On the Demise of CardSpace


If you like slugfests between respected people, look no further than the recent yelling contest between Craig Burton (of Novell fame) and Kim Cameron (Microsoft) on what went wrong with CardSpace. Craig certainly has reasons to be angry, because he has been on the board of the Information Card Foundation, which was set up by, among others, Microsoft to promote information cards, and, as he writes:

Microsoft didn’t even bother to let the ICF board know it was going to announce the discontinued development of CardSpace until AFTER the press release was distributed.

But that’s only the last of the very many hiccups that have plagued Microsoft’s user-centric identity efforts for years:

I know first-hand, because Microsoft touted the OSIS project (that I started) for a long time as the primary evidence that the market adopted their point of view. That always looked rather odd to me: yes, we had lots of impressive company affiliations in OSIS, but just because you assemble a bunch of your friends in an open-source/interoperability project, it does not mean that the companies they work for have anything serious in mind. In particular in the face of having CardSpace distributed with each and every copy of Windows. And little OSIS is the poster child?

I gave up on the whole information card idea a la Microsoft several years back — silently, so as not to upset too many people, when the following discussion transpired in an OSIS working session at IIW:

“So what do we do if X Y Z in this particular use case?”

“Oh easy — we just fall back to the password reset functionality”

If technologies and their technologists dismiss millions of dollars in additional customer support costs as “oh easy”, isn’t it very, very obvious that no business person will ever adopt the technology? I’m pointing out this one particular exchange because it was so memorable to me; the entire project was, from the beginning, totally disassociated from any understanding of what problems normal customers actually wanted to have solved, and what constraints they were facing. And over time — that’s the bad part — there were no lessons learned that could have acted as a course correction. There were plenty of people who had relevant insights that would have been useful.

For right now, Facebook has won the identity wars. Not because they were brilliant (although they have been smart), but because the rest of the industry, from Microsoft on down, has been asleep at the wheel or dream walking. And when they had something (like OpenID at some point) it seems like they were hell-bent on killing it off, by, among other things, fighting over a $0 billion market such as whether it should be URLs or cards, pull or push, or by inventing so many more incompatible ways of doing the same thing.

A sad state of affairs. Hopefully that will change again, but not this year and probably not next. For now, user-centric identity is dead.


One response to “On the Demise of CardSpace”

  1. Johannes, really interesting blog, thanks.
    I am no fan of CardSpace, and I appreciate your interesting account of how people wouldn’t really commit to technological improvement. Yet I think it’s only part of the story. There are fundamental business-architecture problems around CardSpace (and OpenID). I fear we’re not debating the deep structural issues and so the IAM industry will go on repeating the same mistakes for another 10 years.
    I don’t think it’s fair to say that user-centric identity is dead. Arguably, Facebook Connect is VERY user centric. Empirically it must be because it’s proving so popular!
    So when you say ‘not user centric’ do you really mean that it doesn’t conform to the ideals of the Identity Metasystem? My analysis is that the Id Metasystem model itself is the real problem. It is much too complex and abstract for the problems we’re trying to solve, namely the password plague and ID theft. See also http://lockstep.com.au/blog/2011/01/11/id-over-engineered.
    Most modern federated identity models are just like old fashioned Big PKI insofar as they attempt to create trust between strangers online. That is such a hard problem that we end up with multiple liability exclusions and all sorts of fine print (which is what killed off Big PKI). I don’t even think that stranger-to-stranger e-business is economically or socially important; it’s utopian. So the goal of the metasystem is too lofty, too distracting, and it creates too many costly complexities, especially legal complexities.
    I think user centric identity management should start by taking the perfectly good identities we have in the real world (employee IDs, name-and-address, credit card numbers, health identifiers, professional registration numbers, student numbers etc. etc.) and render them in a user-friendly and non-replayable form. Smartcards and/or smartphones, carrying *multiple* embedded public key certificates, will do the job very nicely indeed. We can easily manage portfolios of personal smart hardware-based identities (via the wonderful InfoCard selector GUI). We do not need to complicate matters by introducing weird and wonderful new third party IdPs, or making banks and telcos re-engineer themselves into IdPs with radical new business models.
    The true reason open identity struggles in serious e-business is that it changes simple bilateral relationships between service provider and customer, into novel new multi-lateral relationships with extra IdPs. The Identity Metasystem is a radical new way of doing business.