Upcoming Internet Identity Workshop

Identity Woman Kaliya will be back to orchestrate the next identity unconference, one in a series that have played a key role in the evolution of OpenID and Information Cards.  If you are interested in identity, it's a great place to meet a lot of people involved in the community.   

Check out the conference page at Internet Identity Workshop.  Here's an overview:

The heart of the workshop is a practical idealism in working towards the shared vision of a decentralized, user-centric identity layer for the Internet.

Because the web was built around “pages”, no tools or standards were created to control how the information about you was collected or used. At the Internet Identity Workshop we bring the people creating these tools and standards so people can safely manage their online identity and control their personal data.

It is not about any one technology – rather it is a place to discuss multiple interoperating ?(and possible competing) ? projects, standards, and networks for identity, data sharing, and reputation.

As part of Identity Commons, the Internet Identity Workshop creates opportunities for both innovators and competitors. We provide an open forum for both the big guys and the small fry to come together in a safe and balanced space.

There are a wide range of projects in the community:

  1. Open conceptual, community, and governance models.
  2. Open standards and protocols.
  3. Open source projects.
  4. Commercial projects.
  5. Projects to address social and legal implications of these technologies.
  6. Efforts to rethink the business models and opportunities available with these new technologies.

User-centric identity is the ability:

  • To use one's identifier(s) on more then one site
  • To control who sees what information about you
  • To selectively share presence and profile information
  • To maintain multiple identities and personas in the contexts you wish
  • To aggregate attention, navigation, and purchase history from the sites and communities you frequent
  • To move and share your personal data, relationships, documents, and other publications as you wish

All of the following are active topic areas at each IIW:

  • Improving Existing Legal Constructs
    • Privacy Policies
    • Terms of Service
  • Creating New Legal Constructs
    • Limited Liability Personas
    • Identity Rights Agreements
  • Creating New Business Models
    • Identity Oracle
    • I-Brokers
  • New Citizenship Perspectives
    • Activism
    • Community Event Coordination
    • Community Identity and Data Sharing

The conference takes place in Mountain View, California on May 12 – 14

Joined like heads and tails

Dave Kearns has expanded further on his view of distributed data, metadirectory and virtual directory.  It seems like some of our disagreement is a matter of terminology.  Dave grudgingly admits (poor Linus and his blanket!) that application developers should be permitted to use databases:

The application database (for those who cling to it like Linus and his blanket) now can serve two purposes – one to subscribe to virtual directory data and one to publish!

The question becomes whether we need more than publish / subscribe relationships between services.   I think we do.  It is this higher level (meta level) of service and information that I call metadirectory. 

Let's make it clear that I see metadirectory as an evolving thing. 

  • First generation metadirectory dealt exclusively with a managing applications that had been conceived without reference to each other – or to any common framework  (In truth, this is still an issue – see Jeff Bohren's recent posting called “Which is better, Phillips or Flat-head?“). 
  • Second generation metadirectory has an additional focus:  providing the framework by which next-generation applications can become part of the distributed data infrastructure.  This includes publishing and subscription.  But that isn't enough.  Other applications need ways to find it, name it, and so on. 

A real distributed information architecture requires services that join objects across contexts, arbitrate truth, advertise schema possibilities and provide the grid through which virtual directory queries can be dispatched.  

These services are what I call metadirectory – the framework for distributed storage.  One may choose to call the queries in this framework ”virtual directory”.  But such “virtual directory” requires a “real” framework. 

Dave suggests we read a piece called “The second wave:  Linking identities to contexts” by Michel Prompt (CEO of Radiant Logic).  It is good and I recommend it to everyone.  It raises many issues that are worth thinking about:

If for each application, we can find the unique identifier associated with a person, and we can speak the applicationspecific protocol (LDAP, RDBMS, API, Web services, etc.,) then we can retrieve a specific identity profile associated with that person when we need it. Knowing an identifier and its associated protocol is sufficient to access a specific definition of an identity.

Common access alone, however, is not correlation. It will not tell us that UserId A is in fact EmployeeId 235, and that both underlying profiles are aspects of the identity of Person Y.

Some correlation mechanism thus needs to be deployed, based possibly on matching some common attributes for each profile. If no rules can be produced, then the matching must be done manually, a painstaking process but in many cases unavoidable for at least a subset of the identity data.

Michel has started to talk about the metadata needed to create a framework for distributed query.  Some service needs to know that “UserId A is in fact EmployeeId 235″.  That is clearly glue that creates a “directory of directories”.  Michel might call it a “directory of contexts”, but I don't think the difference is substantive.

