Open Cardspace opportunity

Just learned from Craig Burton that¬† Microsoft has killed off Windows Cardspace. Here’s the report from Mary Jo Foley. Here’s the Twitter search. Plenty of pointage to follow there. Here are Mike Jones’ reflections on the matter.

I don’t have time to get my thoughts together on this right now, but here’s my brief take at this early point. As almost always with me, it’s optimistic:

Good.

What mattered most about Cardspace, or about Infocards (the non-Microsoft term) was the selector, which was something that the user operated, that was under user control. As Craig just put it to me on the phone, the selector tells a service that the client is not a machine, that the client has control, that there is human being who makes his or her own choices about identity and other variables that have always belonged under the user’s control, but that the cookie-based system to which the commercial web has been defaulted from the beginning can not recognize.

What we (that is, developers) should do now is look at what Microsoft has abandoned, and use what we can of it to do what Microsoft did not, and apparently will not.

Frankly, for all the great work that Mike, Kim Cameron and other Microsoft folks did in this space, the biggest problem has always been their employer. While Microsoft deserves credit for giving these good people lots of support and room to move — including open source development, no less — the legacy was always there. Microsoft was a hard company for the rest of the world to trust as a leader in an area that required maximum openness and minimum risk that BigCo moves would be pulled. Which is what Microsoft just did.

So let’s move on.

6 comments

  1. Stephen Wilson’s avatar

    I agree that the Infocard Selector is a crucial, perhaps seminal development. It’s also a brilliant GUI that reifies and normalises the vital idea of a plurality of identities.

    I don’t think the impediments to Cardspace have been commercial or political, nor do they relate to usability. Rather, there is a deep over-generalisation at the heart of the Identity Metasystem, that has complicated the concept of federated identity, and distracted, confused and demoralised many stakeholders who tried to give federation a go. I’ve seen four different well funded authentication broker schemes in Australia overpromise and underdeliver (or fail altogether). And of course OpenID hasn’t met expectations even in near trivial authentication settings. So, if we don’t learn some deep lessons here then NSTIC is going to go exactly the same way as Cardspace and OpenID.

    Infocards should never have been mashed up with the radical Identity Metasystem. If we simply used Infocards to take our perfectly good current identities online — like credit card numbers, social security numbers, health identifiers, and proof of age cards — we would achieve great things. But I suggest it was unhelpful, nay fatal, to get tangled up at the same time in federated identity and the attempt to re-cast banks, govts, telcos etc. as open Identity Providers. Inserting IdPs into otherwise bilateral relationships between customers and service providers is truly a massive change to the way we do business. Breaking open identity silos entails re-engineering risk management mechanisms, re-writing user agreements and contracts, and in the case of banking, re-legislating to modify Know Your Customer rules. Despite easy intuitions about re-using identities, federated identity is a dramatic paradigm shift that is simply not warranted in solving the problems of ID theft and the password plague.

    Mike Jones says that one problem with Cardspace was that it didn’t solve “an immediate perceived problem”. I believe we will find that the perceived problem of having too many identities will, on closer examination, never prove to be so grave as to justify the full blown identity metasystem. The total cost of ownership of identities will probably be optimum at around 10-20 ids, and a whole bunch of identity silos — or niches as I prefer to call them — in healthcare, banking, the professions, and government will steadfastly resist federation.

    Let’s move on indeed. Let’s improve the way that the perfectly good identities we have today are taken online, to resist counterfeiting and takeover. But while we’re at it, let’s not try to change the fundamentals of how transactions are authorised.

  2. Doc Searls’s avatar

    Thanks, Stephen. Good and thoughtful reply.

    As with all failures, there are many teachings. I spent some time on the Skype today with Kim Cameron, who will weigh in at some point too. The nice thing at right now is that there isn’t much finger-pointing, but rather a lot of pondering and learning, and gearing up for next steps, whatever they are.

    Will you be at IIW?

  3. Ravi Pinjala’s avatar

    This is a real tragedy. Infocard had so much potential to make the Web a more secure place – any of the major identity providers could have rolled out support overnight, and with clients available on several platforms already (including the one baked into Vista and Win7) we could have had secure passwordless login across a good chunk of the web without too much trouble.

    I’ll never understand why Microsoft didn’t roll out Infocard on Windows Live, since that could’ve given the technology the critical boost that it needed. Instead, they were content to invest in it for a few years, and then just let it languish and die.

    [disclaimer: I work for Microsoft, but not in any group that has a stake in CardSpace. Right now I'm just speaking as a disappointed techie.]

  4. Ric’s avatar

    Whither now for Kim Cameron? Will somebody else please give him a chance to keep working on this stuff?

  5. Doc Searls’s avatar

    Ric, Kim is fine. He’s still at Microsoft. I’ll let him take it from there. :-)

Comments are now closed.