CardSpace in LiveID: Where's the STS?

Location: Blogs Daniel Bartholomew's Blog
Posted by: Daniel Bartholomew	Monday, August 20, 2007 11:10 PM
As LiveId now supports information cards for authentication it seems that Microsoft are getting the whole machine behind the technology publicly. You can now sign into Hotmail and various other sites using a self-issued card. But the process seems kind of funny to me: the identity metasystem was designed for Identity Providers to run their own STS - and for site providers to act as relying parties. However the current model for LiveId is topsy-turvy. LiveId acts as a RP and your computer acts as the STS. This means that web sites that want to use CardSpace for authenticating LiveId based users need to have a system of HTTP redirects in place - this messes with the security of the identity metasystem and gives the user an inconsistent experience. I hope that Microsoft soon expose a LiveId STS and then issue managed Information Cards to LiveId users. Then web sites will be able to act as Relying Parties, LiveId can act as the STS, and the user gets the true benefits of CardSpace - greater security and a better user experience.

Permalink \| Trackback

Re: CardSpace in LiveID: Where's the STS?	By Don Isenor on Tuesday, October 16, 2007 4:15 AM
It's strange enough that Live ID is not providing an STS, but even more strange is that Live ID does not accept managed cards at all, regardless of STS. They are using only the PPID claim, simply associating the PPID with my Live ID account, so it should be irrelevant whether the card is self-issued or managed.

Your name:
Title:
Comment:

Security Code Enter the code shown above in the box below
Add Comment Cancel

Search