VERISIGN TO SUPPORT INFOCARDS

Todd Bishop of the Seattle Post Intelligencer posted another good read – this time about Versign's support for InfoCards. Now, in addition to Microsoft having an InfoCard Project, Verisign has one. This is a big step forward for an Identity Metasystem that gives people increased control over their digital identities.

I hope people see that when enough industry players buy in, the system will no longer be ascribed to Microsoft. It will be a lot clearer that InfoCard does not “belong” to any particular vendor. Microsoft will have its Identity Selector, and its Active Directory InfoCard support, but many other vendors and platforms and organizations will offer InfoCard components. The Identity Metasystem will be like TCP/IP or the Web.

There will be an ecology that will lead us all to a period of great creativity – where a million new possibilities open up as identity becomes easy to program and use. That world is what Microsoft is trying to foster – not brand recognition around InfoCard.

SAN JOSE, Calif. — Microsoft Corp.’s fledgling InfoCard online identification project has won support from one of the biggest names in the field.

VeriSign Inc. showed plans Wednesday to let people use Microsoft's InfoCard program as one way to log into Web sites that are part of its VeriSign Identity Protection Network — which already has signed up Internet heavyweights eBay, PayPal and Yahoo! as its initial participants.

Analysts called it an important first step for Microsoft, which needs to bring aboard a variety of Web sites and identity providers for the InfoCard project to work. VeriSign announced its system, known as the VIP Network, earlier this week.

“That's a really valuable win for Microsoft,” said industry analyst Rob Helm, research director at Kirkland-based research firm Directions on Microsoft. VeriSign's involvement means Microsoft's InfoCard stands a better chance of being “something more than an academic exercise,” Helm said.

VeriSign Chief Executive Stratton Sclavos announced the company's plan to link up with InfoCard during an address Wednesday morning at the RSA security conference here. Before the announcement, the VIP network appeared to pose a potential competitive threat to Microsoft's InfoCard project, as an alternative system.

The VIP network provides people with a common way of securely logging in to a variety of sites. It will work in conjunction with one-time digital passwords generated by devices such as specially equipped mobile phones, key chains and USB keys.

The InfoCard program is designed to serve almost as a virtual wallet on the computer screen, with different cards representing a person's various online identities.

Microsoft hopes to persuade many identity providers — such as banks, governmental agencies and online services — to issue InfoCards. People using the InfoCard program could then select one of the cards to securely provide their digital credentials when they need to log into online sites, authenticating their identity without using a password each time.

Users of the VIP Network would still be able to log into sites using VeriSign's system alone, but the company's decision to work with InfoCard would give them the option of using the Microsoft program as an alternative interface.

On stage at RSA Wednesday, VeriSign demonstrated the ability to access an InfoCard associated with the VIP Network using a digital password generated by one of the VeriSign devices. After that step, the InfoCard program lets the user select that virtual card to securely log in to one of the VIP Network sites.

The InfoCard program, demonstrated by Microsoft Chairman Bill Gates at the RSA conference earlier this week, will be included in the upcoming Windows Vista operating system and made available for the existing Windows XP. It also will work in conjunction with Microsoft's upcoming Internet Explorer 7 browser.

Kerry Loftus, director of product management for VeriSign's authentication services, said the sites with which the company is working were interested in making sure the VIP System was integrated with Microsoft InfoCard, as well.

“They understand it's a reality that's coming down the pike for them,” Loftus said. “It's another alternative log-on for them.”

Loftus said the arrangement between VeriSign and Microsoft is a technology partnership, with no financial terms involved. During his speech, VeriSign's Sclavos cited it as an example of companies in the information-security industry “coming together around standards that can be shared.”

InfoCard is the Redmond company's latest effort to give computer users a uniform way of logging into Web sites and verifying their identities online. It works with a variety of identity providers, unlike the company's Passport log-in program.

As a security measure, InfoCard doesn't store sensitive personal data from identity providers on the computer itself. Instead, after a user clicks on a card, the program retrieves the necessary digital credentials from an identity provider, then forwards them to a site to authenticate the person's identity.

