Windows CardSpace

Windows CardSpace (codenamed InfoCard), is Microsoft's now-canceled client software for the Identity Metasystem. CardSpace is an instance of a class of identity client software called an Identity Selector. CardSpace stores references to users' digital identities for them, presenting them to users as visual Information Cards. CardSpace provides a consistent UI designed to help people to easily and securely use these identities in applications and web sites where they are accepted. Resistance to phishing attacks and adherence to Kim Cameron's "7 Laws of Identity"[1] were goals in its design.[2]

Windows CardSpace
Windows CardSpace icon
The Windows CardSpace user interface running on Windows XP, showing card creation template example.
The Windows CardSpace user interface running on Windows XP, showing card creation template example.
Operating systemMicrosoft Windows
Replaced byU-Prove
Service nameWindows CardSpace (idsvc)
TypeIdentity management system


When an Information Card-enabled application or website wishes to obtain information about the user, the application or website requests a particular set of claims from the user. The CardSpace UI then appears, switching the display to the CardSpace service, which displays the user's stored identities as visual i-cards. The user selects the InfoCard to use and the CardSpace software contacts the issuer of the identity to obtain a digitally signed XML token that contains the requested information. CardSpace also allows users to create personal (also known as self-issued) Information Cards, which can contain one or more of 14 fields of identity information such as full name, address, etc. Other transactions may require a managed InfoCard; these are issued by a third party identity provider that makes the claims on the person's behalf, such as a bank, employer, or a government agency.

Windows CardSpace is built on top of the Web Services Protocol Stack, an open set of XML-based protocols, including WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy. This means that any technology or platform that supports WS-* protocols can integrate with CardSpace. In order to accept Information Cards, a website developer simply needs to declare an HTML <OBJECT> tag that specifies the claims the website is demanding from the user and then implement code to decrypt the returned token and extract the claim values. If an Identity Provider wants to issue tokens, they must provide a means by which a user can obtain a managed card and provide a Security Token Service (STS) which handles WS-Trust requests and returns an appropriate encrypted & signed token. If an Identity Provider does not wish to build an STS, they will be able to obtain one from a variety of vendors including PingIdentity, BMC, Sun Microsystems, Microsoft, or Siemens, as well as other companies or organizations.

Because CardSpace and the Identity Metasystem upon which it is based are token-format-agnostic, CardSpace did not compete directly with other Internet identity architectures like OpenID and SAML. In some ways, these three approaches to identity can be seen as complementary.[3] Indeed, Information Cards can be used today for signing into OpenID providers, Windows Live ID accounts, SAML identity providers, and other kinds of services.

IBM and Novell planned to support[4] the Higgins trust framework to provide a development framework that includes support for Information Cards and the Web Services Protocol Stack, thus including CardSpace within a broader, extensible framework also supporting other identity-related technologies, such as SAML and OpenID.

Microsoft initially shipped Windows CardSpace with the .NET Framework 3.0, which runs on Windows XP, Windows Server 2003, and Windows Vista. It is installed by default on Windows Vista as well as Windows 7 and is available as a free download for XP and Server 2003 via Windows Update. An updated version of CardSpace shipped with the .NET Framework 3.5. In Windows 7 CardSpace technology is used by the new Credential Manager for the management and storage of saved user credentials.[5]


On February 15, 2011, Microsoft announced that Windows CardSpace 2.0 would not be shipped.[6] Microsoft is currently working on a replacement called U-Prove.[7]

See also


  1. ^ Cameron, Kim (2005-05-01). "The Laws of Identity". MSDN. Microsoft. Retrieved 2010-12-13.
  2. ^ Cameron, Kim; Jones, Michael B. (January 2006). "Design Rationale behind the Identity Metasystem Architecture" (PDF). Retrieved 2010-12-13.
  3. ^ Ernst, Johannes (January 24, 2006). "Three Digital Identity Standards". Archived from the original on August 9, 2011.
  4. ^ "Open Source Initiative to Give People More Control Over Their Personal Online Information". News room. IBM. February 27, 2006.
  5. ^ "Windows 7 new features:". TechNet. Microsoft. February 3, 2009. Retrieved March 30, 2018.
  6. ^ "Beyond Windows CardSpace". Claims-Based Identity Blog. Microsoft. 15 February 2011. Retrieved 23 July 2011.
  7. ^ "U-Prove Home". Connect. Microsoft. Archived from the original on July 14, 2011. Retrieved July 23, 2011.

