CardSpace Vs OpenID

I have just begun to dig into OpenID. I like the lightweight, simplistic model, but I’m still not convinced that it should be the de facto standard for internet identity. Why?

  • Not sure if there is consensus on the end objective: is it simply for no-value services (e.g. commenting on blogs), or does it have future aspirations to be used in financial transactions?
  • I doubt there is enough incentive for RPs to adopt this model. They still have to do account management. It alleviates the user’s registration pain (which I agree will help increase the new user count), but there isn’t a liability model, and by default the RPs will be liable. So… no technical benefit, they are expected to accept authentication from an unknown IdP, and they are still liable :-)
  • If I’m reading the spec right (1.1), SSL at the endpoint and a shared secret between the IdP and RP are both optional. This makes the barrier to entry lower, but it will also raise concerns from RPs that have something to protect.
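
To make the shared-secret point concrete, here is an added example (not code from the post or from any OpenID library) of what an RP can and cannot check locally in OpenID 1.1. It assumes an association has been established and its MAC key is known to the RP; the key, handle, URLs and assertion below are constructed sample values. Without that key (no association, the "dumb" mode the spec allows), the RP cannot run this check at all and has to ask the IdP with check_authentication.

```python
import base64
import hashlib
import hmac

# Constructed sample: a positive assertion (openid.mode=id_res) as the RP
# receives it on return_to, plus the MAC key agreed when the association
# (assoc_handle) was set up. Key, handle and URLs are made up for this example.
MAC_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0f00f1e2d")
ASSERTION = {
    "openid.mode": "id_res",
    "openid.identity": "http://alice.example.com/",
    "openid.return_to": "http://rp.example.net/finish",
    "openid.assoc_handle": "assoc-demo-1",
    "openid.signed": "mode,identity,return_to",
}

def token_contents(params):
    """OpenID 1.1 canonical form: one 'key:value\\n' line per field named in
    openid.signed, in the listed order, key without the 'openid.' prefix."""
    fields = params["openid.signed"].split(",")
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)

def sign(params, mac_key):
    """What the IdP does: base64(HMAC-SHA1(mac_key, token_contents))."""
    mac = hmac.new(mac_key, token_contents(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(params, mac_key):
    """RP-side check using the association secret. Constant-time compare so a
    forged openid.sig cannot be matched byte by byte from timing."""
    expected = sign(params, mac_key)
    return hmac.compare_digest(expected, params.get("openid.sig", ""))

# Sign as the IdP would, then show that changing a signed field breaks it.
signed = dict(ASSERTION, **{"openid.sig": sign(ASSERTION, MAC_KEY)})
tampered = dict(signed, **{"openid.identity": "http://someone-else.example.com/"})
```

Note that fields not listed in openid.signed are outside the signature entirely, so an RP must check that everything it relies on (identity, return_to at least) is actually in that list before trusting the assertion.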

I have also been spending some time looking at CardSpace. “Discovery”, “Key Negotiation” and “SSO Token” seem to be the major building blocks behind both protocols.

CardSpace, on one hand, decided to solve that with the Identity Selector, PKI and SAML. Both PKI and SAML have been around for a while, and IMO Microsoft did the right thing (not that they asked me) by leveraging existing standards.
OpenID, I believe, was invented to solve a different problem (blog commenting) and is now moving in the direction of being used for something else, so it is reinventing and learning a few things in the process. Paul recently commented on the missing parameter for conveying the authentication mechanism (the equivalent of SAML Authentication Context).

I also noticed a comment from Eddy on the mailing list that I’m reposting with his consent:
“By encouraging the world to integrate OpenID into their software, obviously to spread OpenID, WITHOUT providing adequate protection by the standard itself, to the relying parties is almost criminal! This might be gross negligence and intent by the sponsoring parties”

Net/Net… one looks like an engineering marvel and the other one looks like the tower of Pisa.
In the end, both will be world attractions. :-) :-)

3 Responses to “CardSpace Vs OpenID”

  1. to loosen up on the security/encryption/signing requirements of xmlToken. AOL and OpenID: AOL announced that it will be working as the IdP and doesn’t yet act as an OpenID relying party. Going back to the concerns I (and a few others) have raised earlier that there is a lot more to lose for the relying party. It will be interesting to see if/when AOL opens up their gates for the outside OpenID providers. Google and SAML: As Google enters more partnerships in the consumer space, will they continue to

  3. [...] AOL and OpenID: AOL announced that it will be working as the IdP and doesn’t yet act as an OpenID relying party. Going back to the concerns I (and a few others) have raised earlier that there is a lot more to lose for the relying party. It will be interesting to see if/when AOL opens up their gates for the outside OpenID providers. [...]
