Dick Hardt joins Microsoft's Identity Team

John Fontana from Network World has picked up on one of the big deals in my life recently – Dick Hardt is joining our team at Microsoft.  John Fontana posted this in Network World

Noted identity innovator Dick Hardt has agreed to join Microsoft to help the company shape its identity platform.

Hardt, one of the unique personalities in the busy identity community and a vocal Identity 2.0 advocate, will have the title “partner architect” and will be working on consumer, enterprise and government identity problems, he said on his blog

Hardt said he was recruited by Microsoft because he is an “independent thinker.” Microsoft has benefited greatly from the work of other independent thinkers notably identity architect Kim Cameron, who has been instrumental in evolving the company's identity platform and its integration with other vendors, protocols and tools.

“I think the hiring of Dick Hardt is another proof point that Microsoft is serious about identity,” said Jackson Shaw, senior director of product management for Active Directory and integration solutions at Quest Software. “I believe it is also a further sign that Microsoft wants to avoid a Microsoft-centric ‘Passport’ type solution. They are, quite clearly, thinking much bigger – Azure, Geneva and CardSpace are on their way or already delivered so we know they are serious. Dick, along with Kim Cameron and others at Microsoft, will further help to ensure that Microsoft ‘thinks big’ in this important area.”

Hardt, whose reputation is that of an entrepreneur, said on his blog: “I view the opportunity to come in at a senior level and learn how big enterprise and big software works a great learning experience. I'm also excited about changes that are afoot at Microsoft such as Azure and to work beside a bunch of really smart people!”

He also said he relished the opportunity to come in and work with his “Foo Camp friends Jon Udell, Dana Boyd and of course Ray Ozzie.” Foo Camp is an annual hacker event put on by O'Reilly Media.

Hardt, most recently the chair of Sxipper, a position he will retain, comes in at a time when Microsoft is working to marry its newly minted Geneva identity strategy with its services push.

Sxipper was a spin-off from Sxip Identity, where Hardt first began to gain notice in the identity community with his rapid-fire Identity 2.0 presentation. Sixp Identity developed a technology called Sxip Access, which Google used as the foundation of a single sign-on bridge to corporate directories. Sxip later sold the technology to Ping Identity

In addition to his identity background, Hardt also has worked extensively with open source. He founded ActiveState in 1997 and developed tools for open source programming languages, and he ported the Perl programming language to Windows. 

In February, he showed off for the first time his newest work to create “address book 2.0,” a social networking “flow application” that presents a user's contact data in context with what they are viewing on the Internet.

There has never been a better presentation on identity than Dick's presentation on Identity 2.0.  He has played a pivotal role as a catalyst and contributed great thinking and technical ideas to the identity community as an important figure in OpenID.   It's exciting to think that we'll be working together more closely – I have no doubt that Microsoft will be a good place for him to continue all the good work he has beein doing, as a key figure in moving user-centric identity forward as fast as possible.
 

What identity providers will sites support?

Paul Madsen digs deeper into the factors that will influence the choices of Internet service providers as they move towards user-centric identity.

“Often times, in trying to be clever and sarcastic, I dive too deep into the ‘satire pool’. The urge to be witty and contrarian surpasses the urge to be clear. Consequently, the ‘point’ I am trying to make can, on occasion, be buried underneath surface frivolity and snideness.
“As happened with my recent post on HealthVault‘s chosen model for OP acceptance.

“With that post, I have confused Kim, and for that I here apologize.

“I was responding to a post of Simon Willison, in which he defended HealthVault's right to choose OPs selectively – and not be compelled to accept any ol’ OP coming in off the street presenting an identity claim.

“My post might have given some the impression that I disagreed with Simon. For instance, I wrote

‘I disagree’

“Admittedly, this set a tone.

“But the rest of the post was meant to point out that, while I do think the user has the right to pressure RPs like HealthVault to accept assertions from particular OPs – the appropriate mechanism for this pressure, as for many other interactions between customers and service providers (e.g. buying an OS), is through market forces. If enough users choose an OP because it is secure and privacy-respecting, or because it offers 2-factor authentication, or because it has a snazzy flash UI, the RPs will find it (if they are interested in serving their customer base).

