{"id":866,"date":"2007-10-04T01:09:33","date_gmt":"2007-10-04T09:09:33","guid":{"rendered":"\/?p=866"},"modified":"2007-11-28T09:08:58","modified_gmt":"2007-11-28T17:08:58","slug":"what-if-we-fail","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=866","title":{"rendered":"What if we fail?"},"content":{"rendered":"<p>As innovators we need to think about what happens if our systems fail.\u00a0 I&#39;ve argued, for example, that the starting point for designing a secure system is to recognize it will be breached.<\/p>\n<p>So I took Ben Laurie&#39;s <a href=\"http:\/\/www.links.org\/?p=258\">recent piece on CardSpace <\/a>as an invitation to review one more time what can go wrong with Information Cards and CardSpace.\u00a0<\/p>\n<p>For those who don&#39;t know him, Ben has been a leading innovator in terms of open source SSL, and currently works at Google.\u00a0 In his piece he writes that OpenID isn&#39;t gaining much traction.\u00a0 Then he turns to CardSpace, which he says &#8220;appears to be supported only by Microsoft products.&#8221;<\/p>\n<p>A number of people gagged on this, including <a href=\"http:\/\/virtualsoul.org\/blog\/2007\/09\/28\/100-open-source-information-cards-and-how-ben-might-win-an-iphone\/\">Dale Olds of Novell <\/a>(who none the less retained his unflappable charm).\u00a0 Dale had just released his new <a href=\"https:\/\/cards.bandit-project.org\/BanditIdP\/index.jsp\">DigitalMe product <\/a>providing <a href=\"http:\/\/www.bandit-project.org\/index.php\/Digital_Me_Download\">Information Card support for Mac <\/a>and Linux.\u00a0 In fact, at Digital ID World, the open source Bandit Project had launched a &#8220;<a href=\"http:\/\/www.novell.com\/news\/press\/novell-led-bandit-project-launches-control-your-identity-campaign\">Control Your Identity&#8221; campaign<\/a> to promote awareness and use of information card technology. 
Hmmm.\u00a0 I wonder if Linux is a Microsoft product?\u00a0<br \/>\n<!--more--><br \/>\nDale ended his response to Ben by saying, &#8220;Ben, please check it out. You might win an iPhone. You can use information cards to access the site, or even deploy your own identity provider or consumer using 100% open source software.&#8221;\u00a0<\/p>\n<p>That phone might actually be a good idea because Ben could stay in closer touch with all the people working on information cards&#8230;\u00a0 But hey &#8211; let&#39;s give credit where it&#39;s due:\u00a0 the next thing Ben did was to roll up his sleeves and start to compile his own BSD version of Digital Me.\u00a0 Cool.\u00a0\u00a0 He <a href=\"http:\/\/www.links.org\/?p=261\">writes about it here<\/a>.<\/p>\n<p>Analyst Neil Macehiter <a href=\"http:\/\/www.mwdadvisors.com\/blog\/2007\/09\/has-cardspace-become-passport.html\" class=\"broken_link\">gets into the fray <\/a>by pointing out the obvious:\u00a0 current rates of uptake for OpenID and CardSpace are &#8220;to be expected given that we are still in the early stages of both.&#8221;\u00a0<\/p>\n<p>After all, where do you get your relying party and identity provider software?\u00a0 At the corner store?\u00a0 <a href=\"\/?p=865\">Even the CardSpace <\/a>team finds itself on a Microsoft blog where, although it&#39;s definitely part of the plan, Information Card support hasn&#39;t been released yet.\u00a0 Windows Live ID&#39;s beta is still bleeding edge.<\/p>\n<p>The strangest part of Ben&#39;s post is a speculative paragraph worrying that if no one but Microsoft adopts CardSpace, and if people just use CardSpace to connect to Microsoft,\u00a0 then it will be no better than Passport.\u00a0<\/p>\n<p>Beyond being convoluted, the premise is all wrong.\u00a0 The original Passport was aimed at employing a single identity across many different sites.\u00a0 This problem simply doesn&#39;t arise in Ben&#39;s failure scenario,\u00a0the scenario in which only one site has adopted 
the technology.\u00a0\u00a0 If there are multiple sites, Ben&#39;s failure premise goes away&#8230; (There are good reader comments explaining all this <a href=\"http:\/\/virtualsoul.org\/blog\/2007\/09\/28\/100-open-source-information-cards-and-how-ben-might-win-an-iphone\/\">here<\/a>).<\/p>\n<p>The bottom line:\u00a0 if CardSpace were to be used only at one site, it would still be no worse than Google or Yahoo or Live ID &#8211; or any other system that is only used at one site.\u00a0 And\u00a0as it succeeds across more sites, it provides progressively more advantages.<\/p>\n<p>Will Ben&#39;s alternate future come to pass?\u00a0 No.\u00a0 Because CardSpace will be integrated into many enterprise and web products, it will offer significant advantages to the organizations that adopt it, including the ability to mix and mash personal, enterprise and hosted solutions through multiple shared identities.\u00a0<\/p>\n<p>As the number of CardSpace and DigitalMe and other Card Selector sockets grows towards a tipping point; as the software for building relying parties becomes widely available and understood;\u00a0 as the early software\u00a0put out by Microsoft and others is\u00a0refined and perfected; as leading applications raise the competitive bar by adopting the technology;\u00a0 CardSpace and its sister implementations\u00a0will be used across many different contexts and their ability to support minimal disclosure and prevent the use of universal identifiers will become increasingly valued and apparent.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ben&#39;s alternate future will not come to 
pass.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,46,10,7,4],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/866"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=866"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/866\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=866"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=866"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=866"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}