User-centric identity, which puts users at the center of identity transactions, is fast capturing the attention of the Web-minded world. In fact, many traditional organizations are looking to blend user-centric technologies with traditional identity solutions in pursuit of federation.
[Podcasts: Listen to Microsoft's Kim Cameron and Burton Group's Mike Neuenschwander discuss federation and user-centric identity]
Here's how user-centric identity works. Each transaction involves three actors: the user, the IdP (identity provider), and the RP (relying party). When the user needs to transact business with the RP, the RP asks for an identity credential. The user selects which credential to use and informs the credential-issuing IdP of the pending transaction. The IdP then sends a trustworthy message to the RP that the user is entitled to the credential he or she has selected.
Two technologies are at the forefront of this movement: CardSpace and OpenID. The two systems differ in their approach to the above steps, yet they share one critical aspect: Both carve out a central role for users in identity transactions and require the users to be actively involved whenever credentials are exchanged.
CardSpace
Developed and promoted by Microsoft, CardSpace differs from Microsoft’s earlier identity efforts in that it is not a centralized identity product but is rather a protocol for building distributed identity systems. Microsoft offers products that implement CardSpace-compatible identity providers and relying parties, but so do other vendors.
CardSpace is a token-based system, meaning that the credentials are cryptographic messages that the IdP creates and the RP can verify. These tokens are created on the fly by the IdP at the request of the user and include a subset of the attributes contained in the parent credential.
The central feature of CardSpace is the identity selector. Just like your wallet, the selector allows you to pick the credential you would like to send to an RP. The CardSpace protocol limits the available credentials to those that meet the RP’s requirements. For example, if the RP wants payment, nonpayment cards would be excluded and your selector would show only the credit cards you have stored.
The selector allows for two kinds of cards: self-issued and managed. Self-issued cards are useful for activities such as authenticating into a blog commenting system and similar low-risk transactions. Managed cards might include a credit card from your bank, an ID from your employer, or even an online version of your driver’s license from your state government.
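The three-party flow described above (user, IdP, RP), together with the on-the-fly token holding only a subset of the card's attributes and the selector's filtering of cards to those the RP will accept, as one added Python example; this is illustrative code, not CardSpace or any Microsoft implementation. Assumptions: the wallet, policy and token shapes are constructed here, and an HMAC stands in for the IdP's signature so the example runs offline (a real deployment uses asymmetric signatures so the RP never holds the IdP's signing key).

```python
import hmac, hashlib, json

# Constructed sample wallet: one managed payment card and one self-issued card.
WALLET = [
    {"issuer": "bank.example", "type": "payment",
     "claims": {"name": "A. User", "card_number": "4111-0000-0000-0000", "email": "a@example.org"}},
    {"issuer": "self", "type": "self-issued", "claims": {"name": "A. User", "email": "a@example.org"}},
]
# Keys the RP trusts, keyed by issuer (assumed shared secret standing in for the IdP's signing key).
IDP_KEYS = {"bank.example": b"constructed-idp-secret"}

def select_cards(wallet, policy):
    """Selector step: offer only cards whose attributes and type satisfy the RP's request."""
    return [c for c in wallet
            if set(policy["required_claims"]) <= set(c["claims"])
            and policy.get("card_type") in (None, c["type"])]

def _canonical(body):
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue_token(card, policy, nonce, now, ttl=300):
    """IdP step: mint a short-lived token carrying only the attributes the RP asked for."""
    body = {"iss": card["issuer"], "aud": policy["audience"], "nonce": nonce, "exp": now + ttl,
            "claims": {k: card["claims"][k] for k in policy["required_claims"]}}
    sig = hmac.new(IDP_KEYS[card["issuer"]], _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_token(token, expected_aud, expected_nonce, now):
    """RP step: accept only a token from a trusted IdP that is unaltered, addressed to us and fresh."""
    body = token["body"]
    key = IDP_KEYS.get(body.get("iss"))
    if key is None:
        return None                      # unknown issuer
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None                      # tampered or forged token
    if body["aud"] != expected_aud or body["nonce"] != expected_nonce or body["exp"] < now:
        return None                      # replayed at another RP, replayed session, or expired
    return body["claims"]
```

Note that the issued token never carries `card_number` unless the RP's policy asked for it, which is the minimal-disclosure property the article attributes to on-the-fly tokens.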
A CardSpace identity selector is included in Vista and can be downloaded for XP as part of the .Net Framework 3.0. Card selectors for the Mac and Linux are available from Novell as part of its Bandit project. You can try them out by logging in to Microsoft Chief Identity Architect Kim Cameron's blog.