InfoCard Not Son Of Passport

Here's an article by Robert McMillan (of IDG News Service) that appeared recently on InfoWorld. He caught me speaking to an audience of entrepreneurs and venture capitalists at the recent DataCenter Ventures 2005 Conference in Redwood City.

I participated in the conference to try and get attendees interested in building and funding software and devices whose behavior reflects identity. I was also arguing that InfoCards, as a cross-platform phenomenon providing a consistent interface to multiple underlying identity systems, finally made this plausible.

Hoping to learn from the lessons of its unsuccessful Passport initiative, Microsoft is taking a more open tack in developing its new InfoCard identity management platform, a company executive said Tuesday.

Like Passport, InfoCard is designed to make it easier for users to surf the Web by keeping track of their user names and passwords as they move from site to site. Unlike Passport, however, InfoCard is being designed to work on client and server software that was not developed by Microsoft.

The presentation didn't deal with the fact that InfoCards uses advanced cryptography rather than passwords, so Robert can't be faulted for this assumption.

Since the beta version of InfoCard was released in May, Microsoft has been working with developers of the Firefox and Opera browsers, as well as organizations like the Apache Software Foundation and Apple Computer, said Kim Cameron, Microsoft's chief architect of identity and access, speaking at the DataCenter Ventures 2005 conference in Redwood City, California.

“These aren't your typical Microsoft customers,” he said. “The main thing is, we need a solution that works on Linux boxes as much as it works on Microsoft boxes.”

Though the Passport identity management system now processes about 1 billion authentication requests per day, making it too popular to rightly be called a failure, the service has never gained popularity outside of Microsoft's own Web properties, Cameron said.

I argued that Passport is one of the most widely used authentication services on the Web – and its success in different roles has been determined by the Third Law of Identity:

“When it comes to identity, people want to understand why the parties to any interaction are there,” he said. “It makes sense for people to use Passport, run by Microsoft… to access Microsoft properties. It didn't make sense for users to use Passport to access eBay.”

Likewise, Europeans were uncomfortable with the fact that Passport data was stored on servers in Redmond, Washington, he said.

InfoCard seeks to get around this problem by operating in what Cameron calls a “polycentric,” and “polymorphic” fashion, meaning that the software will run on different operating systems, and the data will be stored in places that make sense to the user.

After its release, Passport was blasted by privacy advocates, including the Electronic Privacy Information Center, which argued that Microsoft was not taking adequate steps to protect and give users control of their data.

At the time, Microsoft disputed these concerns, but the company now needs to welcome them, Cameron said.

“We need to invite the people who used to be called privacy extremists into our hearts because they have a lot of wisdom,” Cameron said. “This (is) not the son of Passport.”

Microsoft's goal is to make it easier to create “identity-aware software,” while at the same time respecting the users' privacy concerns, he said.

Privacy will become an even more important issue as the implications of wireless networking become better understood, the Microsoft executive said.

At a recent security conference pranksters tracked a Bluetooth device that Cameron was using to offer attendees a real-time map of his progress through the convention center, a light-hearted hack that underlined a more serious point.

That same kind of technology could be used to build more intelligent bombs, Cameron said. “Nobody has thought through the privacy threats that this involved,” he said. “Now I can build a device that explodes when a specific person is in the vicinity.”

With the quality of online attacks improving, and consumer confidence already somewhat shaken by recent security scares, technology vendors like Microsoft are more pressed than ever to develop a reliable, widely used identity system for the Internet, he said. “We have to put on our tinfoil hats; we have to think through these technologies; we have to fix them.”

John Fontana on InfoCards for Browsers

In a piece by Mike Shaver which I relayed here, he referred to an article in Network World by John Fontana. John is always in front of the curve – recently I came across his article on InfoCards from the 2003 PDC with great quotes from Ray Ozzie. I'm going to find that piece and quote excerpts so you can see how clearly he got what we were trying to do even back then.

Meanwhile, here's the InfoCard piece John wrote this week:

‘Looking to ease the way customers manage their digital identities, Microsoft has begun working to integrate its InfoCard authentication technology with Internet Explorer and is in discussions with the Firefox and Safari browser developers to have them include the technology on their platforms.

‘According to Microsoft officials, InfoCard integration could show up in Internet Explorer 7.0 even though InfoCard is currently not on the feature list. The goal is to improve security and privacy on the Internet using the InfoCard model, which puts users in control of their personal identity information and would eliminate the need for user names and passwords to sign into a Web site.

‘“We are still working on if there is enough time to get this done” for Internet Explorer 7, says Michael Stephenson, Microsoft's group product manager for Windows Server. “We expect many different applications, smart apps, Web apps and browsers, to use InfoCard. Our own browser will take advantage of it.”