“When the RPs do find these candidate OPs (or IDPs, the issue is of course not unique to OpenID) they will themselves do their own checking and assessment before they start accepting assertions. And of course, each RP has to ask the question ‘Is this OP appropriate for the resources I protect/manage?’. If the resources are neither privacy sensitive nor valuable, the list of OPs that are appropriate will be longer than for medical or financial information.

“HealthVault (actually probably some other audit & risk management group in Microsoft) performed this assessment and, at least initially, came up with 2 OPs that they felt were right for them. More power to ‘em. Partner selection is tough and fraught with risk – they are right to be careful.

“I smile (more a smirk really) when I hear some in the user-centric world place the sole right and responsibility of choosing an OP on the user's shoulders. User's can't even remember their passwords, and you want them to assess the security infrastructure of an OP?

Surgeon: So, are we ready for your operation tomorrow?
Patient: Hi Doc, yes. But I was just reading about this new surgical instrument for the procedure. I really want you to try it out on me.
Surgeon: Hmmm, I don't know much about it …
Patient: Oh, you'll work it out as you go

“So yes Kim, I agree. Resources, and gall bladders, do have rights. “

Now it becomes clear why his original piece was called Pressure. Meanwhile, everyone should know that the last thing I would ever want to do is cast a chill over Paul's satire pool. What a refreshing oasis it is!  (No pun intended.)

Resources have rights too

Paul Madsen has a knack for pithy identity wisdom.  But his recent piece on HealthVault's use of OpenID made me do a double take.

“Simon Willison defends HealthVault‘s choice of OPs [OpenID providers – Kim].

“I disagree. It is I, as a user, that should be able to dictate to HealthVault the OPs from which they are to accept identity assertions through OpenID.

“Just as I, as a user of Vista, should be able to dictate to Microsoft which software partners they work with to bundle into the OS (I particularly like the Slow Down to Crawl install).

“Just as I, as a Zune user … oh wait, there are no Zune users….

“The mechanism by which I (the user) am able to indicate to HealthVault, or Vista, my preferences for their partners is called ‘the market‘.”

Hmmm.  All passion aside, are Vista and HealthVault really the same things?

When you buy an operating system like Vista, it is the substratum of YOUR personal computer.  You should be able to run whatever YOU want on it.  That strikes me as part of the very definition of the PC.

But what about a cloud service like HealthVault?  And here I want to get away from the specifics of HealthVault, and talk generically about services that live in the cloud.  In terms of the points I want to make, we could just as easily be talking about Facebook, LinkedIn, Blogger or Hotmail.

As a user, do you own such a service? Do you run it in whatever way you see fit?  

I've tried a lot of services, and I don't think I've ever seen one that gives you that kind of carte blanche. 

Normally a service provides options. You can often control content, but you function within parameters.  Your biggest decision is whether you want to use the service in the first place.  That's a large part of what “the market” in services really is like.

But let me push this part of the discussion onto “the stack” for a moment.

PUSH

Last week a friend came by and told me a story.  One of his friends regularly used an Internet advertising service, and paid for it via the Internet too.  At some point, a large transaction “went missing”.  The victim contacted the service through which he was making the transaction, and was told it “wasn't their problem”.  Whose problem was it?

I don't know anything about legal matters and am not talking from that point of view.  It just seems obvious to me that if you are a company that values its relationships with customers, this kind of breach really IS your problem, and you need to face up to that.

And there is the rub.  I never want to be the one saying, “Sorry – this is your problem, not ours.”  But if I'm going share the problem, shouldn't I have some say in preventing it and limiting my liability?

POP

I think that someone offering a service has the right to define the conditions for use of the service (let's for now ignore the fact that there may be some regulation of such conditions – for example certain conditions might be “illegal” in some jurisdictions).  And that includes security requirements.

In other words, matters of access control proceed from the resource.  The resource decides who can access it.   Identity assertions are a tool which a resource may use to accomplish this.  For years we've gotten this backwards, thinking access proceeded from the identity to the resource – we need to reverse our thinking.

