Executive Summary:

Windows CardSpace, part of Microsoft’s Identity Metasystem, offers a valuable alternative to the classic username/password scheme and puts users back in control of their identity interactions on the Internet. The widespread adoption and success of CardSpace will largely depend on the number of websites and applications that support it.


While using Windows Vista, you might have noticed a new Control Panel applet called Windows CardSpace and wondered what it's for. Windows CardSpace is a brand-new client-side identity-management tool that lets you create and manage personal information cards, or InfoCards. These InfoCards are digitally signed XML constructs that you can use to identify yourself to CardSpace-enabled websites.

CardSpace is part of Microsoft’s Identity Metasystem, the company's Internet-centric vision for identity management. With the Identity Metasystem, Microsoft abandons the notion of a universal and single-user identity for the Internet. Remember the early days of Microsoft Passport? Instead, Microsoft now focuses on the creation of a universal framework that can connect existing and future identity-management systems and provide interoperability between these disparate systems. For a broader introduction to the Identity Metasystem, see the Microsoft article "Microsoft's Vision for an Identity Metasystem".

Let's take a look at CardSpace and its interface and begin to understand the value of what CardSpace can provide the average Windows user. Let's also see what happens behind the CardSpace scenes.

What CardSpace Can Do
CardSpace offers a user-friendly and secure alternative to using simple usernames and passwords for identification and authentication on the Internet. Even though usernames/passwords are still the prevailing identification and authentication paradigm on the Internet, they have many weaknesses. Many users wrestle with password fatigue. They have to deal with too many passwords—a situation that results in password reuse, insecure passwords, and forgotten passwords. Bad password-management practices also create more opportunities for malicious users. Add to that the increasing number of password thefts through counterfeit websites and man-in-the-middle attacks, and you understand why usernames/passwords are far from an ideal solution.

CardSpace can resolve those problems. Users with InfoCards no longer need to remember various username/password combinations; they can simply select an InfoCard from the CardSpace interface to identify themselves to CardSpace-enabled websites. InfoCards are also more secure than passwords because they're securely stored and sent across the network through strong Advanced Encryption Standard (AES) cryptography.

There are always three participants in a CardSpace interaction: the user, an identity provider, and a relying party. The user controls all interactions that involve his or her InfoCards. He or she chooses which InfoCards to create and which to use for identifying to a given website.

Identity Providers issue InfoCards to users. For example, businesses can issue identities to their customers, and organizations can vouch for the identities of their employees. InfoCards that businesses, online services, organizations, or governments issue are called “managed” InfoCards. Managed InfoCards are site-, organization-, or business-specific. They're issued by third-party identity providers that might—depending on usage—charge the user for issuing the InfoCard. An InfoCard provides claims about a person on the person's behalf. A claim is the Identity Metasystem term for facts or statements about a user. The name and gender of a user, or proof that a user’s identity has been verified by a certain authentication authority, are examples of claims that can be stored in a managed InfoCard. In terms of vouching for a user’s identity, InfoCards are comparable to the SSL certificates we use today for identifying ourselves to websites.

But individuals can also be their own proper identity provider, and issue their own proper InfoCards, which are called self-issued InfoCards. As opposed to managed InfoCards, self-issued InfoCards are general-purpose and can be used against various applications and/or websites. Not all websites and applications accept self-issued InfoCards. As part of the CardSpace exchange, a website might require that a user’s InfoCard be a managed card issued by a trusted identity provider such as the VeriSign Certification Authority (CA).

Finally, relying parties accept and consume the InfoCards a user provides. These are typically websites that use InfoCards to identify and/or authenticate users or to personalize web content.

The CardSpace Interface
CardSpace stores references to users' different digital identities and presents these to users as visually attractive InfoCards. In Identity Metasystem-speak CardSpace is also referred to as an “Identity Selector”: it provides a nice interface that enables people to easily select and use their different identities in applications and on websites.

To play around with the CardSpace interface, you can simply log on to a CardSpace-enabled website. Examples of CardSpace-enabled sites are signon.com or Kim Cameron’s Identity Weblog—Kim is the author of The Laws of Identity project. At the top right corner of this website, you'll notice the CardSpace logon icon (the purple “i” inside a purple rectangle).

When you click the icon—and if it's the first time you're using CardSpace on this website—the Do you want to send a card to this site? dialog box that you see in Figure 1 appears. This dialog box lets you identify the website prior to sending one of your personal InfoCards to the site. From the Tasks pane on the right, you can view the website’s X.509 certificate details or check the site’s privacy statement. This illustrates a key security advantage of the CardSpace system: server authentication. Server authentication is also one of the reasons why CardSpace can better protect users from phishing. Phishing attacks consist of malicious attempts to acquire sensitive user information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity.



Based on the trust you have in the site’s identity information, you can then decide to select one of your personal InfoCards (by clicking the Yes, choose a card to send option) or to stop the CardSpace exchange (by clicking the No, return to the site option).