A directory of directories: metadirectory

Michel continues:

By defining such a process we can create a “hub” where each person has a “global identifier” associated with the corresponding “local” source identifiers (e.g. UserId A, EmployeeId 235, etc.) If this virtual hub has the capability to write back to each source, we can use it to manage the account/identity life-cycle for each source. And when we need any specific aspect of an identity, we can retrieve it dynamically using the Identity Hub pointer.

Hmmm.  Michael calls it a “hub”, not a metadirectory.  But it is the same thing. 

Since our Identity Hub is stripped down to the minimum information required, the amount of synchronization and data transformation (complex tasks by definition) is reduced to the strict minimum. Only the different (local) references for components of a given identity are stored or synchronized. When we need a specific aspect of identity, we can retrieve it dynamically using the Identity Hub pointer, and the common virtual access layer.


If data transformation is a complex task, it is because there are different ways of representing data in the distributed system.  If that's the case, the problem doesn't go away with a virtual directory – it gets worse!  The application that calls into a first data source gets its representation, and if it then calls into a second data source, it gets a second representation.  The application is now on its own to figure out what is what.  Far from simplifying - in fact complex transforms need to be done in more locations.

A continuum

In terms of synchronization, the proposal made by Michel and Dave is good for some use cases but not right for others.  Again, we need to support a spectrum of choices. 

You don't always want to synchronize a common identifier.  Especially when working with identity data that is in danger of breach and insider attack, it is a better strategy to use different identifiers in different systems, so knowledge of the “joining glue” is required in order to assemble information across contexts (for example, personal information and financial information). 

And sometimes, you want to synchronize more than just an identifier.  

Real examples

A conversation like this needs real examples.  In most enterprises, the Human Resources Database is the authoritative source for information on employees.  We want our email address books and mail stores and message transfer agents to be up to date with the latest HR information. 

According to the argument being made by Dave and Michel, all our address books and all our mail switches and mail boxes should be sending each query directly into the”authoritative”  human resources database.

But everyone with any experience in the enterprise knows the people who run the HR databases WILL NOT go for this.  They don't want all the technical systems of the enterprise hitting on their systems in real time with every possible query.

My point here is that it will be necessary to offload information from the HR system to other systems.  No one can look seriously at these issues without admitting that SOME synchronization is required (which admittedly should be real time).  On the other hand, we don't want parallel unrelated architectures.

So we are led to the conclusion that we need a spectrum of synchronization and remote access capabilities. We should be able to use policy to define what information is stored where, and how to get to information that is not stored locally – e.g., combine metadirectory and virtual directory functionality.

Attention application developers: Obey Dave Kearns!

Dave Kearns, knife freshly sharpened, responded to my recent post on metadirectory with the polemic, “Killing the Metadirectory“:

… My interpretation is that the metadirectory has finally given way to the virtual directory as the synchronization engine for identity data. Kim interprets it differently. He talks about the “Identity Bus” and says that “…you still need identity providers. Isn’t that what directories do? You still need to transform and arbitrate claims, and distribute metadata. Isn’t metadirectory the most advanced technology for that? ” And I have to answer, “no.” The metadirectory is last century's technology and it's day is past.

The Virtual Directory, the “Directory as a Service” is the model for today and tomorrow. Data that is fresh, always available and available anywhere is what we need. The behemoth metadirectory with it's huge datastore and intricate synchronization schedule (yet is never quite up to date) are just not the right model for the nimble, agile world of today's service driven computing. But the “bus” Kim mentions could be a good analogy here – the metadirectory is a lumbering, diesel-spewing bus. The virtual directory? It's a zippy little Prius…  [Full article here]

Who would want to get in the way of Dave's metaphors?  He's on a streak.  But he's making a fundamental mistake, taking an extreme position that is uncharacteristically naive.  I hope he'll rethink it.

Applications drive infrastructure

Here's the problem.  Infrastructure people cannot dictate how application developers should build their applications.  Applications – providing human and business value – drive infrastructure, not the other way around.  Infrastructure people who don't get this are doomed. 

Dave's neat little story about web service query needs to be put in the crucible of application development.  We need to get real.

Telling application developers how to live 

Real-time query across web services solves some identity problems very well.  In these cases, application developers will be happy to use them.  But it doesn't solve all their identity needs, or even most of them.  When Dave Kearns starts to tell real live application developers they shouldn't put identity information in their databases, they'll tell him to take his zippy Prius and shove off. 

