CardSpace B2B

29.06.2007 13:22 Martin Kuppinger
Using CardSpace in Business
There is more than end-user business...
CardSpace is a solution for end users – at least according to general opinion. In other words: It is an important element in business environments. According to KCP, CardSpace will also be in a position to play an essential part in B2B scenarios.

CardSpace, Microsoft's implementation of so-called InfoCards, is delivered with Vista. InfoCards, which hold information about users and are used to exchange user attributes, are also supported in many other projects, especially in the open source field. This makes them very likely to become a de facto standard.

The typical scenario for the use of CardSpace and InfoCards is the B2C field. A.T.E. Software, for instance, a Microsoft partner, presented a CardSpace solution at the European Identity Conference 2007 in Munich, which is in use at OTTO Group. OTTO's customers can store their specific data on InfoCards and have it automatically transferred to the website for authentication.

In this business area, CardSpace is capable of gaining influence quite fast. For users, it offers a more comfortable and transparent way of providing personal data, without having to fill in registration forms on websites over and over again. For a number of purposes, InfoCards issued by the users themselves will be sufficient, just as typing in one's personal data is generally accepted today.

Although it is not yet obvious, there is good reason to believe that external Identity Providers will also turn up offering “managed cards”. These cards can hold much more information than the InfoCards issued by users. The Identity Provider stores the data and takes over the job of authentication. Depending on the trustworthiness of the Identity Provider, this model also makes more demanding solutions possible. We are thinking of credit card providers, who might act as Identity Providers to ensure secure e-commerce. At present, Microsoft is conducting negotiations with several possible Identity Providers. However, the business models needed to manage the virtual cards efficiently still have to be developed. On the other hand, OTTO is its own provider of managed cards – you don't need a third party.

A completely different field will open up with CardSpace 2.0, a version to be provided within the “Longhorn wave”, i.e. some months after the delivery of Windows Server 2008 (code name “Longhorn”). CardSpace 2.0 will, among other things, support integration with Active Directory, with the result that enterprises will be able to issue cards without much effort. Providing cards from Active Directory is quite an interesting idea. The open question is whether the combination of CardSpace 2.0, Active Directory and ADFS allows complete automation or whether additional solutions have to be worked out. Moreover, Microsoft partners might provide suitable add-ons in due time.

Using the cards will make it possible to centrally provide role-specific data or additional information about staff members. This data is reliable, because authentication is run via Active Directory. The cards may also be used to make sure that an enterprise's employees always register on websites in the same way. Another future application of the cards might be the provisioning of additional information such as the allowed limit for online purchases or data for order handling. A number of other enterprise processes could be facilitated as well. And the enterprise could be sure that staff members, by using the data on the InfoCards, present themselves to the “outside world” in a clearly defined, consistent way.

This is an aspect of CardSpace that is still neglected in enterprise environments. But its potential in this field is considerable, also with respect to the precise definition of federation relations. This point deserves careful consideration.

© 2011 Kuppinger Cole Ltd.