Scott's Workblog

This blog has moved! Go to my new blog!

May 24, 2007

Shibboleth to add CardSpace support

Kim Cameron reports that Internet2 are adding CardSpace support for Shibboleth. This is significant as CardSpace enables a consistent approach to providing personal credentials at the user interface level, whether the actual mechanism for handling identities is system-specific, federated or distributed.

I can see two clear benefits from this move:

Firstly, for users it offers a consistent experience to logging in for services. Whether this involves offering an OpenID identity or an identity managed by a Shibboleth Identity Provider. This is potentially very useful: sometimes you need to be "you", and sometimes you need to be "a staff member of x".

Second, CardSpace offers a way of overcoming the potential Phishing problems of Shibboleth; the CardSpace interface replaces the potentially vulnerable (and, as federations grow, confusing) Where Are You From? (WAYF) service.

However, I'm assuming here that Shibboleth SAML assertions will be made available as Managed Cards within a users personal CardSpace; the text of the announcement isn't very clear on this point. However - if (and I assume this isn't the case) the intent is the opposite - to make CardSpace cards usable by federations, but not vice-versa - then the value proposition will be considerably less.

main archive