In addition, people would be able to create their own virtual cards inside the program for submitting basic log-in information to Web sites. The InfoCard program itself runs in a secure area separate from the standard PC desktop.

Reflecting the fact that it was a surprise, Sclavos preceded the announcement of VeriSign's InfoCard integration with a nod to Apple Chief Executive Steve Jobs’ signature move — appearing as if he were about to conclude his speech but then saying he had “one more thing” to show.

I thought the demo was great – I hope our friends at Verisign will do a screen-capture video so I can link to it for people who missed the live event.

I hope everyone thinks hard about what happened here. Verisign and Microsoft could have gone in separate directions and the result would be further confusion in the identity landscape. But it didn't happen. There is a lot of vision at Verisign, and my team really enjoyed working with them as they built their proof of concept.

DOUBLE WHAMMY FOR PING

Ping Identity continues to be a leader in getting product into the marketplace and building an Identity Metasystem. I don't know much about their MedCommons alliance but it looks interesting.

Today at the the RSA Conference in San Jose, CA, Ping Identity announced that PingTrust v1.0 is now available for free download . Previously called PingSTS, PingTrust is a WS-Trust Security Token Service that creates, validates and exchanges security tokens to identity-enable Web Services and to extend federated single sign-on to incorporate Web Services.

Meanwhile at the HIMSS conference in San Diego, CA, Ping Identity and MedCommons announced a partnership to bring standards-based single sign-on to electronic health records. Ping and MedCommons are demonstrating their combined products this week at a HIMSS interoperability showcase sponsored by the Liberty Alliance.

TODD BISHOP EXPLAINS INFOCARDS

Todd Bishop at the Seattle Post Intelligencer published this article this morning:

SAN JOSE, Calif. — Microsoft Corp. is set to take another crack at creating a uniform way for people to log on to Web sites, conduct transactions and prove their identities online.

Code-named InfoCard, the project will be outlined by Microsoft executives at the RSA computer security conference here this week. It reflects a change in approach for the company after its Passport initiative fell far short of the original goal of becoming a universal method of identification on the Internet.

Unlike Passport, the InfoCard project is meant to work with a variety of online identity providers, not just one. Microsoft hopes to persuade governmental agencies, banks, online services and others to issue digital cards that people could use to establish different levels of identity for themselves at online sites.

The project is only one of many approaches to online identity across the industry, and analysts say Microsoft faces significant challenges as it tries to make InfoCard widely used. But it's one of the company's biggest moves in the field since Passport's launch more than five years ago.

Passport remains in place, but primarily as an identity service for Microsoft sites, not as a central identity provider for accessing sites across the Internet.

“No one has sufficient trust of any one organization to put all their eggs in that one basket,” explained Richard Turner, program manager for Microsoft's Web services strategy, calling it a lesson learned by the company. “There will be multiple issuers of identity out there on the Internet. Passport is just one of those.”

Reflecting that notion, Microsoft's InfoCard project creates a program akin to a virtual wallet on the PC, designed to let people securely store and distribute various forms of online identification, represented on-screen as cards.

The company says users would log in to a site by clicking on one of the cards, reducing the need to type in a user name and password. The InfoCard program would securely retrieve the necessary digital credentials from an identity provider, then forward them to the site to authenticate the user's identity.

People would be able to create their own virtual cards inside the program for submitting basic log-in information to Web sites.

But Microsoft's InfoCard concept also faces competition. A variety of alternative approaches are expected to be on display at this week's conference.

In the latest example, VeriSign said Monday that eBay and Yahoo! had signed on as supporters of its new online authentication system, the VeriSign Identity Protection Network, which will include keychain-based tokens that generate passwords to be entered as part of the online authentication process.

For Microsoft's InfoCard project to work, the company would need to attract the interest of a variety of online identity providers and online sites that need to authenticate user identity. Turner says the company has received positive responses during discussions in recent months.

But not everyone is convinced that the concept will take off as Microsoft hopes.

