SAN FRANCISCO – Microsoft plans to update its CardSpace identity software with new security options and is testing the technology for large-scale deployment using its Hotmail and other Live online services.

The company made the announcements during the first day of the Digital ID World conference, which is put on by Network World parent company IDG.

The CardSpace improvements will come as part of the .Net Framework 3.5 release, which is planned for the end of the year to coincide with the shipment of Visual Studio 2008. 

Version 3.5 does not require Web sites using CardSpace to have an SSL certificate. With .Net Framework 3.0, every CardSpace site had to deploy as a secure HTTP (HTTPS) site. That meant that casual Web sites, such as those run by bloggers, had to buy and correctly install a certificate, and run from a fixed IP address just to provide simple log-ins via CardSpace.

“We figured out it was completely unreasonable for those people to have a certificate,” says Kim Cameron, Microsoft’s identity architect.

On the flip side, the 3.5 changes also mean that highly sensitive sites, such as those run by financial-services companies, can stipulate the use of high-assurance certificates.

“We also figured out the proper way to do this is for the identity provider to decide if a certificate is required or not,” Cameron says. “So we strengthened the high end and solved the low-end issue by allowing the identity provider to determine the type of security the site must have.”

Currently, CardSpace is one size fits all, but identity providers -- those who issue cards to users -- will be able to create managed cards that can have high, medium and low levels of security. In addition, users can self-issue cards to be used as replacements for username/password with sites that do not use SSL certificates.

CardSpace, which is an implementation of Microsoft’s Information Card technology, is a user-centric identity client that shipped with Vista and was back ported to XP.