Understanding OpenID and CardSpace

OpenID and CardSpace are at the forefront of user-centric identity. Here's how they work

User-centric identity, which puts users at the center of identity transactions, is fast capturing the attention of the Web-minded world. In fact, many traditional organizations are looking to blend user-centric technologies with traditional identity solutions in pursuit of federation.

[Podcasts: Listen to Microsoft's Kim Cameron and Burton Group's Mike Neuenschwander discuss federation and user-centric identity]

Here's how user-centric identity works. Each transaction involves three actors: the user, the IdP (identity provider), and the RP (relying party). When the user needs to transact business with the RP, the RP asks for an identity credential. The user selects which credential to use and informs the credential-issuing IdP of the pending transaction. The IdP then sends a trustworthy message to the RP that the user is entitled to the credential he or she has selected.

Two technologies are at the forefront of this movement: CardSpace and OpenID. The two systems differ in their approach to the above steps, yet they share one critical aspect: Both carve out a central role for users in identity transactions and require the users to be actively involved whenever credentials are exchanged.

Developed and promoted by Microsoft, CardSpace differs from Microsoft’s earlier identity efforts in that it is not a centralized identity product but is rather a protocol for building distributed identity systems. Microsoft offers products that implement CardSpace-compatible identity providers and relying parties, but so do other vendors.

CardSpace is a token-based system, meaning that the credentials are cryptographic messages that the IdP creates and the RP can verify. These tokens are created on the fly by the IdP at the request of the user and include a subset of the attributes contained in the parent credential.

The central feature of CardSpace is the identity selector. Just like your wallet, the selector allows you to pick the credential you would like to send to an RP. The CardSpace protocol limits the available credentials to those that meet the RP’s requirements. For example, if the RP wants payment, nonpayment cards would be excluded and your selector would show only the credit cards you have stored.

The selector allows for two kinds of cards: self-issued and managed. Self-issued cards are useful for activities such as authenticating into a blog commenting system and similar low-risk transactions. Managed cards might include a credit card from your bank, an ID from your employer, or even an online version of your driver’s license from your state government.

A CardSpace identity selector is included in Vista and can be downloaded for XP as part of the .Net Framework 3.0. Card selectors for the Mac and Linux are available from Novell as part of its Bandit project. You can try them out by logging in to Microsoft Chief Identity Architect Kim Cameron's blog.

An open standard, OpenID is the fruit of several folks' labor during the past several years. Originally developed by Brad Fitzpatrick as an identity system for LiveJournal, OpenID is now developed under the auspices of the OpenID Foundation.

OpenID identifiers are URLs. Any URL can be used as an OpenID. Rather than relying on tokens, OpenID is a relationship-based identity system. As a result, when I give a relying party my OpenID URL, the IdP asserts to the RP that I have provided sufficient evidence of a relationship with the IdP. What the evidence is and the nature of the relationship are undefined in the OpenID specification. Usually the evidence is a password authentication, but it may be based on a secure, physical token or a record that I had signed up for an account in the past.

This simplicity is OpenID’s strength and chief weakness. On the one hand, it makes OpenID incredibly lightweight and easy to deploy. On the other hand, RPs know almost nothing about the user except that the IdP and the user share a secret. Unless the IdP is trusted by the RP, it is difficult to use an OpenID for anything more than authorizing blog commenters.

OpenID is the subject of significant ongoing activity. It has a robust discovery mechanism based on XRDS (eXtensible Resource DescriptorS) and an attribute exchange mechanism contributed by Sxip Identity. These and other improvements are documented in the yet-unratified OpenID 2.0 specification.

OpenID is most at home on the Web when deployed on sites that allow users to self-provision accounts. By using OpenID, these sites free themselves from the burden of managing the authentication phase of the interaction with the user and the hassles that come with this, such as password reset.

There are an estimated 160 million OpenID-enabled URLs and nearly 10,000 sites that support OpenID log-ins. No special software is needed to use one. In fact, if you have an AOL account or screen name, you’re part of that 160 million because AOL has OpenID-enabled their identifiers. If your AOL screen name is “froam2,” then your AOL OpenID is http://openid.aol.com/froam2. You can use it to log in to any of the sites in the OpenID Directory.

Additional resources
Seven Laws of Identity
CardSpace libraries and samples
Using CardSpace on a blog
.Net Framework 3.0 selector for XP
OpenID Directory
OpenID providers
OpenID libraries

Copyright © 2007 IDG Communications, Inc.