Fast Forward to InfoCards

Here's a good summary of what those of us working on InfoCards are trying to do, written by Johannes Ernst of Netmesh and LID. At DIDW Microsoft released a whitepaper referencing InfoCards called Microsoft's Vision of an Identity Metasystem. But Johannes has zoomed in on a number of very interesting pieces in the puzzle – including how what we learned through metadirectory relates to the ideas in the identity metasystem, the web services protocols underlying it, and how an identity selector would work.

Personally, I'm really looking forward to the day I can put up a demo – this is a case of a system which is a whole lot easier to use than to describe. But Johannes has done a really good job of bridging that gap.

If you Google Microsoft's InfoCard, you mostly seem to find people asking “who can tell me more about InfoCard”, but very little actual answers. Here is what I've learned from public statements by Kim Cameron and other Microsoft people, and the public demo they did at Digital Identity World 2005. (Disclaimer: I may be wrong about some things, as I don't work for Microsoft. Also, I believe all of the information here is public. If I'm wrong on either count, please do let me know.)

To understand InfoCard, you need to understand Kim Cameron, InfoCard's architect. Kim is credited with being the, or at least one of the inventors of the concept of a meta-directory. A directory (as in corporate directory, LDAP, that kind of thing) is a special kind of database run by companies to manage information about their employees, such as their names, phone numbers, e-mail addresses, office locations, as well as computers, printers and sometimes access permissions to various applications or information. When companies started to deploy directories, very quickly multiple directories were found within the same company, and the question arose how those directories could be used together, because some directories would know information about some employees but not others, etc. The idea of a meta-directory is to have a piece of software that would appear just like any other directory, but that would pull its data from other directories. In other words: have your cake and eat it, too. Keep whatever directories you have, but make all their information appear in one place (coincidentally one of the core principles behind our NetMesh InfoGrid as well).

So when Kim decided to do something about digital identity, he used the same mindset that he used for the idea of a meta-directory, because he saw the same market conditions in this area: lots of incompatible digital identity systems, that prevent everybody from interacting with most other people — just like stovepipe directory systems would prevent one person from accessing a printer defined in another. In the identity space, not only do we have Microsoft Passport, Liberty Alliance, SXIP, Identity Commons, and our LID, but thousands, or maybe far more, home-grown account and user registration systems. In Kim's view, while there may be advantages that one of those systems has versus others, the real problem is fragmentation of digital identity systems, just like fragmentation of directory systems back then. So the core idea for InfoCard is to be a meta-identity system, with the word “meta” meaning the same thing as it does in the term meta-directory system.

Another way saying the same thing would be by parallel with TCP/IP as the universal abstraction layer that abstracts away from things like Ethernet, but nevertheless depends on them. Using this analogy, we could think of InfoCard just like we do about TCP/IP (in relation to digital identity systems and Ethernet or WiFi, respectively).

Kim's hope that by having such an abstraction layer, such a big momma identity backplane (as Marc Canter puts it so memorably), we can get an explosion of identity-enabled new applications. And he adds another analogy: there was little innovation in graphics before there were commons APIs that developers could use to talk to any graphics card, but then it exploded, we got graphical user interfaces and all of that. Without that common API, the next level of innovation simply wasn't possible. He thinks that it will be the same about identity.

Before we get into the guts, let's list some more of the assumptions behind Infocard: (you should also read Kim's Laws of Identity which I won't cover here but which contain a lot more interesting assumptions)

  • Kim believes that it has to be an entirely open system. My understanding is that Microsoft will find a license (I also understand they have not settled on one, in fact Kim is looking for input), that allows anybody to create any part or all of InfoCard themselves. Unlike some earlier rumors, InfoCard does not seem to be released as open source itself, but admittedly, that would really have surprised me.
  • InfoCard is built entirely on the web services (WS-*) stack. Given that it is a very distributed system, this choice is understandable. Kim says that while not all WS technologies used in InfoCard have been blessed yet by suitable standards bodies, all of them are on the standards track already.
  • Because of the need to combat phishing and other attacks where outside stuff (web pages, viruses popping up application windows etc.) pretends to be something else to the user, InfoCard will be anchored pretty deeply inside the Windows OS in a secure process space.
  • The InfoCard — like a virtual credit card or membership card — metaphor is the central user interface metaphor.
  • InfoCard only defines the “framework” protocols between the InfoCard client-piece (the one inside Windows), an identity provider, and a relying party (e.g. a website that requires identifying information). Lots of parties can be an identity provider or a relying party using many (all?) of today's identity systems which can plug into the InfoCard system by adding actual content into the defined messages.

