CardSpace / Identity 2.0

Man, I hate these cliché technology terms. Anyways, at one of my clients we are using CardSpace with SharePoint, and it is working great, users really love it as the whole experience for both internal and external use is the same. Best of all we were able to eliminate the dual authentication prompts with office clients dropping the login token when invoked from SharePoint with the CardSpace OM. We use a common WebPart library that exposes the required common CardSpace API calls to build out something that we call “IdentityPoint” which manages all the InfoCards within the enterprise. All in all it is very neat, very manageable, and very cool. I spent a lot of time on it.

Then I was in a meeting today, and one of my co-workers was talking about how we were identity 2.0 cutting edge, compliant, or some other phrase that made no sense. I reached over the table and I punched him. Well, ok, I didn’t punch him, but we had a verbal argument.

People feel that Identity 2.0, as coined by Dick Hardt (which really isn’t that clever of a term when you think about it), is the principal enabler for Web 2.0 implementation. Reason being, Web 2.0 will highly integrate the concept of people / identities, and therefore an identity metasystem is a pivotal concept to take into consideration with Web 2.0. This I can agree with.

CardSpace alone can’t build an identity metasystem, that’s not how it works. CardSpace provides an interface into an open standards identity architecture, agnostic towards vendor or protocol (that is why we are using WS-* standards). CardSpace is central to identity metasystem realization because the reach of the Windows OS is massive, and being natively packaged within Vista (and most of your SharePoint users being on IE anyways), it is something that should generally be embraced. An identity metasystem, on the other hand, is the collaboration of a huge number of parties that subscribe to this theme. It is an Amish barn building process, whereby everyone that chooses to subscribe to this concept participates in putting up the necessary segments that lead to the final product. Once the final barn is finished, then we can add new horses to it to move things around, move horses back and forth, or remove horses as we see fit.

I think that metaphor sucked but it was the only thing that I could think of that fit.


Personal and Managed InfoCards

In recent posts, there was the discussion of the different types of InfoCards that CardSpace provides. There have been some questions that I have been receiving in regards to this, so I thought I would provide some clearer answers.

There are two types of InfoCards that CardSpace currently supports. Although there are some differences between the two, the main thing to keep in mind is that both cards contain the relevant metadata to obtain the security tokens that carry the required (encrypted) information. Meaning, both types of InfoCards know the correct location to point to.

The first of the InfoCards that we should look at are Personal cards. Personal cards, as the name implies, are those issued by yourself, by your person. They are cards that are self-issued, so the maintenance of these InfoCards is up to the owning user that initially self-issued the card to themselves. Unlike the second card type that we will discuss shortly, Managed Cards, there is no external identity provider. Rather, the user is the identity provider and is responsible for the creation of the card. The InfoCard and its associated metadata are stored on the user’s machine. A personal InfoCard will also have a finite, fixed set of claims associated with it, usually nothing very robust. This is the most typical type of InfoCard in environments with loose website registration, such as the ones that you are used to filling out registration forms for, where there is no account provisioning architecture that would normally take care of this task.

Managed cards are a little different than personal cards. Managed cards are issued by a third party and then installed into the CardSpace UI. These cards are transferred to the user as a signed file with the .CRD extension from the identity provider. Whereas with Personal InfoCards the set of claims located within them was not very robust, the set of claims on a managed card is really only up to the identity provider’s imagination, so it can contain a large number of claims. Personal information for managed cards is stored with the identity provider, not on the user’s machine. These types of InfoCards are generally used in high-risk environments such as banks, shipping, and misc. large commercial web applications.
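The practical difference between the two card types shows up on the relying-party side: self-asserted claims from a personal card are fine for a low-risk registration form, while a high-risk application should insist on a managed card whose issuer it trusts and whose signature checks out. The following Python is an added example, not code from the original post or from CardSpace itself; the self-issued issuer URI and the claim-type namespace are the WS-* identity URIs CardSpace uses, while the trusted-issuer list, the risk tiers, the `signature_valid` flag (standing in for a real signature check on the issuer’s token) and the sample cards are constructed assumptions.

```python
"""Relying-party acceptance policy for personal vs. managed InfoCards (added example)."""
from dataclasses import dataclass, field

# Issuer URI that CardSpace uses for self-issued (personal) cards.
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# The fixed, modest set of claim types a self-issued card can carry.
SELF_ISSUED_CLAIMS = frozenset(CLAIMS_NS + name for name in (
    "givenname", "surname", "emailaddress", "streetaddress", "locality",
    "stateorprovince", "postalcode", "country", "homephone", "otherphone",
    "mobilephone", "dateofbirth", "gender", "privatepersonalidentifier", "webpage",
))

# Constructed: managed-card issuers this relying party has decided to trust.
TRUSTED_MANAGED_ISSUERS = frozenset({"https://sts.idp.example/managed-cards"})


@dataclass(frozen=True)
class InfoCard:
    """Minimal model of the metadata a card presents to a relying party."""
    issuer: str
    claims: dict = field(default_factory=dict)   # claim type URI -> value
    signature_valid: bool = False                 # assumed result of verifying the issuer signature

    @property
    def is_self_issued(self) -> bool:
        return self.issuer == SELF_ISSUER


def evaluate_card(card: InfoCard, required_claims, risk: str):
    """Decide whether a presented card satisfies this relying party.

    risk is "low" (loose website registration) or "high" (bank-style application).
    Returns (accepted, reason) so the caller can log why a card was refused.
    """
    missing = set(required_claims) - set(card.claims)
    if missing:
        return False, "missing required claims: " + ", ".join(sorted(missing))

    if card.is_self_issued:
        # A personal card can only carry the fixed self-issued claim set;
        # anything else means the card (or the request) is malformed.
        unknown = set(card.claims) - SELF_ISSUED_CLAIMS
        if unknown:
            return False, "self-issued card carries non-self-issued claim types"
        if risk == "high":
            return False, "self-asserted claims are not accepted for a high-risk operation"
        return True, "self-issued card accepted for low-risk registration"

    # Managed card: the third-party issuer must be one we trust, and the
    # issuer's signature over what it handed us must actually verify.
    if card.issuer not in TRUSTED_MANAGED_ISSUERS:
        return False, "managed card from an untrusted issuer: " + card.issuer
    if not card.signature_valid:
        return False, "issuer signature did not verify"
    return True, "managed card accepted"


def demo():
    """Constructed sample cards run through the policy; returns the decisions."""
    personal = InfoCard(SELF_ISSUER, {
        CLAIMS_NS + "givenname": "Ada",
        CLAIMS_NS + "emailaddress": "ada@example.test",
    })
    managed = InfoCard("https://sts.idp.example/managed-cards", {
        CLAIMS_NS + "emailaddress": "ada@example.test",
        "https://sts.idp.example/claims/accountnumber": "12345678",
    }, signature_valid=True)
    return {
        "personal_low": evaluate_card(personal, [CLAIMS_NS + "emailaddress"], "low"),
        "personal_high": evaluate_card(personal, [CLAIMS_NS + "emailaddress"], "high"),
        "managed_high": evaluate_card(managed, [CLAIMS_NS + "emailaddress"], "high"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The useful property here is that the decision is keyed on the issuer, not on the claim values: a personal card cannot be upgraded into a high-assurance credential by the user typing a bank account number into it, because that claim type is not one a self-issued card can carry, and a managed card is only as trustworthy as the relying party’s list of issuers and its verification of the issuer’s signature.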

I hope that gives you a better idea of the two types of InfoCards that you will experience. Expect more posts on CardSpace, because it ROCKS!


Eh, What? CardSpace Is the Most “Revolutionary”

Last night I went out with a kindred .NET developer buddy to grab some drinks and play pool (I have been practicing for about 6 months now). We got into discussing work that we have been doing with NetFx3, like WCF, WPF/E (or whatever it is called this month, SilverLight I think), along with some general development stuff that we found neat (like our Orcas experiences thus far). So, we started discussing which, out of all these new technologies that are presented, we felt was the most compelling and offered the most “revolutionary” introductions for organizations that employ heavy .NET applications in their traditional development. Basically, which ones we thought would have, and continue to have, the largest footprint in the industry currently and for time to come.

My buddy said, without a doubt, WF is the one that is going to change the way that we approach customers with proposed solutions, and how those actual solutions are developed and maintained. He stated that things like the activity model and the rules engine are pieces of something that, although it needs to evolve slightly to be perfected, is going to change the way that businesses automate legacy business processes. That part I can agree with. I think that WF is a very good start of something that all developers that do business development have been hungry for, for quite some time, and I will continue to use it heavily as my experiences thus far have been enjoyable.

But, on the other hand, I couldn’t disagree more about what is the most important, and will leave the largest footprint. Introducing a managed model for building workflow-aware applications is all fine and good, and will make functionality that normally had to be written manually much quicker to get pushed into a production environment and consumed by business users. Hell, I have been using it daily and find it very, very nice to program against, and am happy I don’t have to use a poorly constructed shared library I have been using for about three years. But, for myself, CardSpace (and its inherent relation to WCF I suppose) is easily the most “revolutionary” piece included with NetFx3, albeit the most overlooked one and the one that people disregard the most. Maybe not in terms of development, but I am talking about a larger, more rippled industry footprint.

Why? Well, let’s look at the business problems that each of these pieces my buddy and I are arguing about is trying to solve. CardSpace introducing a piece (by means of an identity selector in Windows, because the reach of the Windows OS is obviously rather vast) of an identity metasystem isn’t doing something like automating business processes or making your web applications look pretty. CardSpace is promoting a piece of an entire metasystem that would affect, and require the participation of, a large number of groups, based on agnostic WS-* protocols so all types of systems can tap into it, changing the way that people interact with, manage, and exploit their digital identities. We are talking about big stuff here; this is a “revolutionary” concept. Ok, maybe I am biased because I like the study of security more than business development, but, meh.

An identity metasystem is not a possibility IMHO, it’s an eventuality. It is going to happen, one way or another; identity problems are doing nothing but growing more and more of a concern for the general populace and organizations every day. How often do you see in the news a headline saying “Criminals Acquire Sensitive Organization Information From Poorly Automated Business Processes” or “Company Is Mad Because They Had To Hire A Bunch Of Developers To Build Workflow Applications”? Um, not very frequently. It is a lot more common to find headlines about people stealing other people’s identities, etc., and wreaking general havoc on those people’s lives afterward. I mean, let’s look at just a brief set of things that CardSpace is going to implement in terms of an identity selector plugging into an identity management system.

User Managed and Control Over Their Identity Information From Origin to Destination

Self-Asserted Identity Information

Standard User Interface To Select Identity Cards (InfoCards)

Secure Housing To Store Identity Information

User Control! Empowering Users With Granular Control!

Etc. Etc. Etc.

Even management suits that are accustomed to pinching pennies can appreciate a cost/benefit analysis of the situation. Although making workflows a lot easier to build will save a company money, could it really save them more than what would ensue if their corporate identity information was disclosed? I personally don’t think so!

I am not discounting the other things that are included with NetFx3; they are important, and really do make our lives as developers much easier. They are great for their purpose. But, I can’t stand it when people discount CardSpace as nothing but a glorified password manager, and don’t look at the real benefits and problems that it is attempting to target.

I guess I can end this rant now. :)