it will become. I've created a visual demo to help explain how this works – and how CardSpace works with OpenID to solve the problems.
My takeaway is that OpenID leads to CardSpace. I don't mean by this that Information Cards replace OpenID. I just mean that the more people start using cross-site identities, the more the capabilities of CardSpace become relevant as a way of strengthening OpenID and putting it in a broader technology context.
Information Cards were created to put in place an infrastructure that can solve the security problems of the web before they explode in our faces. It's a serious technology and involves secure high-strength products emerging across the industry. The recent announcement by Higgins of the new user-centric identity framework for Eclipse is a great sign of the progress being made. And there are other important announcements coming as well.
[In this demo I use my favorite OpenID provider, which is myOpenID.com. It is super important to point out that I think the company is great. None of my analysis is a critique of myOpenID – I'm explaining some of the “browser-redirect” problems that face all OpenID providers (as well as SAML and Shibboleth providers). Importantly, myOpenID have supported Information Cards for a long time – and their implementation works well. So they are at the forefront of working these problems. Try using their Information Card solution.]