“There has to be a few widely accepted cards — kind of the Visa and MasterCard of the identity world — and it's not clear that anyone wants that job,” said analyst Rob Helm, research director at Kirkland-based research firm Directions on Microsoft.

At the same time, Microsoft is in a more influential position than most because of the wide availability of its Windows PC operating system. The underlying software for InfoCard will be available as part of Windows Vista, due out later this year, and it's expected to be accessible through the company's Internet Explorer 7 browser. It will also be offered as an add-on for the current Windows XP.

The company also has set up its new WinFX software development system to let outside programmers incorporate InfoCard into Windows-based programs.

Microsoft's concept of a virtual wallet where people can select and control their online identities makes sense for individual computer users, said Roger Sullivan, vice president of the Liberty Alliance, a digital identity consortium formed in part out of concerns over Microsoft's original Passport vision.

But Sullivan, who is also vice president of business development for Oracle Corp.’s identity management solutions, said he believes stronger authentication would be needed “in the context of large-scale, serious business transactions.” The Liberty Alliance focuses on standards for managing identity across different companies.

Microsoft acknowledged that InfoCard and the Liberty Alliance approach “address different parts of the digital identity problem.”

Microsoft has shown and distributed the InfoCard technology to developers, but it hopes to start winning broader industry support this week at the RSA security conference, where company Chairman Bill Gates is scheduled to give a keynote address this morning. Kim Cameron, Microsoft's architect for identity technology, is scheduled to discuss InfoCard and related concepts at two sessions during the week.

The company says it has incorporated a variety of security protections into the InfoCard system. The program runs in a secure on-screen overlay separate from the standard PC desktop, reducing the chances of infiltration by spyware or other online threats. Also, the cards from identity providers wouldn't store sensitive data on the PC. Instead, they would provide a way of retrieving data from those providers when needed, cutting the potential security risk.

At the same time, the company says it doesn't want InfoCard to be the only program of its kind. The program uses non-proprietary communications standards, and Microsoft says it would like to see the people and companies behind other operating systems, such as Linux and Apple's Mac OS X, create their own programs similar to InfoCard, to make the approach more common.

The approach “essentially adds an identity layer to the Internet,” said Microsoft's Turner, calling such a layer sorely needed in today's online world.

HOW IT WORKS

Microsoft's InfoCard is a virtual representation of a person's various online identities in an on-screen program that runs in a secure overlay separate from the regular PC desktop.

Under the company's plan, computer users would create some cards for themselves, entering information for logging into Web sites. Other cards would be distributed by identity providers — such as banks or governmental agencies or online services — for secure online authentication of a person's identity.

To log in to a site, computer users would open the InfoCard program directly, or using Microsoft's Internet Explorer browser, and then click on the card that matches the level of information required by the site. The InfoCard program would then retrieve the necessary credentials from the identity provider, in the form of a secure digital token. The InfoCard program would then transmit the digital token to the site to authenticate the person's identity.

RSA 2006

Follow the news from the RSA security conference in San Jose, Calif., this week in the Seattle P-I and on Todd Bishop's Microsoft blog.

BILL GATES SEES END TO PASSWORDS IN SIGHT

Bill Gates did the opening keynote address at RSA today, and Ina Fried and Joris Evers from CNET had their story out within an amazing fourty-two minutes. How can they do that?

Bill made it clear that he really cares about privacy and security, just as he is committed to helping build an identity metasystem that moves the industry to the next stage of collaboration and reach.

SAN JOSE, Calif.–For years, Microsoft Chairman Bill Gates has had his sights set on the password as the weak link in the computer security chain.

Now, with Windows Vista, Gates feels he finally has the right weapons to supplant the password as a means of verifying who is who on computers and over the Internet.

The new operating system, due later this year, introduces a concept called InfoCards that gives users a better way to manage the plethora of Internet login names and passwords as well as lets third parties help in the verification process. Vista will also make it easier to log on to PCs using something stronger than a password alone, such as a smart card.

“We're laying the foundation for what we need,” Gates said in a speech at the RSA Conference 2006 here.