Further reading

External links

Software development
  • Microsoft Information Card Kit for ASP.NET 2.0 – ASP.NET Relying Party (RP) code to support CardSpace.
  • Microsoft Information Card Kit for HTML – platform-independent JavaScript and CSS code that detects if the client can use i-cards and provides the corresponding UI support.
  • Open source Ruby RP code for accepting Information Cards.
  • Open source Java RP code for accepting Information Cards.
  • Open source C and PHP RP code for accepting i-cards.
  • Open source C RP code for accepting Information Cards and STS code for managed i-cards.
  • Open source PHP Security Token Service code for managed i-cards.
  • Open source C# STS code for managed Information Cards.
Identity selectors
.NET Framework version history

Microsoft started development on the .NET Framework in the late 1990s originally under the name of Next Generation Windows Services (NGWS). By late 2001 the first beta versions of .NET 1.0 were released. The first version of .NET Framework was released on 13 February 2002, bringing managed code to Windows NT 4.0, 98, 2000, ME and XP.

Since the first version, Microsoft has released nine more upgrades for .NET Framework, seven of which have been released along with a new version of Visual Studio. Two of these upgrades, .NET Framework 2.0 and 4.0, have upgraded Common Language Runtime (CLR). New versions of .NET Framework replace older versions when the CLR version is the same.

The .NET Framework family also includes two versions for mobile or Embedded device use. A reduced version of the framework, the .NET Compact Framework, is available on Windows CE platforms, including Windows Mobile devices such as smartphones. Additionally, the .NET Micro Framework is targeted at severely resource-constrained devices.


ASP.NET is an open-source server-side web application framework designed for web development to produce dynamic web pages. It was developed by Microsoft to allow programmers to build dynamic web sites, web applications and web services.

It was first released in January 2002 with version 1.0 of the .NET Framework, and is the successor to Microsoft's Active Server Pages (ASP) technology. ASP.NET is built on the Common Language Runtime (CLR), allowing programmers to write ASP.NET code using any supported .NET language. The ASP.NET SOAP extension framework allows ASP.NET components to process SOAP messages.

ASP.NET's successor is ASP.NET Core. It is a re-implementation of ASP.NET as a modular web framework, together with other frameworks like Entity Framework. The new framework uses the new open-source .NET Compiler Platform (codename "Roslyn") and is cross platform. ASP.NET MVC, ASP.NET Web API, and ASP.NET Web Pages (a platform using only Razor pages) have merged into a unified MVC 6.

Active Directory Federation Services

Active Directory Federation Services (AD FS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and to implement federated identity. Claims-based authentication involves authenticating a user based on a set of claims about that user's identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims-based authentication. It is part of the Active Directory Services.

In AD FS, identity federation is established between two organizations by establishing trust between two security realms. A federation server on one side (the Accounts side) authenticates the user through the standard means in Active Directory Domain Services and then issues a token containing a series of claims about the user, including its identity. On the other side, the Resources side, another federation server validates the token and issues another token for the local servers to accept the claimed identity. This allows a system to provide controlled access to its resources or services to a user that belongs to another security realm without requiring the user to authenticate directly to the system and without the two systems sharing a database of user identities or passwords.

In practice a user might typically perceive this approach as follows:

The user logs into their local PC (as they typically would when commencing work in the morning).

The user needs to obtain information from a partner company's extranet website, for example to obtain pricing or product details.

The user navigates to the partner-company extranet site, for example:

The partner website now does not require any password to be typed in; instead, the user credentials are passed to the partner extranet site using AD FS.

The user is now logged into the partner website and can interact with the website as if logged in.AD FS integrates with Active Directory Domain Services, using it as an identity provider. AD FS can interact with other WS-* and SAML 2.0-compliant federation services as federation partners.