Application developers like to use databases and tables.  They have become expert at doing joins across tables and objects to produce quite magical results.  As people and things become truly first class objects in our applications, developers will want even more to include them in their databases. 

Think for a minute about the kinds of queries you need to do when you start building enterprise social networks.  ”Show me all the friends of friends who work in a class of projects similar to the ones I work in…”  You need to do joins, eh?  So it's not just existing enterprise applications that have the need to support distributed storage - it's the emerging ones too.

Even thinking for a moment just about Microsoft applications – SharePoint provides a good example  – the developers ran into the need to maintain local tables so they can get the kind of performance and complex query they need.  Virtual directory doesn't help them one iota in solving this kind of problem.  Nor do web service queries.

Betting big time against the house 

I admire many aspects of Dave's thinking about identity.  But I pity anyone who follows his really ideological argument that virtual directory solves everything and distributed storage just isn't needed.  We need both.

He's asking readers to bet against databases.  He's asking them to bet against the programming model used by application developers.  He's asking them to forget about performance.  He's asking them to take all the use cases in the world and stuff them into his Prius – which is actually more like a hobby horse than a car.

Once you have identity data distributed across stores you either have chaos or you have metadirectory.  I'll explore this more in upcoming posts.

Meanwhile, if anyone wants to bet against the future of databases and integration of identity information into them, drop me a note and I'll set up a page to take your money.  And at the same time, I recommend that you start training for a second career.

This said, I'm as strong a believer in using web services to query for claims in real time as Dave is.  So on that we very much agree.

Metadirectory and claims

My friend and long-time collaborator Jackson Shaw seems to have intrigued both Dave Kearns and Eric Norlin in an  amusing (if wicked) post called You won't have me to kick around anymore

You won't have me to kick around anymore!

No, not me. Hewlett-Packard.

I heard about a month ago that HP was going to bow out of the IDM business. I didn't want to post anything because I felt it would compromise the person that told me. But, now that it has made the news:

Check out Burton Group's blog entry on this very topic

Burton Group has been contacted by HP customers who report that HP is no longer going to seek new customers for its Identity Center product. We have contacted HP and the company confirms that HP Software has decided to focus its investment in identity management products exclusively on existing customers and not on pursuing additional customers or market share. HP is in the process of reaching out to each customer regarding the change.

Seriously – you thought HP was a contender in this space???!!! No, no, Nanette. Thanks for playing. Mission failure…

Let's be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead. We talk about Identity 2.0 in the context of Web services and the evolution of digital identity but our infrastructure, enterprise identity “stuff” is decrepit and falling apart. I have visions of identity leprosy with this bit and that bit simply falling off because it was never built with Web services in mind…

There is going to be a big bang in this area. HP getting sucked into the black hole is just a step towards that…

As graphic as the notion of identity leprosy might be, it was the bit on metadirectory that prompted Dave Kearns to write,

That’s a quote from Quest’s Jackson Shaw. Formerly Microsoft’s Jackson Shaw. Formerly Zoomit’s Jackson Shaw. This is a guy who was deeply involved in metadirectory technology for more than a dozen years. I can only hope that Microsoft is listening.

Back at Jackson's blog we find out that he was largely responding to a session he liked very much given by Neil MacDonald at a recent Gartner Conference.  It was called “Everything You Know About Identity Management Is Wrong.”  Observing that customers are dissatisfied with the cost of hand tailoring their identity and access management, Jackson says,

Neil also introduced the concept of “Identity as a service” to the audience. At the Directory Experts Conference, John Fontana wrote “Is Microsoft’s directory, identity management a service of the future?“   What I am stating is quite simple: I believe a big-bang around identity is coming and it will primarily be centered around web services. I hope the resultant bright star that evolves from this will simplify identity for both web and enterprise-based identity infrastructure.

Active Directory, other directories and metadirectory “engines” will hopefully become dial tone on the network and won't be something that has to be managed – at least not to the level it has to be today.

Without getting overly philosophical, there is a big difference between being, metaphorically,  a “dial tone” – and being “dead”.   I buy Jackson's argument about dial tone, but not about “dead”. 

Web services allow solutions to be hooked together on an identity bus (I called it a backplane in the Laws of Identity).  Claims are the electrons that flow on that bus.  This is as important to information technology as the development of printed circuit boards and ICs were to electronics.  Basically, if we were still hand-wiring our electronic systems, personal computers would be the size of shopping centers and would cost billions of dollars.  An identity bus offers us the possibility to mix and match services in a dynamic way with potential efficiencies and innovations of the same magnitude.

