<rant>
One of the problems I have when extolling Information Cards is the severe lack of real world implementations, beyond those Vittorio has had a helping hand in. A common question is where does Microsoft use it themselves? The honest answer is "Nowhere, beyond a pathetic nod at it with Live ID™, using self issued cards to protect the Live ID login page, and only if you’re in Internet Explorer, oh and it’s beta support, and has been for over 6 months".
A recent post by an EMEA Architect Evangelist is making me bang my head against the wall. One of the first points I make when speaking is that Information Cards != Passport. Passport failed for a number of reasons one of which was no-one liked giving Microsoft control over authentication to their web site; the "Justifiable Parties" in the "Laws of Identity" and yet here we someone extolling Live ID™ because it makes life easier.
Let’s look at this;
... it is much easier to handle user authentication but still, you have to manage the login process, privacy, have to keep password safe, provide a service for forgotten password and have to consistently evolve as authentication vehicles evolve as well - here I am talking about SAML support, Windows CardSpace™ (CardSpace) support and potential federation with other Identity Provider.
So an advantage of Live ID™ is that they are keeping on the cutting edge of authentication vehicles? Really? Oh. So aside from the awful "beta" support, with which you can tie a self issued card to your account (and remember portability for self issued cards sucks right now) where exactly is the Live ID™ for evolving authentication methods? Where is OpenID support? Higgins support? Oh no, we’re still stuck with a Live ID™ login page which this week went bang. So hand over your authentication to Live ID™ and match their downtime; excellent selling point. Is that valid enterprise architectural recommendation, depending on something with no visible SLA and a bunch of downtime recently?
Emmanuel makes a good point about password fatigue; but fails to address phishing and pharming; two things Information Card was designed to fight against; when he talks about the worries about account highjacking that’s where Information Cards should be; but they currently aren’t.
Indeed, why using your own storage and building your own application programming interface (API) for offering community and social networking functionality when Windows Live™ is already providing it to you and your developers?
There is a Live ID™ SDK; it’s available right now, and there’s even a Connect program for it; however a proprietary SDK against a published standard? A published standard that doesn’t limit you to a single identity provider as the Live ID™ SDK does? So why a 3rd party API when you can use SAML, a open standard?
He continues
After reviewing how Windows Live™ ID can be a substitute to your home made Authentication mechanism, ease life of your consumer’s account management and help the Identity Management becoming even safer using CardSpace (emphasis added)
We have a problem here. If the Live™ ID were serious about Information Card support they wouldn’t be just protecting the Live™ login with a self issued card, they would be issuing managed cards, letting the Identity Selector do all the heavy lifting, the protection, the issuing of information, the consent and control of what information is sent (something Live™ ID and Passport lacked, the "minimal disclosure for constrained use" law).
Of course it’s good to see someone passionate about their product; but I am at a loss over why you would use Live™ ID to control access to your web site when, if they did it right, you could simply support Information Cards and Live™ ID could be just another provider in the cloud.
Of course if we saw easier integration stories; officially supported ASP.Net controls (instead of leaving the slack for others to pick up), updating of the standard membership providers so it was there out of the box in VS2008 and making it just a matter of dragging and dropping then maybe we might see more take up on web sites generally. It’s a hard thing to "sell" right now, it won’t reach critical mass until people use it, people won’t use it until it reaches critical mass; preferably via an unconnected 3rd party. For heaven’s sake identity team go help PayPal use it or something. Otherwise I’m going to start to cry.
</rant>