There’s been some chatter lately in Identity 2.0 circles regarding Cardspace. Cardspace is Microsoft’s latest attempt at ~~controlling~~ participating in the nascent user-centric identity space.
The Cardspace metaphor seems harmless enough – you create a number of identity “cards”. The idea is that, just as you keep an employee ID and a driver’s license with your home information in your wallet, you can have a number of virtual IDs (I’ll call them InfoCards in reference to Cardspace’s internal project name), which you store in your browser.
Actually, to take it a level deeper, there are two types of cards you can have: managed and self-asserted. The managed cards are the driver’s licenses and employee IDs of the Cardspace arena. The information on a managed card is locked by the issuing party. Just as you have to get the address on your driver’s license changed by the motor vehicles department, when your information on a managed InfoCard changes, you have to get the InfoCard provider to change the data. In contrast, there are self-asserted InfoCards, the equivalent of a business card. Anybody can go to Kinkos and get a business card printed up asserting that the holder is a certain person, at a certain address and working for a certain company. There’s no real trust involved here – it’s more of a way to speed up the exchange of commonly needed addresses so you can conduct basic business.
Now, in theory, the metaphor makes sense. I have business cards for my company, the firm I occasionally consult for, and personal business cards that I give to friends and people in the bar industry. I also have a driver’s license, which is my primary form of validated identity credential – and I keep both in my wallet.
This is where the Cardspace metaphor starts to break down. I can choose which wallet I put my cards in, and I can put that wallet into any pair of pants I own (or even a jacket pocket). Cardspace is Windows-centric, and not just Windows, but Internet Explorer only. Yes, there are homegrown plugins for Firefox, but they’re not technically supported by Microsoft. Though I have been able to jerry-rig Cardspace to work in Firefox on my Mac, it’s less than optimal.
Now, since the cards – even the managed ones – are loaded into the browser, they’re not very portable. If I only have one or two machines, managing these cards is not horribly challenging – but I have three different identities on my computer (home, work, development) and each of these has three browsers (Firefox, Safari, Opera) – that’s nine browsers. Then add in the Parallels environment and the three browsers there (Firefox, IE, Opera) and I suddenly have 12 different browsers where I could have to store these cards. Plus, there’s the browser on my smartphone – and I haven’t even started to think about what happens when I occasionally use a colleague’s machine or even a shared terminal at an airport or hotel.
It’s the equivalent of saying that I can only carry my driver’s license in a State of California-issued wallet, and if I use another wallet, my license may not fit or possibly will not always give the same information… and I’ll need another wallet for each pair of pants.
Even if I were primarily a PC user, the model still wouldn’t work.
Dick Hardt, one of the real evangelists for the user-centric identity movement, has introduced Sxipper, which populates “business card data” into web forms and uses OpenID as the authentication method. The challenge in making Sxipper truly useful will be storing the ID information on a secure Sxipper server, so that when I log into Sxipper from any browser, it fetches the current information – and if there are any changes locally, it synchronizes them back to the central server. Though I haven’t broached it with Dick, I would expect this sort of architecture to be made available as an option as the product matures. As a user, I may choose to keep some identities local, some cached to a local machine, and some only fetched as needed from the network – a perfect solution for shared or public machines.
Given the number of desktops Microsoft owns, Cardspace could become the dominant, if flawed, metaphor for the next wave of identity. Then again, it might just be a house of cards.