In that sense, claims-based identity drastically changes the identity landscape.

But you still need identity providers.  Isn't that what directories do?  You still need to transform and arbitrate claims, and distribute metadata.  Isn't metadirectory the most advanced technology for that?  In fact, I think directory / metadirectory is integral to the claims based model.  From the beginning, directory allowed claims to be pulled.  Metadirectory allowed them to be pulled, pushed, synchronized, arbitrated and integrated.  The more we move toward claims, the more these capabilities will become important. 

The difference is that as we move towards a common, bus-based architecture, these capabilities can be simplified and automated.   That's one of the most interesting current areas of innovation. 

Part of this process will involve moving directory onto web services protocols.  As that happens, the ability to dispatch and assemble queries in a distributed fashion will become a base functionality of the system – that's what web services are good at.  So by definition, what we now call ”virtual directory” will definitely be a base capability of emerging identity systems.

A C# Code Library for building an Information Card STS

I just heard about SharpSTS – a new open source project that allows you to implement a custom claims provider that will support Identity Selectors like CardSpace.  Better still, the code base has been posted.  Barry Dorrans, from idunno.org,  says:

Dominick and David beat me to the punch; last night I hit the “publish” button on codeplex for SharpSTS; a C# library to allow you to develop Information Card Security Token Services.

As with all open source projects there is still a bunch of work to do; as it stands we have a command line STS which should allow you to get started. Well; if you can work out from the source code what you need to do :)

Over the coming weeks and months I, as dictator, Dominick Baier and David  Christiansen hope to deliver a stable, tested, code base from which you can deliver managed information cards to your users, as well as a test web site which will issue and accept managed cards.

In the mean time you can download the code, implement your own authorisation policy provider and get started. In the meantime we’re guiding the rough beast, its hour come round at least, slouching towards Redmond to be born (with apologies to Yeats).

Wow.  Not only an STS but Yeats too!

SharpSTS is a C# code library which enables easy development of a Security Token Service, the server component for managed Information Cards.

To begin developing with SharpSTS you will need Visual Studio 2008 Standard (or higher), an SSL certificate and a client system that supports Information Cards.

The source code is available from http://www.codeplex.com/sharpSTS and is licensed under the Microsoft Public License (MS-Pl).

For those who are curious, the SharpSTS site includes a notice making it clear that “this web site, service and code are unaffiliated with Microsoft…”.

Microsoft says, “U-Prove it”

Ralf Bendrath chided me yesterday for bragging about having proven Bruce Schneier wrong in his concern that there is not a “viable business model” for the Credentica technology.  (In my defense, Bruce had said, “I'd like to be proven wrong.”, and I was just trying to oblige him.)

Anyway,  I think Joe Wilcox's article in eWeek's Microsoft Watch provides some unbiased analysis of the issue.

Sometimes, Microsoft really spends its money well, such as last week's acquisition of U-Prove technology from Credentica.

This is a damn, exciting acquisition. It's strategic and timely.

U-Prove is, simply put, a privacy/security protection mechanism. The technology works on a simple principle: Enable transactions by revealing as little information as possible.

Credentica's Stefan Brands, Christian Paquin and Greg Thompson have joined Microsoft, where they will work as part of the Identity and Access Group. Microsoft also acquired associated U-Prove patents.

Brands is a well-regarded cryptographer and author of “Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy,” which explains the principles behind U-Prove. The book is available for free download, courtesy of MIT Press. He brings a somewhat radical approach to cryptography: Disclose or collect little—ideally no—private information during any transaction process. During most transactions, whether online or offline, too much personal information is exposed.

I vaguely recall Brands from Zero-Knowledge Systems, where he went in early 2000. About six months earlier I consulted Zero-Knowledge Systems’ chief scientist for a story about an alleged cryptographic flaw/back door in then unreleased Windows 2000.

Brands, his colleagues and U-Prove will first go into Windows Cardspace and Windows Communications Foundation. Microsoft's Brendon Lynch explained in a Thursday blog post:

“Credentica's U-Prove technology will help people protect their identities by enabling them to disclose only the minimum amount of information needed for a transaction—sometimes no personal information may be needed at all. When this technology is broadly available in Microsoft products (such as Windows Communication Foundation and Windows Cardspace), enterprises, governments and consumers all stand to benefit from the enhanced security and privacy that it will enable. We look forward to a world where people have more control of their personal information and are better protected from harms of online fraud and identity theft.”

