Linux Journal Does The Identity Metasystem

That's the Internet's Doc Searls on the cover of this month's Linux Journal. And as you can see, his piece is titled “The Identity Metasystem“. It tells the whole Identity Gang story in the way only Doc can do. I sure wish I could write like that! Of course I always wanted to skate like Wayne Gretzky too. Not likely any time soon!

The kicker reads:

“Can a free market in identity systems emerge from a confusing array of vendor-specific silos? Doc sees hope from an unlikely source.”

And yes, he's talking about us.

I'm part of the story, and far from objective. But it must be evident to all that he has really put his reputation on the line to push identity into fast forward. I love the way he approaches things.

I sure hope I can live up to the belief Doc, Craig and others have placed in me. I'll certainly keep plugging away at this with all my friends and colleagues across the industry until we get this thing built – redefining the future Internet in a way that gives its inhabitants the kind of identity capabilities they want and need in the different aspects of their lives.

I don't think anyone could have contemplated Linux Journal running an article like this a year ago. Is it a bizarre historical anomaly, or a sea change? Who can tell? But there is a deep conversation happening. And there is optimism. That feeling we had when personal computers were first explosively announcing the new digital era.

While I'm on the subject of Doc, he just won a prestigious Google O'Reilly Communicator award:

Communicator: Internet pioneer Doc Searls, co-author of “The Cluetrain Manifesto” and a Senior Editor for Linux Journal.

Anyway – pick up Doc's Linux Journal article (not available online). No matter how things turn out, it will sure be a defining document of this incredible trip.


Interview with the Inventors of WS-Trust

I've been working on InfoCards for what seems like ages now. Projects this complex turn into a bit of a blur, but the last Microsoft PDC (Professional Developers Conference) in 2003 stands out as a milestone. That's when we first talked publicly about the concept of a non-proprietary identity metasystem that used a “visual card metaphor” to represent personal, professional, employment-related and government identities.

The presentation was focused on the idea that we needed a multi-centered system in which there would be multiple identity providers represented within a unifying interface offering separation between contexts. But the idea of incorporating multiple different underlying security technologies seemed too hard to achieve at the time. We knew that if we were successful, the InfoCard system would be one of the most attacked systems in the history of computing. How could we build an InfoCard client with multiple “protocol heads” and still keep it secure?

So, in my thinking I fell back to the “simplest thing” – a hybrid that would employ existing PKI and “self-issued” certificates to sign long-lived SAML-encoded attribute statements represented visually as cards. It was admittedly arbitrary. But it could work. The X.509 and SAML standards were well accepted – if not well deployed! On the other hand, there were aspects of the proposal with which I wasn't happy. The inflexibility of long-lived tokens implied that they inadvertently, simply by being unchanging, became tracking mechanisms – and always gave away maximum information. This seemed progressively more significant as I became more sensitized to the privacy issues involved in individual identity.

It was around this point that I met John Shewchuk, who was CTO of Web Services at Microsoft. The meeting was bizarre because he took one look at the InfoCard presentation and said, “Yeah. The InfoCard concept is amazing. I want you to look at this thing I'm working on.”

At Microsoft, almost everyone likes to “push back”, testing the limits of what they're examining. So John's “instant understanding” was disconcerting.

I said, “John – uh – I don't think you really get how important this is.”

He replied, “No, I do. I get it. It's the missing piece. Believe me. I get it.” And it turned out he did.

A few days later, we got together and he filled me in on WS-Trust. I could see that in a world transformed by WS-Trust, the problems of certificate management and key distribution in “third party trust” scenarios would just “go away”. So would the inflexibility of long-lived tokens. It even gave us a way to support multiple security systems without increasing our vulnerability. So as quickly as John had understood InfoCards, I was on board with WS-Trust. After all, the problems with certificate management and key distribution are huge, huge, huge.

The more I thought about WS-Trust, the more I understood its power and simplicity. I say simplicity because it is really just a mechanism for exchanging one token for another. You present a first token, tell the system what kind of token you want in return, and, assuming all goes well, get the new token back.

What can you do with it? Authentication. Authorization. Secure exchange of claims about… anything at all. What kind of payload can you handle? Anything you want. And that is power.

This meant one could make the metasystem not only multi-centered, but polymorphic in the sense of supporting different underlying technologies. My thinking about the metasystem – later captured in “The Laws of Identity” – had led me to worry that InfoCards might end up being another technology silo. The polymorphic capabilities of WS-Trust could be employed so InfoCards not only escaped becoming a silo, but cut across existing silos in a very synergistic way.

Through John I met the witty and razor-sharp Tony Nadalin from IBM. Later I found out that they, along with Mary Ann Hondo from IBM and Chris Kaler from Microsoft, were the original four musketeers behind WS-Trust and the related microspecs. I thought it would be a good idea to talk with them about their work so others could get their perspective on things – and get to know them.

