Here's Dan Farber's story over at ZDNet on the way Microsoft is approaching the identity metasystem. I'm not the only one who has seen Dan as a multi-talented guru over the years – so having him vet our thinking is important to me. It's also great to see Dan giving my friend John Shewchuk the credit he deserves – he is a tireless supporter of the identity metasystem.
On the final day of Digital ID World 2005, John Shewchuk, CTO for distributed systems at Microsoft, and Kim Cameron, identity and access architect at Microsoft, outlined their company’s plan for delivering a unifying identity metasystem, an abstraction layer, based on WS-* Web services technology.
“The essential concept of the metasystem is you have a bunch of contexts and need to achieve separation or amalgamation across the [contexts],” said Cameron. “Getting the metasystem working, like networking [via TCP/IP], can expand what’s happening by orders of magnitude, bringing synergy that currently does not exist. If we do, we’ll get to the identity big bang.”
The big bang identity metasystem addresses many of the problems in digital identity, avoiding the patchwork of single-provider, single-technology siloed solutions. It also places the user at the center, giving them control over how their identity information is parsed out. Microsoft’s identity framework supports multiple identity technologies, as well as multiple operators and implementations, Shewchuk said. This is not typical of Microsoft, which tends to focus on developing its own proprietary solutions rather than what’s in the best interest of the industry, but it seems that Cameron and Shewchuk so far have convinced Gates & company that for any identity system to succeed–unlike Passport–it must be interoperable and open standards-based.
Shewchuk said that the fundamental metasystem functions include enabling relying parties and identity providers to negotiate technical policy requirements; providing a technologically agnostic way to exchange policies and claims (Cameron’s definition: an assertion of the truth of something, typically one which is disputed or in doubt; claims could include an identifier, knowledge of a secret, as in password-based systems, personally identifying information, membership in a group…) between identity providers and relying parties; allowing a trusted way to change one set of claims, regardless of the token format, to another, so users aren’t stuck in one technology stack; and maintaining a consistent user interface across multiple systems and technologies.
WS-* has the underpinnings for building the metasystem and mostly politically correct credentials—broad participation from heavyweights in the technical community; open, published specifications on a standards track; and a promise of non-discriminatory, royalty-free use. The security token format is neutral and embodied in WS-Security, supporting multiple profiles (Kerberos, SAML flavors, XrML, X.509, etc.). WS-MetadataExchange and WS-SecurityPolicy provide a dynamic system for exchanging claims. WS-Trust provides a way to transform claims.
Microsoft’s Indigo is the Web services platform for creating .Net applications, and the user interaction takes place via Infocard, a creation and management experience that allows users to maintain control over how their identity information is used online. Users can authenticate themselves to a security token service (STS) using different methods such as a self-issued token (similar to PGP), Kerberos, smart cards and other technologies, Cameron said.
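The three metasystem functions described above (policy negotiation, claim exchange, and STS claim transformation across token formats) as a toy model in Python. This is an added example, not code from the article, Microsoft or the WS-* specifications; the token layout, the HMAC signature standing in for a real token signature, and every function and key name are assumptions.

```python
import hashlib, hmac, json, time

def _sign(key: bytes, body: dict) -> str:
    """HMAC over canonical JSON stands in for a real token signature (assumption)."""
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, raw, hashlib.sha256).hexdigest()

def issue_token(issuer, key, fmt, claims, ttl=300, now=None):
    """An STS issues a token of format `fmt` carrying `claims`, valid for `ttl` s."""
    now = time.time() if now is None else now
    body = {"fmt": fmt, "issuer": issuer, "claims": claims, "exp": now + ttl}
    return {"body": body, "sig": _sign(key, body)}

def negotiate(policy, providers):
    """Policy negotiation: list the identity providers that can satisfy the
    relying party, i.e. offer every required claim in a format the RP accepts."""
    return sorted(name for name, p in providers.items()
                  if policy["claims"] <= p["claims"] and policy["formats"] & p["formats"])

def _trusted_and_intact(token, issuer_keys, now):
    """Shared check: issuer is in the trust list, signature verifies, not expired."""
    b = token["body"]
    key = issuer_keys.get(b["issuer"])
    if key is None or not hmac.compare_digest(_sign(key, b), token["sig"]):
        return False
    return b["exp"] > now

def verify(policy, token, issuer_keys, now=None):
    """Relying-party side: fail closed unless the token is trusted, intact,
    unexpired, in an accepted format, and carries every required claim."""
    now = time.time() if now is None else now
    b = token["body"]
    return (_trusted_and_intact(token, issuer_keys, now)
            and b["fmt"] in policy["formats"]
            and policy["claims"] <= set(b["claims"]))

def transform(token, issuer_keys, sts, sts_key, to_fmt, claim_map, now=None):
    """STS side (the WS-Trust role): accept a token from a trusted issuer and
    reissue its claims in another format, renaming claims per `claim_map`,
    so the relying party never has to understand the original token type."""
    now = time.time() if now is None else now
    if not _trusted_and_intact(token, issuer_keys, now):
        raise ValueError("untrusted, tampered or expired input token")
    claims = {claim_map.get(k, k): v for k, v in token["body"]["claims"].items()}
    return issue_token(sts, sts_key, to_fmt, claims, now=now)
```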
Shewchuk said that he showed a prototype of the identity metasystem to Bill Gates three weeks ago, who apparently has allowed the project to live on. Microsoft plans to make its identity metasystem code available to developers in an SDK in a few weeks.
I asked Jamie Lewis of the Burton Group about whether Microsoft can be a trusted steward of digital identity, spanning multiple platforms. “We can complain all we want about Microsoft’s approach to developing specifications, but you can’t say they haven’t been clear about where they are headed the last several years,” Lewis said. “They have some very valid approaches. Federation is the most reasonable idea so far, and there is starting to be coalescence around the WS-* framework as a general purpose federation framework. Ping Identity demonstrated a Java-based STS, which is a powerful statement about the ability of others to play–call it enlightened self interest.”
Cameron and Shewchuk mentioned several times the necessity to maintain a consistent user interface, so that users can actually manage their online personas without having to learn arcane commands. It’s likely to be an area where Microsoft is less forthcoming on how to build solutions using its metasystem. “I doubt Microsoft will be publishing guidelines for front end as they will for back end,” Lewis said. Cameron seemed to say that Infocard would be supported on non-Windows platforms. Lewis also pointed to Microsoft’s focus on XrML (eXtensible rights Markup Language), which gets into the contentious IP rights and management space. And we know that Microsoft wants to be a major platform in digital rights management.
“If we work together on a metasystem, we can avoid the need to agree on dominant technologies a priori—they will emerge from the ecosystem,” Cameron said during a session on his much discussed Seven Laws of Identity. The Holy Grail of identity management, an efficient, reliable ecosystem, is still years away, but there is a movement afoot that appears to have the best interests of users as its guiding principle. Whether it lasts and Microsoft doesn’t revert to its darker side remains to be seen, but Cameron and Shewchuk make convincing arguments that there is no turning back.
Just for the record, I need to correct Jamie on the “front end versus back end” comment. We want to talk with every interested platform vendor about our work – and be open about our concepts and plans. I'm trying to get some meetings going. We want the strongest identity metasystem possible – and the ideal would be a consistent basic approach across platforms. We'll want to have our own “distinct look”, of course. But our friends over at Apple and on other platforms have shown themselves to be fully capable of innovative design, haven't they? So I don't suspect they need me telling them how to design their user interfaces!