Gartner Blog Network

Cardspace – where do things stand now?

by Robin Wilton  |  February 18, 2011  |  2 Comments

Via @ggebel on Twitter, I got a pointer to Mike Jones’ thoughtful retrospective on Cardspace here. I have to say, I always had mixed feelings about Cardspace. As someone who had been involved – from inside Sun Microsystems – in the evolution of the Liberty Alliance, SAML and Federation (as a counterpoint to mediated centralised architectures like Passport), Cardspace often struck me as a ‘reaction against a reaction’, and primarily an attempt to regain the marketing high ground. On that basis I was inclined to write it off as a well-resourced solution looking for a problem.

There was a lot on the plus side, though. I have huge respect for Kim Cameron for many reasons. First, he was the person who single-handedly did most to involve Microsoft in the industry discussion about how technology can represent identity. He broke down a lot of barriers, and while I didn’t necessarily agree with the formulation of the “laws” of identity, I can’t deny that they moved the debate forward. Second, I also had a very high regard for Kim’s willingness to listen intelligently to comment and criticism of the Infocard concept, and to adapt it accordingly – even if that adaptation couldn’t always survive the subsequent product management cycle.

I also had direct experience of the professionalism and technical capabilities of Microsoft’s development staff in the UK, as – in response to customer demand – they undertook joint work to implement the Liberty Alliance’s Identity Federation Framework (ID-FF), a protocol which, in some respects, was a direct competitor for their own WS-Fed specification.

But it’s also clear that neither Kim’s vision and understanding nor the field development staff’s abilities were enough to get Cardspace as far as a 2.0 release. So where do we stand? Well, I have two comments, one retrospective and one anticipatory.

Looking back, 20:20 hindsight affords us the usual unique perspective. There are doubtless customers whose future returns on investment in Cardspace now look limited. There are also customers who will now be saying that they made the right call in deciding to wait and see… though I appreciate that there’s an implicit ‘chicken and egg’ dilemma there.

Looking forward, what are we to make of the transfer of marketing focus from Cardspace to U-Prove? Microsoft itself says that one of the issues with Cardspace was that the client software was released before there was an ecosystem of services for it to interact with. Mike Jones also says there was too big a conceptual breach between what the technology did, and users’ understanding of what they were trying to achieve.

I don’t see U-Prove overcoming either of those obstacles as things stand today. In fact, U-Prove is conceptually far harder to grasp than Cardspace, and I think there’s a greater gap between what the technology can do and what users perceive as the privacy problems they need to fix. If Microsoft couldn’t make Cardspace work as a user-facing technology, I have serious doubts as to whether a U-Prove solution can fare better.


Robin Wilton
Research Director
26 years IT industry

Robin Wilton is a research director with a particular interest in digital identity and privacy (and their relationship to public policy), access control and single sign-on, and the productive use of public key infrastructures.

Thoughts on Cardspace – where do things stand now?

  1. […] This post was mentioned on Twitter by Paul Madsen, Robin Wilton. Robin Wilton said: @ggebel @paulmadsen Blogged on the Cardspace 2.0 cancellation: […]

  2. The real trouble with U-Prove is that it is a sophisticated solution to a relatively unimportant problem. It allows parties to verify unanticipated identity claims, yet what matters most in e-business today are anticipated claims, like credit card numbers, health identifiers, proof-of-age, name and address, even SSNs. These identities can be protected against theft/replay/counterfeiting using conventional asymmetric cryptography rather than new zero-knowledge methods. So U-Prove is terrific tech but it’s over-engineered, like the Identity Metasystem itself, which seeks to create trust between total strangers. If we start from a simplifying assumption that most people in routine e-business actually know each other in some way already, then we can maintain relatively simple bilateral arrangements instead of bringing in radically new multilateral arrangements between Customers, Service Providers and brand new IdPs.
