Published: 14 Apr 2008
By: Tomas McGuinness

Review of the book “Understanding Windows CardSpace”.

About the book

Written by: Vittorio Bertocci, Garrett Serack, Caleb Baker
Pages: 384
Publisher: Addison Wesley Professional
ISBN-10: 0321496841
ISBN-13: 978-0321496843

Introduction

CardSpace, introduced in 2006 as part of the .NET 3.0 wave and updated as part of .NET 3.5, is Microsoft's attempt at entering the digital identity space. One of the four elements that formed .NET 3.0, CardSpace is the least well known of the quartet (compared to WCF, WPF and WF), but it is arguably one of the most important applications released.

CardSpace is the result of research that Microsoft did into the problems of Digital Identity, primarily in response to the growing threat of phishing, spam and other digital crime. Building upon existing open standards, Microsoft hopes to position CardSpace as a major player in this emerging arena.

Broken down into three separate parts, the book begins by giving a good overview of how identity exists on the Internet today and the problems that have emerged. It then moves into an overview of the possible solutions to these problems, given in the form of the Seven Laws of Identity. Finally it covers the actual CardSpace technology, explaining in detail how it is positioned to solve the digital identity issue through its compliance with the Seven Laws. The last part of the book covers some guidelines for users and companies who want to enter the CardSpace arena.

Part 1: Setting the Context

The first part of the book begins by delving into “The Problem”. This section aims to give the reader a good understanding of the threats faced by an average user on the internet today. Starting with the emergence of hacking, this section shows how the threats have evolved over time. The simplicity of coding and the spreading of knowledge led to a generation of users that could take advantage of known exploits discovered by other users. As time progressed, the attacks became more sophisticated and eventually gave way to “social engineering” as a useful tool for the internet fraudster.

Having covered the problem that needs to be solved, the book analyzes the main security tool: the password! The authors here give a good explanation of how the password came about. This section was very informative, as it details the main limitations of the password and how it is no longer really useful as a primary means of identification in the internet realm. The benefits of passwords are also covered, with a good explanation as to where the password can be most effective and where it should and shouldn’t be used.

Across these sections the book makes use of “breakouts” to give reasonably detailed descriptions of things like cryptography and authentication. These are very useful and will help the reader form a good understanding of the principles that will be covered later on. As I mentioned before, these explanations are generally very high-level primers.

The next section of this part covers the Seven Laws of Identity. These laws were developed by Kim Cameron, an architect at Microsoft, in 2004. Cameron engaged many organizations and the open source community through his blog at http://www.identityblog.com/. By ignoring individual vendor technologies and focusing on defining the issues in general terms, Cameron succeeded in putting together the Seven Laws. These are covered in detail and are referred to time and time again. The Identity Metasystem is then covered. This covers the major components that make up an identity system, such as a claim, an Identity Provider (IP) and a Relying Party (RP), to name but a few. I found this to be the most interesting and informative part of the book, as it breaks down in detail how all the “actors” work together to prove identity.

The open source WS specifications are introduced and their place in the context of the Identity Metasystem is also covered.

Part 2: The Technology

Up to this point the book hasn’t mentioned any specific technology or implementation. I feel this is quite important as it helps reinforce the concept that providing one’s identity shouldn’t be constrained to one specific vendor or technology.

Since CardSpace itself is a local application, this part of the book introduces the “Card” concept and the UI of the CardSpace application itself. A description of the various parts of the Card and the UI helps give an understanding of how they relate to the Identity Metasystem and how the user would interact with the UI. Walkthroughs are given, showing how a user would go about creating a card or installing a managed card. Snippets of code are provided to show how the CardSpace UI would be invoked from a browser, or how it would be used with WCF and Web Services.

A section is devoted to how a website could be modified to accept Cards. Beginning with a generic website that takes a username and password, it goes on to describe the various changes that would be required to move the site over to CardSpace. These changes range from the UI to the DB. The most basic approach is used here, assuming that personal cards will be used. Sample DB tables are explained. All the necessary changes to the UI are covered, with an excellent description of how to present the various elements to the users. By referring back to the Seven Laws, the book shows how important they are even in terms of UI design. This walkthrough is very generic and basic, but it covers the most important changes that a migration would entail.

Part 3: Practical Considerations

The final part of the book is targeted at people or companies that wish to either use a digital identity or to become an identity provider. These concepts are covered earlier in the book. This section of the book doesn’t really deal with any technical aspects of either role; rather it contains a list of do’s and don’ts that should be followed by a potential implementer.

Conclusion

When CardSpace was introduced in 2006 I set about trying to get a basic understanding of what it did and how it worked. I managed to get as far as generating personal cards but fell short of getting a full managed card scenario running. There seemed to be a lack of interest from the community at large and there wasn’t very much documentation available. I couldn’t find a good, basic explanation of the overall architecture of the Open Identity world and the Identity Metasystem.

But having finished this book, I’ve gained a much better understanding of how all the parts interact. The book itself doesn’t contain many code samples, so if you’re looking for a book that’s going to show you the technical ins and outs of Open Identity and CardSpace, I’m afraid you’ll be disappointed. There is enough C# code to get you up and running, but if you’re looking for samples on building your own STS or signing managed cards, you’ll be disappointed. Even if you’re not a .NET developer this book is still relevant, as it focuses mainly on what an implementation should do rather than being specific about how it’s implemented.

This book is a great starting point for CardSpace, and I would recommend it to anyone who wants to get their feet wet in digital identity.

About Tomas McGuinness

Tomas McGuinness is currently working as an application developer for Resilient Networks in London and does part-time freelance work on small projects. He has worked primarily in web application development for a variety of companies.