<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx</link><description>Dear Reader: I'm interested in your thoughts and opinions on the following question: If you ask users to sign-in, what's stopping you adding support for Windows CardSpace to your site? Is it that you don't understand what CardSpace is and what it offers?</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2207669</link><pubDate>Fri, 20 Apr 2007 17:17:56 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2207669</guid><dc:creator>MathiasR</dc:creator><description>&lt;p&gt;I'm using it at one web site so far (my blog).&lt;/p&gt;
&lt;p&gt;I'm not using it at other web sites yet because I would either have to buy another SSL certificate (too expensive for personal / user group web sites) or use my blog's domain for the login page.&lt;/p&gt;
&lt;p&gt;The SSL requirement is probably the biggest reason that CardSpace is not used for non-commercial web sites. Depending on what type of web hosting you have, the SSL certificate is usually more expensive than the web site hosting. Non-commercial web sites will use OpenID instead (less secure, but security is not that important if all you can do after signing in is leaving a comment in a blog or something like that).&lt;/p&gt;
&lt;p&gt;Mathias&lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2208672</link><pubDate>Fri, 20 Apr 2007 19:04:37 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2208672</guid><dc:creator>brantgurga</dc:creator><description>&lt;p&gt;I haven't seen it used though I do want to try it as a client. Microsoft's sites aren't using it yet from what I can tell.&lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2211437</link><pubDate>Fri, 20 Apr 2007 23:20:27 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2211437</guid><dc:creator>richardt</dc:creator><description>&lt;p&gt;Interesting ... I keep hearing about the claim that &amp;quot;SSL certs are too expensive&amp;quot;, but at $18 per year (&lt;a rel="nofollow" target="_new" href="https://www.godaddy.com/gdshop/ssl"&gt;https://www.godaddy.com/gdshop/ssl&lt;/a&gt;), I'm confused. Is $18 a year to improve your user's safety and ease-of-use REALLY that much of a barrier?&lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2213348</link><pubDate>Sat, 21 Apr 2007 02:52:19 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2213348</guid><dc:creator>Oran</dc:creator><description>&lt;p&gt;I started down the CardSpace / federated identity route, but there's just too much you've got to do yourself to get CardSpace, username/password, and Windows identity all working together for a single service or set of services, especially when you want to be able to log in with any of these authentication mechanisms from either a smart client or a web client. &amp;nbsp;I wanted to roll my own STS, but it's a pain to piece it all together, and there aren't full-featured samples for the latest bits.&lt;/p&gt;
&lt;p&gt;So my request would be to provide a well-documented open/shared-source STS implementation under a very permissive license (and keep it current with the latest bits), and provide guidance on using CardSpace with cached STS tokens for occasionally connected smart clients (queued async messaging).&lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2219141</link><pubDate>Sat, 21 Apr 2007 13:15:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2219141</guid><dc:creator>MathiasR</dc:creator><description>&lt;p&gt;Richard, $18 is nothing for a commercial project. However, for a private web site, blogs, or for projects I do in my spare time (like my .net user group web site), it's simply too much. For such a project, $18 is more than the web hosting costs.&lt;/p&gt;
&lt;p&gt;Even if you were willing to spend these $18, it would be very hard or impossible to use CardSpace with the shared hosting providers that such sites normally use. They either don't offer SSL at all, or they charge extra $ for enabling ssl, which makes it even more expensive. And how do you allow your asp .net account to read the private key of the certificate if all you have is ftp access to your web site? So yes, SSL certs are a very big barrier for non-commercial projects.&lt;/p&gt;
&lt;p&gt;The internet does not consist only of big commercial sites like ebay, amazon, or this other search engine with the colored letters ;). Most of the web sites I use daily when I'm online are blogs and projects that people do in their spare time without earning any money for it. Such sites will simply continue to use usernames + passwords or they will use openid.&lt;/p&gt;
&lt;p&gt;I really love CardSpace (hey, I'm even writing a book about it, which will be published in December in Germany :) ), but the SSL requirement in v1 is a really big problem. It should be possible to use CardSpace without spending any extra money and without any extra requirements for the web space I use (like being able to grant access to my ssl certificate's private key, for example). &lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2235987</link><pubDate>Mon, 23 Apr 2007 00:02:45 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2235987</guid><dc:creator>richardt</dc:creator><description>&lt;p&gt;brantgurga - if you'd like to play with CardSpace, go visit &lt;a rel="nofollow" target="_new" href="http://sandbox.netfx3.com"&gt;http://sandbox.netfx3.com&lt;/a&gt;. Regarding Microsoft (and other sites) offering CardSpace support ... keep your eyes open ... there's lots in the pipeline! ;)&lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2236016</link><pubDate>Mon, 23 Apr 2007 00:05:35 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2236016</guid><dc:creator>richardt</dc:creator><description>&lt;p&gt;Mathias (&amp;amp; everyone who mailed me privately)&lt;/p&gt;