In this conversation, John and Tony tell us why they invented the WS-Trust protocol, what it does, how it differs from earlier technologies, and the kinds of reactions various parties initially had to their concepts. They go on to discuss “claims”, and the advantages of “claims neutrality” over their factoring into authentication, authorization, and attribute release “buckets”. Tony, who also works with Liberty, shares his thinking about the way tokens will, through the use of policy, be scoped to applications, and why the competitive advantages of dynamic systems mean rigidly taxonomized formats are unlikely to survive in the long term.

John explores the differences between what he calls the old “fixed offset protocols” and the approach, possible today with modern parsers, that can handle new composable and flexible payloads in what he calls “linear time” – meaning that CPUs can decompose the information flow faster than networks can deliver it. Then we look at where we are in the process of getting the protocol into wide use, and what remains to be done.

The conversation concludes by exploring the issues of standardization and complexity. Both John and Tony say we are already moving beyond the theoretical phase and shipping products. This leads to a discussion of profiles and interoperability.

This interview lasts 29 minutes. The mp3 is here. And here's the Windows media version.

[tags: WS Trust, Identity Metasystem]

Eric's open letter to Bill Gates and Microsoft

Never a prisoner to small ambition, my good friend Eric Norlin has put together an open letter to Bill Gates and Microsoft – what he calls “the ultimate act of hubris — telling the most successful software company in the history of the world how they *should* be running things… ” As Doc says, markets are conversations and relationships, and you can't do enough listening. Beyond that, Eric is a person who always has interesting things to say.

I hope other people at Microsoft will think hard about what Eric wants to tell us. I agree very much with his fundamental point: nothing is more important to the future of the virtual and animated world than giving software and the things it inhabits the ability to respond deeply to who we are. This is what digital identity is all about. We are in a period of conceptual revolution as we come to understand this. And it's just a matter of time before identity becomes a truly central message that is broadcast far and wide.

I've taken the liberty of lifting his piece from here. I don't want to get in the way of Eric's ideas, but I'll make a few comments – I hope Eric won't mind since the letter is addressed to Microsoft as well as to Bill. Clearly, I can't speak for Bill, especially when it comes to the matters in which Eric specializes. But I can assure everyone Bill thinks deeply about identity and all the same issues we talk about in this blogosphere conversation.

Dear Mr. Gates,

Digital ID World has been covering some of Microsoft's more cutting edge work since our inception in 2002. We've covered NGSCB (a.k.a., “Palladium”) since its early days, watched the development of Microsoft's Rights Management Server, and seen you move from mere mentions of digital identity to large sections of your RSA Security Conference keynote focusing on the subject.

Amidst it all, we have tried to dig deep; to really understand the technical underpinnings, while pointing out what we felt were some of the rough spots ahead. And, in that context, Phil and I have often had “behind closed doors” conversations wherein we “play Bill” – i.e. talk about what we'd do if we ran Microsoft. So it is with a sense of humility that I undertake one of the great acts of hubris – the “open letter.”

Digital Identity: The thread that runs through Microsoft
The launch of Vista (Longhorn) is widely seen as one of the most important events in the history of Microsoft. Indeed, part of the challenge of the launch is clearly the representation of Microsoft's constantly growing product set in a cohesive vision. While Vista may be just one of these products, it is a lynchpin that will drive the message of Microsoft far into the future. And, frankly, as I watch the “share your passion” messages, I'm not inspired.

As an outsider looking in, Microsoft often appears to be a ship with more than one rudder – being pulled to and fro by the driving force of the moment—whether it is web services, gaming, mobile applications, or directory deployments. Of course, I assume that I'm wrong; that there must be some grand vision that I do not understand; a master plan that drives the decisions of the most successful software company in the history of the world.

I don't want to nitpick, but is the world a single thing? Are its phenomena focused in some single direction?

I think there is a fundamental and undeniable complexity here. As Microsoft advances digital technology to embrace this complexity, it is not clear to me that “master plan” is the right metaphor. What is needed, really, is to understand the synergy between things, and use that to forward our understanding of each area of specialization.

You can then evolve an overarching strategy. And well articulated tactics that embody this strategy. Yet no matter what, the underlying flexibility must not be lost.

And I actually think Eric understands this, not only because I know him, but because in the next few paragraphs we see that he is talking less about an intransigent master plan than about messaging.

But if that's true, then why don't I understand it? Is it because they don't want me to? Or is it just simply a mistake of marketing? Is the messaging unclear, unfocused, and uncoordinated? I find that hard to believe, but – outside looking in – it really does seem that way.

