
Why did Microsoft CardSpace fail?


Microsoft announced this week they will not ship CardSpace 2.0. They give only a little bit of reasoning here: http://blogs.msdn.com/b/card/arc... . What went wrong?

Beyond Windows CardSpace



Identity and Access Team 15 Feb 2011 7:59 AM

For several years Microsoft has advocated the claims based identity model for more secure access and use of online applications and services. With enhancements to our existing platform, such as Active Directory Federation Services 2.0 and Windows Identity Foundation, we've made progress in that initiative. Claims-based identity is used widely inside Microsoft and is now part of many Microsoft products, such as SharePoint, Office 365, Dynamics CRM, and Windows Azure.

Microsoft has been a leading participant in the identity community and an active contributor to emerging identity standards. We have increased our commitment to standardization activities and added support into our products for the SAML 2.0, OpenID 2.0, OAuth WRAP and OAuth 2.0 protocols.

There is one component of our identity portfolio where we have recently decided to make a change. Windows CardSpace was initially released and developed before the pervasive use of online identities across multiple services. Perhaps more importantly, we released the user component before we and others had delivered the tools for developers and administrators to easily create claims-ready services. The identity landscape has changed with the evolution of tools and cloud services. Based on the feedback we have received from partners and beta participants, we have decided not to ship Windows CardSpace 2.0.

Claims-based identity remains a central concept for Microsoft's identity strategy, and its role in our overall strategy continues to grow. Furthermore, we are not abandoning the idea of a user agent for exchanging claims. As part of our work on claims-based identity we are releasing a new technology preview of U-Prove. This release of U-Prove will take the form of a user agent that takes account of cloud computing realities and takes advantage of the high-end security and privacy capabilities within the extended U-Prove cryptographic technology.

Susan Morrow, Head of R&D in a company specialising... Votes by Johannes Ernst, Inder Sethi, Doc Searls, and 3 more.

It failed because of several reasons:

1. It had very poor usability and required the user to either use Windows Vista or Windows 7 or install .net 3.5
2. It had accessibility issues and was desktop bound, i.e. couldn't be easily used across other operating systems and in particular mobile devices (yes a few iPhone prototype selectors exist but they didn't work on the BlackBerry for example)
3. It was inherently tied to Active Directory and so made a consumer use model very difficult (if not impossible in reality) to implement
4. It had no true facility for utilising verified claims through a trusted third party and then populating those claims in real time through a third party

Resolving those issues has been our goal in my company because the underlying technology of Information Cards is the best representation of a 'true' identity (i.e. something that can transact, in real time, verifying information about ourselves) we have at this current time. We now have a fully Cloud based cross platform/device implementation of Information Cards that is a new wave and fixes those issues and goes beyond the original remit of the system (Information Cards 2.0 if you like)

17 Feb, 2011

5 Johannes Ernst, Entrepreneur. Votes by Doc Searls, Inder Sethi, Carsten Ptter, and Dave Kearns.

I guess here are some reasons I can think of:

1. Wrong product. This should have been a seamless feature of IE, not a separate product.
2. Wrong implementation. WS-* meant that half (or more) of the market wouldn't touch it.
3. No go-to-market strategy. Maybe there was one, but I never saw evidence of one.
4. No smooth upgrade/downgrade path. The brave new world did nothing but confuse users and developers alike who wanted to continue supporting their existing users with existing technology (i.e. username/password)
5. Misunderstanding of requirements. All sites want e-mail addresses. There's no point creating all this wonderful privacy-protecting technology if it is used each time to exchange globally unique e-mail addresses.

17 Feb, 2011

4 Stephen Wilson, Digital identity & privacy specialist. Votes by Johannes Ernst, Devon MT Loffreto, and Susan Morrow.

Cardspace suffers from being associated with a deep over-generalisation at the heart of the Identity Metasystem, that has distracted, confused and demoralised many stakeholders who tried to give federated id a go. I've seen four different well funded authentication broker schemes in Australia overpromise and underdeliver (or fail altogether). A proper post mortem of Cardspace will look at its common problems with that other recent casualty in the identity wars, OpenID (which struggles to meet expectations even in near trivial authentication settings).

