OpenID and CardSpace are both complementary and competing technologies. An interesting thing about OpenID it that it allows you to "attach" a Card to your OpenID account (create an openid at myopenid.com if you have not already). That is interesting as it allows you to logon to your OpenID account using your InfoCard on your desktop. That is pretty powerful because that means you can logon to any OpenID site using your InfoCard. So the web designer that enables OpenID logins will also get CardSpace for free without writing a single line of additional code – that is pretty cool.
In a previous post, I wrote on the need of a Proxy that would allow me to get my Card easily when on a public pc. OpenID with cardspace support does not get us there, because I still have to have the card on the machine I am at in order to authenticate to OpenID using my card. However, OpenID does allow me to login using name/pwd pair, so that is always a good last resort. However this can be made better I think.
What if the OpenID provider also "stored" my Card in encrypted form? Then I could download that card and use it. To make this process simple, MS needs to create a temp proxy card. So on a new machine I create a TProxy card that have my name and a URI to my OpenID provider. Now when I try to use TProxy card, it downloads my real card from the provider and decrypts by prompting for a password. Now that I have my real card local, I can then continue to use as normal during the session. The provider only ever sees my card in encrypted form so it is protected from snooping. Now the question is how to get rid of local card when done? If I log out, the CardSpace framework and just clear card memory and be done. But what if I just walk away and forget to logout? I guess that is same issue as forgetting your credit card at a store and hoping nobody uses it until you cancel the card. One option to mitigate the risk is to add a timeout on the card.
I guess another option would be a usb smart card and a pwd pair. Keep your smart card on your key chain and you can login anywhere. Loose your card, and someone still needs your password. So I need to login once (to decrypt the card on the smart card) and can use the card for remainder of my session.