Here is an example use case:

  1. An InfoCard-enabled user (e.g. one running the upcoming Windows Longhorn, or the downward-compatible release for XP) first signs up with one or more identity providers of their choice. That could be their ISP, their bank, a site like eBay, or Slashdot. This process is entirely outside of InfoCard, but of course the identity provider must support their part of the InfoCard protocol.
  2. The user visits an InfoCard-enabled relying website (such as an InfoCard-enabled Amazon) that requires certain identity information from the user, say, a shipping address. The website sends a web page which contains an HTML OBJECT tag, which triggers a DLL which invokes the InfoCard system.
  3. The InfoCard system determines which personal information is requested by the website, and matches it to the identities (i.e. InfoCards) that are in possession of the user. It then displays those InfoCards to the user that are applicable, such as: driver's license (if the government was an InfoCard-enabled identity provider), or credit card from AMEX. Note that the InfoCard selector runs natively on the PC and is not downloaded.
  4. The user selects an InfoCard to use. The dialog shown takes over the entire Windows screen (similar to the Windows login / logout dialogs today) in order to reduce phishing. It would also be difficult for an attacked to bring up a screen that has the exact set of InfoCard pictures on it as the user owns, as the information about which cards the user has is stored securely in a secure area of Windows. As a result of the selection, the InfoCard process on the PC contacts the selected identity provider, and obtains essentially a signed XML document that contains the requested identity information. The signature comes from the identity provider.
  5. The InfoCard PC piece then forwards the obtained document to the relying party (the website).
  6. However, InfoCard does not describe the actual tokens flying around, thereby enabling other identity systems to plug in.

In order to accomplish this, InfoCard employs:

  • SOAP
  • WS-Addressing
  • WS-MetadataExchange
  • WS-Policy
  • WS-Security
  • WS-SecurityPolicy
  • WS-Transfer
  • WS-Trust
  • XML Signature
  • XML Encryption

Does this make sense do you? It does to me … Feel free to post back or contact me if I'm wrong or incomplete or you have questions or …

Jamie on the Asphalt metaphor

I just saw that Jamie Lewis has posted this set of links to articles on DIDW by Between the LinesPhil Becker's keynote, the discussion of federation standards, John Shewchuk's keynote and Jamie's Wednesday keybnote.

I look forward to Jamie's presentations for their panoramic scope – a rare pleasure – and invariably find myself on the edge of my seat waiting for the pithy new metaphor he has discovered.

And this year, it was the idea that the current debates over protocols deserve about the same degree of interest as do arguments over the chemical composition of asphalt amongst those building a network of highways for the nation. Even here, it isn't the roads themselves that are the final product. It's the “neat cars and trucks” that run on them.

Today's post adds clarification to some of the coverage:

I … want to clarify one thing that Chris Jablonski said in his post summarizing my keynote. Chris summarized something I said this way:

However, he cautioned that achieving meaningful implementation by the end of the decade will depend on how long the vendors want to fight over building the road (standard framework) as opposed to building neat cars and trucks (more proprietary solutions).

Actually, the “neat cars and trucks” aren’t proprietary systems in the analogy I was using. My point was this: Arguments over the chemical composition of asphalt (the protocols necessary to build the standard framework) is of little value to customers who need a solution to a very real problem. What customers want is products and services that solve their identity problems (the cars and trucks that actually help people get somewhere) but that work in an interoperable system (cars that run on the public road). So in the analogy, I was trying to encourage the vendors to quit arguing over how to build the road, settle on what asphalt formula we’ll use, and focus instead on building the interoperable solutions that solve a real problem, which customers will want to buy.

