Cardspace/InfoCard for the people!

I posted an irate comment about how hard it is to implement Infocard on a hosted ASP.NET account on a shared server.  It is a bit short of impossible and probably can’t be done securely with most hosting plans.

Let me say despite my cynicism, I hope Infocard succeeds, because the core concept of passwordless authentication is genius and an unqualified good thing. 

Kim Cameron, architect of InfoCard replied on his blog and agreed with me that requiring SSL for InfoCard on the smallest of websites, such as blogs was overkill.  There is hope that in V.next of InfoCard,  sites will be able to accept authentication and receive claims without SSL. [Now that I think about it, this should also solve the decrypting-the-response-and-claims problem in ASP.NET]

Any how, here are some reasons why I think that enabling Infocard for small sites—-however it may be accomplished—-is important:

Ubiquity.  Identity systems need to be ubiquitous.  When I arrive in a town at go to a new bank, the local tax office, the electric utility, they want to see my driver’s license or social security cards .  They don’t start by asking if I have a library card, a passport, a shopper’s club card. Those are not ubiquitous enough.  The situation is the same for the web.  As soon as people know that everyone has a “foo”-card or a “foo”-id, that is what they will ask for.  If Infocard relinquishes the “little sites” and the little sites adopt, say OpenID, then the banks are likely to follow.  As soon as my password database has 95% of its passwords replaced by either OpenId or Infocard, the other will fade into obscurity.  Why would a banks ask for a super secure but not ubiquitous library card when they know everyone has a reasonably secure driver’s license?

Phishing.  Who has the money?  Fishing attacks are mostly against banks.  That is where the money is.  But this might not be the right question. But where are the passwords?  They are mostly in rinky-dink blogs, forums and other little websites.  Users can’t remember 50 passwords, so they use the same password for all of them.  Phishing a forum may be just as effective at getting banking passwords and ID’s as phishing an actual bank.  Now if the banks use infocard, then a password obtained at a little site might be commercially useless.  Or maybe not….

Spam. Malware. The little sites are being crushed by ever more creative forms of spam.  My referral logs are mostly spam.  My comments are mostly spam.  Blogger is mostly splogs.  Usenet is all spam.  Email is almost entirely spam. Forums, more spam.  Spam, spam, spam.  Sites with no passwords (because it’s too much to ask of someone trying to leave a comment) are entirely open to spam.  All of this spam is driven by the fact that you can make money by exploiting defects in the identity system of small websites.

Without a function system of identity small web sites can’t interact with the world because they can’t tell who is a the same malicious user you banned last week and who is a potential legit user.  I doubt OpenId or Infocard will solve all the spam problems, but it will make it easier for small websites to demand registration instead of putting up with anonymous users.

Infocard-OpenID Hybridshttps://www.signon.com/  is interesting.  It is an OpenID site, but when a user is redirected to the authentication page, the user has the option of using a password or an InfoCard.  I’ve signed up for my account as successfully authenticated to a site using an Infocard+OpenId process.  From the website owner’s standpoint, this hybrid solution will have the same pros and cons as OpenId, as the interface to the claims will be the OpenID interface, not the InfoCard interface. 

In sum, I hope Microsoft doesn’t abandon the little sites.