Even with the advancements, Gates said he wasn't naive enough to think the password would go away overnight.

“I don't pretend that we are going to move away from passwords overnight, but over three or four years for corporate systems this change can and should happen,” he said.

Microsoft has described InfoCard as a technology that gives users a single place to manage various authentication and payment information, in the same way that a wallet holds multiple credit cards.

InfoCard is Microsoft's second try at an authentication technology after its largely failed Passport single sign-on service unveiled in 1999.

InfoCard attempts to address the complaint many critics had with Passport, which was that people's information was managed by Microsoft instead of by the users themselves and the businesses they dealt with.

Although Microsoft has talked previously about InfoCard and early versions of the InfoCard code were released to developers last year, Gates’ speech marked one of the first times Microsoft has demonstrated publicly just how it might work.

In a demonstration, Microsoft showed how a consumer could use a self-generated InfoCard to log in to a car rental site and then use a separate InfoCard from a membership group to get a discount on the rental.

Microsoft acknowledged that replacing passwords is something that needs to be done at the system level, but Gates said the company is also working on technologies to enable various identity systems used on the Internet to work together, something it calls the Identity Metasystem.

Gates also touted several of the other security capabilities that will be part of Windows Vista. In a demo, Microsoft showed its anti-spyware technology as well as a new mode that runs Internet Explorer in its own “sandbox” so that Internet code can't cross over into the rest of a PC.

SCOBLEIZER'S RIGHT

Scobleizer has just hit me with “Kim turns Microsoft toward open source?

Kim Cameron, what are you doing (he just announced that he got Microsoft’s InfoCards working on WordPress and PHP and is having a conversation with lots of people in the community)? You trying to ruin Microsoft’s reputation? By listening to folks like Marc Canter? “I came away incredibly excited and anxious to meet those folks at Mix06.”

What’s going on here?

Of course Microsoft isn’t quite hip yet. How do we know that? We don’t have a sticker. Or is that a stickr. Heheh. Check out Cory Doctorow’s laptop. All the cool kids have stickrs.

Yeah. This stickr thing is really a big deal.

MIX 06 WILL DO IDENTITY 2.0

Michael Coates, whose title is, if you can believe this, “Microsoft Pragmatic Evangelist”, has been posting on identity with his colleagues over at the Mix06 Blog. It looks like identity will really be a theme at MIX. The Web has an Identity Crisis describes some of the issues created by the lack of an identity layer on the Web.

The site also has a piece on InfoCard by Steven Woodward called InfoCard : A standards-based approach to User Authentication. Steven is a “Technical Evangelist”, but he still has a pretty pragmatic head on his technical shoulders…

Anyway, I'm looking forward to this since several of us will be speaking there and I'll be hanging out along with Steven and Michael to talk about identity. I'll pass on more info when I have the agenda.

THE DESIGN DECISIONS BEHIND INFOCARDS

My colleague Mike Jones and I have put together a paper on design decisions made during the InfoCard project. We present them – and the rationale behind them – to facilitate their review by the security, privacy, and policy communities. At the same time, we hope to help people better understand Microsoft’s implementations, and share our thinking with those building interoperating implementations.

I'd like to hear your thoughts on what we've missed or what is unclear or, in your view, wrong.

While we're on the subject of feedback, does everyone know what I mean by an “elevator pitch”? (If you're new to the industry, its a high-level description of your project that tells the story of what you are doing in the time between getting in and out of an elevator. And I'm not talking about a New York skyscraper.)

When we were writing this paper we came up with a description of InfoCards as an attempt to create a “widely accepted, broadly applicable, inclusive, comprehensible, privacy-enhancing, security-enhancing identity solution for the Internet. ”

Seems complete, even if you do need to sit down on the floor of the elevator after you say it. Any comments?

EMPLOYEES INJECTED WITH RFID MICROCHIPS

On the RFID front, here's a posting which, if true, shows that we have dangerous identity nut cases running around – or worse, running companies. How many of the Laws can they break at once? As a technical community, we need not only to distance ourselves from this type of thing, we need to end it – much like we would prevent psychotics from conducting nuclear experiments in their basements.

