I am not familiar with CardSpace, but a considerable difference between OpenID and Persona is a matter of anonymity. With OpenID, your OpenID provider (e.g. Google) can track you as you log in to your various accounts. By contrast, with Persona, the Persona provider does not get any meaningful information that can be used to blow your anonymity.
CardSpace was a Microsoft project led by Kim Cameron, the godfather of digital identity. They originally wanted to make it part of Windows Vista, but it was dropped for lack of interest. It was an open standard, and there were browser plugins to make it work in other browsers and operating systems. Microsoft knew they couldn't make it a Windows-only thing if they wanted people adopting it. They just wanted to be at the forefront of security for once.
A developer would add meta tags to a site's login page with a URL to post identity info to and a list of information it's requesting. That would trigger the browser (or plugin) to open a modal display of identity "cards", which the user could choose from. Then it would show what information the site requested and they could deny individual pieces of info. The data would be posted back to the site, along with a unique signature for that user & site.
Cards could be self-issued or issued by a third party, like your employer or bank. They could have graphical backgrounds applied so they looked more like ID cards or credit cards. It was a great UI for identity, and easy for developers to use. But I think the Microsoft name tarnished it. I know people outside the identity community were making comments about how this was Microsoft's attempt to become Big Brother & so forth, even though Microsoft was completely out of the communication loop between the user and the site.
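A simplified sketch of the flow described in the comment above (per-claim denial plus an identifier unique to each user and site), added here as an illustration; it is not part of the thread and is not CardSpace's actual token format. The HMAC derivation standing in for the signature, the function names, and the sample card and site origins are all assumptions.

```python
import hashlib
import hmac

# Constructed sample card: the secret never leaves the user's identity selector.
CARD_SECRET = b"constructed-card-master-secret"
CARD_CLAIMS = {"name": "Alex Example", "email": "alex@mail.example", "postcode": "00000"}


def pairwise_id(card_secret: bytes, site_origin: str) -> str:
    """Identifier that is stable for one (card, site) pair and differs per site."""
    return hmac.new(card_secret, site_origin.encode(), hashlib.sha256).hexdigest()


def build_token(card_secret, card_claims, site_origin, requested, denied=()):
    """Release only the claims the site requested and the user did not deny."""
    released = {
        name: card_claims[name]
        for name in requested
        if name in card_claims and name not in denied
    }
    return {
        "site": site_origin,
        "subject": pairwise_id(card_secret, site_origin),
        "claims": released,
    }


def linkable(token_a: dict, token_b: dict) -> bool:
    """What two colluding sites can check: do the subjects or any claims match?"""
    shared = set(token_a["claims"].items()) & set(token_b["claims"].items())
    return token_a["subject"] == token_b["subject"] or bool(shared)


if __name__ == "__main__":
    photos = build_token(CARD_SECRET, CARD_CLAIMS, "https://photos.example",
                         requested=["name", "email"], denied=["email"])
    forum = build_token(CARD_SECRET, CARD_CLAIMS, "https://forum.example",
                        requested=["postcode"])
    print(photos)
    print(forum)
    print("linkable:", linkable(photos, forum))
```

The identifier alone gives two sites nothing to correlate, but any released claim they both receive (an e-mail address, for instance) links the accounts again, which is why denying individual claims matters.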
Sounds interesting, but I never heard of it. This is a common issue for big corps - they see good ideas as not being popular enough, so they don't market them. Self-fulfilling prophecy.
I tried logging in to OpenPhoto with my Gmail address, and there's my profile photo pulled from my Google account. How can I be sure no tracks were created in the process of getting that image?
Once the site you sign into has your identity, the protocol can't stop them announcing to the world that you have signed in. But it doesn't require the ID provider to know where you're signing in.
Also, are you sure it's not from Gravatar? In my case, it's the same image as the Google profile photo.
I didn't remember setting up a Gravatar for my Gmail address, but it turns out I did, so yes, it's entirely possible it's from Gravatar. I feel better about that, although I guess Gravatar can track me now.
If you log into a service, that service can inform arbitrary third parties that you've logged in. By requesting your photo from Google, it is doing so, but how would you stop this at the protocol level?