Steve Plank, Microsoft, splank@microsoft.com
- Players:
  - Identity Provider
  - Relying Party
  - Subject
- Specs:
  - WS-Policy
  - WS-MetadataExchange (WS-MEX)
  - WS-SecurityPolicy
  - WS-Security
- Relying Parties can be web services or web sites, but usually they are web sites
  - Using web services makes things more flexible: a WPF application could be a relying party, for example
- An Identity Selector gives:
  - A consistent user experience: no more dodgy warnings on the Internet
  - CardSpace runs on a separate desktop with no API access, so it cannot be driven with SendKeys
  - Opening CardSpace is like opening your wallet: you immediately recognize it
  - Version 2 of CardSpace will allow custom authentication mechanisms
- There is an Open Source Identity Selector
  - There is an implementation for Firefox on Windows
  - Red Hat has an Identity Selector as well
  - Someone did an Identity Selector for Safari
  - There is a project from IBM
  - Check IdentityBlog for details
- But... the problem is that all those Identity Selectors look different, so the user experience advantage is being lost across the different implementations
- For version 2 of CardSpace there will be a layer abstracting the communication between the identity selector (the CardSpace interface) and the card store. This will make it possible to keep cards on a USB stick or in an external web service, which would allow, for example, getting a card by phone number. Another example would be using the phone itself as the card store (!)
Questions:
- Q: Does it make sense to integrate all those implementations around into one single system at the enterprise (OpenID, CardSpace, Shibboleth, Liberty Alliance, etc.)?
- A: It seems to make sense to abstract the identity authentication process into a module that maps requests according to their formats (OpenID, WS-Trust, Shibboleth, etc.), because many decisions at this time are driven by politics, and basing a custom STS on this module could be a way of ensuring easy replacement and extension in the future
- Q: What about mixed environments, like supporting CardSpace and username and password at the same time?
- A: There are already real implementations supporting both mechanisms. Just have an additional column in the database to support both, and issue in the same way (see http://www.otco.de). In the not-so-near future maybe we will see that using username and password gets so old-fashioned that sites will start to use only cards.
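The "additional column" answer above, as an added example (Python, written for these notes; it is not code from the talk, from otco.de or from the CardSpace samples): one user table whose rows may carry a password hash, a card identifier, or both, with a login path for each. Assumptions: the relying party's token-processing code has already validated the token and extracted the issuer's public key and the PPID claim; a card is then identified by the pair (issuer key fingerprint, PPID) rather than by the PPID alone, because a PPID is only unique within one issuer; the fingerprint is a SHA-256 over the issuer key bytes in whatever encoding the relying party stores. The class and function names are invented for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example: models the "additional column" approach to mixed
# password/card logins. Names and sample keys are constructed, not from
# any product.

CardKey = Tuple[str, str]  # (issuer key fingerprint, PPID)


def card_key(issuer_public_key: bytes, ppid: str) -> CardKey:
    """Identify a card by (issuer key fingerprint, PPID).

    A PPID is scoped to its issuer: two issuers can hand out the same PPID
    for different subjects, so the PPID alone must not be the account key.
    Assumption: fingerprint = SHA-256 over the issuer's public key bytes.
    """
    return (hashlib.sha256(issuer_public_key).hexdigest(), ppid)


class UserStore:
    """In-memory stand-in for the relying party's user table."""

    def __init__(self) -> None:
        # username -> row. Card column is None for password-only users,
        # password columns are None for card-only users.
        self._rows: Dict[str, dict] = {}
        self._card_index: Dict[CardKey, str] = {}  # unique index on card column

    # ---- password path ----
    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def add_password_user(self, username: str, password: str) -> None:
        if username in self._rows:
            raise ValueError("username already exists")
        salt = os.urandom(16)
        self._rows[username] = {"salt": salt,
                                "pw_hash": self._hash_password(password, salt),
                                "card": None}

    def login_with_password(self, username: str, password: str) -> Optional[str]:
        row = self._rows.get(username)
        if row is None or row["pw_hash"] is None:
            return None  # unknown user, or a card-only account
        if hmac.compare_digest(self._hash_password(password, row["salt"]), row["pw_hash"]):
            return username
        return None

    # ---- card path ----
    def add_card_user(self, username: str, issuer_public_key: bytes, ppid: str) -> None:
        """Create a card-only account: password columns stay empty."""
        if username in self._rows:
            raise ValueError("username already exists")
        self._rows[username] = {"salt": None, "pw_hash": None, "card": None}
        self.link_card(username, issuer_public_key, ppid)

    def link_card(self, username: str, issuer_public_key: bytes, ppid: str) -> None:
        """Attach a card to an existing account, e.g. right after a password login."""
        key = card_key(issuer_public_key, ppid)
        owner = self._card_index.get(key)
        if owner is not None and owner != username:
            raise ValueError("card already linked to another account")
        self._rows[username]["card"] = key
        self._card_index[key] = username

    def login_with_card(self, issuer_public_key: bytes, ppid: str) -> Optional[str]:
        return self._card_index.get(card_key(issuer_public_key, ppid))


def demo() -> dict:
    """Constructed walkthrough; returns the outcomes so they can be checked."""
    store = UserStore()
    store.add_password_user("alice", "correct horse battery staple")
    issuer_a = b"CONSTRUCTED-ISSUER-A-KEY"  # stand-ins for real issuer key bytes
    issuer_b = b"CONSTRUCTED-ISSUER-B-KEY"
    store.link_card("alice", issuer_a, "PPID-123")          # password user adds a card
    store.add_card_user("bob", issuer_b, "PPID-123")        # same PPID, different issuer
    return {
        "alice_pw": store.login_with_password("alice", "correct horse battery staple"),
        "alice_bad_pw": store.login_with_password("alice", "wrong"),
        "alice_card": store.login_with_card(issuer_a, "PPID-123"),
        "bob_card": store.login_with_card(issuer_b, "PPID-123"),
        "bob_pw": store.login_with_password("bob", "anything"),
        "unknown_card": store.login_with_card(issuer_a, "PPID-999"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the walkthrough makes is the collision case: alice and bob both present PPID-123, and only the issuer fingerprint in the card column keeps them apart. Linking also refuses a card already indexed to a different account, which is the check a site needs before it lets a password user claim a card.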
Summary:
- Identity System 1.0:
  - Runs on .NET 3.0 on XP SP2, Vista and the next Windows Server
  - Identity Providers can be built on .NET 3.0/Windows Server, using WCF
  - Relying parties can use Web Services implemented with .NET 3.0/WCF; check the sample Token_Process.cs on cardspace.netfx.com
- ADFS2 (released next year, with the next Windows Server):
  - Built-in Identity Provider support
  - Card provisioning
- CardSpace 2:
  - Portable STS, token store on the phone and Identity Selector on the phone
  - Identity Providers will support named values and transactions