‘In addition, Microsoft is hoping others will adopt its InfoCard model on the Web to help improve security and privacy with a common identity layer.

‘“We are having concrete discussions with Firefox and others about specific mechanisms that would communicate between a Web site and the browser so we can enable credential selection such as InfoCard,” says John Shewchuk, CTO of distributed systems for Microsoft. “If we do this right, all browser vendors could provide a common mechanism for identity.”

‘Experts say that would improve security on the Internet.

‘“Adoption of a common user-friendly metaphor for identity can only help,” says Daniel Blum, an analyst with Burton Group.

‘In June, Microsoft unveiled its identity metasystem, which includes user-centric privacy controls in the form of InfoCard, a middleware technology called Windows Communication Foundation, Active Directory and a slate of Web services-based protocols led by WS-Trust that Microsoft and IBM have been developing.

‘WS-Trust is key for creating Security Token Service (STS), lightweight gateways for servers and clients that negotiate the exchange of security tokens, such as Kerberos or the Security Assertion Markup Language (SAML). IBM supports the technology in its federation server, and Ping Identity has an open source implementation of WS-Trust.

‘In the browser model, Web sites would need to run an STS in order to signal browser users to provide their InfoCard identity credentials.

‘“If there is useful information from the InfoCard work that doesn't necessarily require InfoCard technology and makes browsers more secure then we would like to see that happen,” says Scott Cantor, who works on the Internet2’s Shibboleth identity project and the SAML technical committee at the Organization for the Advancement of Structured Information Standards (OASIS). He also is the author of OpenSAML and the security architect at Ohio State University.

‘Another key to recruiting partners is standardization of WS-Trust. Microsoft's Stephenson says the company and partner IBM are finalizing the language on a charter to get WS-Trust, WS-SecurityPolicy and WS-SecureConversation submitted this month to OASIS for standardization.’


Mike Shaver on Metasystem

Readers may be interested in this posting by Mike Shaver, the architect working on technology strategy issues that are of significant interest to the Mozilla community and products – including Firefox:

I ran across this article this morning, about how Microsoft is reaching out to other browsers like Firefox and Safari to encourage adoption of InfoCard technologies. The article is certainly true as written, and I’ve written before about some of my involvement in those discussions, but I would like to caution people against reading into it that we have made or announced concrete plans to support InfoCard as a piece of the Firefox platform.

I think that support for rich and user-empowering identity infrastructure is an important element of the future growth of both the web and Firefox, and I think — perhaps somewhat more controversially — that InfoCard’s principles and protocols are a pretty strong basis for that infrastructure, but there’s a big gap between those beliefs and an item in the committed Firefox roadmap.

For better or for worse, my still-forming opinions about technologies do not Mozilla technology policy make.

Mike was clear from the first day I met him that there is a whole process to go through here – first of investigation and consultation, then of considering the alternatives and figuring out what is best for his community, and finally of making a decision and winning consensus. Mozilla – and all of us in the industry – are very lucky to have him around. I wish each of us, in pushing identity forward, could just snap our fingers – and everything would just fall into place. But the world demands more of us and then gives us more in return.


Britain's Internal Revenue Slips a Disk

I got a note recently from Paul Sweeney, who sent me to a digital rights landscape mindmap that is worth pondering. He also pointed us to this macabre report from the BBC via the very cool out-law.com (I hadn't seen it before) via The Register:

Revenue and Customs has apologised to customers of investment bank UBS Laing and Cruickshank after losing sensitive account information. The Revenue lost a computer disc, sent by the bank, which contained address and account details of UBS's Personal Equity Plan (Pep) investors.

The Revenue is investigating how the disc went missing from its offices.

The bank has offered to change the account details of customers whose personal information was on the disc.

Worried customers

UBS said the CD Rom was sent in late April at the request of the Revenue.

Customer information on the data disc included addresses, dates of birth, national insurance numbers, UBS account numbers and the value of their Peps.

Last week, UBS Laing and Cruickshank wrote to its customers telling them of the loss.

A UBS spokesman told BBC News that worried customers who wanted to change their account numbers would be allowed to do so.

It is not clear how many UBS customers had their account details on the CD Rom.

However, a spokesman for the bank told BBC News that it was only a “small percentage” of investors.

In a statement, the Revenue apologised for losing the disc, which it said had been “mislaid within a local office”.

“Following exhaustive searches, we contacted UBS Wealth Management to apologise,” it added.

“This is a one off incident in a single office which receives thousands of pieces of post per week. We are urgently reviewing our procedures to make sure this does not happen “

Another recent Register link people may find interesting is this story on onion routing and associated technologies.
