Back Draft
Is CardSpace in the Cards for Your Web Site?
By Jonathan Goodyear
I'm sure you've heard about the release of the .NET
Framework 3.0 by now (http://www.netfx3.com).
It comes standard on Microsoft's new client operating system, Windows Vista,
but is also available for Windows XP and Windows 2003. The .NET Framework 3.0
comprises four main components. The first three are fairly well known and
understood: Windows Presentation Foundation (WPF), Windows Communication
Foundation (WCF), and Windows Workflow Foundation (WF). The fourth component,
Windows CardSpace, is a bit more enigmatic. It almost seems out of place
alongside the others. Perhaps that's because it isn't labeled as a Foundation
for anything.
In many respects, CardSpace looks like a feature that was
bolted onto the .NET Framework 3.0 at the last minute because the deployment
time frame made sense. In reality, though, CardSpace plays a pivotal role in
Microsoft's security strategy, tying into the other components of the .NET
Framework 3.0 as well as other key Microsoft technologies like ASP.NET and
Windows Forms.
The question you may be asking yourself right now is, do
I need CardSpace? To answer that, let's take a look at what it provides. The
core function of CardSpace is to broker trust relationships between Web sites
and the users who consume their services. It does this by providing services to
both parties involved in the relationship. For users, CardSpace provides
verified information about the Web site to which they are about to provide
their personal information. This information is available from the CardSpace
dialog that appears when the user elects to register or log in to a Web site
that supports CardSpace. It's not likely that a fraudulent Web site will have
obtained an Extended Validation (EV) certificate from a certification
authority, so users can be more confident that they are dealing with a
legitimate business. CardSpace also allows a user to see exactly what data from
the information card that they elect to use is going to be sent to the Web site.
They can then determine whether they want to proceed. Because the CardSpace
dialog launches on a separate desktop, it is also much more difficult
for spyware or Trojan horse applications to hook into the CardSpace services
and do anything malicious.
CardSpace also provides plenty of benefits to Web sites
that elect to support it. For instance, CardSpace information cards are much
harder to steal or duplicate, so Web sites can be more confident that the user
logging in is the person who created the account. This will lead to fewer
fraudulent transactions and less identity theft. CardSpace also allows Web sites to
create and issue their own information cards to their users (or support cards
issued by companies that they trust). This creates the added benefit that a
company can use whatever methods it deems appropriate to validate a person's
true identity before issuing them an information card that can be used to log in
to its Web site. That information card can be protected using a strong password
to prevent someone who manages to obtain access to a PC with an information
card on it from using that card to access the Web site for which it is
assigned.
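To make the two paragraphs above concrete, here is the markup a relying-party login page embeds so that the identity selector knows which claims to request and which issuers to accept. This is an added example, not code from the column or from Microsoft's documentation; the site addresses and the particular claim set are assumptions, while the `application/x-informationcard` object type, the parameter names and the claim and issuer URIs are the ones CardSpace defines.

```html
<!-- Added example (not from the column): login form for a hypothetical relying party.
     The identity selector reads the <object> parameters and shows the user exactly
     which claims will be released before any card is sent to the site. -->
<form id="cardspaceLogin" method="post" action="https://www.example.com/Login.aspx">
  <object type="application/x-informationcard" name="xmlToken">
    <!-- Token format the site will accept from the card's issuer -->
    <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />

    <!-- Claims the site insists on. The private personal identifier (PPID) is
         derived per card and per site, so the same card yields a different
         identifier on every site and a stolen value is useless elsewhere. -->
    <param name="requiredClaims"
           value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />

    <!-- Claims the user may choose to withhold; the selector lists them separately -->
    <param name="optionalClaims"
           value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />

    <!-- Accept self-issued (personal) cards. To accept only cards the site issued
         itself, or cards from a partner it trusts, replace this value with the
         address of that issuer's security token service, for example the assumed
         https://sts.example.com/sts -->
    <param name="issuer" value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
  </object>

  <input type="submit" value="Log in with an Information Card" />
</form>
```

When the user picks a card and approves the claim list, the selector posts an encrypted token in the `xmlToken` form field; the site decrypts it with the private key of its SSL certificate, which is why the selector can show the user a verified identity for the site before anything is released, and why the page must be served over HTTPS. A site that issues its own cards simply points `issuer` at its own token service and keeps the validation of a person's real identity on its side, as the column describes.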
CardSpace offers many benefits to both users and Web sites
in addition to the ones mentioned here. For example, it enables secure login to
Web services brokered through Windows Communication Foundation and Smart Client
applications built using Windows Forms and Windows Presentation Foundation. I
have no doubt that applications and Web sites in the corporate space will adopt
CardSpace rather quickly.
The big question, then, is whether CardSpace will gain
traction with the general public and public Web sites. After all, there are a
few drawbacks. First, while the CardSpace engine was developed using all
industry standard WS-* protocols as part of The Identity Metasystem, and
supports the Laws of Identity (http://www.identityblog.com/stories/2004/12/09/thelaws.html),
the CardSpace implementation is currently only supported on Microsoft Windows
operating systems. Other operating system vendors will need to get on board
with their own implementations before CardSpace really takes off. Second, using
CardSpace to log in to Web sites from public computers is currently
problematic. Basically, you have to export your information cards from your
main PC to something like a USB key, and import them to the public computer (remembering
to delete them after you're done).
It is safe to assume that most public Web sites that are
not financial or medical in nature will for the foreseeable future continue to
support user name/password combinations even after adopting CardSpace. I think
CardSpace is a big step forward in the fight against online fraud and is
relatively easy to implement, so it should definitely be on the technology
roadmap for your organization's Web sites. I am following this guidance myself
by building CardSpace support into my Web site (http://www.angrycoder.com). Online fraud
and identity theft will never be solved by a single technology, but the tools
available to us to continue the fight (including CardSpace) are getting better
and better. It would be a shame for those tools to remain underutilized.
For more on CardSpace, see "ASP.NET Meets CardSpace" by Michele Leroux Bustamante.
Jonathan Goodyear is president of ASPSOFT (http://www.aspsoft.com), an Internet consulting firm based in Orlando, FL. Jonathan is Microsoft Regional Director for Florida, an ASP.NET MVP, a Microsoft Certified Solution Developer (MCSD), and co-author of ASP.NET 2.0 MVP Hacks (Wrox). Jonathan also is a contributing editor for asp.netPRO. E-mail him at jon@aspsoft.com or through his angryCoder eZine at http://www.angryCoder.com.