AutoCollage 2008

AutoCollage 2008 is a Microsoft photomontage desktop application. The software creates a collage of representative elements from a set of images. It is able to detect faces and recognize objects.The software was developed by Microsoft Research labs in Cambridge, England and launched on September 4, 2008.

An update, named Microsoft Research AutoCollage 2008 version 1.1, was released on February, 2009. The software update adds the ability to select images for the AutoCollage, a richer integration with Windows Live Photo Gallery, support for network folders and the ability to define custom output sizes.

A new version, named Microsoft Research AutoCollage Touch 2009, was released on September 2009, and included by some OEMs on machines with Windows 7.

Higgins project

Higgins is an open-source project dedicated to giving individuals more control over their personal identity, profile and social network data.

The project is organized into three main areas:

Active Clients - An active client integrates with a browser and runs on a computer or mobile device.

Higgins 1.X: the active client supports the OASIS IMI protocol and performs the functions of an Information Card selector.

Higgins 2.0: the plan is to move beyond selector functionality to add support for managing passwords and Higgins relationship cards, as well other protocols such as OpenID. It also becomes a client for the Personal Data Store (see below) and thereby provides a kind of dashboard for personal information and a place to manage "permissioning"—deciding who gets access to what slice of the user's data.

Personal Data Store (PDS) is a new work area under development for Higgins 2.0. A PDS stores local personal data, controls access to remotely hosted personal data, synchronizes personal data to other devices and computers, accessed directly or via a PDS client it allows the user to share selected aspects of their information with people and organizations that they trust.

Identity Services - Code for (i) an IMI and SAML compatible Identity Provider and (ii) enabling websites to be IMI and OpenID compatible.

Identity management system

An identity management system refers to an information system, or to a set of technologies that can be used for enterprise or cross-network identity management

Additional terms are used synonymously with "identity management system" including;

Access governance system

Identity and access management system

Entitlement management system

User provisioning systemIdentity management (IdM) describes the management of individual identities, their authentication, authorization, roles and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks."Identity management" and "access and identity management" (or AIM) are terms that are used interchangeably under the title of identity management while identity management itself falls under the umbrella of IT security.Identity management systems, products, applications, and platforms are commercial Identity management solutions implemented for enterprises and organizations.Technologies, services, and terms related to identity management include active directories, service providers, identity providers, Web services, access control, digital identities, password managers, single sign-on, security tokens, security token services (STS), workflows, OpenID, WS-Security, WS-Trust, SAML 2.0, OAuth, and RBAC.

Information Card

Information cards are personal digital identities that people can use online, and the key component of an identity metasystem. Visually, each i-card has a card-shaped picture and a card name associated with it that enable people to organize their digital identities and to easily select one they want to use for any given interaction. The information card metaphor is implemented by identity selectors like Windows CardSpace, DigitalMe or Higgins Identity Selector.

An identity metasystem is an interoperable architecture for digital identity that enables people to have and employ a collection of digital identities based on multiple underlying technologies, implementations, and providers. Using this approach, customers can continue to use their existing identity infrastructure investments, choose the identity technology that works best for them, and more easily migrate from old technologies to new technologies without sacrificing interoperability with others. The identity metasystem is based upon the principles in "The Laws of Identity".

Liberty Alliance

The Liberty Alliance Project was an organization formed in September 2001 to establish standards, guidelines and best practices for identity management in computer systems.

It grew to more than 150 organizations, including technology vendors, consumer-facing companies, educational organizations and governments.

It released frameworks for federation, identity assurance, an Identity Governance Framework, and Identity Web Services.

By 2009, the Kantara Initiative took over the work of the Liberty Alliance.

List of Microsoft Windows application programming interfaces and frameworks

The following is a list of Microsoft APIs and frameworks.

List of Microsoft Windows components

The following is a list of Microsoft Windows components.

List of features removed in Windows 8

Windows 8 is a version of Windows NT and the successor of Windows 7. Several features which are present on Windows Vista and Windows 7 are no longer present on Windows 8.