If you want to proceed with the CardSpace exchange (and this is the first time you're using CardSpace on your system), you'll see the Create a card to send to screen, from which you can choose to create a personal card (i.e., a self-issued card) or install a managed card.

If you decide to create a personal card, you'll see the Edit a new card dialog box, which Figure 2 shows. Here, you provide a name for your new InfoCard, select an icon or picture to represent the InfoCard, and enter the values for a number of attributes that the InfoCard will store. When you create a new InfoCard to identify yourself to a website, CardSpace marks the attribute fields that the site requires in red. These represent the claims a website wants to get from the user before he or she is allowed access to the site’s content.



If you choose to install a managed card, CardSpace prompts you to provide a Managed Card Information file (i.e., a file with a .crd extension).

If you have used CardSpace before (meaning your CardSpace store already contains InfoCards), you'll see the Choose a card to send to… screen, which displays InfoCards currently available on your system, as you see in Figure 3. These include both self-issued and managed InfoCards.

To determine the exact details an InfoCard holds, you can select the card and click the Preview button. If you've used a particular InfoCard before, the preview screen will also contain card-use history and creation date, as Figure 4 shows.



Besides displaying all the card data, the details screen also lets you set an important optional InfoCard property: a PIN. This is a security feature that adds one more level of security to an InfoCard. In the Tasks pane of the Card Details dialog box, you can see the Lock this card option. When you choose to lock a card, you're prompted to enter a PIN. Afterward, each time you want to access or use the InfoCard, you'll be requested to enter the PIN. Locking InfoCards is an interesting option for shared computer systems, and in situations in which a card contains personal information or identifies the user to special websites such as online banking sites. Organizations that want an even higher level of security for securing access to their users’ InfoCards can require the presence of a certificate that is securely stored on a smart card. This means that prior to using and accessing the InfoCard, the user must insert the correct smart card and authenticate to it using the smart card PIN.

When the user selects a managed card, the CardSpace software contacts the issuer of the InfoCard (i.e., the identity provider) to obtain a digitally signed XML token that contains the requested claims.

Under the Hood
CardSpace is installed by default on Windows Vista. It's available as a download for Windows XP and Windows Server 2003 via Windows Update. To confirm that Windows CardSpace is installed on your system, open Control Panel and look for the Windows CardSpace applet, or look for the Windows CardSpace service in the Services section of the Microsoft Management Console (MMC) Computer Management snap-in.

Windows CardSpace is also bundled with the .NET Framework 3.0 and later versions, which runs on Windows Server 2008, Vista, XP, and Windows 2003; .NET Framework 3.0 is bundled with—but not installed by default on—Server 2008. So, the easiest way to add CardSpace support to Server 2008 is to install .NET Framework 3.0 Features.



To use CardSpace, you also need a compatible web browser. Internet Explorer 7 (IE 7) supports CardSpace natively, and third parties provide support to integrate CardSpace functionality into other browser platforms. For example, you can find a CardSpace plug-in for Firefox at the CodePlex IdentitySelector page.

Microsoft built Windows CardSpace atop the Web Services protocol stack (WS-*), an open set of XML-based protocols for web service communication. Any application or platform that supports WS-* protocols can integrate with CardSpace. For more information about the WS-* specifications, see the Microsoft article "Web Services Specifications Index Page".

To accept InfoCards on a website, a developer must add specific HTML tags to the web content that specify the user claims that the site requires. The developer must also implement code on the web server that decrypts the InfoCards and extracts the user claims. A quick Internet search yields code examples to integrate InfoCard not only with Microsoft-based websites but also with other web application servers—for example, Apache.

If an identity provider wants to provide managed InfoCards to users, it must have a Security Token Service. An STS is a security authority that can create managed InfoCards. An identity provider that doesn't want to build its proper STS can buy one from vendors such as Ping Identity. Another option is to wait for the release of Microsoft’s Federated Identity Server (code-named Geneva), which will provide an Identity Metasystem-compliant STS that can interface with CardSpace. Consider Geneva as the next evolution of Microsoft’s Active Directory Federation Services (ADFS), which is bundled with Server 2008 and Windows 2003.

A little more about interoperability: CardSpace and the Identity Metasystem can deal with various security token formats, which explains why CardSpace shouldn't be considered a competitor to other Internet-identity architectures such as OpenID and Microsoft’s Windows Live ID. You can use CardSpace InfoCards to sign in with your OpenID or Windows Live ID account. To link an InfoCard to your OpenID account, visit SignOn.com. To link an InfoCard to your Windows Live ID account, go here.

Secure Alternative
Through its user-friendly interface and its secure architecture, CardSpace offers a valuable alternative to the classic username/password scheme and puts users back in control of their identity interactions on the Internet. The widespread adoption and success of CardSpace will largely depend on the number of websites and applications that support it.