Open letter to the CardSpace team

Noticed from Kim’s blog that the CardSpace team is blogging. I’m just back from DIDW where I had some good discussions while presenting our Payment Card Demo. So I figured it might be a good idea to compile a list of the things that I heard and share it with the CardSpace team. If I have missed anything, please let me know and I’ll update the list.

  • Too many clicks
    In our demo, we showed how you can use a card to make an online purchase with a merchant e.g. Amazon. Once I have my profile set up at Amazon, it takes “1” click to make the payment. With Information cards, it takes “5” clicks. Every time.
  • UI too techie
    The whole CardSpace UI is too techie, especially the error messages. Messages like “Personal Card is encrypted…” and when to ‘retrieve’, ‘preview’ or ‘send’ a card are all technically correct… but explain that to my grandmother in Omaha. (My grandmother doesn’t live in Omaha nor do I think that people from Omaha are dumb…but you get my point).
  • Too slow
    This is my personal pain point. Since launching SignOn.com in July, I haven’t used the username/password option while logging on to SignOn.com. However, the CardSpace client is too slow (especially during the first invocation). At times, I wonder if I clicked it or if the site crashed. The auto-form-filled username/password option is so much more convenient.
  • CardSpace Distribution
    Relying parties see no reason to support CardSpace at this time, since there is hardly any user adoption. “<grin>I’ll implement it when more than 5% of my user base can use it</grin>” is the standard response from the application providers. From the user perspective, “<chuckle>I’ll install it when there are more than 2 websites where I can use it.</chuckle>”. It’s a Catch 22 but someone has to bootstrap the process. Vista adoption has been slow. One can download it for XP, but the download is over 50MB and there is no reason for an average user to go through this. My suggestion ( talk is cheap :-) ) is to break the CardSpace component out of the .NET 3.0 framework and then push it down to the user’s desktop via Windows update. I know this is probably wrong and breaks a few of the identity laws (user consent etc) but it’s not like you haven’t done something similar to this in the past. Plus it’s for the user’s own good. They just don’t know it yet.
  • Submit it to a standards body
    You have done a great job in opening up the specifications. Other identity selectors like xmldap and DigitalMe are proof that you can have an end-to-end deployment without any Microsoft technologies. However, the CardSpace profile (I don’t know if this is the right term. It was used by one of the attendees) on how the selector gets invoked and how the message gets encrypted, the 14 self-issued claims are still under your control and it will be nice to submit it to a standards body and let others collaborate/contribute.
  • Open up your road map / bug list
    I understand that you have a lot on your plate and you are working as hard as you can to get the next version out. However, it will be nice to get some transparency into your roadmap / bug list on what and when you are planning to release. I’m not asking for an exact date for the CardSpace 2.0 release, but it will be nice to get what month/quarter do you plan to release and what are the top 5 features that we can expect. If you can open up your backlog/bug list to the public, that would be awesome.
  • Get some awareness
    Something on the likes of spreadfirefox.com. The OpenID foundation did a great thing by starting the bounty program. Native plugins for Joomla, Drupal, WordPress and the likes will really make it easy for the site owners/deployers. I understand some of this is in progress. The Catalyst event in June and the one coming up in Barcelona are a step in that direction. But it will be nice to get the ‘13 year old army’ (learned this term while attending a Boulder Barcamp) behind you. BTW…last time I checked spreadcardspace.com is still available.
  • Open/Free RP toolkits
    This relates to the previous point. It takes a weekend to get an OpenID library, deploy it and test it. It takes over a week to understand the specs around Information Cards. Some drag and drop library where the installer/deployer doesn’t really need to know the inner workings will really help.
  • Cards Portability
    This issue has to be addressed (if not resolved) before calling CardSpace a real, production-ready, mature, ready for mass deployment technology. I know that cards can be exported and imported but it’s not practical. A way to carry my selector on a USB key or a smart card based selector or a mobile based solution or a service in the cloud with one click sync.
  • Get the terminology right
    I understand the difference between CardSpace, Information Cards, Infocard, Identity Selector, Identity Agent, Digital Me etc, but it causes confusion. When building SignOn.com FAQ, we looked around for an official definition for ‘Information Card’ and found none. Our tech writers eventually came up with this. Have an official one page to explain the terminology and then heavily reference that page everywhere.
  • Features
    This is at the bottom of the list. You can always add features and still have some more to add. I don’t think it’s the features that’s hindering the adoption. All of the below items will be good to have but some real world deployments even with limited use cases should be higher priority. Here is a partial list of the features that came up:

    • Allow for multiple issuers for the RP.
    • Allow for RPs to transfer information to the IdP at runtime. I know this can be hacked a bit by setting ‘RequireAppliesTo’, but I would like to be able to pass proper data structures both ways.
    • Ability to either modify or extend the CardSpace GUI.
    • Ability to allow for other type of authentication methods e.g. OTP.
    • Allow the user to shut off the CardSpace invocation on a per RP basis. I agree with the user consent et al. but it does get annoying on frequent use.

I strongly believe that CardSpace/Information Card is a great technology. Kim, Mike and the rest of the Microsoft folks have been very open and supportive in sharing information and resources. Most of the people I talked to shared the same sentiment. We even had a round table on CardSpace/OpenID during our User group session after DIDW and everyone can see the potential. I hope we all will be around to see that happen :-) .

3 Responses to “Open letter to the CardSpace team”

  1. [...] Ashish Jain posted an “Open Letter to the CardSpace Team” that I’d highly encourage everyone interested in Information Cards to read. As I replied to [...]

  2. [...] also means that Open letter to the Bandit team is [...]

  3. [...] frequently heard feedback points was to make the user experience less disruptive. For instance, Ashish Jain wrote about “Too many [...]