Microsoft account

A Microsoft account or MSA (previously known as Microsoft Passport, .NET Passport, Microsoft Passport Network, and Windows Live ID) is a single sign-on Microsoft user account for Microsoft customers to log into Microsoft websites (like, devices running on one of Microsoft's current operating systems (e.g. Windows 10 computers and tablets, Windows Phones, and Xbox consoles), and Microsoft application software (including Visual Studio).


OpenID is an open standard and decentralized authentication protocol.

Promoted by the non-profit OpenID Foundation, it allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log into multiple unrelated websites without having to have a separate identity and password for each.Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign onto any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites according to the OpenID Foundation.The OpenID standard provides a framework for the communication that must take place between the identity provider and the OpenID acceptor (the "relying party"). An extension to the standard (the OpenID Attribute Exchange) facilitates the transfer of user attributes, such as name and gender, from the OpenID identity provider to the relying party (each relying party may request a different set of attributes, depending on its requirements).The OpenID protocol does not rely on a central authority to authenticate a user's identity. Moreover, neither services nor the OpenID standard may mandate a specific means by which to authenticate users, allowing for approaches ranging from the common (such as passwords) to the novel (such as smart cards or biometrics).

The term OpenID may also refer to an identifier as specified in the OpenID standard; these identifiers take the form of a unique Uniform Resource Identifier (URI), and are managed by some "OpenID provider" that handles authentication.The current version of OpenID is OpenID Connect 1.0, finalized and published in February 2014, and updated with corrections in November 2014.

Open Database Connectivity

In computing, Open Database Connectivity (ODBC) is a standard application programming interface (API) for accessing database management systems (DBMS). The designers of ODBC aimed to make it independent of database systems and operating systems. An application written using ODBC can be ported to other platforms, both on the client and server side, with few changes to the data access code.

ODBC accomplishes DBMS independence by using an ODBC driver as a translation layer between the application and the DBMS. The application uses ODBC functions through an ODBC driver manager with which it is linked, and the driver passes the query to the DBMS. An ODBC driver can be thought of as analogous to a printer driver or other driver, providing a standard set of functions for the application to use, and implementing DBMS-specific functionality. An application that can use ODBC is referred to as "ODBC-compliant". Any ODBC-compliant application can access any DBMS for which a driver is installed. Drivers exist for all major DBMSs, many other data sources like address book systems and Microsoft Excel, and even for text or comma-separated values (CSV) files.

ODBC was originally developed by Microsoft and Simba Technologies during the early 1990s, and became the basis for the Call Level Interface (CLI) standardized by SQL Access Group in the Unix and mainframe field. ODBC retained several features that were removed as part of the CLI effort. Full ODBC was later ported back to those platforms, and became a de facto standard considerably better known than CLI. The CLI remains similar to ODBC, and applications can be ported from one platform to the other with few changes.

Technical features new to Windows Vista

Windows Vista (formerly codenamed Windows "Longhorn") has many significant new features compared with previous Microsoft Windows versions, covering most aspects of the operating system.

In addition to the new user interface, security capabilities, and developer technologies, several major components of the core operating system were redesigned, most notably the audio, print, display, and networking subsystems; while the results of this work will be visible to software developers, end-users will only see what appear to be evolutionary changes in the user interface.

As part of the redesign of the networking architecture, IPv6 has been incorporated into the operating system, and a number of performance improvements have been introduced, such as TCP window scaling. Prior versions of Windows typically needed third-party wireless networking software to work properly; this is no longer the case with Windows Vista, as it includes comprehensive wireless networking support.

For graphics, Windows Vista introduces a new as well as major revisions to Direct3D. The new display driver model facilitates the new Desktop Window Manager, which provides the tearing-free desktop and special effects that are the cornerstones of the Windows Aero graphical user interface. The new display driver model is also able to offload rudimentary tasks to the GPU, allow users to install drivers without requiring a system reboot, and seamlessly recover from rare driver errors due to illegal application behavior.

At the core of the operating system, many improvements have been made to the memory manager, process scheduler, heap manager, and I/O scheduler. A Kernel Transaction Manager has been implemented that can be used by data persistence services to enable atomic transactions. The service is being used to give applications the ability to work with the file system and registry using atomic transaction operations.