And in that light, the interoperability profile for Web-based SSO between Liberty and the WS-* frameworks that Sun and Microsoft announced today are certainly encouraging. More on that later.

Doc's links

Want some links? Doc Searls has been assembling some over at Doc Searls’ IT Garage (the blog where he discusses identity issues):

Here's a pile of links on the Identity Conversation, coming out of last week's DIDW conference in San Francisco…

On the one hand, it's clear that most of the folks following this thing are giving Kim and Microsoft a lot of slack (no “Passport 2.0″ this time around, thankfully). On the other hand, we still have a long way to go.

He's right. We do.

Doc did an amazing couple of sessions on the final day at DIDW – I wonder if Phil Becker will eventually make them generally available as podcasts? That would sure be cool – though it's a lot to expect out of a conference – even a forward thinking one like DIDW.

A convenient shorthand

By the way, in case you don't know me personally, I want to make sure one thing is pretty clear. When I look at the “Kim Cameron World” aspect of what happened at last week's DIDW (as described, humorously, by Dave Kearn below) I hope everyone sees my name as being symbolic – a convenient shorthand for referring to the work a great number of us have done together to get the identity metasystem and laws off the ground.

This doesn't mean I don't appreciate the personal gestures and remarks – I am completely overwhelmed by the generosity of my colleagues across the industry.

Passing the Kearns Test

Few are better at rooting out half-baked ideas than Dave Kearn of Network Fusion and Network World. When he shoots a barb your way, pay attention. First of all, it will be too witty to ignore. More important, it's sure to contain at least one important idea.

So it's been great having Dave along in the part of the identity odyssey we've completed so far. I've counted on him to point out the parts of the discussion which are flabby, ill-expressed or don't hold together – and for offering remedies from his long experience in the trenches. In this regard, Dave is very well known as a neutral and trustworthy commentator by all those who deploy and manage identity systems.

I'm very moved by his kind personal comments in the piece below. But above all, I'm proud that through this conversation we have been able to earn his support for the laws as a place from which to begin structuring an ongoing identity conversation that doesn't always revert to page zero. Here's what he says in his latest newsletter.

I spent an enormously enlightening week at Digital ID World in
San Francisco last week. Actually, it probably could have been
renamed “Kim Cameron World.” The soft-spoken Microsoft identity
architect has taken the world (or, at least, that small corner
of the world populated by those of us who think identity is key)
by storm with his promulgation of the Seven Laws of Identity
(link to Cameron's identity blog below).

Not only was his session on the laws filled to overflowing by
those eager to understand their nature, but also the laws were
the central theme of Burton Group CEO Jamie Lewis’ opening
keynote and Linux Journal Editor Doc Searls’ closing summary.
Cameron also walked away with a Digital ID World award.
According to the show organizers, the awards are “…dedicated
to recognizing those individuals or organizations that have made
a significant contribution (technology, policy or social) to the
digital identity industry.”

Cameron's contribution goes well beyond the content of the laws
themselves. He's fostered, almost single-handedly, a constant,
globe-circling conversation taking place not only in the
metaverse of the blogosphere (where the “listener” sometimes
feels they're at a virtual tennis match as they snap back and
forth from one blog to another) but also in the physical world
where any two or more people with an interest in defining
identity (and identity solutions) gather.

In the lobbies of the San Francisco Hyatt Regency, you could see
and hear small groups of attendees talking about one law or
another, what it might mean or where it might lead. In the
almost 20 years that I've been involved with identity, this is
the most exciting event to have occurred.

I urge all of you to get involved in this conversation. For
consumers of identity products, the seven laws give you the
foundation for the questions to ask of any vendor looking for
your business. For vendors, the laws provide a working context
for designing the next version of your products and services.
For all of us, the laws force us to look at our own beliefs
about identity and re-think them. Get involved in these
conversations or risk being left behind.

