Credit where it's due

Mary Branscombe of Britain's The Guardian posted an article today on the Identity Metasystem and “InfoCard” in which she accurately captures the essence of the technology (and the opportunity for the industry) and explains it clearly to her wide and important audience – all in just a few paragraphs.

Microsoft's InfoCard could integrate the internet's many different identity systems, resulting in a safer surfing experience for all.

By Mary Branscombe

Thursday June 9, 2005
The Guardian

Can you tell the difference between a real email from PayPal, warning you that your credit card is about to expire, and a fake email asking for your bank account details? It is getting increasingly difficult, and a mistake could have unfortunate financial consequences. But Microsoft is working on an open system that could help: InfoCard. It is like keeping several credit cards in your wallet, along with your business card, your driving licence and a few membership cards; you can pick which to use if you need to prove who you are.

With InfoCard, the different cards have different amounts of information about your identity: one might have details of where you work, another could have your address or credit card details. And you know who is asking for the information.

Criminals are now using at least two techniques to steal ID: phishing and pharming. Phishing emails lure users to fake copies of banking and shopping websites where they type in their account details; these are used to break into accounts on the real site. Pharming uses viruses to redirect your web browser to fake sites.

But even if you go to what looks like a legitimate site, how do you know you are safe? Microsoft's identity architect, Kim Cameron, says leaving the security interface up to individual websites is like “sheep going to a sheep farm operated by wolves: when you visit an evil site, you put yourself into a user experience 100% controlled by those assaulting you”.

The fundamental problem, says Cameron, isn't poor website security or naive users. It is that the net was not designed to cope with the question of who's who online. It has no framework for dealing with identity.

“In the early days, people improvised to get by: we ended up with a patchwork of ad hoc solutions,” he says. “But, unfortunately, no one can know for sure what's going on in any given interaction because every part of the patchwork behaves differently. What is safe and what is dangerous? What is real and what is scam? Who are you giving your information to when you type it into a browser? How do you know whether it is being intercepted? You have no way to evaluate the risks you are taking.”

Improving site security with a better password system, or a toolbar that checks you are at the right site, can't fix a general security problem. “There are excellent people working on these things, but they can't counter current threats without changing the way computers behave in a distributed fashion,” Cameron says. “We need to work together.”

Cameron's solution is an identity metasystem based on open Web Services (WS-*) standards, especially WS-Trust, which allows systems to securely “trade” one kind of security token for another, and the seven “laws of identity” he has thrashed out on his blog. The laws are about privacy and consent, disclosing as little information as possible and only for a good reason, putting the user in the driving seat (because otherwise people will ignore systems they don't like), and promoting multiple identity technologies run by multiple identity providers.

Cameron thinks any security architecture has to follow these principles if it is to succeed, but he isn't suggesting a single architecture, or a single identity system. He wants to keep existing identity systems, whether that's Active Directory or the Liberty Alliance standards, fit them together, and give them a consistent user interface. That way, you won't have to remember the quirks of individual sites to know you are in a safe place.

Unlike Passport, this isn't a system that Microsoft would run, or charge for, and it holds no personal information. Instead, websites plug their identity systems into the metasystem. John Shewchuk, an architect in Microsoft's distributed systems group, says: “Just like we put an abstraction over [a] file system, so we could have different kinds of hard drives, the identity metasystem bumps up the abstraction, so you can plug in lots of different kinds of systems. In the first version, InfoCard supports usernames and passwords, X.509 smart cards and other kinds of technologies, all in an integrated package.”

When you visit a website to buy a book or check your bank statement, or post a comment to a message board, you always see the same Identity Selector interface: on Windows, that is InfoCard. However, you won't provide the same information to every site. You could use an official ID issued by a government site or your ISP or your company, or an identity you have created yourself. You simply pick which InfoCard to provide. You also get to see the identity of the site you are visiting.

Microsoft isn't dictating the look of the InfoCards or the information on them. However, it does insist that logos are cryptographically verified, so users can be sure they are not forged.

For the system to work, it needs to cover more than just Windows. There will have to be Identity Selectors for Linux, Macintosh, mobile phones and any other devices used to browse securely. Microsoft has already demonstrated InfoCard working with an open source Java implementation on Linux, which gives Cameron hope that the industry will see this as more than just Passport 2.

“To me,” he says, “it demonstrates that innovative people can get into this and that it can truly be a cross-platform solution that transcends the usual faultlines of the industry.”

How can she do that? I guess five years as Senior Editor of the AOL UK Technology Channel gives you a pretty strong background…

Published by Kim Cameron