I would argue that Microsoft needs a uniting force to represent itself to the marketplace…

That “thread” doesn't appear to me to be all that hard to find. The uniting thread of digital identity runs through the majority of Microsoft's work, and actually gives you a messaging platform that is cohesive and convincing.

The Microsoft Universe: Walking up the identity stack
The figure below is my representation of the Microsoft product universe, or the product universe as I think it should be (with tongue firmly in cheek). Starting at the bottom and working my way up, I'd like to connect the dots.

Identity of Things and People
One thread runs through all of these products – digital identity. I'm not limiting digital identity simply to humans, but expanding it to include the identity of things. As Microsoft comes to see itself as a company that helps the things and people in the networked world to be managed and/or manage themselves, it also comes to understand the ultimate goal of the company: providing the right information to the right people at the right time in the right context.

“Be managed or manage themselves” – interesting, I think of it as self-organization within a process-driven environment. “Providing the right information to the right people” – yes, and not only information – but all digital experience.

NGSCB: the Next Generation Secure Computing Base (or “Palladium”)
NGSCB is the controversial effort inside of Microsoft to build a secure operating system within the operating system that will (in some senses) seek the elimination of software-driven hacks. Peter Biddle has been valiantly leading the effort along these lines for several years – an effort that is quite unique in that it combines hardware and software. But, really, what NGSCB does is provide a secure boot up process for the isolation and management of foundational system identity – it allows the machine to prove to itself that it is who it says it is and can proceed. It grounds the computer in identity.

Yup, I have to agree.

One layer up we find the Xbox/Media Center, Vista, and strong authentication layer. We'll deal with the “Xbox stack” separately. For now, let's look at Vista and Strong Authentication.

Vista and Strong Authentication
From NGSCB we move on to the operating system (Vista), its associated development frameworks (Indigo), and a tacked-on strong authentication module. An important note here is that Microsoft may not necessarily build the strong auth mechanism – it may be an RSA token, an OATH USB key, or perhaps a fingerprint reader on the laptop. Whatever it is, once the secure boot occurs, the user authenticates themselves into the Windows operating system – an environment that seeks to deliver personalized information in a personal fashion, while giving the end-user control of their various digital identities.

I'm not sure I'd use the word “tacked on”. Once these devices are all STSs (incorporating WS-Trust), they will just fit together using standards.

InfoCards: the central thread
The central thread that runs through the majority of Microsoft's work is InfoCards. InfoCards utilizes the WS-Trust specification to allow the individual to manage their identities in various contexts. When conducting a commercial transaction, the individual can choose which identities to present which will satisfy the requirements of the commercial entity they interact with. Similarly, in social, collaborative or community environments, the individual presents who they are. An important note is that “anonymous” is just as valid an identity as “Eric – Digital ID World writer.” The other significant aspect to InfoCards is that it is the first digital identity mechanism of the current era to bridge the end-user and corporate environments. Its brilliance lies in the fact that it provides a unified mechanism for traversing what has been (to this point) two widely separate arenas.

I also agree that once you understand how important identity is to both personalization and access, InfoCards are key and central in precisely the way Eric describes.

Active Directory and Microsoft Identity Integration Server
Moving up the stack we find the centerpiece of Microsoft's enterprise efforts: Active Directory. Active Directory (and Active Directory Federation Server) and MIIS (Microsoft Identity Integration Server) form the core of identity for the enterprise, while utilizing InfoCards (for end-user self management) and Vista (for corporate desktop security and as a foundation for productivity tools).

Moving to the right: RFID and Network Management
A parallel track on the right of the stack brings in the RFID and Network management middleware for the enterprise. Both of these systems are focused on managing the identity of things – an equally important aspect of identity within the enterprise.

Returning to the center: Exchange, RMS and Office
Back in the center of the stack, we find the core of Microsoft's business – Exchange, the Rights Management Server and Office (what I've here called “personalized office”). All of these products utilize identity (via email, calendaring, rights management and document management, and personal productivity tools) to give the end-user an environment within which to accomplish tasks and set policies that work in accordance with both their own and larger enterprise goals. Utilizing these tools a person can use email to set a meeting; write a confidential document for that meeting; and protect it using the RMS, so that only the intended readers can read and alter it.

Stepping Left: the XBOX and Media Center
The left side of the stack represents the XBOX and Media Center efforts at Microsoft. These are the pure “consumer” plays – bringing Microsoft into the center of the digital home and community. Identity is the central thread of these platforms (which is really what the XBOX is) – providing the home with a means for managing personal identities and their representations in social and gaming environments.

The Presentation and Transaction Layer
Sitting on top of the stacks, we hit the first unifying layer – the presentation and transaction layer. This layer encompasses things like photos, blogs, the web, RSS, and search. Sitting atop the identity stacks, it provides personalized experiences and a means for representing different aspects of personal identity, while receiving personalized information and transacting in a personalized digital world.

