Next Generation CardSpace

Every so often over the last year, I would enthusiastically suggest various CardSpace feature enhancements to whoever on the team I happened to be bending the ear of at that particular moment. They usually very patiently noted that only so much could go into V1, and that other features would have to wait.

The digital ink isn’t even dry on the RTM announcements, but I’m more than ready to get in on the ground floor with round #1 of Pam’s recommendations for CardSpace V2 :)

The first feature suggestion is not really a client feature at all, but I think it is an issue that needs to be addressed. It is IMO important, so I shall leave it in.

Feature 1: Some way to automate Testing & Monitoring

Automated QA testing tools like Mercury LoadRunner and Rational Robot will not work with CardSpace. I predict this will be a major barrier to adoption by any company with a large-scale QA testing infrastructure. Same goes for web-based monitoring programs. The catch-22 is, if a testing tool can automate a CardSpace interaction, so can a bot.

Feature 2: Addition of “Identity Selector” as Windows Software Client type

I would like to see MS work towards adding a new entry for an Identity Selector in this screen:

It may be tough to make the case for adding this, when there are no competing products out – but if you wait until those clients exist, you won’t have it ready in time. You need to put it in now, in order for it to work through the MS monolith (after all, what’s the ETA for v2?).

Feature 3: Logging of card backups and restores.

I hate the fact that, should there be an opportunity to get into your Windows account, somebody could export all of your cards, and the next time you run CardSpace, you wouldn’t be able to tell. Sure, the thief shouldn’t get that much, as managed cards still require separate authentication to the IdP, and I can pin-lock my personal cards if I’m paranoid – but still, I want a way to know what happens to my precious cards in my absence, even if it only ends up being for forensic purposes. If I could have anything, I would prefer that the user be challenged to re-authenticate to the domain any time they attempt to make a card backup, but I understand that’s very difficult to do, so this is a compromise.

Feature 4: Alterable Card Size

I know this is a frou frou request, but it is near & dear to my heart. I want to be able to resize my cards so that I can fit more or less of them on the screen at one time. This way people with vision problems can make them bigger and easier to see, and power users can make them tiny so they can see many cards at once.

Feature 5: One Time Password Support for Managed Cards

I think the first and most obvious candidate for an IdP is a token provider. You could offer a service that (a) is far more secure than what people have now, (b) would be accepted at any site which supports Information Cards without any specialized integration at the RP, and (c) uses a physical product that could be branded and used to build product loyalty. Imagine replacing everything from your Gmail login to your bank login with a token interaction from the same token. I would certainly use such a product, especially if the IdP was a non-auditing IdP.

There are more, but I’ll save them for Round #2. What features would you folks add?