Open-source ID project awaits Microsoft's blessing

Higgins project developers are creating a tool equivalent to Windows CardSpace but need Redmond's go-ahead for certain features.
Written by Joris Evers, Contributor
An open-source rival to a Microsoft identity tool has been in limbo for months, awaiting the software giant's go-ahead on certain patent-related issues.

Developers working on the Higgins project want to create a tool equivalent to Microsoft's Windows CardSpace, but fear the software giant's legal wrath if they don't receive permission on certain features. Although parts of the project continue to move forward, proponents say it may not reach its full potential without Microsoft's help.

"There are some pieces that we would not be able to release that we would like to," Mary Ruddy, a Higgins project leader, said Thursday. "We want to make sure that the intellectual property for all of our open-source projects is really clean, so that people can feel confident about using our code."

In September, Microsoft pledged not to assert its patents pertaining to nearly three dozen Web services specifications. That did help the Higgins project, but developers say that wasn't enough to help them deliver all the features they hope to. They have asked Microsoft to provide guarantees that it won't sue on other parts of its intellectual property.

"We want to make sure that the intellectual property for all of our open-source projects is really clean, so that people can feel confident about using our code."
-- Mary Ruddy,
a Higgins project leader

"Microsoft gave us the first round, which was great. We just need a next round to have people be able to ship systems equivalent to CardSpace," said Anthony Nadalin, IBM's chief security architect. IBM and Novell are Higgins' main backers.

The Higgins project wrote a formal request to Microsoft in November. There have been discussions and some progress has been made, but Microsoft remains a hurdle, the Higgins developers said.

For its part, Microsoft is pleased that Higgins is building tools that are compatible to CardSpace, a company representative said in an e-mailed statement. "Microsoft is committed to an interoperable, secure and consistent consumer experience as it is related to the identity space," the representative wrote.

Microsoft will continue its discussions with Higgins, the Microsoft representative said, but declined to say whether the company will expand its open-specification promise.

CardSpace's goals
CardSpace, formerly known as InfoCard, is part of Windows Vista and also available for Windows XP. It promises to make using digital identities easier and safer and ultimately replace username and password as the means of verifying identity on the Internet.

Microsoft describes CardSpace as a single place to manage authentication and payment information, in the same way a wallet holds multiple credit cards. A CardSpace client on a PC will connect with Web sites that need information for authentication or transactions.

While CardSpace is available on Windows, one goal of the Higgins project is to cover other operating systems. Higgins wants to offer an open-source alternative that works on Windows and on alternatives such as Linux and Mac OS X. The application would work similarly to CardSpace.

"We don't intend to duplicate CardSpace, but a user should be able to sit down in front of the open-source implementation and feel comfortable and understand how things work, like Firefox versus Internet Explorer," said Dale Olds, who holds the title of distinguished engineer at Novell, drawing a parallel to Web-browsing software.

Also, Higgins developers want to include the capability to take identity information from Linux systems or Macs and use it with CardSpace, and vice versa, Olds said.

"This is the equivalent of the user's wallet. You want to be able to take your cards and use them in whatever system. How to do that has now been fully documented, but we need that included under the open-specification promise," Olds said. Without Microsof's acquiescence, import and export will only be possible between Higgins systems, he said.

Postponing features
Interactions with Microsoft have been encouraging, but the software heavyweight hasn't budged yet, Ruddy said. "As a consequence, there are some things that we're putting off until we get more specification promises."

The import and export specifications and documentation of the process underlying the CardSpace user experience are two examples of what the Higgins developers need.

The issue is patents, Olds said. "We want to make sure that any open-source developer can use any code that we produce with no fear of sued for patent infringement."

Microsoft closely guards some parts of CardSpace, such as where and how it stores data, for security reasons, the representative said. "How and where card data is physically stored by Windows CardSpace is specific to Microsoft’s implementation of CardSpace and in no way impedes the creation of interoperable identity selectors," he said.

Traditionally a fierce opponent of open source, Microsoft has shown growing acceptance of the core open-source tenets. The Microsoft Open Specification Promise, which was issued in September and promises that Microsoft will not sue anyone who creates software based on Web services protocols it and others developed, was a big step, Microsoft's rivals have said.

"We were thrilled with the historic open-specification promise. That was really a landmark," Ruddy said.

Microsoft has since expanded its open-specification promise to include its Sender ID e-mail authentication technology. That move was in part to promote interoperability among commercial and open-source software products, according to Microsoft.

Higgins was announced last year. A first version of what's called the Higgins Trust Framework is slated to be delivered this summer.

Without additional promises from Microsoft, Higgins will still deliver its software, but without certain features. Also, the client application is only one part of the project. Higgins seeks to deliver a complete "identity system," which also includes software that provides identities to individuals and applications that process the identity data.

"There is a ton of other things that we can go ahead and release," Ruddy said.

Editorial standards