Back Draft
Is CardSpace in the Cards for Your Web Site?
By Jonathan Goodyear
I'm sure you've heard about the release of the .NET Framework 3.0 by now (http://www.netfx3.com). It comes standard on Microsoft's new client operating system, Windows Vista, but is also available for Windows XP and Windows 2003. The .NET Framework 3.0 comprises four main components. The first three are fairly well known and understood: Windows Presentation Foundation (WPF), Windows Communication Foundation (WCF), and Windows Workflow Foundation (WF). The fourth component, Windows CardSpace, is a bit more enigmatic. It almost seems out of place alongside the others. Perhaps that's because it isn't labeled as a "Foundation" for anything.
In many respects, CardSpace looks like a feature that was bolted onto the .NET Framework 3.0 at the last minute because the deployment time frame made sense. In reality, though, CardSpace plays a pivotal role in Microsoft's security strategy, tying into the other components of the .NET Framework 3.0, as well as other key Microsoft technologies like ASP.NET and Windows Forms.
The question you may be asking yourself right now is, "do I need CardSpace?" To answer that, let's take a look at what it provides. The core function of CardSpace is to broker trust relationships between Web sites and the users who consume their services. It does this by providing services to both parties involved in the relationship. For users, CardSpace provides verified information about the Web site to which they are about to provide their personal information. This information is available from the CardSpace dialog that appears when the user elects to register or log in to a Web site that supports CardSpace. It's not likely that a fraudulent Web site will have obtained an Extended Validation (EV) certificate from a certification authority, so users can be more confident that they are dealing with a legitimate business. CardSpace also allows a user to see exactly what data from the information card they elect to use is going to be sent to the Web site. They can then determine whether they want to proceed. Because the CardSpace dialog launches in a separate desktop process, it is also much more difficult for spyware or trojan horse applications to hook into the CardSpace services and do anything malicious.
CardSpace also provides plenty of benefits to Web sites that elect to support it. For instance, CardSpace information cards are much harder to steal or duplicate, so Web sites can be more confident that the user logging in is the person who created the account. This will lead to fewer fraudulent transactions and less identity theft. CardSpace also allows Web sites to create and issue their own information cards to their users (or to support cards issued by companies that they trust). This creates the added benefit that a company can use whatever methods it deems appropriate to validate a person's true identity before issuing an information card that can be used to log in to its Web site. That information card can be protected with a strong password, so that someone who manages to gain access to a PC with an information card on it cannot use that card to access the Web site for which it is assigned.
CardSpace offers many benefits to both users and Web sites in addition to the ones mentioned here. For example, it enables secure login to Web services brokered through Windows Communication Foundation and to Smart Client applications built using Windows Forms and Windows Presentation Foundation. I have no doubt that applications and Web sites in the corporate space will adopt CardSpace rather quickly.
The big question, then, is whether CardSpace will gain traction with the general public and public Web sites. After all, there are a few drawbacks. First, while the CardSpace engine was developed using industry-standard WS-* protocols as part of the Identity Metasystem, and supports the Laws of Identity (http://www.identityblog.com/stories/2004/12/09/thelaws.html), the CardSpace implementation is currently only supported on Microsoft Windows operating systems. Other operating system vendors will need to get on board with their own implementations before CardSpace really takes off. Second, using CardSpace to log in to Web sites from public computers is currently problematic. Basically, you have to export your information cards from your main PC to something like a USB key, and import them to the public computer (remembering to delete them after you're done).
It is safe to assume that most public Web sites that are not financial or medical in nature will, for the foreseeable future, continue to support user name/password combinations even after adopting CardSpace. I think CardSpace is a big step forward in the fight against online fraud and is relatively easy to implement, so it should definitely be on the technology roadmap for your organization's Web sites. I am following this guidance myself by building CardSpace support into my Web site (http://www.angrycoder.com). Online fraud and identity theft will never be solved by a single technology, but the tools available to us to continue the fight (including CardSpace) are getting better and better. It would be a shame for those tools to remain underutilized.
For more on CardSpace, see "ASP.NET Meets CardSpace" by Michele Leroux Bustamante.
Jonathan Goodyear is president of ASPSOFT (http://www.aspsoft.com), an Internet consulting firm based in Orlando, FL. Jonathan is Microsoft Regional Director for Florida, an ASP.NET MVP, a Microsoft Certified Solution Developer (MCSD), and co-author of ASP.NET 2.0 MVP Hacks (Wrox). Jonathan also is a contributing editor for asp.netPRO. E-mail him at jon@aspsoft.com or through his angryCoder eZine at http://www.angryCoder.com.