Microsoft announced during last week's RSA conference that it would not be shipping Windows CardSpace 2.0. A lot of design imperatives weighed on that one deliverable: security, privacy, usability, bridging the enterprise and consumer identity worlds – and being the standard-bearer of the "identity metasystem" and the "laws of identity" to boot. Something had to give. What are the implications for security and risk professionals?
The CardSpace model had nice phishing resistance properties that cloud-based identity selectors will find hard to replicate, alas. But without wide adoption on the open Web, that wasn't going to make a dent anyway. We'll have to look for other native-app solutions over time for that.
More significantly, I think neither CardSpace nor its IMI protocol have lived up to the "claims-based identity" mantra anyway, being too focused on fixed aggregations of claims from a single source. A more productive future path will be the OAuth pattern, of which Facebook Connect and Twitter are familiar examples. In this pattern, relying parties can score user-delegated access directly to each source of truth on a secure back channel, and can continue to pull fresh data even after the user disconnects. Several efforts are building on top of OAuth and JSON Web Tokens to respond to a variety of consumer-scale personalization and authorization use cases, cloud-oriented access management use cases, and even enterprise-strength use cases. Interestingly, Mike Jones of Microsoft – who was an early evangelist for CardSpace and penned the first public reflections on its passing – also has a key role along with other major Web-scale IdP players in drafting these newfangled specs. Check out his blog for lots of relevant links.