The Problem

Users are confronted with a few problems when dealing with electronic identities:

  • Inconsistent, proprietary identification mechanisms. Some sites require a username and password, others an email address and password, others an additional security code, and so on.
  • “Password fatigue”. The number of credentials an average user has to remember keeps growing, and with it the “management issues”: how many times have you forgotten your login information?
  • Security. Phishing and fraud attacks that aim to steal identities for malicious purposes have been growing constantly. You can find the latest statistics at http://www.antiphishing.org


All of these are negative aspects that make the internet a less pleasant, and less safe, place to be.


The Solution

Windows CardSpace aims to solve these issues by letting users present their digital identities in a familiar, secure and easy way. In the real world we carry business cards, credit cards, membership cards, and so on; online we should have the same possibilities. CardSpace offers the ability to use a variety of virtual cards to identify ourselves securely, without struggling with usernames and passwords.


The Basics

CardSpace-enabled sites (also called Relying Parties) ask users who want to access them to deliver a security token carrying the claims they need. In a Microsoft Windows environment (other vendors are preparing similar solutions), Internet Explorer 7 recognizes that the site is requesting a CardSpace Info(rmation) Card and kicks off the Identity Selector. The Identity Selector is a kind of portfolio for these cards; it runs on a separate, isolated desktop, so other applications in the user's session cannot read or manipulate it. When it opens, it highlights the cards that can supply the claims the site requested. The only operation the user has to perform is to select one of the highlighted cards and send it to the relying party; CardSpace obtains the security token for that card, the browser posts it to the site, and the authentication is complete.


More Secure

Info Cards are more secure than sending usernames and passwords over the net, even over SSL. The security token is hardened against tampering, spoofing and replay: it is signed by its issuer, carries a time stamp that limits how long it is valid, is restricted to the relying party it was requested for, and is encrypted to that relying party's certificate before it goes over the wire. A phishing site that captures a token therefore cannot read it, alter it or replay it against the real site. In addition, the Identity Selector shows the user the relying party's certificate before any card is released, so the decision about whom to trust is taken on the secure desktop rather than on a page the attacker controls.
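To make the flow described in The Basics and the checks described above concrete, here is an added example (not code from the original post, and not Microsoft's implementation) of the two things a relying party has to do: render the HTML that makes the browser invoke the Identity Selector with the claims it needs, and validate the token that comes back. The site URL, the sample assertion and the claim values are constructed for the example; the claim URIs, the `application/x-informationCard` object tag and the SAML 1.1 assertion layout are the ones CardSpace uses. Decrypting the token with the site's SSL private key and verifying the issuer's XML signature are assumed to have been done beforehand by an XML security library; this block shows the checks that enforce the time stamp and the binding to the relying party.

```python
"""Relying-party side of a CardSpace login: request a card, then check the token
the browser posts back.  Example code, not part of the original post."""
from datetime import datetime, timedelta
from html import escape
from xml.etree import ElementTree as ET

# URIs defined by the CardSpace identity profile.
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # token type of CardSpace SAML 1.1 tokens
RP_URL = "https://news.example.org/"                 # constructed relying-party identity


def claim(name):
    """Full claim URI for a short claim name, e.g. 'givenname'."""
    return f"{CLAIMS_NS}/{name}"


def login_form(required, optional=(), issuer=SELF_ISSUER, action="/login"):
    """HTML the relying party embeds: the <object> tag makes IE7 open the Identity
    Selector, which posts the (encrypted) token back in the 'xmlToken' field."""
    params = [("tokenType", SAML_NS), ("issuer", issuer),
              ("requiredClaims", " ".join(claim(c) for c in required))]
    if optional:
        params.append(("optionalClaims", " ".join(claim(c) for c in optional)))
    param_tags = "\n".join(
        f'  <param name="{n}" value="{escape(v, quote=True)}" />' for n, v in params)
    return (f'<form method="post" action="{escape(action, quote=True)}">\n'
            '<object type="application/x-informationCard" name="xmlToken">\n'
            f'{param_tags}\n</object>\n<input type="submit" value="Log in" />\n</form>')


class TokenRejected(Exception):
    """Raised when the posted token must not be accepted."""


def parse_saml_time(text):
    """SAML timestamps are UTC, e.g. 2006-04-01T10:00:00Z (fractions are dropped)."""
    return datetime.strptime(text.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")


def validate_assertion(xml_text, audience, now, required=(), max_skew=timedelta(minutes=2)):
    """Checks the assertion's time window and audience and returns (issuer, claims).
    Assumes the WS-Security envelope was already decrypted and the XML signature
    verified; both need an XML security library and are not shown here."""
    if isinstance(now, str):
        now = parse_saml_time(now)
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML_NS}
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise TokenRejected("not a SAML 1.x assertion")
    cond = root.find("saml:Conditions", ns)
    if cond is None:
        raise TokenRejected("assertion has no Conditions, hence no time stamp")
    # Time stamp: the token is only good inside [NotBefore, NotOnOrAfter).
    if now + max_skew < parse_saml_time(cond.get("NotBefore")):
        raise TokenRejected("token not yet valid")
    if now - max_skew >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise TokenRejected("token expired (possible replay)")
    # Audience: a token obtained by a phishing site names that site, not us.
    audiences = [a.text for a in cond.findall(
        "saml:AudienceRestrictionCondition/saml:Audience", ns)]
    if audience not in audiences:
        raise TokenRejected(f"token was issued for {audiences}, not for {audience}")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        uri = f"{attr.get('AttributeNamespace')}/{attr.get('AttributeName')}"
        claims[uri] = attr.findtext("saml:AttributeValue", default="", namespaces=ns)
    missing = [claim(c) for c in required if claim(c) not in claims]
    if missing:
        raise TokenRejected(f"required claims missing: {missing}")
    return root.get("Issuer"), claims


# Constructed self-issued token as it looks after decryption (signature omitted).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
  AssertionID="uuid-1f2e3d4c-example" Issuer="{SELF_ISSUER}" IssueInstant="2006-04-01T10:00:00Z">
  <saml:Conditions NotBefore="2006-04-01T10:00:00Z" NotOnOrAfter="2006-04-01T10:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>{RP_URL}</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>alice@example.net</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def demo():
    """Accept a fresh token for us; reject the same token replayed late or to another site."""
    results = {"fresh": validate_assertion(SAMPLE_ASSERTION, RP_URL, "2006-04-01T10:01:00Z",
                                           required=["givenname", "emailaddress"])[1]}
    for label, aud, when in [("expired", RP_URL, "2006-04-01T10:09:00Z"),
                             ("wrong_site", "https://phish.example.com/", "2006-04-01T10:01:00Z")]:
        try:
            validate_assertion(SAMPLE_ASSERTION, aud, when)
            results[label] = "accepted"
        except TokenRejected as err:
            results[label] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    print(login_form(["givenname", "emailaddress"], optional=["privatepersonalidentifier"]))
    print(demo())
```

The audience check is the one that defeats the classic phishing scenario: a token the user released to a look-alike site is bound to that site's identity and is rejected by the real one even if the attacker manages to relay it.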


Self-Issued Cards, Managed Cards, and Identity Providers

Self-Issued Cards are Info Cards that are defined by the user and stored locally within his/her Identity Selector. They are very useful in situations where no third party has to vouch for the information they contain. If I am a member of a service that delivers personalized newsletters based on the preferences stored in my profile, a self-issued card is a more than adequate way to access that profile.

However, if I want to access my tax declaration, a self-issued card is definitely not secure enough. The tax department needs to be sure that the person requesting my tax declaration is really me. That assurance can only come from a third party (the Identity Provider) that we both trust and that guarantees that I am me. This is exactly what happens in the real world: my government issues my passport, and when I try to enter a bar in the US, the gentleman at the door trusts my government and the date of birth it stamped on the passport.

Exactly the same can be done with Managed Cards. Identity Providers such as governments, but also credit card companies, insurers, banks and so on, will issue their own Info Cards. Some of them will be accepted by several Relying Parties: if I have an Info Card issued by my government, I am quite sure that I could use it to authenticate against several sites. The same applies to an Info Card issued by a credit card company: every time I need to pay for my online shopping, I could use that card to prove my identity and, through the Identity Provider, to vouch that I am a reliable customer.

Other companies, such as insurers or supermarkets, may want to issue their own cards and act as Identity Providers, so that they manage their customers' identities with exactly the claims they really need. This way, I may end up with an Info Card issued by my insurer to access my patient record and one or more supermarket Info Cards.


Managed Cards

The contents (claims) of a Managed Card are stored at the Identity Provider, not in the card itself; the card only tells the Identity Selector which provider to contact and which claims that provider can supply. If I am asked to submit my passport card to the Liquor Delivery Service, CardSpace asks the appropriate Identity Provider (my government) to issue a security token scoped to that Relying Party, and then forwards the token to it (the Liquor Delivery Service).

All this happens in a secure way and is based on open WS-* standards, namely WS-SecurityPolicy, WS-MetadataExchange, WS-Trust and WS-Security, which makes it an open technology that any potential Identity Provider or Relying Party can implement.
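Here is an added example (not part of the original post, and not Microsoft's implementation) of the WS-Trust exchange behind the two paragraphs above: the selector's RequestSecurityToken naming the Relying Party and the claims it asked for, and the Identity Provider's RequestSecurityTokenResponse carrying a SAML 1.1 token that holds only those claims, time-stamped and audience-restricted to that site. The provider URL, the card and its claim values are constructed; the namespace URIs are those of WS-Trust 1.2, WS-Policy, WS-Addressing and the CardSpace identity profile. Signing the token and encrypting it for the relying party, which a real provider does, are omitted.

```python
"""Managed-card issuance: the Identity Selector asks the Identity Provider's
security token service for a token scoped to one Relying Party (WS-Trust Issue)
and the provider answers with the token.  Example code, not part of the post."""
import uuid
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET

WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"       # WS-Trust 1.2
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"      # WS-Policy (AppliesTo)
WSA = "http://www.w3.org/2005/08/addressing"              # WS-Addressing
IC = "http://schemas.xmlsoap.org/ws/2005/05/identity"     # CardSpace identity profile
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ISSUE = f"{WST}/Issue"
NS = {"wst": WST, "wsp": WSP, "wsa": WSA, "ic": IC, "saml": SAML}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def saml_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_rst(relying_party, claim_uris):
    """Selector -> provider: RequestSecurityToken naming the site the token is for
    and the claims that site asked for (no more than that)."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = relying_party
    claims = ET.SubElement(rst, f"{{{IC}}}Claims")
    for uri in claim_uris:
        ET.SubElement(claims, f"{{{IC}}}ClaimType", Uri=uri)
    return ET.tostring(rst, encoding="unicode")


class IdentityProvider:
    """Toy security token service.  The claim values live here; the managed card on
    the user's machine only points at this service.  A real provider also signs the
    assertion and encrypts it for the relying party; that is omitted."""

    def __init__(self, name, cards):
        self.name = name        # issuer URI placed in the token
        self.cards = cards      # {card_id: {claim_uri: value}}, constructed data

    def issue(self, rst_xml, card_id, now, lifetime=timedelta(minutes=5)):
        """Provider -> selector: RequestSecurityTokenResponse carrying the token."""
        if isinstance(now, str):
            now = datetime.strptime(now, "%Y-%m-%dT%H:%M:%SZ")
        rst = ET.fromstring(rst_xml)
        if rst.findtext("wst:RequestType", namespaces=NS) != ISSUE:
            raise ValueError("only Issue requests are supported")
        audience = rst.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS)
        if not audience:
            raise ValueError("refusing to issue a token not bound to a relying party")
        requested = [c.get("Uri") for c in rst.findall("ic:Claims/ic:ClaimType", NS)]
        record = self.cards[card_id]
        missing = [u for u in requested if u not in record]
        if missing:
            raise ValueError(f"this provider cannot assert {missing}")
        rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
        ET.SubElement(rstr, f"{{{WST}}}TokenType").text = SAML
        holder = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
        assertion = ET.SubElement(holder, f"{{{SAML}}}Assertion", MajorVersion="1", MinorVersion="1",
                                  AssertionID=f"uuid-{uuid.uuid4()}", Issuer=self.name,
                                  IssueInstant=saml_time(now))
        # Time stamp and audience: short-lived, and only meaningful to the site in AppliesTo.
        cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions",
                             NotBefore=saml_time(now), NotOnOrAfter=saml_time(now + lifetime))
        arc = ET.SubElement(cond, f"{{{SAML}}}AudienceRestrictionCondition")
        ET.SubElement(arc, f"{{{SAML}}}Audience").text = audience
        stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
        subj = ET.SubElement(ET.SubElement(stmt, f"{{{SAML}}}Subject"), f"{{{SAML}}}SubjectConfirmation")
        ET.SubElement(subj, f"{{{SAML}}}ConfirmationMethod").text = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
        for uri in requested:   # only what was asked for, nothing else from the record
            namespace, name = uri.rsplit("/", 1)
            attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", AttributeName=name, AttributeNamespace=namespace)
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = record[uri]
        return ET.tostring(rstr, encoding="unicode")


def token_summary(rstr_xml):
    """(issuer, audience, {claim_uri: value}) of the token inside a response."""
    a = ET.fromstring(rstr_xml).find("wst:RequestedSecurityToken/saml:Assertion", NS)
    audience = a.findtext("saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", namespaces=NS)
    claims = {f"{x.get('AttributeNamespace')}/{x.get('AttributeName')}": x.findtext("saml:AttributeValue", namespaces=NS)
              for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return a.get("Issuer"), audience, claims


# Constructed data: a government provider holding one citizen's passport claims.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
GOVERNMENT = IdentityProvider("https://passport.gov.example/sts", {
    "passport-card-1": {f"{CLAIMS}/givenname": "Alice", f"{CLAIMS}/surname": "Example",
                        f"{CLAIMS}/dateofbirth": "1975-06-30", f"{CLAIMS}/country": "NL"}})


def liquor_delivery_login():
    """The Liquor Delivery Service only needs the date of birth, so that is all it gets."""
    rst = build_rst("https://liquor-delivery.example.com/", [f"{CLAIMS}/dateofbirth"])
    return token_summary(GOVERNMENT.issue(rst, "passport-card-1", "2006-04-01T10:00:00Z"))
```

Two design points are worth noticing: the provider refuses to mint a token that is not bound to a relying party, and it releases only the claims named in the request even though it holds more, which is the data-minimization property that makes a government-issued card usable at a liquor shop without handing the shop the whole passport.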


A few good references

To deepen your knowledge of the CardSpace concepts, I suggest starting from an article written by David Chappell (Chappell & Associates) in April 2006 on MSDN: Introducing Windows CardSpace.


Otherwise, you will find plenty of information under:

CardSpace Homepage on .NET Framework 3.0

CardSpace on MSDN

The Identity Blog

The Laws of Identity