Microsoft Seeing Dev Activity Around CardSpace
Microsoft CardSpace identity management client attracts development activity, new SDKs.
Six months after Microsoft rolled out its CardSpace identity management client, Redmond says at least three third-party firms are writing software development kits (SDKs) for the technology, and large corporations are evaluating potential implementations with proofs of concept.
Thom Robbins, Microsoft's director of .NET platform product management, says the perceived demand for SDKs is a sign that dev shops see CardSpace as a potential security enhancement for their apps.
"People are definitely looking at it," Robbins says.
Microsoft introduced CardSpace a little more than a year ago at the RSA 2006 trade show in San Jose, Calif., and then released it with the .NET Framework 3.0 in November.
German software engineer Sergey Shishkin, who's coded CardSpace-enabled apps and is wrapping up work on a CardSpace SDK for the .NET development services firm Newtelligence AG, says he expects the identity management client to quickly become ubiquitous on desktops in the enterprise and beyond.
"CardSpace ships with Windows Vista and is available as a separate download for Windows XP. There's a similar cross-platform open source implementation for Linux and Mac OS. And more products will come," Shishkin predicts.
A Question of Identity
CardSpace is part of Redmond's vision for an overall Identity Metasystem to protect privacy, stymie phishers and foil identity thieves, while simplifying the jumble of usernames and passwords that consumers and businesses rely on to protect themselves.
Rather than attempt to replace numerous digital identities with a single uber-identity, the metasystem instead seeks to organize them into a rational portfolio. Software implementations such as CardSpace manage information cards created by users themselves or issued to them by services providers such as banks.
Robbins and Shishkin see plenty of potential uses for CardSpace in the enterprise beyond public-facing Web sites.
"In the past I had my Active Directory and you had your Active Directory," Robbins explains. "In the new world of business, I may want you to have access to my Active Directory."
CardSpace allows one company to grant another access to specific resources on its network, and nothing else, by issuing information cards that specify a partner's privileges.
To CardSpace-enable existing .NET programs -- so users can log on via information cards -- takes only a few lines of code within Windows Communication Foundation (WCF). Software not running on WCF can be manually enabled through the CardSpace API, Shishkin says.
But Microsoft's existing framework for developing with CardSpace has limitations, he notes. "If you want to issue your own information cards, you need to format a special XML document with identity metadata and deliver it to the users as a file. But to support your information cards you will also need to implement a security token service," Shishkin says. "This task isn't covered so well by Microsoft and community code samples. Ideally, a configurable and customizable security token service should be a part of the next version of the Windows Server platform."
Robbins says Redmond is open to the possibility.
"As we hear that from our customers, we're absolutely looking at how we want to proceed with that," he says.
Microsoft plans to issue its own CardSpace documentation and guidelines in the near future, and Robbins says he knows of two outside companies working on SDKs in addition to Newtelligence.