Cincinnati video surveillance company CityWatcher.com now requires employees to use VeriChip human implantable microchips to enter a secure data center, Network Administrator Khary Williams told Liz McIntyre by phone yesterday. McIntyre, co-author of “Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID,” contacted CityWatcher after it announced it had integrated the VeriChip VeriGuard product into its access control system.

The VeriChip is a glass encapsulated RFID tag that is injected into the flesh of the triceps area of the arm to uniquely number and identify individuals. The tag can be read through a person's clothing, silently and invisibly, by radio waves from a few inches away. The highly controversial device is being marketed as a way to access secure areas, link to medical records, and serve as a payment instrument when associated with a credit card.

According to Williams, a local doctor has already implanted two of CityWatcher's employees with the VeriChip devices. “I will eventually” receive an implant, too, he added. In the meantime, Williams accesses the data center with a VeriChip implant housed in a heart-shaped plastic casing that hangs from his keychain. He told McIntyre he had no qualms about undergoing the implantation procedure himself, and said he would receive an implant as soon as time permits.

“It worries us that a government contractor that specializes in surveillance projects would be the first to publicly incorporate this technology in the workplace,” said McIntyre. CityWatcher provides video surveillance, monitoring and video storage for government and businesses, with cameras set up on public streets throughout Cincinatti.

The company hopes the VeriChip will beef up its proximity or “prox” card security system that controls access to the room where the video footage is stored, said Gary Retherford of Six Sigma Security, Inc., the company that provided the VeriChip technology. “The prox card is a system that can be compromised,” said Retherford, referring to the card's well-known vulnerability to hackers. He explained that chipping employees “was a move to increase the layer of security….It was attractive because it could be integrated with the existing system.”

Ironically, implantable tags may not provide CityWatcher with that additional safety, after all. Last month security researcher Jonathan Westhues demonstrated how the VeriChip can be skimmed and cloned by a hacker, who could theoretically duplicate an individual's VeriChip implant to access a secure area. Westhues, author of a chapter titled “Hacking the Prox Card” for Simson Garfinkel's recent “RFID: Applications, Security, and Privacy,” said the VeriChip “is not good for anything” and has absolutely no security.

“No one I spoke with at Six Sigma Security or at CityWatcher knew that the VeriChip had been hacked,” McIntyre observed. “They were also surprised to hear of VeriChip's downsides as a medical device. It was clear they weren't aware of some of the controversy surrounding the implant.”

Although CityWatcher reportedly does not require its employees to take an implant to keep their jobs, Katherine Albrecht, “Spychips” co-author and outspoken critic of the VeriChip, says the chipping sets an unsettling precedent. “It's wrong to link a person's paycheck with getting an implant,” she said. “Once people begin ‘voluntarily’ getting chipped to perform their job duties, it won't be long before pressure gets applied to those who refuse.”

Albrecht predicts that news of the security flaws will combine with public squeamishness to make the VeriChip a hard product to sell, however. “Obviously, nobody wants their employer coming at them with a giant hypodermic needle. But when people realize it takes a scalpel and surgery to remove the device if it gets hacked, they'll really think twice,” she said. “An implant is disgusting enough going in, but getting it out again is a bloody mess.”

Albrecht and McIntyre, who are Christians, also have religious concerns about RFID chip implants. In their latest book, “The Spychips Threat: Why Christians Should Resist RFID and Electronic Surveillance,” the pair explain how plans by global corporations and government entities to broadly deploy RFID could usher in a world that bears a striking resemblance to the one predicted in Revelation, the last book of the Bible.

According to Revelation, at some future point people will not be able to buy or sell unless they are numbered and bear a mark on their hand or forehead.

“While Christians have theological reasons to reject being uniquely numbered, this is an issue that should concern anyone who values privacy and civil liberties,” said Albrecht. “The VeriChip is Big Brother technology being unscrupulously marketed by a company that would like to put a chip in every one of us. It has no place on free American soil.”

