Written by Jitendra Gupta of Karmaweb
and edited by Richard MacManus
Bill Gates of Microsoft just
announced a deal with Jan Rain, VeriSign and Sxip to develop integration between Microsoft CardSpace
and the open source project, OpenID. This is an
interesting deal between the software giant in Redmond and a popular open source project,
which deservers a closer look. For those already familiar with OpenID and Microsoft, jump
directly to the takeaway section. For others, the next two sections will provide you with
a quick introduction to two new technologies that will likely have a significant impact
on the future of Internet.
What is OpenID
OpenID is an open, decentralized, free framework for user-centric digital identity. It
is aimed at solving the problem of Web single sign-on. How does the problem of web single
sign-on affect you? Well, if you struggle with keeping track of different usernames and
passwords at different websites where you have an account, OpenID can help you. With
OpenID you will be assigned a standard username (typically a URL or an i-name, similar to
an email address) that you can use on all sites that support OpenID.
To get started using an OpenID, get one at myopenid. Once you have an OpenID, you can use
it at a number of sites. For example, try your new OpenID at Zoomr.
Microsoft CardSpace
Windows CardSpace is an authentication product, embedded in Vista (also available for
XP via a service pack), which puts the power of managing multiple identities in the hands
of the user – via an easy to use UI and an underlying technology that supports a number
of web and enterprise authentication standards. It is an authentication technology
because it uses cryptography and a tight integration with the Windows platform, to
securely deliver various verifiable claims for the user. The UI of Microsoft CardSpace
tries to mimic – online for digital identities – the use of business cards, credit cards
and membership cards.
CardSpace
Key takeaways
1. The announcement
For a high profile Bill Gates announcement, the follow up plan seems pretty skimpy on
the details of work to be done. All it seems to commit Microsoft to doing is to help out
the open source community, as most of the work needed here will be done on the OpenID
side of things. Microsoft, for its part, seems to be committing to “support OpenID
in future Identity server products” – which doesn’t really mean much.
2. What’s in it for OpenID
The OpenID specification is simple and light, which accounts for its recent
popularity. As such, the OpenID 2.0 specification does not specify any authentication or
multiple identity management capabilities.
This deal provides the OpenID community with another authentication vendor that makes
enterprise adoption a possibility.
Also, one of the downsides with the flexibility provided by OpenID, is that it opens
up the user to some potential phishing attacks. The most worrisome scenario here is when
an evil site posing as a service provider, redirects users to a fake site to enter their
OpenID password. With the user entered password, the evil party can pose as the user at
any number of sites that use OpenID. See more details on this issue at Kim
Cameron’s blog. This is a pretty
big security threat that the OpenID community has been grappling with for some time. They
have developed some interesting solutions, like browser plug-ins and customized login
pages at OpenID provider sites – to make it hard for evil parties to pose as a real site
– but a reliable solution has not emerged. Microsoft CardSpace with its vast reach (it is
integrated with Microsoft Vista and is also available for XP via a patch) provides a
reliable and effective way for users to authenticate with the OpenID provider, without
needing a password that can be phished. The CardSpace based authentication is based on
Windows client generated tokens that cannot be fabricated or reused. So this integration
with Microsoft CardSpace ensures that the OpenID community can eliminate a major barrier
to even wider adoption.
3. What’s in it for Microsoft
Microsoft CardSpace is a well thought out technology that addresses the needs of both
enterprise and individual users, by putting the power of managing multiple identities in
the hands of users. The integration with OpenID enables Microsoft to get some early
customers and potential buzz, in addition to a lot of good PR and some community
cred.
4. Web vs Desktop debate revisited
Another angle to evaluate here is the old desktop vs Web OS debate. Microsoft
CardSpace is tied to a Windows desktop, whereas OpenID enables users to have more
portable web based identities. By tying Microsoft CardSpace with OpenID, Microsoft is
trying to participate in the emerging WebOS [Ed: or ‘Web as OS’ is perhaps a better
term for it].
And by using a desktop based solution, the open source OpenID community is at least
temporarily accepting the benefits of a desktop based solution – to solve the chronic
phishing and authentication problems pervasive in the Web OS.
5. How will it look 18 months down the line?
At the heart of it, Microsoft CardSpace could provide the same functionality as
OpenID. In fact, some of the Microsoft literature even talks about the issues with
managing multiple usernames and passwords; and how CardSpace can alleviate these issues.
So potentially one of the calculations for Microsoft could be that once users start using
CardSpace to log into their OpenID provider, they might decide that they like it better
then OpenID.
On the other hand, the open source community will probably start looking at better
ways to address the authentication issues of OpenID, via some combination of browser
improvements and a central authority for establishing trust. In fact, OpenID integration
is already a priority for Firefox 3.
Overall, this high profile announcement marks the importance of single sign on
identity technology to the future of the Internet. Let’s see how things evolve in
the next few months in this exciting arena.