&lt;p&gt;Can I ask what your thoughts are on the &amp;quot;data privacy&amp;quot; angle. Do you feel that people are aware and/or concerned that when they log-in to non-SSL sites that their username and password are being sent across the internet in the clear? Especially when that username and password is probably the-same/similar-to the username and password to every other site they log into ... including their bank etc?&lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2248202</link><pubDate>Mon, 23 Apr 2007 20:26:21 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2248202</guid><dc:creator>MathiasR</dc:creator><description>&lt;p&gt;I think the average user doesn't think about such things.&lt;/p&gt;
&lt;p&gt;For CardSpace, I think encryption would still be possible without ssl certificates. You would just need an additional parameter for the object tag that contains the site's public key.&lt;/p&gt;
&lt;p&gt;That encryption requires ssl certificates is a general problem, not one only related to CardSpace. SSL certificates = encryption + verifying someone's identity. Encryption is free, verifying someone's identity costs money. However, you can only get both together, and not encryption only, so encryption always requires money.&lt;/p&gt;
&lt;p&gt;The internet could be safer if there was a way to get encryption for free (without red address bars and warnings because a web site uses self signed certificates).&lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2251926</link><pubDate>Tue, 24 Apr 2007 02:30:24 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2251926</guid><dc:creator>reinux</dc:creator><description>&lt;p&gt;-Loading the CardSpace window takes several seconds.&lt;/p&gt;
&lt;p&gt;-Normal login/password authentication is more straightforward; the normal user can know intuitively that to maintain an identity, they need a name and a way to prove their claim. It's as easy to understand as &amp;quot;open sesame&amp;quot;.&lt;/p&gt;
&lt;p&gt;-When you create a card it gives you a whole bunch of fields, and it's hard to tell which ones you need to fill in and which ones you don't.&lt;/p&gt;
&lt;p&gt;-When you log in, you're presented with a whole bunch of cards; finding the right one to log in to each site is a pain, often more so than just memorizing your username and password.&lt;/p&gt;
&lt;p&gt;-Not many people have .NET 3.0 yet.&lt;/p&gt;
&lt;p&gt;-Too clunky in the way it looks and behaves, especially with the UAC-ish blackout. It's really disruptive particularly on Windows XP.&lt;/p&gt;
&lt;p&gt;-Not much documentation other than the sample applications and a few articles that you can find on Google, most of which are only introductory.&lt;/p&gt;
&lt;p&gt;All in all, the biggest thing is that the UI needs a cleanup. It needs to be more wizard-ish. More of the Windows Neptune inspirations. It needs to look fun (not in a toyish way) and cool to use, as dumb as that may sound.&lt;/p&gt;
&lt;p&gt;Lastly, it needs to be marketed BETTER, not MORE.&lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2265492</link><pubDate>Wed, 25 Apr 2007 01:51:54 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2265492</guid><dc:creator>lfoust</dc:creator><description>&lt;p&gt;The big thing that holds me back when considering cardspace as a viable authentication method is who is issuing the cards?&lt;/p&gt;
&lt;p&gt;I have heard talk of big companies like Visa, Mastercard, Amazon, etc being good candidates for being trusted issuers of cards, but that has been only speculation as far as I can tell.&lt;/p&gt;
&lt;p&gt;So if I am going to go through the effort of using cardspaces on a site, are all the cards just going to be self issued? &amp;nbsp;If so, does that really increase security?&lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2267749</link><pubDate>Wed, 25 Apr 2007 06:48:54 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2267749</guid><dc:creator>jonflanders</dc:creator><description>&lt;p&gt;To me I think one of the biggest problems is portability. &amp;nbsp;What happens when my customer uses CardSpace - and then wants to sign-in from another machine? (this is for self-issued tokens of course)&lt;/p&gt;
&lt;p&gt;Now I have to support a backup authentication mechanism?&lt;/p&gt;
&lt;p&gt;What happens when a user's machine dies and they lose all their self-issued tokens?&lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2311585</link><pubDate>Sat, 28 Apr 2007 15:36:05 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2311585</guid><dc:creator>dominick</dc:creator><description>&lt;p&gt;+1 to Jon. This is question #1 I get when I speak about CardSpace at conferences or to customers. We need mobile STSes.&lt;/p&gt;
&lt;p&gt;As described here:&lt;/p&gt;
&lt;p&gt;&lt;a rel="nofollow" target="_new" href="http://www.leastprivilege.com/InfoCardsAndIdentityStability.aspx"&gt;http://www.leastprivilege.com/InfoCardsAndIdentityStability.aspx&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;People planning to use CardSpace have to put more thought into SSL cert selection. It is not sufficient to choose the cheapest SSL cert around. If the CA goes down - all users are lost.&lt;/p&gt;