Infocards are a brilliant UI. They reify and normalise the important notion of plurality of identity. But a great new UI should never have been mashed up with the radical Identity Metasystem. If we simply used Infocards to take our perfectly good current identities online - like credit card numbers, social security numbers, health identifiers, and proof of age cards - we would achieve great things. But it was unhelpful for Infocards to get tangled up at the same time in federated identity and the attempt to re-cast banks, govts, telcos etc. as open Identity Providers. Inserting IdPs into otherwise bilateral relationships between customers and service providers is truly a massive change to the way we do business. Breaking open identity silos entails re-engineering risk management mechanisms, re-writing user agreements and contracts, and in the case of banking, relegislating to modify Know Your Customer rules. Despite easy intuitions about re-using identities, federated identity is a dramatic paradigm shift that is not warranted in many cases for solving the problems of ID theft and the password plague.

17 Feb, 2011

5 Doc Searls, I've dealt with Microsoft in many way... Votes by Johannes Ernst, Jamie Nathan, Carsten Ptter, and Devon MT Loffreto.

Let's unpack the opening paragraph of Wikipedia's entry on Windows Cardspace <http://en.wikipedia.org/wiki/Windows_CardSpace>:

"Windows CardSpace ...

This says Cardspace is not a stand-alone entity, but a noun terminally modified by its owner's brand.

... (codenamed InfoCard)...

More blurring. Cardspace had way too many names and related nouns over the years. Infocards (or were they "information cards"?) needed a stand-alone label, a noun of their own. This never happened, at least not so the subject was easy to talk about.

...is Microsoft's client software...

No 'fence to Microsoft, but its very name is aversive to all developers other than ones already in the MS ecosystem. Even though Microsoft was more open-source-friendly around Cardspace than around anything else I can think of, it still had a huge taint to folks in other communities. For example, Linux Journal ran a long and very friendly piece about Cardspace (not yet called that) and Kim Cameron's work <http://www.linuxjournal.com/article/8357>, to no effect at all, at least in the Linux community. It was like fishing for trout with handgun for bait.

... for the Identity Metasystem...

More confusion. What was the Identity Metasystem? Those who followed Kim and his team knew (and said) that it was bigger than Microsoft. Kim says here <http://www.identityblog.com/stories/2004/12/09/thelaws.html> that "the diverse needs of many players demand that we weave a single identity fabric out of multiple constituent technologies." Many players, not just one. Not just Microsoft. At that same link, Kim's 5th Law of Identity says, "A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers." Again, not just Microsoft. But who knew that, outside folks that came to Internet Identity Workshops or followed the topic closely? Not many, or at least not enough.

... CardSpace is an instance of a class of identity client software called an Identity Selector...

Talk about burying the lead. The identity selector was THE big feature/virtue of Cardspace. The world still needs it. U-Prove (Microsoft's new substitute) doesn't do it. Far as I know, nothing else does.

... CardSpace stores references to users' digital identities for them, presenting them to users as visual Information Cards...

Again, "cards" is good. "information cards" isn't. Again a modifier problem. And a metaphorical mess. They didn't want to say "identity cards," but that would have been clearer for the user.

...CardSpace provides a consistent UI designed to help people to easily and securely use these identities in applications and web sites where they are accepted...

Okay. But is it the UI or is it more than that? Also kinda blurry.

... Resistance to phishing attacks and adherence to Kim Cameron's "7 Laws of Identity"[1] were goals in its design...

Nice virtues, but not top priority for users or developers.

Here's another reason: Microsoft never got behind it in a serious way. Great wind-up, weak pitch. When other Information Card Foundation members wanted to move forward with development and evangelism, Microsoft was AWOL. From all I could tell (as an outsider), they sandbagged it. Whatever the reason, Microsoft failed Cardspace. It wasn't the other way around.

17 Feb, 2011

2 Dave Kearns, IdM analyst & opinionator. Vote by Susan Morrow.

Microsoft, never strong in the Identity space, brought this out (against the developers' wishes) with absolutely no go-to-market strategy. It didn't so much fail as wither because there was no way for 3rd parties to make use of it.

2 Jan

2 Tim Cole. Vote by Dave Kearns.

It didn't so much fail as slowly and silently vanish away... Microsoft never really put any muscle behind CardSpace, and even a company as big as them only has a limited amount of resources. Without top-level corporate sponsorship, priorities went elsewhere and the whole thing eventually just petered out.