Windows Driver Frameworks

Windows Driver Frameworks (WDF, formerly Windows Driver Foundation), is a set of Microsoft tools and libraries that aid in the creation of device drivers for Windows 2000 and later versions of Windows. It complements Windows Driver Model, abstracting away much of the boilerplate complexity in writing Windows drivers.

WDF consists of Kernel-Mode Driver Framework (KMDF) and User-Mode Driver Framework (UMDF). These individual frameworks provide a new object-oriented programming model for Windows driver development. The primary goals of WDF is conceptual scalability and reduced duplication, enabling developers to apply the same concepts across different driver types and reducing the code overhead required for drivers. This differs markedly from the Windows Driver Model (WDM) which requires driver developers to be fully familiar with many complex technical details to write a basic driver.

Part of the key to achieving conceptual scalability is that KMDF and UMDF use an "opt-in" model. This model allows the developer to extend and override the default behavior of a canonical "good driver". In contrast, Windows Driver Model depends on the driver writer to implement all aspects of the driver's behavior.

Windows Vista

Windows Vista is an operating system that was produced by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs and media center PCs. Development was completed on November 8, 2006, and over the following three months, it was released in stages to computer hardware and software manufacturers, business customers and retail channels. On January 30, 2007, it was released worldwide and was made available for purchase and download from the Windows Marketplace; it is the first release of Windows to be made available through a digital distribution platform. The release of Windows Vista came more than five years after the introduction of its predecessor, Windows XP, the longest time span between successive releases of Microsoft Windows desktop operating systems.

New features of Windows Vista include an updated graphical user interface and visual style dubbed Aero, a new search component called Windows Search, redesigned networking, audio, print and display sub-systems, and new multimedia tools such as Windows DVD Maker. Vista aimed to increase the level of communication between machines on a home network, using peer-to-peer technology to simplify sharing files and media between computers and devices. Windows Vista included version 3.0 of the .NET Framework, allowing software developers to write applications without traditional Windows APIs.

Microsoft's primary stated objective with Windows Vista was to improve the state of security in the Windows operating system. One common criticism of Windows XP and its predecessors was their commonly exploited security vulnerabilities and overall susceptibility to malware, viruses and buffer overflows. In light of this, Microsoft chairman Bill Gates announced in early 2002 a company-wide "Trustworthy Computing initiative", which aimed to incorporate security into every aspect of software development at the company. Microsoft stated that it prioritized improving the security of Windows XP and Windows Server 2003 above finishing Windows Vista, thus delaying its completion.While these new features and security improvements have garnered positive reviews, Vista has also been the target of much criticism and negative press. Criticism of Windows Vista has targeted its high system requirements, its more restrictive licensing terms, the inclusion of a number of then-new DRM technologies aimed at restricting the copying of protected digital media, lack of compatibility with some pre-Vista hardware and software, longer boot time, and the number of authorization prompts for User Account Control. As a result of these and other issues, Windows Vista had seen initial adoption and satisfaction rates lower than Windows XP. However, with an estimated 330 million Internet users as of January 2009, it had been announced that Vista usage had surpassed Microsoft's pre-launch two-year-out expectations of achieving 200 million users.

At the release of Windows 7 (October 2009), Windows Vista (with approximately 400 million Internet users) was the second most widely used operating system on the Internet with an approximately 19% market share, the most widely used being Windows XP with an approximately 63% market share. In May 2010, Windows Vista's market share had an estimated range from 15% to 26%. On October 22, 2010, Microsoft ceased sales of retail copies of Windows Vista, and the OEM sales for Vista ceased a year later. Since April 2019, Vista's market share has declined to under 0.5% of Windows' total market share.

Microsoft development tools
Major APIs and
(see all)
Source control
Data access
Administration and
Component model
Device drivers
Software factories
Text and multilingual
File systems
Spun off to
Microsoft Store

This page is based on a Wikipedia article written by authors (here).
Text is available under the CC BY-SA 3.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.