User Centric Identity Management

10.07.2007 14:36 Martin Kuppinger
Strong Alliance
OpenID and CardSpace growing together
Two of the protagonists leading the way in the wide field of what my partner Tim Cole likes to call Identity 2.0 are the OpenID community on the one hand and Microsoft's digital identification system CardSpace, which ships with Vista, on the other. Both approaches will dramatically influence the way we use the Internet in the future. Above all, they will push enterprises to think about what communication with their customers on the web could and should be like.

In March 2007, the executives behind these two initiatives explained that their goal is close cooperation and complete interoperability between the two technologies. I highly appreciate this step; it will be helpful for both sides and for all users.

OpenID starts from the assumption that users on the Internet should be able to prove their identity just as websites do, i.e. by using a so-called URI (Uniform Resource Identifier), comparable to the URL of a web document. For authentication, OpenID uses standards such as Yadis, a protocol and file format that allows information about the services supported by an HTTP URL to be described and retrieved within the concept of a URI-based identity. The result is that the user uses his URI as a user name, whereas his “password” is kept safe with the OpenID Provider. By the way, everybody can act as an OpenID Provider, but I assume that a group of specialized and trustworthy Service Providers will emerge from this development.
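The Yadis lookup described above, seen from the website that accepts the login, as an added example that is not part of the original article. The XRDS document is constructed sample data, the host names are placeholders, and the function name `openid_endpoints` is hypothetical; the namespace and service type URIs are the ones defined by the Yadis and OpenID specifications.

```python
import xml.etree.ElementTree as ET

# XML namespace of XRD elements in a Yadis (XRDS) document.
XRD_NS = "{xri://$xrd*($v*2.0)}"
# Service type URIs that mark an OpenID sign-on endpoint.
OPENID_TYPES = {
    "http://specs.openid.net/auth/2.0/signon",
    "http://openid.net/signon/1.1",
}

# Constructed sample: what a Yadis lookup on the user's URI might return.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>http://legacy-op.example/server</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example/openid</URI>
    </Service>
    <Service priority="5">
      <Type>http://unrelated.example/service</Type>
      <URI>https://other.example/</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

def openid_endpoints(xrds_text, require_https=True):
    """Return OpenID Provider endpoint URIs, lowest priority value first."""
    root = ET.fromstring(xrds_text)
    found = []
    for svc in root.iter(XRD_NS + "Service"):
        types = {t.text.strip() for t in svc.iter(XRD_NS + "Type") if t.text}
        if not types & OPENID_TYPES:
            continue  # describes some other service, not an OpenID Provider
        prio = svc.get("priority")
        rank = int(prio) if prio and prio.isdigit() else float("inf")
        for uri in svc.iter(XRD_NS + "URI"):
            target = (uri.text or "").strip()
            # The user authenticates to the provider at this endpoint, so the
            # accepting site can refuse to send him to a cleartext one.
            if require_https and not target.startswith("https://"):
                continue
            found.append((rank, target))
    return [u for _, u in sorted(found, key=lambda p: p[0])]

if __name__ == "__main__":
    print(openid_endpoints(SAMPLE_XRDS))
```
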

In contrast, Microsoft CardSpace – formerly called “InfoCard” – focuses on virtual identity cards stored and managed in the operating system, and the user is free to deposit on them any identity data he likes. Whenever a website requires personal information, CardSpace will draw the correct card, showing it to its owner and asking him for permission to pass on the data. Behind the whole thing, some sophisticated security and authentication mechanisms are at work, hardly visible to the user. CardSpace, for example, works with a self-signed PKI certificate for the local account and a certificate which is signed by the certificate authority of the Active Directory. In short, Microsoft's focus is on the exchange of information.

Now the initiators of these approaches, Dick Hardt of Sxip and Kim Cameron from Microsoft, have announced that they are striving for total compatibility of their standards. Microsoft has promised, among other things, its support in connection with phishing problems. On the other hand, OpenID will be able to take advantage of CardSpace's InfoCards when it comes to the exchange of identity information.

So far, so good. But here is the really exciting question: What does the user gain from all this? The answer is, as Franz Beckenbauer would put it: Schaun mer mal – or: time will tell. It will take some time until both systems become accepted standards in the market. From today's perspective, this is what the most probable scenario looks like: OpenID will establish itself as the “public identity”, whereas CardSpace, as predicted by KCP some time ago, has a good chance of becoming the world standard for user-oriented storage of digital identity information.

And then there is AOL's announcement to implement OpenID at once – another event emphasizing the importance of the alliance between OpenID and Identity 2.0 for the Internet of the future. The fact that Ping Identity supports OpenID as well as CardSpace in its brand-new release of PingLogin points in the same direction. In addition, Ping has lately come up with an open source CardSpace module for Apache 2. These approaches, together with initiatives of other companies such as Verisign and Microsoft's commitment to interoperability and support, make this issue one of the most exciting in today's IT.

For owners of websites worldwide, the question is no longer whether to support Identity 2.0. It's only a question of time. Enterprises must start now to concern themselves with possible strategies, and during the next 12 to 18 months they will have to work out a creative and practicable strategic plan for accepting open identities and delivering the best possible customer service. Those who do not react in time will probably find themselves left far behind.

At KCP's European Identity Conference from May 7-10, 2007, open identities were one of the main topics. Among the speakers were some of the leading representatives of this movement, for example the “father” of Identity 2.0, Dick Hardt from Sxip Identity, but also Johannes Ernst from netMesh and Don Schmidt from Microsoft. It was the perfect opportunity for our participants to get current information about the latest developments in this field and to discuss their own strategies for customer communication with highly respected experts. A highlight for those who are mainly interested in CardSpace was the contribution regarding the first German CardSpace implementation at Otto Versand, including a workshop. For further information please see www.id-conf.com.

© 2012 KuppingerCole