Kim Cameron, Microsoft's identity architect, does a wonderful job explaining Brands’ “minimal disclosure” approach in a Thursday blog post and how the company may apply it. The basic concept: to use other cryptographic means to verify identity “without revealing the signature applied by the identity provider.”

Microsoft has made one helluva good acquisition, whose potential long-term benefits I simply cannot overstate. The company has been trying to tackle the identity problem for nearly a decade. Early days, Passport acted as a single sign-on for multiple services, a heritage Windows Live ID expanded. But U-Prove departs from Microsoft's past identity efforts. The idea is to identify you without, well, identifying you.

Microsoft online services would look dramatically different with an identity mechanism that truly protected privacy and security on both sides of the transaction all while guaranteeing both parties that they are who they say they are, without necessarily saying who they are.

The best conceptual analogy I can think of is Swiss or offshore banking, where an account holder presents a numerical token or tokens that verify his or her right to account access but not the individual's identity or necessarily the token's issuer. Such a mechanism could be a boon to business and consumer confidence in online transactions as well as reduce petty fraud.

Microsoft's money would be better spent on more acquisitions like this one, rather than frittering away valuable resources on Yahoo. Microsoft is operating on the false premise that Google's huge search lead also puts it ahead in advertising—too far to catch up without a means of leaping ahead. Yahoo is the means.

But Microsoft is mistaken. Online activities and transactions are more complex than that. Search is one strategic technology, but there are others that Google doesn't control. If Microsoft could take a strategic lead protecting identity around transactions, the company could better enable all kinds of Web activities, and in so doing raise its online credibility. Privacy concerns have dogged Google.

I think Microsoft should take half of its proposed Yahoo offer and spend it on more acquisitions like Credentica's U-Prove technology. I'm not the first to suggest that Microsoft spend $20 billion on smaller companies. But I will say that U-Prove is an example what Microsoft should do to bolster its online technology portfolio in more meaningful ways, without taking on the hardship of a large, messy acquisition like Yahoo.

Ralf Bendrath on the Credentica acquisition

Privacy, security and Internet researcher and activist Ralf Bendrath is a person who thinks about privacy deeply. The industry has a lot to learn from him about modelling and countering privacy threats. Here is his view of the recent credentica acquisition:

Microsoft has acquired Montreal-based privacy technology company Credentica. While that probably means nothing to most of you out there, it is one of the most important and promising developments in the digital identity world.

My main criticism around user-centric identity management has been that the identity provider (the party that you and others rely on, like your credit card issuer or the agency that gave you your driver's license) knows a lot about the users. Microsoft's identity architect Kim Cameron explains it very well:

[W]ith managed cards carrying claims asserted by a third party authority, it has so far been impossible, even for CardSpace, to completely avoid artifacts that allow linkage. (…) Though relying parties are not able to collude with one another, if they collude with the identity provider, a set of claims can be linked to a given user even if they contain no obvious linking information.

This is related to the digital signatures involved in the claims flows. Kim goes on:

But there is good news. Minimal disclosure technology allows the identity provider to sign the token and proof key in such a way that the user can prove the claims come legitimately from the identity provider without revealing the signature applied by the identity provider.

Stefan Brands was among the first to invent technology for minimal disclosure or “zero knowledge” proofs in the early nineties, similar to what David Chaum did with his anonymous digital cash concept. His technology was bought by the privacy firm Zero-Knowledge until they ran out of funding and gave it back to Stefan. He has since then built his own company, Credentica, and, together with his colleagues Christian Paquin and Greg Thompson, developed it into a comprehensive middleware product called “U-Prove” that was released a bit more than a year ago. U-Prove works with SAML, Liberty ID-WSF, and Windows CardSpace.

The importance of the concept of “zero-knowledge proofs” for privacy is comparable to the impact public key infrastructures (PKIs) described by Witfield Diffie and Martin Hellmann had on internet security. The U-Prove technology based on these concepts has been compared to what Ron Rivest, Adi Shamir and Leonard Adleman (RSA) did for security when they were the first to offer an algorithm and a product based on PKIs.

When I was at the CFP conference in Montreal last May, I was meeting Kim and Stefan, and a colleague pointed me to the fact that Kim was being very nice to Stefan. “He has some cool patents Microsoft really wants”, my colleague said. Bruce Schneier recently also praised U-Prove, but questioned the business model for companies like Credentica. He added, “I’d like to be proven wrong.”

