When I was a small boy (hush at the back, I know a lot of you think I still act like one) two friends and myself had a secret club, with handshakes, codes and membership cards we spent a day on and which were left in back pockets and destroyed when mothers washed jeans.

Information Cards come in two flavours, self issued and managed. Self issued cards are ones you can create yourself, just like we did with our club membership cards. They contain what is referred to as "Phone Book" information; data that a user creates themselves and can edit at any time (excluding the PPID claim).

But information cards promised security I hear you cry. Well yes, kind of. Self Issued cards are perfect for low risk scenarios; for example retrieving an email address and name to pre-fill a form for posting a blog comment, but they’re not that suitable for logging into your bank account. If we want a higher level of trust behind claims we use managed cards.

So what is a managed card? Well it is a card issued by a third party authority. You cannot create managed cards using your identity selector; you must download them from whoever is providing them. So your bank would issue you with a managed information card to control login to their web site, then only accept those cards. The claim information is not held on the local computer; when you elect to use a managed information card the identity selector talks to a web service whose URL is embedded in the card information, and that service returns the claim information. Managed cards aren’t limited to the standard claims either, they can support custom claims which could represent anything, for example the vibro.net sts could issue a claim about hair length. There’s another advantage, managed cards require authentication. Now this brought up a question during the geekspeak webcast I did last week;

Isn’t CardSpace supposed to do away with passwords?

My answer is sometimes. Even with self issued cards you can protect them with a PIN, so you have to enter a "password" to use it. With managed cards there’s more choice; managed card providers can protect their cards with usernames and passwords, certificates (usually contained on smartcards), Kerberos (for corporate scenarios) and by requiring the presence of a self issued card. The last option provides a way to do away with a password requirement; if the self issued card is in a user’s card store then the managed card will not prompt for any authentication (unless that self issued card is locked with a PIN).
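A managed card is an XML document, so the things described above (the web service URL embedded in the card, the authentication the issuer requires, and any custom claims) can be read out of it before the card is imported. The following is an added example, not code from this post or from CardSpace. Element names follow the Identity Selector Interoperability Profile card format; the sample card is constructed, uses made-up names, and omits the signature envelope a real card file carries.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
      "wsa": "http://www.w3.org/2005/08/addressing"}
STANDARD_CLAIMS = NS["ic"] + "/claims/"
# Credential element in the card -> authentication option named in the post.
AUTH = {"UsernamePasswordCredential": "username and password",
        "X509V3Credential": "certificate",
        "KerberosV5Credential": "Kerberos",
        "SelfIssuedCredential": "self issued card"}

# Constructed sample: unsigned card body with made-up issuer, user and claims.
SAMPLE_CARD = """<ic:InformationCard
    xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <ic:CardName>Example Bank login</ic:CardName>
  <ic:Issuer>https://sts.bank.example/</ic:Issuer>
  <ic:TokenServiceList><ic:TokenService>
    <wsa:EndpointReference>
      <wsa:Address>https://sts.bank.example/tokens</wsa:Address>
    </wsa:EndpointReference>
    <ic:UserCredential>
      <ic:UsernamePasswordCredential>
        <ic:Username>alice</ic:Username>
      </ic:UsernamePasswordCredential>
    </ic:UserCredential>
  </ic:TokenService></ic:TokenServiceList>
  <ic:SupportedClaimTypeList>
    <ic:SupportedClaimType
        Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
    <ic:SupportedClaimType Uri="https://sts.bank.example/claims/customer-tier"/>
  </ic:SupportedClaimTypeList>
</ic:InformationCard>"""

def summarise_card(xml_text):
    """Report who issued a card, where its claims come from and how it authenticates."""
    card = ET.fromstring(xml_text)  # use a hardened XML parser for untrusted files
    services = []
    for svc in card.findall("ic:TokenServiceList/ic:TokenService", NS):
        sts = svc.findtext("wsa:EndpointReference/wsa:Address", "", NS).strip()
        cred = svc.find("ic:UserCredential", NS)
        names = [c.tag.rpartition("}")[2] for c in cred] if cred is not None else []
        services.append({"sts": sts,
                         "https": urlparse(sts).scheme == "https",
                         "auth": [AUTH[n] for n in names if n in AUTH]})
    claims = [c.get("Uri", "") for c in
              card.findall("ic:SupportedClaimTypeList/ic:SupportedClaimType", NS)]
    return {"issuer": card.findtext("ic:Issuer", "", NS).strip(),
            "services": services,
            "custom_claims": [u for u in claims if not u.startswith(STANDARD_CLAIMS)]}
```

The summary only reports what the card says about itself; whether the issuer deserves trust is still a decision for the person importing it.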

As the transatlantic bandwidth sucked last week I promised I’d do a quick demo this weekend;

So should you trust managed cards? Well it depends how much you trust who issued them; anyone can issue managed cards; would you trust one I issued with the same trust you give one from Visa? I would hope not ...