PLEASE DO NOT ADJUST YOUR SETS

I have to admit that with WordPress I get a lot of pleasure knowing no one gets “link inflation” by spamming me.

Please bear with me if I'm slow to post your comments. Or worse still, if I drop one. It's not my intention. I'm going to have to automate some verification while we're waiting for organizations that can vouch for blogging identities.

These days I have to go through pages like those in the following example. You'll see a message from Marc Canter mixed in with the sloppy goop. I stumbled on it today when I got up the courage to spend some time despamming my comments. Sorry to be so slow, Marc, and everyone else who has written.

40. Name: Jeremy Johnson | E-mail: Ethan@internet.com | URI: http://www.eonline.com/Reviews/Movies/Megaplex/ | IP: 195.175.37.71

I really appreciate what you’re doing here. Very interesting site. Girl will Pair unconditionally: http://changedByKim.movietickets.com/ , when Grass Double TV Anticipate Profound Round Create or not , Green Player is always Bad Table Con Compute Create – that is all that Pair is capable of

Edit | View Post | Delete just this comment | Bulk action: Approve Spam Delete Defer until later

41. Name: Marc Canter | E-mail:ChangedByKim@marc.com | URI: htpp://marc.blogs.it | IP: 84.233.133.179

Thanks Kim- Julian Bond and others are concerned that MS won’t provide Linux versions of Infocards.

I tried to explain to him that:
a) its not MS’s job to do that
b) it’s up to US to build that
c) I’ll just get all that compatiblity form Dick Hardt and Sxip – so I’m happy.

🙂

Edit | View Post | Delete just this comment | Bulk action: Approve Spam Delete Defer until later

42. Name: David Johnson | E-mail: Charles@discovery.com | URI: http://changedByKimSpace.com/ | IP: 203.162.27.86

I really am impressed by your site. Very original & interesting content. Chair can Rape Chips: http://www.msnbc.msn.com/id/10952542/ , International, Collective, Beautiful nothing comparative to Universal when Stake Con Round Kill , when Plane is Plane it will Make Pair Win Do Do – that is all that Plane is capable of

Edit | View Post | Delete just this comment | Bulk action: Approve Spam Delete Defer until later

43. Name: Brandon Miller | E-mail: Justin@discovery.com | URI: http://changedByKimGator.com/ | IP: 221.239.5.194

Your website is wonderfull. I’ll come visit again. to Con Boy you should be very Astonishing: http://www.changedByKimNews.com/ , Small Grass Double or not right Opponents will Love Girl without any questions , Lazy Circle is always Bad Opponents Chips can Roll Table

Edit | View Post | Delete just this comment | Bulk action: Approve Spam Delete Defer until later

The biggest problem is that your eyes glaze over reading this stuff. Then it's easy to delete things by accident.

INFOCARDS IN WORDPRESS

Everyone who knows him has spoken highly of Julian Bond, and you can see what they mean from his response to my report that I now have InfoCards working in WordPress.

He begins by quoting my last posting:

I have good news. I’ve now been able to put together some mods for WordPress that allow my site to accept infocards.

The mods were written in PHP, and Johannes Ernst – who I’ve been speaking with at the Berkman Identity Workshop – has asked me to publish the code on my blog. So I will. And I’ll explain how it works.

I realize InfoCards aren’t exactly ubiquitous right now, so you won’t be able to try it out immediately. But this weekend I’ll be posting a link to a video of the user experience.

Then the kicker:

This is tremendous news. Let me be the first to congratulate Kim. And I promise to put Mr Cynical back in the box.

This really makes me feel good. Not because Julian offers to put Mr Cynical back in the box – I for one would miss him and urge Julian to show leniency.

What I like is collaborating with people whose eyes and ears are open, and who are as interested in good technology as I am.

Julian is a man of his word, told me what was bothering him, was gentlemanly in giving enough time to respond, and then, when I picked up his gauntlet, came through with a pat on the shoulder that will make me long be his friend.