Kim Cameron is now bragging about having proven Bruce wrong (which is hard to imagine, given the fact that “Bruce Schneier feeds Schrödinger's cat on his back porch. Without opening the box”), while admitting that he still has no business model:

Our goal is that Minimal Disclosure Tokens will become base features of identity platforms and products, leading to the safest possible intenet. I don’t think the point here is ultimately to make a dollar. It’s about building a system of identity that can withstand the ravages that the Internet will unleash. That will be worth billions.

Stefan Brands is also really happy:

For starters, the market needs in identity and access management have evolved to a point where technologies for multi-party security and privacy can address real pains. Secondly, there is no industry player around that I believe in as much as Microsoft with regard to its commitment to build security and privacy into IT systems and applications. Add to that Microsoft’s strong presence in many of the target markets for identity and access management, its brain trust, and the fact that Microsoft can influence both the client and server side of applications like no industry player can, and it is easy to see why this is a perfect match.

A good overview of other reactions is at Kim's latest blog post. The cruicial issue has, again, been pointed out by Ben Laurie, who quotes the Microsoft Privacy Team's blog:

When this technology is broadly available in Microsoft products (such as Windows Communication Foundation and Windows Cardspace), enterprises, governments, and consumers all stand to benefit from the enhanced security and privacy that it will enable.

Ben sarcastically reads it like “the Microsoft we all know and love”, implying market domination based on proprietary technology. But the Microsoft we all know in the identity field is not the one we used to know with Passport and other crazy proprietary surveillance stuff. They have released the standards underlying the CardSpace claims exchange under an open specification promise, and Kim assures us that they will have their lawyers sort out the legal issues so anybody can use the technology:

I can guarantee everyone that I have zero intention of hoarding Minimal Disclosure Tokens or turning U-Prove into a proprietary Microsoft technology silo. Like, it’s 2008, right? Give me a break, guys!

Well. Given the fact that U-Prove is not just about claims flows, but involves fancy advanced cryptography, they really should do everybody a favour and release the source code and some libraries that contain the algorithm under a free license, and donate the patent to the public domain.

First of all, because yes – it's 2008, and “free is the new paid”, as even the IHT has discovered in January 2007.

Second, because yes – it's 2008, and there has been an alternative product out there under a free license for more than a year. IBM Research Labs Zurich have finished their Idemix identity software that works with zero-knowledge proofs in January 2007. It is part of the Higgins identity suite and will be available under an open source license. (The Eclipse lawyers seem to have been looking into this for more than a year, though. Does anybody know about the current status?)

Third, because yes – it's 2008, it's not 1882 anymore, to quote Bruce Schneier again:

A basic rule of cryptography is to use published, public, algorithms and protocols. This principle was first stated in 1883 by Auguste Kerckhoffs.

While I don't follow Ralf into every nook and cranny of his argument, I think he has a pretty balanced view.

But Ralf, you should tell your friend I was being very nice to Stefan in Montreal because I find him very amusing, especially with a scotch in him.  I would have tried to get his technology into widescale use whether I liked him or not, and I would have liked him just as much if he didn't have any patents at all.

I don't want to get into a “free is the new paid” discussion.  As the article you cite states, “Mass media given away freely or at low cost is hardly new, of course. In many countries, over-the-air television and radio have long been financed primarily by advertisers, at no direct cost to consumers.”  So what is new here?  When I can apply this paradigm to my next dinner, tell me about it. 

This having been vented, I come to exactly the same general conclusions you do:  we want a safe, privacy-friendly identity infrastructure as the basis for a safe, privacy-friendly Internet, and we should do everything possible to make it easier for everyone to bring that about.  So your suggestions go in the right direction.  If we were ultimately to give the existing code to a foundation, I would like to know what foundation people in the privacy community would suggest.

As for the business model issue, I agree with you and Bruce – and Stefan – that there is no obvious business model for a small company.  But for companies like Microsoft, our long term success depends on the flourishing of the Internet and the digital economy.  The best and most trustworthy possible identity infrastructure is key to that.  So for the Microsofts, the IBMs, the Suns and others, this technology fits very squarely into our business models.

As for the Identity and Access group at Microsoft, our goal is to have the most secure, privacy-friendly, interoperable, complete, easy to use and manageable identity products available.  As the Internet's privacy and identity problems become clearer to people, this strategy will attract many new customers and keep the loyalty of existing ones.  So there you have it.  To us, U-Prove technology is foundational to building a very significant business.

