It’s been a while since I’ve heard anyone talk about Windows CardSpace, the Microsoft client software Bill Gates has pushed as the best way to do away with passwords. But at the CSI 2007 conference in Arlington, Va., Tuesday, attendees got an in-depth look at what CardSpace is about from none other than Kim Cameron, the software giant’s chief privacy guru.
Windows CardSpace allows users to provide their digital identity to online services in what Microsoft calls a “simple, secure and trusted way.” Cameron calls it an identity selector.
The Microsoft Web page on CardSpace explains: “When a user needs to authenticate to a Web site or a Web service, CardSpace pops up a special security-hardened UI with a set of ‘information cards’ for the user to choose from. Each card has some identity data associated with it — though this is not actually stored in the card — that has either been given to the user by an identity provider such as their bank, employer or government or created by the user themselves.”
Cameron offered CSI attendees a very detailed breakdown of the concept and ended by declaring, “We need an ID metasystem that’s open, inclusive and protects the user’s privacy.” CardSpace is the answer, he said.
The crowd seemed receptive to his argument and I’m not surprised. In all my reporting about identity and access management, the common complaint among IT administrators has been that passwords are a very weak link in the security chain.
The CardSpace concept is a solid one, most seem to agree, but those who have to manage the technology have expressed concern over Microsoft’s ultimate execution. My colleague Mike Mimoso captured that concern at the RSA conference back in February, writing that while some security managers accept the notion that, at a high level, Gates’ vision is solid, execution may be another matter.
“We’re seeing the need for everything he talked about, but executing and converting it all to reality; that’s the difficult part,” David Porubovic, security engineer with Marriott International, told Mimoso at the time. “It’s the right direction, provided that it can be implemented, it’s cost effective, transparent to the user and easy to manage. That’s the big headache.”
The pros and cons of CardSpace are something I plan to write more about in the next couple of weeks, and I’m looking for some IT administrators to share their experiences on the matter. Offer some initial thoughts in the comment section of this blog and we can go from there.