Craig Burton

Logs, Links, Life and Lexicon: and Code


The Clay Feet of Giants

February 18th, 2011 · 5 Comments · feature, Identity, Innovation


It’s been a week since Microsoft announced that it was never going to release the next version of CardSpace. The laughable part of the announcement is the title “Beyond Windows CardSpace,” which would lead you to believe that Microsoft has somehow come up with a better architecture.

In fact Microsoft announced its discontinued development of CardSpace with absolutely no alternative.

Just further evidence of just how irrelevant Microsoft has become.

The news that Microsoft had abandoned CardSpace development is not news to those of us who watch this space; Microsoft hasn’t done Jack with CardSpace for over two years.

It’s just that for some reason Microsoft PR decided to announce the matter. Probably so the U-Prove group could get more press.

A Little History

In early 2006, Kim Cameron rolled out the Laws of Identity in his blog. Over the next few months, as he rolled out each law, the impact of this powerful vision grew, culminating in the release of the CardSpace architecture and Microsoft’s licensing policy, which rocked the identity community.

Two years earlier Microsoft was handed its head when it tried to shove the Passport identity initiative down our throats.

Kim Cameron turned around and proposed and delivered an Identity Metasystem—based on CardSpace—that has no peer. Thus the Identity Metasystem is the industry initiative to create an open, selector-based digital identity framework. CardSpace is Microsoft’s instantiation of that Metasystem. The Pamela Project, XMLDAP, the Higgins Project, the Bandit Project, and openinfocard are all instantiations of the Identity Metasystem in various stages, in single- and multiple-vendor versions.

Let me be clear. The Identity Metasystem has no peer.

Anything less than an open identity selector system for claims-based digital identity is simply a step backwards from the Identity Metasystem.

Thus SAML, OpenID, OAuth, Facebook Connect and so on are useful, but are giant steps back in time and design when compared to the Identity Metasystem.

Interpreting Vendor Speak

Two years ago when I had the chance to ask the people making the decision to abandon CardSpace what was driving their decision, here was the answer: “We will invest in CardSpace when our customers ask for it.”

To understand this statement, one needs a short course in “Vendor Speak.” Vendor Speak is the language all vendors seem to somehow learn to use when cornered and asked about sensitive topics. Examples of Vendor Speak answers to tough questions are as follows:

Tough Question: When are you going to release that announced product or feature?

Vendor Speak Answer: We will ship that product in Fourth Quarter.

Interpretation: Engineering will be burning the late night candles on December 31st.

Tough Question: What is the status of delivering a promised or much-needed product feature?

Vendor Speak Answer: We will build that feature when the customer demands it.

Interpretation: There is no one working on that feature and there is no budget available to get it done.

So when the Program Manager gave me the “we will deliver when the customer demands it” line, I knew we were in for a dry spell with CardSpace. I probably should have kept quiet instead of telling him what I thought, as in the end it made no difference.

Hey, Microsoft is not alone in this. ALL of the big vendors that made a commitment to the Identity Metasystem have stopped their funding of development.

When I ask each one of them why, they ALL give me the same Vendor Speak answer: “We will be happy to work on this when the customer demands it.”

Where does this leave us?

The bad news:

For now, we are going to continue to wallow without an identity layer for the internet. This will continue to bring security and scam woes down on the heads of companies and individuals for the foreseeable future.

The good news:

I am glad Microsoft is out of it. The company’s lack of leadership and innovation has rendered it irrelevant anyway. Microsoft has become the IBM of the past: a crumbling giant with feet of clay.

This means there is an opening for someone, or some group, with a bit of vision and leadership to take up the task.

I have no doubt that this will happen.

Conclusion

Microsoft blew it when it dropped CardSpace development. Microsoft is a company without leadership, vision, or innovation. In terms of digital identity—and most other core technologies—Microsoft has become irrelevant.

Making infrastructure—like the Identity Metasystem—is a tough thing to do and understand.

But mark my words, we WILL have a selector-based identity layer for the Internet in the future. All Internet devices will have a selector or a selector proxy for digital identity purposes.

I predict this inevitability by simply examining the choices:

  1. Use an alternative. This isn’t going to happen, there isn’t one.
  2. Invent a new alternative. This could happen, but it would be insanely difficult and probably end up almost the same anyway. It isn’t like these people haven’t thought through the issues.
  3. Use the Identity Metasystem. This is the best idea. It will probably not be called an Identity Metasystem or CardSpace, and certainly have less connection to Microsoft. But it will be the Identity Metasystem nonetheless. OpenID and OAuth could evolve to meet the challenge. They do not in their current state.
  4. Do nothing and hope things work out.

The work of Kim Cameron—and countless others involved with the Identity Metasystem—has changed our understanding of what is needed for digital identity forever. The genie is out of the bottle. There will be no going back to the ad-hoc identity system we are stuck with for now.

I just don’t know how long it will take.



  • http://twitter.com/Steve_Lockstep Stephen Wilson

    No doubt there is some politics and vendor psychology going on behind the decisions, but there is an alternative theory behind Cardspace's woes: It's just not as great an idea as it first seems. The Metasystem is way over-engineered. It tries to solve stranger-to-stranger “trust” (as did Big Fat PKI in the 1990s) and seeks to allow parties to confirm one another's *un*anticipated identity assertions.

    These are almost academic problems. By far the most economically important transactions on the Internet occur between parties that already have their local “metasystem” in place. Payments, e-health, share trading, e-government etc. all take place within overarching risk management and legal arrangements that involve registration protocols, formal credentials, terms & conditions, liability allocation etc. Parties in these different niches know precisely where they sit. They know their roles & responsibilities *before* they transact, even before they've installed whatever extra software and authentication devices are required according to the local risk analyses.

    The “price” we pay for this level of crystalline certainty is that our different identities are brittle: they are highly context dependent, which is exactly what the Laws of Identity teach us. On the other hand, the utopian Identity Metasystem tries to teach us to re-use a smaller number of identities across contexts, as if this will have relatively minor impact on all those local risk management arrangements, and result in a lower total cost of ownership of IDs. Well, it doesn't.

    Identities have evolved to fit their respective niches in various real world business ecosystems. Federating brittle context-dependent IDs increases TCO. You can no more take for instance an identity from a phone company and use it at a bank (as the White House waxes lyrical under NSTIC), than you can take a tropical reef fish and drop it into a cold fresh water tank. Some organisms can do well in different ecological niches, and some identities likewise can be re-used; in Scandinavia they introduced legislation so certain prescribed bank-issued IDs (not all IDs by any means) can authenticate individuals for certain G2C e-business. It took a lot of effort, and it’s still a very tightly controlled in-country federation.

    Occasionally you find things going gangbusters in alternate ecological niches. We call them weeds. An example is Facebook Connect.

  • http://www.craigburton.com craigburton

    I love this comment.

    It shows the traditional confusion that we have surrounding digital identity.

    For some reason, it keeps being locked in to single sign on.

    Granted, Facebook Connect is a simpler system. But it is not a claims-based identity model. We need to go beyond SSO and make client-based, user-controlled assertions that are separate matters from just logging in.

    Facebook Connect isn't even in the running.