Takeaway:  “user-centric” doesn't mean The Dictatorship of the Users.  In fact there are three parties whose interests must be accomodated (the user, the resource, and the claims provider).  At times this is going to be complex.  Proclamations like, “It is I, as a user, that should be able to dictate…” just don't capture what is at stake here. 

I like the way Simon Willison puts this:

“You have to remember that behind the excitement and marketing OpenID is a protocol, just like SMTP or HTTP. All OpenID actually provides is a mechanism for asserting ownership over a URL and then “proving” that assertion. We can build a pyramid of interesting things on top of this, but that assertion is really all OpenID gives us (well, that and a globally unique identifier). In internet theory terms, it’s a dumb network: the protocol just concentrates on passing assertions around; it’s up to the endpoints to set policies and invent interesting applications.

“Open means that providers and consumers are free to use the protocol in whatever way they wish. If they want to only accept OpenID from a trusted subset of providers, they can go ahead. If they only want to pass OpenID details around behind the corporate firewall (great for gluing together an SSO network from open-source components) they can knock themselves out. Just like SMTP or HTTP, the protocol does not imply any rules about where or how it should be used…”

In a later post – where he seems to have calmed down a bit – Paul mentions a Liberty framework that allows relying parties to “outsource the assessment of… OPs to accredited 3rd parties (or at least provide a common assessment framework…)”.  This sounds more like the Paul I know, and I want to learn more about his thinking in this area.

Information Card Foundation Formed

It's a great day for Information Cards, Internet security and privacy. I can't put it better than this:

June 24, 2008 – Australia, Canada, France, Germany, India, Sri Lanka, United Kingdom, United States – An array of prominent names in the high-technology community today announced the formation of a non-profit foundation, The Information Card Foundation, to advance a simpler, more secure and more open digital identity on the Internet, increasing user control over their personal information while enabling mutually beneficial digital relationships between people and businesses.

Led by Equifax, Google, Microsoft, Novell, Oracle, and PayPal, plus nine leaders in the technology community, the group established the Information Card Foundation (ICF) to promote the rapid build-out and adoption of Internet-enabled digital identities using Information Cards.

Information Cards take a familiar off-line consumer behavior – using a card to prove identity and provide information – and bring it to the online world. Information Cards are a visual representation of a personal digital identity which can be shared with online entities. Consumers are able to manage the information in their cards, have multiple cards with different levels of detail, and easily select the card they want to use for any given interaction.

“Rather than logging into web sites with usernames and passwords, Information Cards let people ‘click-in’ using a secure digital identity that carries only the specific information needed to enable a transaction,” said Charles Andres, executive director for the Information Card Foundation. “Additionally, businesses will enjoy lower fraud rates, higher affinity with customers, lower risk, and more timely information about their customers and business partners.”

The founding members of the Information Card Foundation represent a wide range of technology, data, and consumer companies. Equifax, Google, Microsoft, Novell, Oracle, and PayPal, are founding members of the Information Card Foundation Board of Directors. Individuals also serving on the board include ICF Chairman Paul Trevithick of Parity, Patrick Harding of Ping Identity, Mary Ruddy of Meristic, Ben Laurie, Andrew Hodgkinson of Novell, Drummond Reed, Pamela Dingle of the Pamela Project, Axel Nennker, and Kim Cameron of Microsoft.

“The creation of the ICF is a welcome development,” said Jamie Lewis, CEO and research chair of Burton Group. “As a third party, the ICF can drive the development of Information Card specifications that are independent of vendor implementations. It can also drive vendor-independent branding that advertises compliance with the specifications, and the behind-the-scenes work that real interoperability requires.”

The Information Card Foundation will support and guide industry efforts to enable the development of an open, trusted and interoperable identity layer for the Internet that maximizes control over personal information by individuals. To do so, the Information Card infrastructure will use existing and emerging data exchange and security protocols, standards and software components.

Businesses and organizations that supply or consume personal information will benefit from joining the Information Card Foundation to improve their trusted relationships with their users. This includes financial institutions, retailers, educational and government institutions, healthcare providers, retail providers, travel, entertainment, and social networks.

The Information Card Foundation will hold interoperability events to improve consistency on the web for people using and managing their Information Cards. The ICF will also promote consistent industry branding that represents interoperability of Information Cards and related components, and will promote identity policies that protect user information. This branding and policy development is designed to give all Internet users confidence that they can exert greater control over personal information released to specific trusted providers through the use of Information Cards.

