The CardSpace Value Prop

Last night I took in the Calgary .NET User Group presenation on CardSpace. It was great to see Michele Leroux Bustamante again as she's an awesome presenter. CardSpace is a relatively new technology but basically it makes identity easy for end users. You can find out more about CardSpace in general here.

The thing that I'm not sure about is the value prop for this. Currently CS is really only happening behind the firewall. There's very little penetration in the "real world" so we're not seeing CS logins on Visa sites, PayPal, or even Facebook or Yahoo Groups. That was the one thing I got when I was looked at CardSpace awhile back. I thought it was neat and perhaps solved a few problems (mainly around phishing and issues of users entering ids and passwords in clear text) but there was very little implementation out there.

Discussing it last night Michele brought up an example of how she's using it behind the firewall with a client. Essentially they're looking for a SSO layer that allows them to identify users across multiple disparate data sources, and remove the issue of managing identity on each instance of a data source. If you have SharePoint installed (2007 but 2003 will work to a certain extent) and combine their SSO services with the BDC (Business Data Catalog) you essentially get something like this. However there's the issue of tracking so if you're interested in who actually logged the request this might take some work, whereas CardSpace would help solve this problem.

However behind the firewall I have a problem with CardSpace in general. I already know the user. Sure, sure. In hetrogeneous environments where my users are Mac, Linux and PC I have problems. I also might have problems in environments where I have corporate employees that I can identify (say via ActiveDirectory) but non-empoyees (contractors or external customers) that I can't. Do I force my non-employees to be members of Active Directory? Do I create a cross-trust to other forests or domains to identify them? How do I handle federated identity in the enterprise. Maybe this is the place where CardSpace helps.

Outside the firewall I see there's benefit. There's benefit for managed cards for sure so when Visa, Mastercard, and PayPal come on board (and I'm sure they will) it will make signing into sites certainly easier, and perhaps a little more secure (I'm still debating if there's more security from CS given SSL enabled sites when you're doing banking but there are other advantages). Certainly for managed cards issued by banks and other places, I'm all over that like white on rice. Everyone does it but probably doesn't admit they use fairly weak passwords and probably share the same passwords across multiple institutions. With something like CardSpace in place, it becomes a non-issue for managing paswords (the card is my password, verify me) and really all I have to do is manage my cards, much like how I manage my credit cards in my wallet now. For the geek type we know that an SSL enabled site, a valid URL, etc. all gives us a warm and fuzzy that we can enter our credit card info on ThinkGeek and not expect charges to appear at Phil's House of Bondage. For the non-geeks out there, having them select a card from a friendly UI knowing that it's pretty safe makes me feel better (and cuts down on calls from the Father-in-law about this PayPal site he's never been to).

Of course there's still the roaming issue that needs to be address but that's a different problem. The poor mans solution right now is exporting cards and importing them around (or carrying them around on say a fingerprint enabled USB drive), however it's not a happy-happy-joy-joy scenario for someone like Jason Bourne who just wants to pop into an Internet cafe and log on (okay, bad example as Jason really doesn't want to be identified, but you get the idea).

All in all CardSpace looks fun and secure and will help solve some problems of both external sites and internet identity as well help deal with issues of FedSpace and complex corporate user identification. It's not the silver bullet (has there ever been one for anything?) but it's certainly an enabler. I'm planning on doing some cool stuff with it in the SharePoint space so stay tuned on this towards the end of the year. There's also some neat stuff that I think I'm going to do on a personal level like enabling some of my own sites with it. Even though it's not widespread, it is out there and easy enough for you to just create a personal card to save you the hassle of tracking user ids and passwords all over.

Things I learned last night at the session (maybe not completely related to CardSpace):

• Michele is Canadian! That just rocks.
• The iPhone really kicks the llamas butt (thanks JP for the look-see) but not sure if I'm going to ditch my CrackBerry for one just yet.
• Michele used to work at Canadian Pacific Railway about 4 years before I started in 96 (this was Michele's pre-developer days)
• CardSpace is simple to implement (web based or services) but does take some code to get tokens and decrypt info. This is all code Michele provides in her demos but will eventually make it's way into the core platform.
• Garrett Serack wrote the identification code for CardSpace and worked at CP with me for a short time (he's now at Microsoft in the Open Source space)
• It's a small freakin' world
• I finally learned how to properly pronounce Michele's full name (and in French too!)

In any case, an interesting technology to track and some cool stuff for developers to try out. Check out CardSpace for yourself and be sure to check out Michele's demos and code as it's one of the few resources out there today for playing around.