By Carl Franklin | March 10, 2007 02:15 PM EST
Scott and Carl talk about digital identity and related technologies. Hanselminutes is a weekly audio talk show with noted Web developer and technologist Scott Hanselman hosted by Carl Franklin. Scott discusses utilities and tools, gives practical how-to advice, and discusses ASP.NET or Windows issues and workarounds.
Carl Franklin: Hi, this is Carl Franklin. You are listening to Hanselminutes. I am here with Scott Hanselman. Hi, Scott.
Scott Hanselman: How are you, sir?
CF: Identity, CardSpaces, is the topic today.
SH: Today Carl and I will just show you all the history, Identity 2.0. Yeah, dude, this is all about CardSpaces, because we've been - we talked about doing a .NET Framework 3.0 show but we all know that the Framework is too big to do in a short Hanselminutes double-speed, 20-minute podcast so we are going to do it in chunks.
CF: We also know that, it's really not a framework .NET for 3.0.
SH: Yeah, it's kind of...it's a collection of pillars.
CF: New features.
SH: These were the new features, so we've got CardSpace, we've got Windows Presentation Foundation, and we've got Windows Communication Foundation. So, Avalon, InfoCard, and Indigo were the code names. So, at Corillian we are really interested in CardSpace because you know we do online banking, and banks are always getting phished. They are always getting attacked by people who get their names and their passwords stolen.
CF: Right.
SH: And we encourage people to have stronger passwords, we encourage people to have passphrases, right, add a space and have a big long password that's like 20-30 characters long. But these are still just things that you know that can be stolen from you, you can be tortured and they could - you could give them up. And generally identity on the Internet is broken. You got identity theft, there is spoofing, and they're in the middle things, and there is evil malware that could be running on your machine, and it's pretty clear that the user name and password mechanism is overwhelmed. I mean just the fact that we've got password manager programs, programs with a super password that are set up to manage your other passwords. It doesn't really work, right?
CF: Yeah.
SH: The whole idea is what's a better way to identify both the user to the site and the site to the user. Because a lot of times you go to a site and you don't know if you trust this site, maybe it's a blog, I don't want to go and sign up on a blog, I don't know about you but I don't want to sign up with a blog and give them yet another user name and password just for the privilege of leaving a comment.
CF: Exactly, the less sign-ups I can do the better.
SH: Exactly, then we get down to these kind of main sign-ups and then of course, Passport, Microsoft Passport was kind of an attempt to centralize all of that, but the problem was it was managed by Microsoft. It wasn't the fact there was Microsoft, but it was the fact there was a single entity that would handle it. They were basically saying, just give us your user name and password and we will come up with a tricky way to single sign you into all these different places.
CF: And we will keep your credit card number on file and all your business information, all your personal business info...
SH: Right, we'll hold all your stuff.
CF: And the response was a resounding thud, right?
SH: Yeah, it worked technically like I used it for Expedia and for eBay and that was pretty much the extent of it but I just didn't feel comfortable with it because, you never know, I don't think that password was phished successfully, but it's easy to make a site that looks like the site that you wanted to go to. So, phishing is a problem, and of course, we've seen Firefox 2.0 and IE 7. They have built-in anti-phishing stuff. There is a good reason just to install IE 7 right there; I've put IE 7 on all my relatives' machines.
CF: I also think, Scott, before we get too far away from it, that one of the reasons Passport failed or .NET My Services is what we're really talking about, was because of timing, there was a lot of disruption going on security-wise at the time.
SH: Yeah, it was kind of the end of Web 1.0 and the beginning of 2.0, the bubble occurred, and it was a fairly disruptive thing, and it was not exactly easy, frankly, to integrate it if you ever tried to get your Passport to work. SDK was a little tricky and just when you got it working another SDK came out. So, the real issue here is what the guys on the CardSpace team...and Nigel Watling is one of the guys that's got a presentation I'll point everyone to...is the idea of identity silo hell. You get all of these different silos where you have an identity at one place but you are not trusted by another, like Amazon is big and wonderful and they use my identity for a number of things. I can make reviews and comments, I can buy stuff but I can't use my Amazon identity or my reputation and use it somewhere else.
CF: Let's talk about CardSpace.
SH: CardSpace is basically an implementation by Microsoft of an open and specifically non-proprietary way to represent identity. It's open and nonproprietary in that it uses the WS *.* technologies, it's on with Web Services, using XML assertions, using WS-MeX, that's called WS-Metadata Exchange, I like to call it WS TeX-MeX but people don't like that joke - and using WS-Trust.
CF: Scott, I know that anybody can say this is an open standard and then still exploit it for their own personal benefit at the expense of others. So, the real test is, is anyone else besides Microsoft using it?
SH: That's a very good point. So, of course, this is an example of something where Microsoft's done the first and perhaps thus far the best implementation of it but people are already getting excited about this. For example, the guy Kim Cameron at Microsoft, who really promotes this who runs identityblog.com...
CF: Brilliant guy.
SH: Up at www.Shrinkster.com/jkm, he runs a blog based on PHP. So, in a kind of an unusual move by Microsoft guys, he ate his own dog food and built a PHP implementation of InfoCard. So, if you have CardSpaces on your machine, the Windows implementation of CardSpaces then you can go up to his blog and you can sign in and it's using all PHP, no Microsoft stack. The idea is that, you would go up to his blog and in this instance, you would be using IE 7 and then you'd have the .NET Framework 3.0 on your system. Remember, that IE 7 is going to get pushed out as a high-priority update to everyone and that .NET Framework 3.0 is going to be an optional but recommended update. So, I think more and more, we are going to see this. It's also built into Vista. Otherwise it's unfortunate that 3.0 is not going to be a high-priority update. We are going to see this pushed out to a lot of people's machines. You go up to his blog and then you visit a regular HTML page. If you did a View Source on this page of the HTML, you would see an object tag, right, an object tag is the kind of thing you would use to show like a Flash object. In his case the object is an information card that's saying, "I have some requirements that you are going to need to give me." So just like you - for putting a name and password together on an HTML site, you would say input text equals password, input text equals text. And it would put in their name and their password. In his case within the form there is an object tag.
Copyright © 2007 SYS-CON Media, Inc. — All Rights Reserved.
More Stories By Carl Franklin
Carl Franklin has been a figurehead in the VB community since the very early days when he wrote for Visual Basic Programmers Journal. He authored the Q&A column of that magazine as well as many feature articles for VBPJ and other magazines. He has authored two books for John Wiley & Sons on sockets programming in VB, and in 1994 he helped create the very first web site for VB developers, Carl & Gary's VB Home Page. He now teaches hands-on VB .NET classes for his company, Franklins.Net. He has taught developers from Citigroup, Aetna, Fidelity Investments, Fleet Bank, Foxwoods Casino, UTC, Hubbell, Microsoft, Mohegan Sun Casino, Northeast Utilities, to name a few. Carl is co-host of a weekly talk show on his website for .NET programmers called .NET Rocks! Carl is MSDN Regional Director for Connecticut.