Reactions to Credentica acquisition

Network World's John Fontana has done a great job of explaining what it means for Microsoft to integrate U-Prove into its offerings:

Microsoft plans to incorporate U-Prove into both Windows Communication Foundation (WCF) and CardSpace, the user-centric identity software in Vista and XP.

Microsoft said all its servers and partner products that incorporate the WCF framework would provide support for U-Prove.

“The main point is that this will just become part of the base identity infrastructure we offer. Good privacy practices will become one of the norms of e-commerce,” Cameron said.

“The U-Prove technology looks like a good candidate as an authentication mechanism for CardSpace-managed cards (i.e., those cards issued by an identity provider),” Mark Diodati, an analyst with the Burton Group, wrote on his blog

In general, the technology ensures that users always have say over what information they release and that the data can not be linked together by the recipients. That means that recipients along the chain of disclosure can not aggregate the data they collect and piece together the user’s personal information.

[More here...]

Eric Norlin has this piece in CSO, and Nancy Gohring's ComputerWorld article emphasizes that “U-Prove is the equivalent in the privacy world of RSA in the security space.”  Burton's Mark Diodati covers the acquisition here.

Gunnar Peterson from 1 Raindrop notes in That Was Fast

…the digital natives may be getting some better tooling faster than I thought. I am sure you already know there is a northern alliance and Redmond is U-Prove enabled. I fondly remember a lengthy conversation I had with Stefan Brands in Croatia several years ago, while he patiently explained to me how misguided the security-privacy collision course way of thinking is, and instead how real security is only achieved with privacy. If you have not already, I recommend you read Stefans’ primer on user identification.

Entrepreneur and angel investor Austin Hill gives us some background and links here:

In the year 2000, Zero-Knowledge acquired the rights to Dr. Stefan Brands work and hired Stefan to help us build privacy-enhanced identity & payments systems.  It turns out we were very early into the identity game, failed to commercialize the technology – and during the Dot.Com bust cycle we shut down the business unit and released the patents back to Stefan.  This was groundbreaking stuff that Stefan had invented, and we invested heavily in trying to make it real, but there weren’t enough bitters in the market at that time.  We referred to the technologies as the “RSA” algorithms of the identity & privacy industry.  Unfortunately the ‘privacy & identity’ industry didn’t exist.

Stefan went on to found Crendentica to continue the work of commercialization of his invention. Today he announced that Microsoft has acquired his company and he and his team are joining Microsoft.

Microsoft’s Identity Architect Guru Kim Cameron has more on the deal on his blog (he mentions the RSA for privacy concept as well).

Adam Shostack (former Zero Knowledge Evil Genius, who also created a startup & currently works at Microsoft) has this post up.   George Favvas, CEO of SmartHippo (also another Zero-Knowledge/Total.Net alumni – entrepreneur) also blogged about the deal as well.

Congratulations to Stefan and the team.  This is a great deal for Microsoft, the identity industry and his team. (I know we tried to get Microsoft to buy or adopt the technology back in 2001 :)  

(I didn't really know much about Zero-Knowledge back in 2000, but it's interesting to see how early they characterized of Stefan's technology as being the privacy equivalent of RSA.  It's wonderful to see people who are so forward-thinking.)

Analyst Neil Macehiter writes:

Credentica was founded by acknowledged security expert Stefan Brands, whose team has applied some very advanced cryptography techniques to allow users to authenticate to service providers directly without the involvement of identity providers. They also limit the disclosure of personally-identifiable information to prevent accounts being linked across service providers and provide resistance to phishing attacks. Credentica's own marketing literature highlights the synergies with CardSpace:

“`The SDK is ideally suited for creating the electronic equivalent of the cards in one's wallet and for protecting identity-related information in frameworks such as SAML, Liberty ID-WSF, and Windows CardSpace.”

This is a smart move by Microsoft. Not only does it bring some very innovative and well-respected technology (with endorsements from the likes of the Information and Privacy Commissioner of Ontario, Canada) which extends the capabilities of Microsoft's identity and security offerings; it also brings some heavyweight cryptography and privacy expertise and credibility from the Credentica team. The latter can, and undoubtedly will, be exploited by Microsoft in the short term: the former will take more time to realise with Microsoft stating that integrated offerings are at least 12–18 months away.

[More here...]

Besides the many positives, there were concerns expressed about whether Microsoft would make the technology available beyond Windows.  Ben Laurie wrote:

Kim and Stefan blog about Microsoft’s acquisition of Stefan’s selective disclosure patents and technologies, which I’ve blogged about many times before.

