Written by Jitendra Gupta of Karmaweb and edited by Richard MacManus
Bill Gates of Microsoft just announced a deal with JanRain, VeriSign and Sxip to develop integration between Microsoft CardSpace and the open source project OpenID. This is an interesting deal between the software giant in Redmond and a popular open source project, which deserves a closer look. For those already familiar with OpenID and Microsoft, jump directly to the takeaway section. For others, the next two sections will provide you with a quick introduction to two new technologies that will likely have a significant impact on the future of the Internet.
What is OpenID
OpenID is an open, decentralized, free framework for user-centric digital identity. It is aimed at solving the problem of Web single sign-on. How does the problem of web single sign-on affect you? Well, if you struggle with keeping track of different usernames and passwords at different websites where you have an account, OpenID can help you. With OpenID you will be assigned a standard username (typically a URL or an i-name, similar to an email address) that you can use on all sites that support OpenID.
Windows CardSpace is an authentication product, embedded in Vista (also available for XP via a service pack), which puts the power of managing multiple identities in the hands of the user, via an easy-to-use UI and an underlying technology that supports a number of web and enterprise authentication standards. It is an authentication technology because it uses cryptography and tight integration with the Windows platform to securely deliver various verifiable claims for the user. The UI of Microsoft CardSpace tries to mimic, online and for digital identities, the use of business cards, credit cards and membership cards.
1. The announcement
For a high-profile Bill Gates announcement, the follow-up plan seems pretty skimpy on the details of work to be done. All it seems to commit Microsoft to doing is to help out the open source community, as most of the work needed here will be done on the OpenID side of things. Microsoft, for its part, seems to be committing to “support OpenID in future Identity server products” - which doesn’t really mean much.
2. What’s in it for OpenID
The OpenID specification is simple and light, which accounts for its recent popularity. As such, the OpenID 2.0 specification does not specify any authentication or multiple identity management capabilities.
This deal provides the OpenID community with another authentication vendor that makes enterprise adoption a possibility.
Also, one of the downsides of the flexibility provided by OpenID is that it opens the user up to some potential phishing attacks. The most worrisome scenario here is when an evil site, posing as a service provider, redirects users to a fake site to enter their OpenID password. With the password the user entered, the evil party can pose as the user at any number of sites that use OpenID. See more details on this issue at Kim Cameron’s blog. This is a pretty big security threat that the OpenID community has been grappling with for some time. They have developed some interesting solutions, like browser plug-ins and customized login pages at OpenID provider sites, to make it hard for evil parties to pose as a real site, but a reliable solution has not emerged. Microsoft CardSpace, with its vast reach (it is integrated with Microsoft Vista and is also available for XP via a patch), provides a reliable and effective way for users to authenticate with the OpenID provider without needing a password that can be phished. CardSpace-based authentication relies on Windows client-generated tokens that cannot be fabricated or reused. So this integration with Microsoft CardSpace ensures that the OpenID community can eliminate a major barrier to even wider adoption.
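The redirect check that a browser plug-in of the kind mentioned above could run before the user types an OpenID password, as an added example that is not part of the original article or of any OpenID or CardSpace code. It assumes the user has pinned their real provider's origin once; the function name and all hostnames are made up for illustration.

```javascript
// Added illustration: decide whether a page asking for the OpenID password
// really is the user's provider. All hosts below are constructed samples.

// Assumption: the user pinned their real provider's origin once, out of band.
const PINNED_PROVIDER = "https://openid.example.com";

function checkProviderRedirect(pinned, redirectUrl) {
  const reasons = [];
  let target;
  try {
    target = new URL(redirectUrl);
  } catch (e) {
    return { safe: false, reasons: ["unparseable URL"] };
  }
  const expected = new URL(pinned);

  // A password form served over plain HTTP can be altered or read in transit.
  if (target.protocol !== "https:") reasons.push("not HTTPS");

  // "https://openid.example.com@evil.test/" puts the trusted name in the
  // userinfo part; the host actually contacted is evil.test.
  if (target.username || target.password) reasons.push("userinfo in URL");

  // Compare the full origin (scheme + host + port), never a substring:
  // "openid.example.com.evil.test" contains the pinned name but is not it.
  if (target.origin !== expected.origin) {
    reasons.push(`origin ${target.origin} is not pinned ${expected.origin}`);
  }
  return { safe: reasons.length === 0, reasons };
}

// Constructed redirect targets a relying party might send the browser to.
const samples = [
  "https://openid.example.com/login?return_to=https%3A%2F%2Frp.test%2F",
  "https://openid.example.com.evil.test/login",
  "https://openid.example.com@evil.test/login",
  "http://openid.example.com/login",
];
for (const url of samples) {
  const r = checkProviderRedirect(PINNED_PROVIDER, url);
  console.log(r.safe ? "OK   " : "BLOCK", url, r.reasons.join("; "));
}
```

A check like this only helps when it runs outside the page being checked, which is why the article's point about client-side tokens replacing the password still stands.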
3. What’s in it for Microsoft
Microsoft CardSpace is a well thought out technology that addresses the needs of both enterprise and individual users, by putting the power of managing multiple identities in the hands of users. The integration with OpenID enables Microsoft to get some early customers and potential buzz, in addition to a lot of good PR and some community cred.
4. Web vs Desktop debate revisited
Another angle to evaluate here is the old desktop vs Web OS debate. Microsoft CardSpace is tied to a Windows desktop, whereas OpenID enables users to have more portable web-based identities. By tying Microsoft CardSpace with OpenID, Microsoft is trying to participate in the emerging WebOS [Ed: or 'Web as OS' is perhaps a better term for it].
And by using a desktop-based solution, the open source OpenID community is at least temporarily accepting the benefits of a desktop-based solution - to solve the chronic phishing and authentication problems pervasive in the Web OS.
5. How will it look 18 months down the line?
At the heart of it, Microsoft CardSpace could provide the same functionality as OpenID. In fact, some of the Microsoft literature even talks about the issues with managing multiple usernames and passwords, and how CardSpace can alleviate these issues. So potentially one of the calculations for Microsoft could be that once users start using CardSpace to log into their OpenID provider, they might decide that they like it better than OpenID.
On the other hand, the open source community will probably start looking at better ways to address the authentication issues of OpenID, via some combination of browser improvements and a central authority for establishing trust. In fact, OpenID integration is already a priority for Firefox 3.
Overall, this high-profile announcement marks the importance of single sign-on identity technology to the future of the Internet. Let’s see how things evolve in the next few months in this exciting arena.