Goodbye, CardSpace; Hello, U-Prove!
Last week, Microsoft announced:
- The cancellation of Version 2.0 of its Windows CardSpace identity service, thus deprecating CardSpace; and
- The immediate availability of Release 2 of the Community Technology Preview of its U-Prove identity service.
These announcements are just the latest moves in Microsoft's decade-long struggle to solve the Internet's "identity problem."
One aspect of the identity problem is unified login: the ability to log into any compliant website using credentials from (say) Google, Facebook, MSN, eBay, etc.
Without unified login, you have to come up with a unique username and password combination for every website registration. If you use the same username/password credentials on more than one website, your exposure to identity theft is higher. For example, if your username/password credentials were stolen from Gawker, and you used that same username/password combination on other websites, then you could be impersonated on those other websites, too.
This is not Microsoft's first dance with "unified login." A decade ago, it proposed its much-criticized Hailstorm/Passport system, in which only Microsoft could act as an identity provider—that is, only Microsoft could issue username/password credentials, and all relevant personal information was stored centrally by Microsoft. Although this system formed the basis of today's Windows Live ID, its centralized and proprietary characteristics prevented its wider adoption.
In response, Microsoft delivered CardSpace as the client of a "federated" identity management system, in which many different entities could, in theory, act as back-end identity providers. However, Microsoft didn't make it easy for other identity providers to participate in the federated system. As Microsoft's identity guru, Kim Cameron, stated in 2008, "We've tortured developers. We ourselves didn't have any server software that would work with it. There was no product on the back end." Microsoft's Windows Identity Foundation (née Geneva Server, née Zermatt, with its first beta in 2008) lowered this barrier, and its Active Directory Federation Services 2.0, released in May 2010, lowered the barrier even more.
Still, CardSpace was not widely adopted outside of Microsoft's Internet Explorer browser, and other problems became clearer over time. To quote this week's blog post that officially announced CardSpace's deprecation:
"Windows CardSpace was initially released and developed before the pervasive use of online identities across multiple services. Perhaps more importantly, we released the user component before we and others had delivered the tools for developers and administrators to easily create claims-ready services. The identity landscape has changed with the evolution of tools and cloud services."
That same blog post went on to describe Microsoft's U-Prove system as "a user agent that takes account of cloud computing realities and takes advantage of the high-end security and privacy capabilities within the extended U-Prove cryptographic technology," which Microsoft acquired from Credentica in 2008.
The other primary criticism of Microsoft's previous efforts was their closed-source, proprietary nature. Microsoft has attempted to address this by offering its U-Prove CTP SDKs (in C# and Java) under the Apache 2.0 open-source license, with patent rights granted under Microsoft's Open Specification Promise.
The market opportunity for a Microsoft-driven approach may be wider than it was a year ago, because the leading open standard for unified login, OpenID, has recently been widely criticized as having actually made things worse for both users and developers.
One of the major advantages of a federated approach (of which Microsoft's is just one example; the open-source Higgins Project is another) is that it can offer additional benefits beyond unified login, such as minimal disclosure, unlinkability, and untraceability. These features have the potential to significantly increase online privacy and security.
On the one hand, those who profit from tracking online activity could see these limitations as a significant downside, slowing their adoption of a federated system. On the other hand, consumers love these limitations, and politicians are starting to listen. Late last year, the Obama Administration's Commerce Department issued a report calling for "increase[d] protection of consumers' commercial data," in ways that could be easily addressed through use of a federated system. The European Union is considering similar moves.
Large commercial enterprises, too, have much to gain from the use of a federated identity model. Security remains one of the biggest issues blocking enterprise migration to the cloud. While identity management is just one aspect of cloud security, its resolution could be a big step in the right direction.
The wheels of legislation grind even more slowly than those of large enterprises, however, so neither Microsoft nor anyone else should count on legislation to drive the world towards federated identity management anytime soon. Even if such legislation were to pass tomorrow, Microsoft's technology might not prove to be the best available. However, it has the virtue of being available today, at least in CTP form.
Conclusion: If your .NET-based website requires logon, take a look at the just-released U-Prove CTP, to see if its services meet your website's needs.
And the problem still remains
Not worth the risk: the problem here isn't a technical one.
We need to take control
The thought of Facebook as logon is not for me.
So what is the answer?
For me, part of it is having my own system, no third parties getting in the way (and making it less reliable). Something I run on my own machines. Something that can invoke outside services whenever I need them. Something that carries more of the administrative burden without loss of control. Something that doesn't assume I'm a completely docile ignoramus...
Maybe something can be forged from the CTP code, but I really hoped that the heavy lifting (for this approach) would have been done already!!
There's a commercial provider of "smart cards" hanging around in the background here. All too often such guys impact decisions that eventually scupper the technology.
Re: We need to take control
A lot to digest!