This is potentially great news, especially if one interprets Kim’s

Our goal is that Minimal Disclosure Tokens will become base features of identity platforms and products, leading to the safest possible intenet. I don’t think the point here is ultimately to make a dollar. It’s about building a system of identity that can withstand the ravages that the Internet will unleash.

in the most positive way. Unfortunately, comments such as this from Stefan

Microsoft plans to integrate the technology into Windows Communication Foundation and Windows Cardspace.

and this from Microsoft’s Privacy folk

When this technology is broadly available in Microsoft products (such as Windows Communication Foundation and Windows Cardspace), enterprises, governments, and consumers all stand to benefit from the enhanced security and privacy that it will enable.

sound more like the Microsoft we know and love.

I hope everyone who reads this blog knows that it is elementary, my dear Laurie, that identity technology must work across boundaries, platforms and vendors (Law 5 – not to mention, “Since the identity system has to work on all platforms, it must be safe on all platforms”). 

That doesn't mean it is trivial to figure out the best legal mecahnisms for making the intellectual property and even the code available to the ecosystem.  Lawyers are needed, and it takes a while.  But I can guarantee everyone that I have zero intention of hoarding Minimal Disclosure Tokens or turning U-Prove into a proprietary Microsoft technology silo. 

Like, it's 2008, right?  Give me a break, guys!

Know your need

Here's a great comment from the smart and witty Paul Madsen.   He really his the nail on the head with his “Know your Need” corollory

In announcing Microsoft's purchase of the Credentica patents (and hiring of Stefan's core team), Kim uses the ‘need to know’ analogy.

That danger can be addressed by adopting a need-to-know approach to the Internet.

(For the life of me, I just cannot get Sgt Shultz's ‘I know nothing’ out of my head.)

Credentica's U-prove technology promises to close off a (depending on the deployment environment, potentially big) ‘knowledge leak’ – if the IDP doesn't need to know what/where/why/when/who the user does with the assertions it creates, then the principle of minimal ‘need to know’ means that it shouldn't.

Cardspace seems a great application for U-Prove to prove itself. As Stefan points out, ‘its a good thing’ to influence/control both client and server.

Separately, I see the flip side of ‘need to know’ as ‘know your need’, i.e. entities involved in identity transactions must be able to assess and assert their needs for identity attributes. This is the CARML piece of the Identity Governance Framework). Put another way, before a decision is made as to whether or not some entity ‘needs to know’, it'd be nice to know why they are asking.

I agree that it is sometimes a positive and useful thing for a claims provider to know the user's “what, where, why, when and who”.  So everything is a matter of minimization – but within to the requirements of the scenario.

I don't actually buy the “influence/control both client and server” phraseology.  I'm fine with influence, but see control as an elusive and worthless goal.  That's not how the world works.  It works through synergy and energy radiating from everywhere, and those of us who are on this odyssey must tap into that.

Microsoft to adopt Stefan Brands’ Technology

The Internet may sometimes randomly “forget”.  But in general it doesn't. 

Once digital information is released to a few parties, it really is “out there”.  Cory Doctorow wrote recently about what he called the half-life of personal information, pointing out that personal information doesn't just “dissipate” after use.  It hangs around like radioactive waste.  You can't just push a button and get rid of it.

I personally think we are just beginning to understand what it would mean if everything we do is both remembered and automatically related to everything else we do.  No evil “Dr. No” is necessary to bring this about, although evil actors might accelerate and take advantage of the outcome.  Linkage is just a natural tendency of digital reality, similar to entropy in the physical world.  When designing phsyical systems a big part of our job is countering entropy.  And in the digital sphere, our designs need to counter linkage. 

This has led me to the idea of the “Need-to-Know Internet”.

The Need-to-Know Internet

“Need to Know” thinking comes from the military.  The precept is that if people in dangerous situations don't know things they don't need to know, that information can't leak or be used in ways that increase danger.  Taken as a starting point, it leads to a safer environment.

As Craig Burton pointed out many years ago, one key defining aspect of the Internet is that everything is equidistant from everything else. 

That means we can get easily to the most obscure possible resources, which makes the Internet fantastic.  But it also means unknown ”enemies” are as “close” to us as our “friends” – just a packet away.  If something is just a packet away, you can't see it coming, or prepare for it.  This aspect of digital ”physics” is one of the main reasons the Internet can be a dangerous place.

That danger can be addressed by adopting a need-to-know approach to the Internet.  As little personal information as possible should be released, and to the smallest possible number of parties.  Architecturally, our infrastructure should lead naturally to this outcome. Continue reading