More Cardspace in the Enterprise
Posted by BPuhl on March 15, 2008
So it’s been brought to my attention that there is a very important distinction which I should probably make about my views of Cardspace in the enterprise. That distinction is the difference between Cardspace as a user interface – and Cardspace as the underlying infrastructure for performing claims-based authentication.
The basic reason why I’m hesitant about Cardspace in the enterprise is actually that I LOVE the idea of having my users perform claims-based authentication and authorization…but I can’t fathom the idea that people are going to keep getting these UI pop-ups and having to pick the same card over and over again throughout the day as they are trying to do their job. Even having to click it once or twice per day is too much in my opinion.
Since we already know that Cardspace will show you all cards which meet the criteria, as an enterprise administrator I’d like to say that if there is only a single card which meets the relying party’s criteria – THEN USE IT! Don’t pop the UI, just go ahead and send the card, and have fun with that!
Yes, I realize that this violates numerous basic principles of user-centric identity; however, the principles it violates are based on the idea that the person owns the digital identity. In a company, the enterprise owns the identities and issues them to individuals for use on behalf of the enterprise. So we don’t really need (or in many cases want) the “transparency”, or the ability for a user to decline to send claims info, because that would distract them from the primary mission we issued the identity for to begin with – to do their jobs. It’s not as though an HR analyst would make the decision, “You know, I don’t think I want this application to know my employee ID number, so I’m going to decline to authenticate to it.” Ok, then what are you going to do, since accessing the application is a core part of your job, and the enterprise has determined (meaning the app devs, security, IT, etc…) that the data was needed?
So don’t get me wrong, I love “claims-based authentication and authorization”, and I firmly believe that Cardspace and Infocards have a HUGE value in the consumer space, anti-phishing, etc… But I would love to see more granular policies available to administrators over the user interface, so that we could use the Cardspace plumbing while intelligently presenting the UI only when it is actually necessary.
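The single-matching-card rule proposed above, written out as an added example (not code from the post or from Cardspace itself): a relying party policy lists the claim types it requires and optionally an issuer, the matcher filters the user's cards against it, and an administrator switch decides whether exactly one match is sent silently or still goes through the selector UI. The claim-type namespace is the real WS-Identity one; the "employeeid" claim, the issuer URL and the sample cards are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Standard CardSpace claim-type namespace; "employeeid" is a constructed claim for this example.
NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
PPID, EMAIL, EMP_ID = NS + "privatepersonalidentifier", NS + "emailaddress", NS + "employeeid"

@dataclass(frozen=True)
class Card:
    name: str
    issuer: str                   # STS that issued the managed card
    claims: FrozenSet[str]        # claim types the card can supply

@dataclass(frozen=True)
class RelyingPartyPolicy:
    required: FrozenSet[str]      # claims the RP insists on
    issuer: Optional[str] = None  # None: RP accepts any issuer

def matching_cards(cards: List[Card], policy: RelyingPartyPolicy) -> List[Card]:
    """Cards satisfying the RP policy: every required claim is available and,
    if the policy names an issuer, the card comes from that issuer."""
    return [c for c in cards
            if policy.required <= c.claims
            and (policy.issuer is None or policy.issuer == c.issuer)]

def select_card(cards: List[Card], policy: RelyingPartyPolicy,
                auto_select_single: bool = True) -> Tuple[str, object]:
    """Enterprise rule from the post: exactly one matching card and the admin
    switch on -> send it with no selector UI. Otherwise report what the UI
    layer must do: "prompt" with the candidates, or "no-card"."""
    matches = matching_cards(cards, policy)
    if not matches:
        return "no-card", []
    if len(matches) == 1 and auto_select_single:
        return "auto-send", matches[0]   # silent sends should still be audit-logged
    return "prompt", matches

# Constructed sample data: one corporate managed card and one personal card.
CORP_STS = "https://sts.corp.example"   # placeholder issuer
CARDS = [
    Card("Corp Employee", CORP_STS, frozenset({PPID, EMAIL, EMP_ID})),
    Card("Personal", "self-issued", frozenset({PPID, EMAIL})),
]
HR_APP = RelyingPartyPolicy(frozenset({EMP_ID}), issuer=CORP_STS)   # only one card fits
WEBMAIL = RelyingPartyPolicy(frozenset({EMAIL}))                     # both cards fit

if __name__ == "__main__":
    for name, rp in (("HR app", HR_APP), ("webmail", WEBMAIL)):
        action, result = select_card(CARDS, rp)
        print(f"{name}: {action} -> {result}")
```

With the switch on, the HR app gets the corporate card with no pop-up, while webmail still prompts because two cards qualify; setting `auto_select_single=False` restores the stock prompt-every-time behaviour.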