Eric Norlin on the Mysterious Law 7

In his post today, Eric Norlin of Ping gets right to the essence of the seventh law:

So *everyone* was talking about Kim's laws at last week's show, but one aspect of the whole thingy (btw – a “thingy” is totally different than “thingifying” something ;-) that really stuck with me is the Mysterious Law 7 (or something containted within it):

7. Consistent Experience Across Contexts

The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

At first glance (or mine at least), i thought this was just about user interfaces – and i admit to not quite getting it…but hey – by the time you've made it through 6 laws you're exhausted – you don't care what they slip by you on law 7! ;-)

Yes, this is indeed a problem.

Buried within law 7, however, may be the most significant thing about the laws — the fact that for the first time in identity technologies we're aiming for something that spans *both* the enterprise and end-user. (quoting Jamie quoting Inigo Montoya) Lemme sum up:

In the short history of identity technologies, there has generally been 2 universes: the end user and the enterprise. Think firefly (aka passport) vs. the metadirectory. the closest attempt we've really had is the Liberty Alliance's work (SAML is admittedly not a “user facing” technology) — but frankly, it just hasn't caught on with the “end-user” (does it violate a law? dunno – that's a totally different conversation).

In the metasystem we have, for the first time, a unifying construct that A) solves enterprise problems and is necessary and B) becomes an incredibly powerful end-user facing technology. The vehicle for this is WS-Trust; the now oft-called “STS” or “secure token service” — what i've taken to calling “project cadillac.”

In essence, the STS exchanges tokens within the enterprise “onion layers” of security, thus enabling the use of identity tokens all the way back into the fossilized layers of mainframe security. Simultaneously, the STS exchanges tokens as the user moves throughout his/her differing domains.

I don't think i can emphasize *how* important this is…..this isn't the “mosaic” moment (where we realize the internet's potential by seeing it), but it is an important point of coalescence that surely is closely related to the mosaic moment (big bang) for identity. Digital Identity has not had this available before, and this convergence should not be underestimated.

Law 7 says that the metasystem really can be distributed, belong to no one, AND unifying and universal. No more sith (enterprise) vs. jedi (end user) – this could become the end of Return of the Jedi (without the ewoks, hopefully).

so – that's what i learned last week — how HUGE law 7 is……..

could we really be on the cusp of something big? god, i hope so.

Exactly. Enterprise identity systems normally”deal with” employee end-users – who go home at night and jump into consumer-to-enterprise and even peer-to-peer identity relationships. If we stop tying UX and protocols to these various silos, we can imagine that a user-centric paradigm would replace the scenario-specific paradigm. A user-centric identity paradigm could remain consistent across these various scenarios, resulting in portability of understanding across them. This is just one example of what happens when identity systems begin to benefit from synergy – the magical ingredient which has so far remained just beyond their reach.

My readers know how hard it was for me to name the seventh law and put it into words. The implications of introducing synergy are huge. With a little help from our friends we've been able to get closer to the bone and jettison a bunch of verbiage. Eric's contribution here makes it clearer still.

Steve Gillmore

Here's a piece by Steve Gillmore that nicely captures how what we are doing together in identity is part of a broader “something's happening here” that could really revitalize our industry and take us past our preconceptions – hard as it is to let go of them.

I love Steve's audio work – his podcasts have helped me evolve many of my ideas.

‘Enlightened’ Identity Metasystem

Here's Dan Farber's story over at ZDNet on the way Microsoft is approaching the identity metasystem. I'm not the only one who has seen Dan as a multi-talented guru over the years – so having him vet our thinking is important to me. It's also great to see Dan giving my friend John Shewchuk the credit he deserves – he is a tireless supporter of the identity metasystem.

shewchuk1_1.jpgOn the final day of Digital ID World 2005, John Shewchuk, CTO for distributed systems at Microsoft, and Kim Cameron, identity and access architect at Microsoft, outlined their company’s plan for delivering a unifying identity metasystem, an abstraction layer, based on WS-* Web services technology.

“The essential concept of the metasystem is you have a bunch of contexts and need to achieve separation or amalgamation across the [contexts],” said Cameron. “Getting the metasystem working, like networking [via TCP/IP], can expand what’s happening by orders of magnitude, bringing synergy that current does not exist. If we do, we’ll get to the identity big bang.”