“Liberty Alliance salutes the open industry oversight of Information Card interoperability that the formation of ICF signifies,” said Brett McDowell, executive director, Liberty Alliance. “Our shared goal is to deliver a ubiquitous, interoperable, privacy-respecting federated identity layer as a means to seamless, secure online transactions over network infrastructure. We look forward to exploring with ICF the expansion of the Liberty Alliance Interoperable(tm) testing program to include Information Card interoperability as well as utilization of the Identity Assurance Framework across Information Card deployments.”

As part of its affiliations with other organizations, The Information Card Foundation has applied to be a working group of Identity Commons, a community-driven organization promoting the creation of an open identity layer for the Internet while encouraging the development of healthy, interoperable communities.

Additional founding members are Arcot Systems,Aristotle, A.T.E. Software, BackgroundChecks.com, CORISECIO, FuGen Solutions, the Fraunhofer Institute, Fun Communications, the Liberty Alliance, Gemalto, IDology, IPcommerce, ooTao, Parity, Ping Identity, Privo, Wave Systems, and WSO2

Further information about the Information Card Foundation can be found at www.informationcard.net.

I enjoy having been invited to join the foundation board as one of the representatives of the identity community, rather than as a corporate representative (Mike Jones will play that role for Microsoft). Beyond the important forces involved, this is a terrific group of people with deep experience, and I look forward to what we can achieve together.

One thing for sure: the Identity Big Bang is closer than ever.  Given the deep synergy between OpenID and Information Cards, we have great opportunities all across the identity spectrum.

European Identity Awards

The recent European Identity Conference 2008 featured the presentation of Kuppinger Cole's European Identity Awards. Vendors, integrators, consultants and user companies were asked for nominations. For each category, three outstanding projects and innovations were nominated as finalists. Here is how Kuppinger Cole framed the results:

Best Innovation

“The award went to a group of companies that are driving forward the process to outsource authentication and authorisation, making it easier to control application security ‘from outside’.   There are several providers with different approaches in this field but during the past year, they all contributed a lot to promote this concept, considered as indispensable by KCP.   The winners in this category are Bitkoo, CA, iSM, Microsoft and Oracle.

“Also among the finalists were Aveksa and Sailpoint for their Identity Risk Management solutions and Microsoft for making a significant contribution to identity information protection in distributed environments through their takeover of Credentica and the planned integration of U-Prove technology into user-centric Identity Management.”

Best New/Improved Standard

“The award went to the OpenID Foundation and to Microsoft for their InfoCard initiative. These standards form the base for Identity 2.0, the so-called user-centric Identity Management.

“Other outstanding solutions nominated as finalists were the eCard API Framework and the simpleSAMLphp project driven forward by Feide RnD. The eCard API Framework has been jointly developed by Secunet and the Bundesamt für Sicherheit in der Informationstechnik (abbreviated BSI – in English: Federal Office for Security in Information Technology) to simplify the interaction of applications with different card technologies. With simpleSAMLphp, federation functions can easily be integrated into existing and new applications.”

Best Internal Identity Management Project

“The award went to BASF for their AccessIT project, which realises Identity Management within a complex corporate structure and excells in consistent approaches to centralised auditing.

“Another finalist in this category was the Royal Bank of Scotland, with its project to control a multitude of applications by an integrated role-based access control.”

Best B2B Identity Management Project

“The award went to Orange/France Telecom.  Their project is revolutionary due to the consistent use of federation and the opening of systems to partners.

“Also among the finalists in this category were Endress+Hauser for their business customer portal and education network SurfNET which is at present one of the most comprehensive federation implementations.”

Best B2C Identity Management Project

“The award went to eBay and Paypal which support strong authentication mechanisms, thus making a significant contribution to the protection of online transactions and creating more awareness on this issue among the wider public.

“Other finalists were Karlsruhe-based company Fun Communications for their innovative approach to the use of info cards as virtual customer cards, which is groundbreaking in our opinion, and KAS bank for their consistent use of strong authentication and encryption technologies to protect transactions.”

