So I presented "An Introduction to CardSpace" earlier today at WebDD, with poor Pat acting as a foil in my attempts to get the audience to laugh.
The more I attempted to draw the presentation materials together the more I am coming to view CardSpace as unfinished. Aside from crashing when I cancel sending an information card the CardSpace paradigm leaves open questions. The main sticking point for me is around managed cards. It's all very well saying that trusted parties will issue managed Information Cards, but how do you measure the trust you should apply to those cards? Passport failed because people were not willing to hand over authentication for their sites to Microsoft; why would this change with CardSpace? You're hardly likely to see slashdot.org trusting a Microsoft issued managed card. This means that sites are going to check the card issuer and assign a level of trust, or not to it, which opens a massive can of worms, both for site operators and visitors. As a resource provider you are going to want to review your trust levels for identity providers on a regular basis and will probably have a default standpoint of not trusting an issuer you have never encountered before. As a user you're going to be peeved if a site rejects a card because of a lack of trust. I can't seem to find any discussion around this; between that and the requirement for EV SSL it's going to cause problems in take up.