Ben Laurie blathering

Has Cardspace Become Passport?

I reviewed an article about identity management the other day. It got me thinking about what is really used out there, and what for?

People like to hail OpenID as a huge success, but as far as I can see its popularity is entirely on the provider side. There are no consumers of note.

Similarly, Cardspace appears to live in its own little world, supported only by Microsoft products.

Funnily enough, the only thing that seems to really be used much is SAML, widely used in enterprise SSO and in Shibboleth.

So why does this make Cardspace like Passport? Well, the fear with Passport was that Microsoft would control all your identity. The end result was that Microsoft was the only serious consumer of Passport. When Cardspace is deployed such that all providers and consumers of identity are really the same entity, then all its alleged privacy advantages evaporate. As I have pointed out many times before, when consumers and providers collude, nothing is secret in Cardspace (and all other standard signature-based schemes). So, there’s no practical difference between Cardspace and Passport right now.

(Sorry, no links today, I’m in a hurry)


  1. […] was rather surprised today to read a post by Ben Laurie where he writes that “there is no practical difference between Cardspace and Passport.” Please read the whole post to understand the context. It’s not […]

    Pingback by dale olds’ virtualsoul » 100% Open Source information cards, and how Ben might win an iPhone — 28 Sep 2007 @ 23:06

  2. Hi Ben,

    This post struck me as so odd that I started to comment, but it became a blog post here:

    Since you’re specifically mentioned several times, I thought you should at least know. I may not have understood you correctly and would be glad to discuss it more if you’d like.

    Comment by Dale Olds — 29 Sep 2007 @ 3:02

  3. There was a slightly different take on handing over personal information to MS in yesterday’s Help Desk:

    Comment by Mads — 29 Sep 2007 @ 9:35

  4. […] I took Ben Laurie’s recent piece on CardSpace as an invitation to review one more time what can go wrong with Information Cards and […]

    Pingback by IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer — 4 Oct 2007 @ 10:09

  5. […] the clouds. Based on Kim’s mind related to What if we fail, Dale Olds of Novell and Ben Laurie’s recent piece on CardSpace I decided to start the ultimate "Show me your CardSpace Application" poll. I’ll […]

    Pingback by Did you build a Windows CardSpace enabled Website or application? - Secure Place — 4 Oct 2007 @ 12:25

  6. Hello Ben,

    I wonder what the potential is for MS to extend their exclusionary LAN authentication environment to the greater Web by getting people to log in to websites through the OS instead of the browser.

    The concern here is not that they would possess user identification, but would exclude competitors from the Web server market by making Windows Server the only ‘safe’ bet for processing logins without the kind of ‘gotchas’ that Samba experiences on a typical Windows-dominated LAN.

    It also seems that with so many web properties now like Facebook, MSN and soon Yahoo!, MS can not only make it seem like this is the only ‘normal’ way to log in, but also set themselves up as a primary Certification Authority in the process.

    Comment by Burz — 7 Feb 2008 @ 22:10
