Corillian, CardSpace, and Open ID - Digital Identity is happening
I totally stole the picture at right from Ashish Jain's blog post on CardSpace/OpenID Integration. It's a great image. Ashish works for PingIdentity and is down at the RSA Conference right now, along with Corillian it turns out. Ping is demonstrating a prototype OpenID IdP server that uses CardSpace for authentication at runtime.
Today JanRain, SXIP, Verisign and Microsoft announced that they'd collaborate on interoperability between OpenID and CardSpace. It's so refreshing to see folks in Web 2.0 getting along so well and moving the ball forward.
While some are surprised that folks are actually getting along, Dare puts it best when he says:
"With OpenID it didn't take as long for us to go through the NIH<->FUD<->Acceptance<->Approval<->Adoption cycle that I've come to expect from my fellow B0rg. It seems we have adapted."
Corillian (my company) was involved in the Identity Press Release today as well with a joint demo between Corillian, Wachovia and Arcot, led on the Corillian side by the tireless Stuart Celarier.
To further enable the vision of secure and easy anywhere access, Microsoft today announced the following product milestones and industry alliances:
On the heels of the Windows® CardSpace™ general availability launch in Windows Vista™, Microsoft demonstrated momentum with industry partners that are working to apply this technology to help consumers realize a more confident online experience. This includes the announcement of collaboration on use of Windows CardSpace with the OpenID 2.0 specification. Through the support of the WS-Trust-based Windows CardSpace experience, consumers can take advantage of increased security against phishing attacks without adding complexity to their identity management experience. Also at the conference, Wachovia Corp., Arcot Systems Inc. and Corillian Corp. showcased a proof of concept demonstration using Windows CardSpace to deliver a simpler and safer online banking experience for customers.
We've been looking at Digital Identity 2.0 solutions for at least 2 years now at Corillian led in part by our multi-factor authentication product and other identity solutions, all designed to stop phishing. We've integrated our suite with CardSpace, and that's what we're demoing at RSA. OpenID was next on my list. If you're not familiar, OpenID is different from CardSpace, as explained by Kim Cameron in that it assumes two things:
- Every person has a URL to which they lay claim.
- Every URL has an identity provider that “speaks for” it.
"All in all, the closest analogy is to using an email address as an identifier by asking what email address you own, sending you the email, and getting you to click a link showing you own the email. In this case the relying party depends on the underlying mail system, DNS, and all that. OpenID replaces email with web URLs. So it’s a lot more direct."
Digital Identity is getting closer with InfoCard/CardSpace, OpenID and i-names starting to converge on something very real. Here's some fun links to check out for yourself:
- Sxore (score) from Sxip identity using WhoBar to spackle cleanly over OpenIDs and i-names as well as CardSpace/Information Cards. I was able to login using my own blog as my OpenID.
- My i-Name is =scott.hanselman
- I use http://www.hanselman.com for my OpenID and that gets redirected to http://scotthanselman.myopenid.com/ (Do a view source, and notice my OpenID meta tags)
- JanRain runs MyOpenID and has a fun claims site called Jyte. It's a silly but fun reputation building exercise that's built on OpenID.
- Aside: JanRain is also in Portland, just a few miles away, on a street I worked on for six years.
- Try out Sxipper for FireFox. It uses OpenIDs as an authorization technology to manage a local wallet.
- Here's a great protocol flow diagram for OpenID that helped crystalize it for me.
- Read the very good aggre-blog at planet OpenID. There's lots of commentary and context.
- Read Mike Jones' notes on Bill Gates' Identity Keynote.
- Note in the FireFox 3.0 Requirements, support for OpenID and CardSpace are listed as mandatory. That's good for everyone.
OpenID and CardSpace together are going to cover the maximum number of platforms, the maximum number of browsers and make the end-user experience (like my Mom's) more secure and easier to use that ever before. I'm stoked that Corillian's involved in the banking back-end side of things with folks like Arcot and Wachovia and I'm jazzed to be architecting, in a small way - along with my fellow wonks here at Cori - something called Banking 2.0. I'm looking forward to logging into a Corillian bank using OpenID and/or CardSpace. If you're down in SFO at the RSA Conference, go see our InfoCard Banking Demonstration!
Also, one of these days we'll get another DasBlog release that includes Kevin Hammond's good CardSpace work as well as OpenID. It's only a matter of doing it. You can also CardSpace-enable Community Server if you like.