CardSpace Is Dead. Long Live Back-Channel Access.

Microsoft announced during last week's RSA conference that it would not be shipping Windows CardSpace 2.0. A lot of design imperatives weighed on that one deliverable: security, privacy, usability, bridging the enterprise and consumer identity worlds – and being the standard-bearer of the "identity metasystem" and the "laws of identity" to boot.  Something had to give. What are the implications for security and risk professionals?

The CardSpace model had nice phishing resistance properties that cloud-based identity selectors will find hard to replicate, alas. But without wide adoption on the open Web, that wasn't going to make a dent anyway. We'll have to look for other native-app solutions over time for that.

More significantly, I think neither CardSpace nor its IMI protocol have lived up to the "claims-based identity" mantra anyway, being too focused on fixed aggregations of claims from a single source. A more productive future path will be the OAuth pattern, of which Facebook Connect and Twitter are familiar examples.  In this pattern, relying parties can score user-delegated access directly to each source of truth on a secure back channel, and can continue to pull fresh data even after the user disconnects. Several efforts are building on top of OAuth and JSON Web Tokens to respond to a variety of consumer-scale personalization and authorization use cases, cloud-oriented access management use cases, and even enterprise-strength use cases. Interestingly, Mike Jones of Microsoft – who was an early evangelist for CardSpace and penned the first public reflections on its passing – also has a key role along with other major Web-scale IdP players in drafting these newfangled specs. Check out his blog for lots of relevant links.



Hi Eve, can you clarify the distinction you are making with "cloud-oriented access management use cases, and even enterprise-strength use cases"?

Does not the first presume the second?



Aha, you're right. Naturally, that was the last little tweak I made to the post and I should have thought harder about how to put it. I was thinking of stronger-auth and higher-"assurance" use cases, which require applying a lot more digital-signature techniques all over the place. So strength is a part of it, but enterprise isn't quite the right qualifier. I should edit the post to clarify. What would you suggest as a replacement?...

you could have argued that

you could have argued that your definition of cloud was not exclusive to enterprise (including TripIt pushing vacation travel into Google calendar etc). Bit late for that given your comment :-)

For me, beyond the simple 'enterprise cloud' OAuth use cases (where the client might authenticate with a password) are those with less static trust & authn models, as enabled by signed SAML & JWTs like I think you are implying


Cloud Selectors, etc.

Hi Eve,

we purposely set out to do a Cloud Selector that has enhanced privacy features AND can pull in claims from various sources. We did this because we recognised that without a highly accessible, zero install selector, this type of ID wouldn’t be able to be mass adopted - which is what we need. Also you have to offer verification of a persons ID from a number of sources (you may not use them all, but you have to support it) because of offering choice to id owners: I think the debate about ID ownership, i.e. the move towards user centricity has been instrumental in the design implications for Information Cards and any other online identity system.
By the way, absolutely couldn’t agree more regarding IMI which if anything stifled the uptake of the technology by tying it back to the desktop through desktop based selectors/agents.

Cardspace has taught us a lot about how not to do identities - we need to move forward with the knowledge and get highly accessible, mass adoptable, verifiable online ID's

Paul, you got me

There I go, buying into your apparent premises again. :) Yes, you're right about the upper end of the possibilities: possibly "SAML-initiated", and also with needs for Holder of Key strength, such that the incoming SAML token (if there is one) and the OAuth-generated token/claim are more usable for more sensitive use cases.

Susan, thanks for writing in too. I really appreciate your comments about flexibility, accessibility, quality, and adoption. Now that we're several generations into the Internet identity era, it's good that the industry is learning how to improve, optimize, and adapt.

RIP Cardspace


Did you see Paul Madsen's observation about the death of Cardspace?

My blog:


ConnectID rocks

Hi Mark-- Yes indeed! I encourage everyone following the ins and outs of IAM trends to check out his posts. They're generally in must-see territory...

Microsoft CardSpace

I’m trying to import a card I generated into Microsoft CardSpace identity selector that comes with IE-7. But I’m blocked by an error which states that cardspace encountered an error in verifying the identity of the Private Tutoring site.