Best eGovernment Identity Management Project 

“The Republic of Austria received the prize in the “Best eGovernment Identity Management project” category for their eGovernment initiatives which we think are leading with regard to the implementation of Identity Management.

“Other finalists were Crossroads Bank, Smals and BAMF  – the Bundesamt für Migration and Flüchtlinge (Federal Office for Migration and Refugees).”

Special prizes

Dale accepting award and champagne on behalf of Higgins/Bandit“Special prizes were given to two initiatives considered as groundbreaking by KCP.

“In KCP's opinion, the VRM project by Doc Searls is an innovative approach that applies user-centric Identity Management concepts to customer management. In the VRM Unconference 2008 at the EIC 2008, this issue was intensely discussed in Europe for the first time.

“The second special prize went to open source projects Higgins and Bandit which we think are the most important open source initiatives in Identity Management.”

[Thanks to Jackson Shaw for Photos]

Is New Zealand's government a ‘justifiable party’?

Vikram Kumar works for New Zealand's State Services Commission on the All-of-government Authentication Programme.   As he puts it, “… that means my working and blog lives intersect….”  In this discussion of the Third Law of Identity, he argues that in New Zealand, where the population of the whole country is smaller than that of many international cities, people may consider the government to be  a “justifiable party” in private sector transactions:

A recent article in CR80News called Social networking sites have little to no identity verification got me thinking about the Laws of Identity, specifically Justifiable Parties, “Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.”

The article itself makes points that have been made before, i.e. on social networking sites “there’s no way to tell whether you’re corresponding with a 15-year-old girl or a 32-year-old man…The vast majority of sites don’t do anything to try to confirm the identities of members. The sites also don’t want to absorb the cost of trying to prove the identity of their members. Also, identifying minors is almost impossible because there isn’t enough information out there to authenticate their identity.”

In the US, this has thrown up business opportunities for some companies to act as third party identity verifiers. Examples are Texas-based Entrust, Dallas-based RelyID, and Atlanta-based IDology. They rely on public and financial records databases and, in some cases, government-issued identification as a fallback.

Clearly, these vendors are Justifiable Parties.

What about the government? It is the source of most of the original information. Is the government a Justifiable Party?

In describing the law, Kim Cameron says “Today some governments are thinking of operating digital identity services. It makes sense (and is clearly justifiable) for people to use government-issued identities when doing business with the government. But it will be a cultural matter as to whether, for example, citizens agree it is “necessary and justifiable” for government identities to be used in controlling access to a family wiki or connecting a consumer to her hobby or vice.” [emphasis added]

So, in the US, where there isn’t a high trust relationship between people and the government, the US government would probably not be a Justifiable Party. In other words, if the US government was to try and provide social networking sites with the identity of its members, the law of Justifiable Parties predicts that it would fail.

This is probably no great discovery- most Americans would have said the conclusion is obvious, law of Justifiable Parties or not.

Which then leads to the question of other cultures…are there cultures where government could be a Justifiable Party for social networking sites?

To address, I think it is necessary to distinguish between the requirements of social networking sites that need real-world identity attributes (e.g. age) and the examples that Kim gives- family wiki, connecting a consumer to her hobby or vice- where authentication is required (i.e. it is the same person each time without a reliance on real-world attributes).

Now, I think government does have a role to play in verifying real-world identity attributes like age. It is after all the authoritative source of that information. If a person makes an age claim and government accepts it, government-issued documents reflects the accepted claim as, what I call, an authoritative assertion that other parties accept.

The question then is whether in some high trust societies, where there is a sufficiently high trust relationship between society and government, can the government be a Justifiable Party in verifying the identity (or identity attributes such as age alone) for the members of social networking societies?

I believe that the answer is yes. Specifically, in New Zealand where this trust relationship exists, I believe it is right and proper for government to play this role. It is of course subject to many caveats, such as devising a privacy-protective system for the verification of identity or identity attributes and understanding the power of choice.

In NZ, igovt provides this. During public consultation held late last year about igovt, people were asked whether they would like to use the service to verify their identity to the private sector (in addition to government agencies). In other words, is government a Justifiable Party?

