Federating identity for the Web

User-centric innovations CardSpace and OpenID may finally bring the promise of federation within reach

A CardSpace identity selector is included in Vista and can be downloaded for XP as part of the .Net Framework 3.0. Card selectors for the Mac and Linux are available from Novell as part of its Bandit project. You can try them out by logging in to Microsoft Chief Identity Architect Kim Cameron's blog.


An open standard, OpenID is the fruit of several folks' labor during the past several years. Originally developed by Brad Fitzpatrick as an identity system for LiveJournal, OpenID is now developed under the auspices of the OpenID Foundation.

OpenID identifiers are URLs. Any URL can be used as an OpenID. Rather than relying on tokens, OpenID is a relationship-based identity system. As a result, when I give a relying party my OpenID URL, the IdP asserts to the RP that I have provided sufficient evidence of a relationship with the IdP. What the evidence is and the nature of the relationship are undefined in the OpenID specification. Usually the evidence is a password authentication, but it may be based on a secure, physical token or a record that I had signed up for an account in the past.

This simplicity is OpenID's strength and chief weakness. On the one hand, it makes OpenID incredibly lightweight and easy to deploy. On the other hand, RPs know almost nothing about the user except that the IdP and the user share a secret. Unless the IdP is trusted by the RP, it is difficult to use an OpenID for anything more than authorizing blog commenters.

OpenID is the subject of significant ongoing activity. It has a robust discovery mechanism based on XRDS (eXtensible Resource DescriptorS) and an attribute exchange mechanism contributed by Sxip Identity. These and other improvements are documented in the yet-unratified OpenID 2.0 specification.

OpenID is most at home on the Web when deployed on sites that allow users to self-provision accounts. By using OpenID, these sites free themselves from the burden of managing the authentication phase of the interaction with the user and the hassles that come with this, such as password reset.

There are an estimated 160 million OpenID-enabled URLs and nearly 10,000 sites that support OpenID log-ins. No special software is needed to use one. In fact, if you have an AOL account or screen name, you're part of that 160 million because AOL has OpenID-enabled their identifiers. If your AOL screen name is "froam2," then your AOL OpenID is http://openid.aol.com/froam2. You can use it to log in to any of the sites in the OpenID Directory.

Additional resources

Seven Laws of Identity CardSpace libraries and samples Using CardSpace on a blog .Net Framework 3.0 selector for XP OpenID Directory OpenID providers OpenID libraries

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about AOLBurton GroupCA TechnologiesFrance TelecomINSInteropLinuxMicrosoftMilestoneNovellPromiseProvisionProvisionRPS

Show Comments