Welcome to The Metaverse

I'm using it at one web site so far (my blog).

I'm not using it at other web sites yet because I would either have to buy another SSL certificate (too expensive for personal / user group web sites) or use my blogs domain for the login page.

The SSL requirement is probably the biggest reason that CardSpace is not used for non commercial web sites. Depending on what type of web hosting you have, the SSL certificate is usually more expensive than the web site hosting. Non commercial web sites will use OpenID instead (less secure, but security is not that important if all you can do after signing in is leaving a comment in a blog or something like that).

Mathias

I haven't seen it used though I do want to try it as a client. Microsoft's sites aren't using it yet from what I can tell.

I started down the CardSpace / federated identity route, but there's just too much you've got to do yourself to get CardSpace, username/password, and Windows identity all working together for a single service or set of services, especially when you want to be able to log in with any of these authentication mechanisms from either a smart client or a web client.  I wanted to roll my own STS, but it's a pain to piece it all together, and there aren't full-featured samples for the latest bits.

So my request would be to provide a well-documented open/shared-source STS implementation under a very permissive license (and keep it current with the latest bits), and provide guidance on using CardSpace with cached STS tokens for occasionally connected smart clients (queued async messaging).

Richard, $18 is nothing for a commercial project. However, for a private web site, blogs, or for projects I do in my spare time (like my .net user group web site), it's simply too much. For such a project, $18 is more than the web hosting costs.

Even if you were willing to spend these $18, it would be very hard or impossible to use CardSpace with the shared hosting providers that such sites normally use. They either don't offer SSL at all, or they charge extra $ for enabeling ssl, which makes it even more expensive. And how do allow your asp .net account to read the private key of the certificate if all you have is ftp access to your web site? So yes, SSL certs are a very big barrier for non commercial projects.

The internet does not consits only of big commercial sites like ebay, amazon, or this other search engine with the colored letters ;). Most of the web sites I use daily when I'm online are blogs and projects that people do in their spare time without earning any money for it. Such sites will simply continue to use usernames + passwords or they will use openid.

I really love CardSpace (hey, I'm even writing a book about it, which will be published in December in Germany :) ), but the SSL requirement in v1 is a really big problem. It should be possible to use CardSpace without spending any extra money and without any extra requirements for the web space I use (like being able to grant access to my ssl certificates private key, for example).

I think the avarage user doesn't think about such things.

For CardSpace, I think encryption would still be possible without ssl certificates. You would just need an additional parameter for the object tag that contains the sites public key.

That encryption requires ssl certificates is a general problem, not one only related to CardSpace. SSL certificates = encryption + verifying someones identity. Encryption is free, verifying someones identity costs money. However, you can only get both toegther, and not encryption only, so encryption always requires money.

The internet could be safer if there was a way to get encryption for free (without red address bars and warnings because a web site uses self signed certificates).

-Loading the CardSpace window takes several seconds.

-Normal login/password authentication is more straightforward; the normal user can know intuitively that to maintain an identity, they need a name and a way to prove their claim. It's as easy to understand as "open sesame".

-When you create a card it gives you a whole bunch of fields, and it's hard to tell which ones you need to fill in and which ones you don't.

-When you log in, you're presented with a whole bunch of cards; finding the right one to log in to each site is a pain, often moreso than just memorizing your username and password.

-Not many people have .NET 3.0 yet.

-Too clunky in the way it looks and behaves, especially with the UAC-ish blackout. It's really disruptive particularly on Windows XP.

-Not much documentation other than the sample applications and a few articles that you can find on Google, most of which are only introductory.

All in all, the biggest thing is that the UI needs a cleanup. It needs to be more wizard-ish. More of the Windows Neptune inspirations. It needs to look fun (not in a toyish way) and cool to use, as dumb as that may sound.

Lastly, it needs to be marketed BETTER, not MORE.

The big thing that hold me back when considering cardspace as a viable authentication method is who is issuing the cards?

I have heard talk of big companies like Visa, Mastercard, Amazon, etc being good candidates for being trusted issuers of cards, but that has been only speculation as far as I can tell.

So if I am going to go through the effort of using cardspaces on a site, are all the cards just going to be self issued?  If so, does that really increase security?

To me I think one of the biggest problems is portability.  What happens when my customer uses CardSpace - and then wants to sign-in from another machine? (this is for self-issued tokens of course)

Now I have to support a backup authentication mechanism?

What happens when a user's machine dies and they lose all their self-issued tokens?

+1 to Jon. This is question #1 i get when i speak about CardSpace at conferences or to customers. We need mobile STSes.

As described here:

http://www.leastprivilege.com/InfoCardsAndIdentityStability.aspx

People planning to use CardSpace have to put more thought into SSL cert selection. It is not sufficient to choose the cheapest SSL cert around. If the CA goes down - all users are lost.

This was indeed a problem when i tried to implement CardSpace at a customer site (well - it became one after i told the IS staff about this).

re: Mathias

Yeah it would be a cheapo workaround to simply supply some public key (and may work for low security sites) - but CardSpace is about Identity. And before i sent anything sensitive to a website, i want to know about the application identity (or does it makes sense to send and encrypted "attack at dawn" message to your enemy?)

But even if the site does not use SSL, how do you want to roundtrip the identity identifier after the login (think FormsAuthentication)?? Again this may not be an issue for low security sites - but if you care about the integrity and confidentialiy of the authentication data and/or other data that is exposed by your site - you need SSL anyway.

my 2c

Dominick: Not every site needs high security. Many of the web sites I usually log into are low security sites like forums and blogs. This blog is a good example for such a site. The worst thing that could happen if my identity for this site was stolen is that somebody who claims to be me writes something stupid.

People who want to protect such low security sites cannot offer any safe authentication method today, because ssl certificates are usually too expensive for such sites. So they use username + password without encryption. That is a security risk that could be avoided if CardSpace could be used without ssl. Even if CardSpace would not use any encryption at all, it would still be more secure than what such sites use today (username + password, probably the same password as for many other web sites), because if somebody steals the security token it can only be used for this single web site, and not for any other web sites.

In my last post , I asked you to share your thoughts on what is stopping you adding support for Windows

We were all hyped up to put Card Space in a new  site, if it worked well, we would slowly migrate it to our other sites (65 million hits per month total for all sites). The ONLY reason we stopped development; No Fire Fox Support.

Stop shooting your self in the foot Microsoft...No commercial site will restrict what a user may or may not use to view the site.  If we restrict users to only use IE, we will lose business and that is not going to happen.

There is an identity selector plugin for Firefox

http://perpetual-motion.com/

dominick

Financial and Banking I work with a bunch of people that used to work in Collateral at ABN Amro, so it

Financial and Banking I work with a bunch of people that used to work in Collateral at ABN Amro, so it was interesting to see Mike's news that ABN Amro agreed Monday to be acquired by Barclays of Britain for 67 billion euros (nearly $91 billion), creating