&lt;p&gt;This was indeed a problem when I tried to implement CardSpace at a customer site (well - it became one after I told the IS staff about this).&lt;/p&gt;
&lt;p&gt;re: Mathias&lt;/p&gt;
&lt;p&gt;Yeah it would be a cheapo workaround to simply supply some public key (and may work for low security sites) - but CardSpace is about Identity. And before I send anything sensitive to a website, I want to know about the application identity (or does it make sense to send an encrypted &amp;quot;attack at dawn&amp;quot; message to your enemy?)&lt;/p&gt;
&lt;p&gt;But even if the site does not use SSL, how do you want to roundtrip the identity identifier after the login (think FormsAuthentication)?? Again this may not be an issue for low security sites - but if you care about the integrity and confidentiality of the authentication data and/or other data that is exposed by your site - you need SSL anyway.&lt;/p&gt;
&lt;p&gt;my 2c&lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2327466</link><pubDate>Sun, 29 Apr 2007 21:06:53 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2327466</guid><dc:creator>MathiasR</dc:creator><description>&lt;p&gt;Dominick: Not every site needs high security. Many of the web sites I usually log into are low security sites like forums and blogs. This blog is a good example for such a site. The worst thing that could happen if my identity for this site was stolen is that somebody who claims to be me writes something stupid.&lt;/p&gt;
&lt;p&gt;People who want to protect such low security sites cannot offer any safe authentication method today, because ssl certificates are usually too expensive for such sites. So they use username + password without encryption. That is a security risk that could be avoided if CardSpace could be used without ssl. Even if CardSpace would not use any encryption at all, it would still be more secure than what such sites use today (username + password, probably the same password as for many other web sites), because if somebody steals the security token it can only be used for this single web site, and not for any other web sites. &lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2332180</link><pubDate>Mon, 30 Apr 2007 02:52:38 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2332180</guid><dc:creator>richardt</dc:creator><description>&lt;p&gt;Thanks for posting your thoughts here guys - PLEASE KEEP YOUR THOUGHTS COMING! :) It's really valuable for us to understand where the world is in understanding not only Windows CardSpace, but also identity overall.&lt;/p&gt;
&lt;p&gt;I'm going to collate these comments and others I've received privately into a subsequent post to rationalize the arguments.&lt;/p&gt;
</description></item><item><title>How do you prove who you are with a password passed in the clear?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2332624</link><pubDate>Mon, 30 Apr 2007 03:38:45 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2332624</guid><dc:creator>Welcome to The Metaverse</dc:creator><description>&lt;p&gt;In my last post , I asked you to share your thoughts on what is stopping you adding support for Windows&lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2653423</link><pubDate>Tue, 15 May 2007 20:52:40 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2653423</guid><dc:creator>Buddha Dude</dc:creator><description>&lt;p&gt;We were all hyped up to put Card Space in a new &amp;nbsp;site, if it worked well, we would slowly migrate it to our other sites (65 million hits per month total for all sites). The ONLY reason we stopped development; No Fire Fox Support.&lt;/p&gt;
&lt;p&gt;Stop shooting yourself in the foot Microsoft...No commercial site will restrict what a user may or may not use to view the site. &amp;nbsp;If we restrict users to only use IE, we will lose business and that is not going to happen.&lt;/p&gt;
</description></item><item><title>re: Windows CardSpace … what’s stopping you?</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#2937744</link><pubDate>Mon, 28 May 2007 10:58:18 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2937744</guid><dc:creator>dominick</dc:creator><description>&lt;p&gt;There is an identity selector plugin for Firefox&lt;/p&gt;
&lt;p&gt;&lt;a rel="nofollow" target="_new" href="http://perpetual-motion.com/"&gt;http://perpetual-motion.com/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;dominick&lt;/p&gt;
</description></item><item><title>New and Notable 159</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#5113839</link><pubDate>Tue, 25 Sep 2007 09:50:36 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:5113839</guid><dc:creator>Sam Gentile</dc:creator><description>&lt;p&gt;Financial and Banking I work with a bunch of people that used to work in Collateral at ABN Amro, so it&lt;/p&gt;
</description></item><item><title>New and Notable 159</title><link>http://blogs.msdn.com/richardt/archive/2007/04/20/windows-cardspace-what-s-stopping-you.aspx#9167964</link><pubDate>Wed, 03 Dec 2008 06:16:20 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9167964</guid><dc:creator>Sam Gentile's Blog</dc:creator><description>&lt;p&gt;Financial and Banking I work with a bunch of people that used to work in Collateral at ABN Amro, so it was interesting to see Mike's news that ABN Amro agreed Monday to be acquired by Barclays of Britain for 67 billion euros (nearly $91 billion), creating&lt;/p&gt;
</description></item></channel></rss>