The results from the public consultation are due soon and will provide the answer. Based on the media coverage of igovt so far, I think the answer, for NZ, will be yes, government is a Justifiable Party.

It is noteworthy that if citizens give them the go-ahead, the State Services Commission is prepared to take on the responsibility and risk of managing all aspects of the digital identity of New Zealand's citizens . The combined governement and commercial identities the Commission administers will attract attackers.  Effectively, the Commission will be handling “digital explosives” of a greater potency than has so far been the case anywhere in the world.

At the same time, the other Laws of Identity will continue to hold.  The Commission will need to work extra hard to achieve data minimization after having collapsed previously independent contexts together. I think this can be done, but it requires tremendous care and use of the most advanced policies and technologies.

To be safe, such an intertwined system must, more than any other, minimize disclosure and aggregation of information.  And more than any other, it must be resilient against attack. 

If I lived in New Zealand I would be working to see that the Commission's system is based on a minimal disclosure technology like U-Prove or Idemix.  I would also be working to make sure the system avoids “redirection protocols” that give the identity provider complete visibility into how identity is used.  (Redirection protocols unsuitable for this usage include SAML and WS-Federation, as well as OpenID).    Finally, I would make phishing resistance a top priority.  In short, I wouldn't touch this kind of challenge without Information Cards and very distributed, encrypted information storage.

Upcoming Internet Identity Workshop

Identity Woman Kaliya will be back to orchestrate the next identity unconference, one in a series that have played a key role in the evolution of OpenID and Information Cards.  If you are interested in identity, it's a great place to meet a lot of people involved in the community.   

Check out the conference page at Internet Identity Workshop.  Here's an overview:

The heart of the workshop is a practical idealism in working towards the shared vision of a decentralized, user-centric identity layer for the Internet.

Because the web was built around “pages”, no tools or standards were created to control how the information about you was collected or used. At the Internet Identity Workshop we bring the people creating these tools and standards so people can safely manage their online identity and control their personal data.

It is not about any one technology – rather it is a place to discuss multiple interoperating ?(and possible competing) ? projects, standards, and networks for identity, data sharing, and reputation.

As part of Identity Commons, the Internet Identity Workshop creates opportunities for both innovators and competitors. We provide an open forum for both the big guys and the small fry to come together in a safe and balanced space.

There are a wide range of projects in the community:

  1. Open conceptual, community, and governance models.
  2. Open standards and protocols.
  3. Open source projects.
  4. Commercial projects.
  5. Projects to address social and legal implications of these technologies.
  6. Efforts to rethink the business models and opportunities available with these new technologies.

User-centric identity is the ability:

  • To use one's identifier(s) on more then one site
  • To control who sees what information about you
  • To selectively share presence and profile information
  • To maintain multiple identities and personas in the contexts you wish
  • To aggregate attention, navigation, and purchase history from the sites and communities you frequent
  • To move and share your personal data, relationships, documents, and other publications as you wish

All of the following are active topic areas at each IIW:

  • Improving Existing Legal Constructs
    • Privacy Policies
    • Terms of Service
  • Creating New Legal Constructs
    • Limited Liability Personas
    • Identity Rights Agreements
  • Creating New Business Models
    • Identity Oracle
    • I-Brokers
  • New Citizenship Perspectives
    • Activism
    • Community Event Coordination
    • Community Identity and Data Sharing

The conference takes place in Mountain View, California on May 12 – 14

Microsoft says, “U-Prove it”

Ralf Bendrath chided me yesterday for bragging about having proven Bruce Schneier wrong in his concern that there is not a “viable business model” for the Credentica technology.  (In my defense, Bruce had said, “I'd like to be proven wrong.”, and I was just trying to oblige him.)

Anyway,  I think Joe Wilcox's article in eWeek's Microsoft Watch provides some unbiased analysis of the issue.

Sometimes, Microsoft really spends its money well, such as last week's acquisition of U-Prove technology from Credentica.

This is a damn, exciting acquisition. It's strategic and timely.

U-Prove is, simply put, a privacy/security protection mechanism. The technology works on a simple principle: Enable transactions by revealing as little information as possible.

