OpenID and CardSpace are both complementary and competing technologies.  An interesting thing about OpenID it that it allows you to "attach" a Card to your OpenID account (create an openid at myopenid.com if you have not already).  That is interesting as it allows you to logon to your OpenID account using your InfoCard on your desktop.  That is pretty powerful because that means you can logon to any OpenID site using your InfoCard.  So the web designer that enables OpenID logins will also get CardSpace for free without writing a single line of additional code - that is pretty cool.

In a previous post, I wrote on the need of a Proxy that would allow me to get my Card easily when on a public pc.  OpenID with cardspace support does not get us there, because I still have to have the card on the machine I am at in order to authenticate to OpenID using my card.  However, OpenID does allow me to login using name/pwd pair, so that is always a good last resort.  However this can be made better I think.

What if the OpenID provider also "stored" my Card in encrypted form?  Then I could download that card and use it.  To make this process simple, MS needs to create a temp proxy card.  So on a new machine I create a TProxy card that have my name and a URI to my OpenID provider.  Now when I try to use TProxy card, it downloads my real card from the provider and decrypts by prompting for a password.  Now that I have my real card local, I can then continue to use as normal during the session.  The provider only ever sees my card in encrypted form so it is protected from snooping.  Now the question is how to get rid of local card when done?  If I log out, the CardSpace framework and just clear card memory and be done.  But what if I just walk away and forget to logout?  I guess that is same issue as forgetting your credit card at a store and hoping nobody uses it until you cancel the card.  One option to mitigate the risk is to add a timeout on the card.

I guess another option would be a usb smart card and a pwd pair.  Keep your smart card on your key chain and you can login anywhere.  Loose your card, and someone still needs your password.  So I need to login once (to decrypt the card on the smart card) and can use the card for remainder of my session.

InfoCard (i.e. CardSpace) has been out for a bit, but does not get much joy yet. I think probably cause a lot people just don't know about it or don't care yet.  But the other day I created a OpenID and started using it for identi.ca.  identi.ca is a good example of a site that uses OpenID well and makes it easy.  That got me thinking all sites should use OpenID.  Then I rediscovered CardSpace because OpenID also always you to attach an InfoCard to your id.  So that got me thinking more about CardSpace and using it for my web site.

In general, I am starting to think InfoCard (or the idea of InfoCard) is almost the perfect security model for the following reasons:

1) You control your cards locally. You don't have various names and password strung out all over the INET.

2) You can use same card on multiple sites.

3) You only share the info you want in the card.

4) You get to pick your card at login using a picture and named card.  This makes it easy to remember what card you used at what site. Vista actually has a nice CardSpace control for this and it works well (can download for XP).

5) People can't hack your password on a site using normal hash tables (rainbow) or brute force.  I am not sure yet if it is possible to brute force an InfoCard.

6) It moves the security model to a standard and tested model.  Today, each site may (or may not) protect your password with all kinds of good or no good hash and/or encryption methods.  Point it, you don't know what method is used - it could be stored in the clear!  InfoCard removes many of the server side variants and acts almost like an agent on your behalf.

7) The framework it there where in the future you can time limit your card and revoke it from use.

Given the upsides and the fact that I am in control of the card, I am starting to wonder if OpenID is the right model.

That said, AFAICT, there is one primary down side - you have to have your card on each machine you use.  That means if you are on some random machine, you need to figure our how to get your card and have to worry about removing it from the machine when you done.  Maybe what we need is password protected Temp Proxy Card.  When you are at a "public" PC, you create a Proxy Card that includes the URL of your real card (stored at a public URL that is encrypted AES with your known password).  Then browse to web site that requires a card, the Card selector will popup and you select your Proxy card.  The framework will download and decrypt your real card and use that and cache it in memory only in encrypted form using your same password as your proxy card.  Maybe it also has a time limit on it.

Make your web site InfoCard enabled.  I have looked at a couple solutions, but found Dominick's control the best fit and ease of use.  It also supports non-SSL mode, as many web sites (i.e. blogs) do not use SSL.  Having the option is nice.

Dominick Baier's IC Selector at: http://www.codeplex.com/InfoCardSelector/Release/ProjectReleases.aspx?ReleaseId=12626