Written by Jitendra Gupta of Karmaweb and edited by Richard MacManus
Bill Gates of Microsoft just announced a deal with JanRain, VeriSign and Sxip to develop integration between Microsoft CardSpace and the open source project OpenID. This is an interesting deal between the software giant in Redmond and a popular open source project, which deserves a closer look. For those already familiar with OpenID and Microsoft, jump directly to the takeaway section. For others, the next two sections will provide you with a quick introduction to two new technologies that will likely have a significant impact on the future of the Internet.
OpenID is an open, decentralized, free framework for user-centric digital identity. It is aimed at solving the problem of Web single sign-on. How does the problem of web single sign-on affect you? Well, if you struggle with keeping track of different usernames and passwords at different websites where you have an account, OpenID can help you. With OpenID you will be assigned a standard username (typically a URL or an i-name, similar to an email address) that you can use on all sites that support OpenID.
To get started using an OpenID, get one at myopenid. Once you have an OpenID, you can use it at a number of sites. For example, try your new OpenID at Zoomr.
Windows CardSpace is an authentication product, embedded in Vista (also available for XP via a service pack), which puts the power of managing multiple identities in the hands of the user - via an easy to use UI and an underlying technology that supports a number of web and enterprise authentication standards. It is an authentication technology because it uses cryptography and a tight integration with the Windows platform, to securely deliver various verifiable claims for the user. The UI of Microsoft CardSpace tries to mimic - online for digital identities - the use of business cards, credit cards and membership cards.

1. The announcement
For a high profile Bill Gates announcement, the follow up plan seems pretty skimpy on the details of work to be done. All it seems to commit Microsoft to doing is to help out the open source community, as most of the work needed here will be done on the OpenID side of things. Microsoft, for its part, seems to be committing to “support OpenID in future Identity server products” - which doesn’t really mean much.
2. What’s in it for OpenID
The OpenID specification is simple and light, which accounts for its recent popularity. As such, the OpenID 2.0 specification does not specify any authentication or multiple identity management capabilities.
This deal provides the OpenID community with another authentication vendor that makes enterprise adoption a possibility.
Also, one of the downsides of the flexibility provided by OpenID is that it opens up the user to some potential phishing attacks. The most worrisome scenario here is when an evil site posing as a service provider, redirects users to a fake site to enter their OpenID password. With the user-entered password, the evil party can pose as the user at any number of sites that use OpenID. See more details on this issue at Kim Cameron’s blog. This is a pretty big security threat that the OpenID community has been grappling with for some time. They have developed some interesting solutions, like browser plug-ins and customized login pages at OpenID provider sites - to make it hard for evil parties to pose as a real site - but a reliable solution has not emerged. Microsoft CardSpace, with its vast reach (it is integrated with Microsoft Vista and is also available for XP via a patch), provides a reliable and effective way for users to authenticate with the OpenID provider without needing a password that can be phished. CardSpace authentication is based on tokens generated by the Windows client that cannot be fabricated or reused. So this integration with Microsoft CardSpace ensures that the OpenID community can eliminate a major barrier to even wider adoption.
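The kind of check a browser plug-in could run before the user types an OpenID password is sketched below. This is an added example, not code from the article or from any OpenID project; the pinned provider origin, the function name and the sample URLs are constructed for illustration.

```javascript
// Added example: pin the OpenID provider origin the user enrolled with and
// compare each login redirect against it before a password is entered.
// PINNED_PROVIDER is a constructed placeholder, not a real provider.
const PINNED_PROVIDER = "https://www.myopenid.example";

function checkProviderRedirect(pinned, redirectUrl) {
  let target;
  try {
    target = new URL(redirectUrl);
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  const expected = new URL(pinned);
  if (target.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // user:pass@host syntax lets a URL begin with a trusted-looking name
  // while the real host is whatever follows the "@".
  if (target.username !== "" || target.password !== "") {
    return { ok: false, reason: "userinfo in URL" };
  }
  // Compare the whole origin (scheme + host + port). A substring or
  // prefix test would accept hosts that merely contain the trusted name.
  if (target.origin !== expected.origin) {
    return { ok: false, reason: "origin mismatch: " + target.host };
  }
  return { ok: true, reason: "matches pinned provider" };
}

// Constructed sample redirects a relying party might send the browser to.
const SAMPLES = [
  "https://www.myopenid.example/signin",
  "http://www.myopenid.example/signin",
  "https://www.myopenid.example@login.attacker.example/signin",
  "https://www.myopenid.example.attacker.example/signin",
];

function auditSamples() {
  return SAMPLES.map((u) => checkProviderRedirect(PINNED_PROVIDER, u));
}

for (const [i, r] of auditSamples().entries()) {
  console.log(SAMPLES[i], "->", r.ok ? "OK" : "BLOCK", "(" + r.reason + ")");
}
```

A check like this only tells the user that the page is not the provider they enrolled with; it does not remove the phishable password, which is the gap the CardSpace tokens are meant to close.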
3. What’s in it for Microsoft
Microsoft CardSpace is a well thought out technology that addresses the needs of both enterprise and individual users, by putting the power of managing multiple identities in the hands of users. The integration with OpenID enables Microsoft to get some early customers and potential buzz, in addition to a lot of good PR and some community cred.
4. Web vs Desktop debate revisited
Another angle to evaluate here is the old desktop vs Web OS debate. Microsoft CardSpace is tied to a Windows desktop, whereas OpenID enables users to have more portable web based identities. By tying Microsoft CardSpace with OpenID, Microsoft is trying to participate in the emerging WebOS [Ed: or 'Web as OS' is perhaps a better term for it].
And by using a desktop based solution, the open source OpenID community is at least temporarily accepting the benefits of a desktop based solution - to solve the chronic phishing and authentication problems pervasive in the Web OS.
5. How will it look 18 months down the line?
At the heart of it, Microsoft CardSpace could provide the same functionality as OpenID. In fact, some of the Microsoft literature even talks about the issues with managing multiple usernames and passwords, and how CardSpace can alleviate these issues. So potentially one of the calculations for Microsoft could be that once users start using CardSpace to log into their OpenID provider, they might decide that they like it better than OpenID.
On the other hand, the open source community will probably start looking at better ways to address the authentication issues of OpenID, via some combination of browser improvements and a central authority for establishing trust. In fact, OpenID integration is already a priority for Firefox 3.
Overall, this high profile announcement marks the importance of single sign-on identity technology to the future of the Internet. Let’s see how things evolve in the next few months in this exciting arena.
Comments
Hello,
we share your view that the announced OpenId-CardSpace wedding is big news.
In our view Microsoft capitalizes on the buzz that OpenId has managed to create in the last months, but OpenId as a technology does not exist anymore.
CardSpace could succeed in delivering more secure in-browser web application, it is however a pretty closed technology.
We believe that identity2.0 has somehow been hijacked.
You may read more on our thoughts in the following posts:
http://kerpass.wordpress.com/2007/02/08/holdup-on-openid/
http://kerpass.wordpress.com/2007/02/14/infocardcardspace-getting-the-big-picture/
Posted by: Marc | February 14, 2007 11:26 PM
Thanks for summarizing the potential benefits for either party. I linked to this article from my opinions on how Google and Yahoo need to get aboard as well.
You may read my thoughts here:
http://sumolabs.com/blog/openid-microsoft-and-aol-are-yahoo-and-google-tow
Kind Regards,
J | sumolabs.com
Posted by: Jordan Willms | February 19, 2007 11:33 PM
"..evil site posing as a service provider, redirects users to a fake site to enter their OpenID password"
But... there is no password, that's the whole idea behind OpenID: No password to remember.
Let me assume you meant "OpenID URI" instead of "password".
Posted by: John Galt | February 20, 2007 1:26 PM
"But... there is no password, that's the whole idea behind OpenID: No password to remember."
Sort of right. But mostly wrong.
OpenID says nothing about how the authentication with the OpenID provider is done; it does not say that authentication is no longer a necessary part of the sign-in process. The provider doesn't HAVE to ask you for a password in order to authenticate you.
Of course, all the known providers do just that, and so it's relatively easy for a malicious site to forward you to a fake login page that looks *just like* the one you're used to signing in at.
Posted by: Chris | February 20, 2007 5:40 PM
#3, the idea behind OpenID is Web SSO... which translates to no site-specific usernames and passwords... the users are still going to need their OpenID password to authenticate themselves. It's just that it will be the universal password, which kinda makes the phishing issue that much more significant.
Posted by: Jitendra | February 20, 2007 9:22 PM