Credentica's Stefan Brands, Christian Paquin and Greg Thompson have joined Microsoft, where they will work as part of the Identity and Access Group. Microsoft also acquired associated U-Prove patents.

Brands is a well-regarded cryptographer and author of “Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy,” which explains the principles behind U-Prove. The book is available for free download, courtesy of MIT Press. He brings a somewhat radical approach to cryptography: Disclose or collect little—ideally no—private information during any transaction process. During most transactions, whether online or offline, too much personal information is exposed.

I vaguely recall Brands from Zero-Knowledge Systems, where he went in early 2000. About six months earlier I consulted Zero-Knowledge Systems’ chief scientist for a story about an alleged cryptographic flaw/back door in then unreleased Windows 2000.

Brands, his colleagues and U-Prove will first go into Windows Cardspace and Windows Communications Foundation. Microsoft's Brendon Lynch explained in a Thursday blog post:

“Credentica's U-Prove technology will help people protect their identities by enabling them to disclose only the minimum amount of information needed for a transaction—sometimes no personal information may be needed at all. When this technology is broadly available in Microsoft products (such as Windows Communication Foundation and Windows Cardspace), enterprises, governments and consumers all stand to benefit from the enhanced security and privacy that it will enable. We look forward to a world where people have more control of their personal information and are better protected from harms of online fraud and identity theft.”

Kim Cameron, Microsoft's identity architect, does a wonderful job explaining Brands’ “minimal disclosure” approach in a Thursday blog post and how the company may apply it. The basic concept: to use other cryptographic means to verify identity “without revealing the signature applied by the identity provider.”

Microsoft has made one helluva good acquisition, whose potential long-term benefits I simply cannot overstate. The company has been trying to tackle the identity problem for nearly a decade. Early days, Passport acted as a single sign-on for multiple services, a heritage Windows Live ID expanded. But U-Prove departs from Microsoft's past identity efforts. The idea is to identify you without, well, identifying you.

Microsoft online services would look dramatically different with an identity mechanism that truly protected privacy and security on both sides of the transaction all while guaranteeing both parties that they are who they say they are, without necessarily saying who they are.

The best conceptual analogy I can think of is Swiss or offshore banking, where an account holder presents a numerical token or tokens that verify his or her right to account access but not the individual's identity or necessarily the token's issuer. Such a mechanism could be a boon to business and consumer confidence in online transactions as well as reduce petty fraud.

Microsoft's money would be better spent on more acquisitions like this one, rather than frittering away valuable resources on Yahoo. Microsoft is operating on the false premise that Google's huge search lead also puts it ahead in advertising—too far to catch up without a means of leaping ahead. Yahoo is the means.

But Microsoft is mistaken. Online activities and transactions are more complex than that. Search is one strategic technology, but there are others that Google doesn't control. If Microsoft could take a strategic lead protecting identity around transactions, the company could better enable all kinds of Web activities, and in so doing raise its online credibility. Privacy concerns have dogged Google.

I think Microsoft should take half of its proposed Yahoo offer and spend it on more acquisitions like Credentica's U-Prove technology. I'm not the first to suggest that Microsoft spend $20 billion on smaller companies. But I will say that U-Prove is an example what Microsoft should do to bolster its online technology portfolio in more meaningful ways, without taking on the hardship of a large, messy acquisition like Yahoo.

From The Economist: the Identity Parade

It's great to see mainstream publications really taking the time to understand and convey the issues of digital identity and privacy.  A recent article in the Economist discussed the Laws of Identity at length.  Cambridge researcher Ross Anderson and others are quoted as well.  Here's an excerpt that gives you a sense for the full article

Internet users have become used to providing personal information to any convincing-looking box that appears on a screen. They have little idea of either the technology that helps to provide electronic security in practice or the theoretical principles that determine whether it will work. According to Mr Cameron, “there is no consistent and comprehensible framework allowing them to evaluate the authenticity of the sites they visit, and they don't have a reliable way of knowing when they are disclosing private information to illegitimate parties. At the same time they lack a framework for controlling or even remembering the many different aspects of their digital existence”…

Cybercrime discredits the use of the internet not only by business but by government too. Mr Cameron suggests rethinking the whole issue, starting from the principle that users may be identified only with their explicit consent. That sounds commonsensical, but many big government databases do things differently. Britain's planned central records for the NHS, for example, will assume consent as it combines all the medical records held in local practice databases.

