We’re excited to share news about the next version of CardSpace with you. In this post we’ll discuss the feedback customers shared with us about the first version, the goals we’re working towards, and the work-in-progress beta that you can download and try out today.

First and foremost, we’re proud that CardSpace is no longer an only child! We’ve announced two new siblings: Geneva Server for IT Pros and Geneva Framework for .NET developers. Both can help you deploy CardSpace for user access, or can implement claims-based access without CardSpace. It’s your choice to tailor how the pieces work together for your needs. All three are available to download from Microsoft Connect.

The CardSpace “Geneva” beta available today responds to feedback we’ve received about the first version’s download size and user experience. This early version of CardSpace is a brand new code base, and we are still early in the development cycle. While it is far from feature-complete today, we wanted to get it out to you now so you can understand the direction we’re going with CardSpace and have an opportunity to give us feedback.

When less is more

Quite logically, users who didn’t have CardSpace installed on their system wanted the download to be as small as possible. With that goal in mind, the current beta has been refactored into a download that’s as small as 6MB for x86 systems, compared to the more than 50MB required for the original CardSpace. The final version of CardSpace “Geneva” will work with the .NET Framework, but thanks to this refactoring, CardSpace “Geneva” can now be downloaded separately and no longer depends on the .NET Framework.

We heard from web developers and users about the CardSpace user experience. The Information Card metaphor is powerful and resonates with anyone who has too many passwords or who understands the benefits of claims-based identity. At the same time though, both users and web developers told us that Information Cards should be a means to an end and not a distraction from the user’s original task.

In this beta, CardSpace “Geneva” takes on a minimalist form. Users now have a small, fast and straightforward prompt to choose their Information Card. Some users may recognize the prompt as the standard Windows Credential UI, and based on results from our usability studies, users will understand the context of the prompt at a glance. If the user decides to use an Information Card, sign-in and claims presentation can be as simple as a single click. As you might expect, users still have the ability to review the claims from their card issuer before they release them. New in this version, the prompt also offers a “use this card automatically” option to bypass the prompt on future visits to the same site.

When users return to a site where they have already used a card, web sites can display the new CardSpace “CardTile” to show the image of the last card used, directly in the site layout. CardSpace doesn’t give out the image to the site; it simply shows the card image on behalf of the site as a visual cue that lets the user know they’re returning to a site where they’ve used a card before.

CardSpace “Geneva” still releases digitally signed security tokens to web sites. If a phishing site lured a user into accidentally using a card and submitting a token, that token would not be “redeemable” at any other site and is therefore not useful for impersonating the user. Also, in the same way that offline card issuers can protect against fraud, Information Card issuers can help detect malicious use of a card and notify users before they interact with a known dangerous site.
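
The property described above, that a token tricked out of a user by one site cannot be redeemed at another, comes down to the issuer binding each signed token to the site that requested it, and the relying party refusing anything addressed elsewhere. The following is an added Python example, not CardSpace or Geneva code: it models a simplified issuer and relying party, uses an HMAC in place of the issuer’s certificate signature, and every key, URL and claim value in it is constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the issuer and the relying party. It stands in for the
# issuer's signing certificate; the point is the audience check, not the signature algorithm.
ISSUER_KEY = b"demo-issuer-key-not-for-production"
ISSUER = "https://idp.example.test"          # constructed identity provider URL


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, audience: str, lifetime: int = 300, now=None) -> str:
    """Issuer side: sign the claims and bind them to the one site that asked for them."""
    now = int(time.time() if now is None else now)
    payload = {
        "iss": ISSUER,
        "aud": audience,        # the site the user was signing in to when the card was chosen
        "iat": now,
        "exp": now + lifetime,
        "claims": claims,
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, my_site: str, now=None) -> tuple:
    """Relying-party side: accept a token only if it is intact, unexpired and issued for my_site.

    Returns (accepted, reason). A token lured out of the user by another site fails the
    audience check even though its signature is perfectly valid.
    """
    now = int(time.time() if now is None else now)
    try:
        body, sig = token.split(".")
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad signature"
        payload = json.loads(_unb64(body))
    except ValueError:
        return False, "malformed token"
    if payload.get("iss") != ISSUER:
        return False, "unknown issuer"
    if payload.get("aud") != my_site:
        return False, f"audience mismatch: token was issued for {payload.get('aud')}"
    if now >= payload.get("exp", 0):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: the user is lured to a look-alike site and releases a card there.
    phishing_site = "https://bank-login.example.test"
    real_bank = "https://bank.example.test"
    token = issue_token({"email": "alice@example.test"}, audience=phishing_site)
    print("phishing site, its own token:", verify_token(token, phishing_site))
    print("real bank, replayed token:   ", verify_token(token, real_bank))
```

The order of checks matters: the signature is verified before the payload is parsed, so a tampered body never reaches the JSON decoder, and the audience comparison is exact rather than a prefix or substring match, so a look-alike host name does not pass.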

What we think about the road ahead

It’s important to point out that the final version will include much of the functionality from the previous version that is missing from our current beta. Please hang tight while we work on our next update!

CardSpace v1 always ran on top of a “private desktop” that darkened the screen to help focus the user’s attention, similar to the security experiences in Windows Vista. We heard clear feedback that when signing into a website, the darkened screen could be too distracting. CardSpace “Geneva” does not use the “private desktop”, but in the next beta we plan to provide the option to run CardSpace on the Windows “secure desktop” for the high-security scenarios where users or card providers deem it necessary.

Much of the plumbing needed to support existing cards isn’t available yet in this beta, including the code to import and export cards from .crds files and support for personal (self-issued) cards. When included, self-issued cards will offer privacy-conscious users or developers the ability to use their own cards rather than downloading cards from a provider. We think of these as analogous to a business card, serving as an excellent introduction, but offering no third-party verification of your identity.

Card issuers can enable retrieving the information that CardSpace needs to use a card either via the WS-MetadataExchange protocol or via HTTP GET over HTTPS. This beta only supports retrieving this information via HTTP GET. We will look into supporting WS-MetadataExchange for the next public release. This release continues to support the standard version of WS-Trust (version 1.3) for its interactions with an Identity Provider. This beta will not import the cards you may currently have installed with CardSpace v1; you will have to download and install those cards again to work with this beta.

We have not yet implemented support for the “PIN” codes a user could add to their cards in CardSpace v1. We also deferred validating SSL certificates against the Windows certificate store, with the expectation that developers experimenting with this beta might use test SSL certificates.
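
Deferring certificate validation is a reasonable shortcut for a beta, but it is exactly the setting that must not survive into production, because without it a client fetching card or issuer information over HTTPS cannot tell a real issuer from an impostor. As an added Python example (not CardSpace or Geneva code), here is one way such a client can keep strict validation as the default and confine the test-certificate mode to reserved test host names; the host-name allow-list and the URLs are assumptions constructed for the example.

```python
import ssl
from urllib.parse import urlparse

# Hosts for which a developer may opt into test certificates. ".test" and ".localhost"
# are reserved for testing (RFC 2606 / RFC 6761); the list itself is an assumption made
# for this example, not a CardSpace setting.
TEST_HOST_SUFFIXES = (".test", ".localhost")
TEST_HOSTS = ("localhost", "127.0.0.1", "::1")


def is_test_host(host: str) -> bool:
    """True for host names reserved for local or test use only."""
    host = host.lower().rstrip(".")
    return host in TEST_HOSTS or host.endswith(TEST_HOST_SUFFIXES)


def tls_context_for(url: str, allow_test_certs: bool = False) -> ssl.SSLContext:
    """Return the client TLS context to use when fetching card or issuer metadata from url.

    Default: ssl.create_default_context() verifies the server chain against the platform
    trust store and checks the host name, i.e. the validation the beta currently skips.
    Test mode: honoured only for reserved test hosts, so the weak setting cannot be pointed
    at a real issuer by mistake (a leftover dev flag raises instead of silently weakening TLS).
    """
    host = urlparse(url).hostname or ""
    ctx = ssl.create_default_context()
    if allow_test_certs:
        if not is_test_host(host):
            raise ValueError(f"refusing to disable certificate validation for {host!r}")
        # check_hostname must be cleared before verify_mode can be relaxed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validates_server(ctx: ssl.SSLContext) -> bool:
    """True when the context rejects untrusted chains and mismatched host names."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    # Constructed URLs: a local test issuer and a production issuer.
    print(validates_server(tls_context_for("https://localhost:8443/cards/demo.crds", True)))
    print(validates_server(tls_context_for("https://idp.example.com/cards/demo.crds")))
```

The guard turns the "forgot to turn validation back on" failure mode into a loud error at startup rather than a silent downgrade, which is the behaviour you want once test certificates are no longer in play.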

Finally, we heard feedback that Relying Parties need more flexibility to choose what type of cards they can accept, such as being able to specify a list of issuers. We’re investigating how we can incorporate that flexibility, amongst many other important features not mentioned here, into a future update.

Tell us what you think!

Thanks,

Rob Franco, Mike Jones, Tariq Sharif, and Anand Sivaramakichenane for the Geneva Team