The big bang identity metasystem addresses many of problems in digital identity, avoiding the patchwork of single provider, single technology siloed solutions. It also places the user at the center, giving them control over how their identity information is parsed out. Microsoft’s identity framework supports multiple identity technologies, as well as multiple operators and implementations, Shewchuk said. This is not the typical of Microsoft, which tends to focus on developing its own proprietary solutions rather what’s in the best interest of the industry, but it seems that Cameron and Shewchuk so far have convinced Gates & company for any identity system to succeed–unlike Passport–it must be interoperable and open standards-based.

Shewchuk said that the fundamental metasystem functions include enabling relying parties and identity providers to negotiate technical policy requirements; providing a technologically agnostic way to exchange policies and claims (Cameron’s definition: an assertion of the truth of something, typically one which is disputed or in doubt; claims could include an identifier, knowledge of a secret, as in password based systems, personally identifying information, membership in a group…) between identity providers and relying parties; allowing a trusted way to change one set of claims, regardless of the token format, to another, so users aren’t stuck in one technology stack; and maintaining a consistent user interface across multiple systems and technologies.

WS-* has the underpinnings for building the metasystem and mostly political correct credentials—broad participation from heavyweights in the technical community; open, published specifications on a standards track; and a promise of non-discriminatory, royalty free use. The security token format is neutral and embodied in WS-Security, supporting multiple profile (Kerebos, SAML flavors, XrML, x509, etc.). WS-MetaExchange and WS-Security Policy provide a dynamic system for exchanging claims. WS-Trust provides a way to transform claims.

kim.jpgMicrosoft’s Indigo is the Web services platform for creating .Net applications, and the user interaction takes place via Infocard, a creation and management experience that allows users to maintain control over how their identity information is used online. Users can authenticate themselves to a security token service (STS) using different methods such as a self-issued token (similar to PGP), Kerebos, smart cards and other technologies, Cameron said.

Shewchuk said that he showed a prototype of the identity metasystem to Bill Gates three weeks ago, who apparently has allowed the project to live on. Microsoft plans to make its identity metasystem code available to developers in an SDK in a few weeks.

I asked Jamie Lewis of the Burton Group about whether Microsoft can be a trusted steward of digital identity, spanning multiple platforms. “We can complain all we want about Microsoft’s approach to developing specifivations, but you can’t say they haven’t been clear about where they are headed the last several years,” Lewis said. “They have some very valid approaches. Federation is the most reasonable idea so far, and there is starting to be coalesence around the WS-* framework as a general purpose federation framework. Ping Identity demonstrated a Java-based STS, which is a powerful statement about the ability of others to play–call it enlightened self interest.”

Cameron and Shewchuk mentioned several times the necessity to maintain a consistent user interface, so that users can actually manage their online personas without having to learn arcane commands. It’s likely to be an area where Microsoft is less forthcoming on how to build solutions using its metasystem. “I doubt Microsoft will be publishing guidelines for front end as they will for back end,” Lewis said. Cameron seemed to say the Infocard would be supported on non-Windows platforms. Lewis also pointed to Microsoft’s focus on XrML (eXtensible rights Markup Language), which he gets into the contentious IP rights and management space. And we know that Microsoft wants to be a major platform in digital rights management.

“If we work together on a metasystem, we can avoid the need to agree on dominant technologies a priori—they will emerge from the ecosystem,” Cameron said during a session on his much discussed Seven Laws of Identity. The Holy Grail of identity management and efficient, reliable ecosystem is still years away, but there is a movement afoot that appears to have the best interests of users as its guiding principle. Whether it lasts and Microsoft doesn’t revert to its darker side remains to be seen, but Cameron and Shewchuk make convincing arguments that there is no turning back.

Just for the record, I need to correct Jamie on the “front end versus back end” comment. We want to talk with every interested platform vendor about our work – and be open about our concepts and plans. I'm trying to get some meetings going. We want the strongest identity metasystem possible – and the ideal would be a consistent basic approach across platforms. We'll want to have our own “distinct look”, of course. But our friends over at Apple and on other platforms have shown themselves to be fully capable of innovative design, haven't they? So I don't suspect they need me telling them how to design their user interfaces!