The second principle, says Mr Cameron, should be to keep down the risk of a breach by using as little information as possible to achieve the task in hand. This approach, which he calls “information minimalism”, rules out keeping information “just in case”. For example, if a government agency needs to check if someone falls into a certain age group, it is far better to acquire and store this information temporarily as a “yes” or “no” than to record the actual date of birth permanently, which would be much more personal and therefore more damaging if leaked.

Third, identity systems must be able to check who is asking for the information, not just hand it over. How easy it is for the outside world to access such information should depend on whose identity it is. Public bodies, Mr Cameron suggests, should make themselves accessible to all comers. Private individuals, by contrast, should be protected so that they have to identify themselves only temporarily and by choice…

[More here…]

Handbags at dawn?

Here is Pat Patterson's post on my recent discussion with Ben Laurie.   Pat is a widely respected member of Sun's identity team, blogs at Superpatterns, and runs the useful PlanetIdentity RSS feed.   There are a number of ways you could build a Password Manager for CardSpace, but I thought readers would enjoy seeing Pat's take on it:

You might have noticed the exchange between Ben and Kim over the past day or two… Ben made a point that CardSpace makes OpenID redundant – why not just send a password to the RP? Kim jumped all over him – somewhat misinterpreting what Ben later describes as one of my most diabolical hungover bits of prose ever. Ben goes on to clarify that maybe CardSpace can have a role in helping the user manage passwords; Kim says “Hmm… Food for thought” (okay, I'm paraphrasing); Ben admits he didn't explain himself too clearly to begin with; and, glory be, they're violently agreeing. Phew! I thought we were going to be seeing handbags at dawn

Reading all this lit a spark in my mind of how this could work. The crux is to consider the username/password token, usually sent as one of a set of possible input tokens to an identity provider security token service (IP/STS), as an output token.

Here's how it would work… Borrowing a diagram from Microsoft's Guide to Interoperating with the Information Card Profile V1.0:

First of all, the IP/STS would specify ic:RequireAppliesTo in the managed card. This tells the identity selector to include a wsp:AppliesTo element in the wst:RequestSecurityToken (RST). The IP/STS is going to need this later…

Now, the user visits the relying party (RP) in step 1, requesting some resource. In step 2, the ‘service requestor’ (application client with identity selector) requests security policy from the RP. The RP would indicate, in step 3, that it wanted a username/password token by specifying a token type of http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0 in the policy.

Now the identity selector presents some set of information cards (hopefully just one) to the user (step 5) and the user selects one (step 6). Steps 7 and 8 would see the RP requesting security policy from the IP/STS, and the IP/STS supplying it, exactly as in the standard information card interaction. Here the IP/STS could require any form of input token, but username/password is most likely.

Between steps 8 and 9, the identity selector prompts the user for credentials (bad Microsoft, missing that out of the diagram!) and in step 8, the identity selector packages up the user's credentials in a WS-Trust RST and send them to the IP/STS.

Now, here's the interesting bit. The IP/STS authenticates the user, exactly as in the standard CardSpace case, but now it looks at the wsp:AppliesTo element, and looks up the user's username/password pair for that RP (this is an implementation detail – there could be a mapping of RP identifiers to username/password pairs per user, all encrypted on disk, of course). The IP/STS packages them as a wsse:UsernameToken, which is then encrypted with the RP's public key and returned to the identity selector (step 10). The display token could just show ******** for the value of the password claim. Now we have a nice, securely packaged credential that the identity selector can send to the RP in step 11.

Here's the other nice bit… All the RP has to do is to decrypt the incoming token and it has the user's username and password, exactly as if they had arrived by a conventional form post. No further customization required at the RP – no changes to directory or database schemas, no extra steps of associating an information card with your account. Passwords on steroids.

If the RP uses https, I'm not even sure there is any need to decrypt at the token layer, which simplifies implementation to decoding a simple xml structure.  RP's who are looking for greated levels of security should switch to public key.

I'd like to hear Pat's ideas about the user experience of bootstrapping the passwords into the Identity Provider.