Tuesday, February 06, 2007

Cardspace inside (OpenID)

The identity world is aflutter due to the announcement of Cardspace-OpenID integration (Johannes described it as a marriage; I wonder if there was a pre-nup?).

If I'm reading correctly between the lines, the announcement puts some meat on the integration scenario that was described by Kim a few weeks back, namely how Cardspace authentication could mitigate the much-discussed OpenID phish attack.

For this to work, OpenID providers need to support Cardspace self-asserted cards (thus the commitment from OpenID vendors to add Cardspace) so that the OPs can bridge between the two worlds. Ping already demonstrates this working. Importantly, as Ashish points out, if Cardspace authentication is going to be of value to an OpenID RP, there will need to be mechanisms in OpenID to differentiate such an authentication from a lesser form. AQE is one option.

Interestingly, this is pretty much the same scenario (Cardspace authentication embedded within an SSO sequence) as previously portrayed in Ping's demo showing Cardspace and SAML integration (as commented on by Kim). Strange, no keynote announcement for that integration; I guess it didn't sufficiently excite Bill?