Proposing this layering is a novel way to think of things…

Mobile and Location-based applications
Atop the presentation and transaction layer sits the mobile world. In this world of identity-based location and presence applications, users are no longer tied to the desktop or home — and still their digital identity persists and becomes increasingly portable. Here we find Microsoft-driven smart phones, location-based search, and personalized, location-driven CRM.

Identity-driven Services
The top layer of the stack is the coming identity-driven services. These are most likely not Microsoft owned or Microsoft built. Rather, this is a wide ranging independent software vendor community (or services community) that utilizes the lower layers of the Microsoft stack to provide identity-driven services.

Message for the Market
That's the Microsoft product universe – a universe united around the central thread of identity. A universe moved by the idea that in a distributed world, providing the user with the means for managing identity is the most powerful platform one could build. A unifying metaphor that says, managing and leveraging identity in a networked world will build the foundation for the next great developer base; services, software, hosted or not – it doesn't matter. Microsoft's product set is the concrete upon which to build this identity-driven technology world. Accordingly, Microsoft needs a simple message that conveys the benefits of this unified vision; a tagline for the digital identity future…

Be You.

Eric Norlin

My main complaint is that the picture shows Microsoft technologies as a silo. They aren't. We're in the age of web services. The platform is in some ways cross-platform. How will this be shown? Maybe that's a third dimension. Or maybe it's in the services layer at the top of Eric's diagram. I'm curious to hear what Eric will say.

But I think this is very interesting stuff. Of course, I see the world through the lens of identity too. And more and more people now understand identity. Identity concepts are entering the mainstream.

Luckily I don't have to make marketing decisions on this order. I just want to get what we do about identity right. Then smart people like Eric, and his confreres at Microsoft and elsewhere in the industry, will take care of the rest.


Get smart on the new identity thinking in less than a week

Analyst James Governor of Redmonk has done a piece about how to “Get smart on the new identity thinking in less than a week”. Isn't this a great heading?

“I was talking yesterday to Dennis Szerszen, vp of marketing at Securewave, a company that keeps Microsoft shops ticking over calmly by enabling whitelist policies of acceptable executables (the zen of behaviour blocking).”

I'm going to come back to this in another piece – it is a perfect example of how a “whitelist” reputation architecture is stronger than a “blacklist” architecture.

“Anyway, we were discussing the notion that identity is only important in context. We both agreed the notion of a single canonical digital identity for everything is absurd.”

He then goes on to describe Information Bulimia (I think that's a first):

“To my mind this is why the approach of the mooted British National ID Card System looks like an expensive and potentially dangerous failure (in terms of budget, civil liberties and fraud opportunities); it's a Big Bang, the kind of program the UK Government and associated public sector service provider cartel have a terrible track record for delivering. Most problematical however is the attempt to create a digital ID useful in seemingly every conceivable public meets private sector digital context. It will prevent welfare benefit fraud, catch terrorists, be used by commercial organizations (Insurance companies, potentially), and probably solve world poverty too.

“Unfortunately in real life the massive central ID database will probably suffer from information bulimia, a disorder common amongst information intermediaries, characterized by episodic binge data collection followed by uncontrollable vomiting and purging, leading to information leakage and theft.”

It does seem to be a tendency, doesn't it?

“But anyway back to Dennis and the conversatron. We were discussing USB memory sticks and other portable mass storage devices, a huge information breach challenge for all kinds of company. You don't necessarily want to block all USB access, it depends on the context. That is where his firm is focusing attention.

“I wanted to provide more context for our discussion and suggested Dennis read some blogs on “the new identity thinking”. I don't mean oldline discussions concerning SSO and PKI, but rather people working on new (often lightweight) approaches and thinking to identity problems. These are the thinkers that will enable new business models, and hopefully some more coherent national policies on identity and privacy going forward. We should all engage with this kind of thinking because ID is important and it is tightly associated with our civil liberties.

“Anyway – I reckon that if you subscribe to and read the blogs below for just a few days your ID IQ will be significantly increased. I tried to limit it to ten or so, and gave myself some breathing room for feedback. Should I have included Sun's very own Superpat, for example? Who is driving the new thinking at IBM – is there a Sam Ruby of ID out there? I basically erred on the side of Web 2.0 folks. Change agents, that is.

“So here you go – Now go get smartened up.

Kim Cameron, Microsoft

“Perhaps the most influential figure in Identity 2.0. Why? Because Kim is driving Microsoft's Identity Management strategy, and he wants to put the user, rather than the corporation, at the center of the world. The real deal is our Kim. Put forward seven laws of identity to help drive the debate forward. “

James makes it sound like I had the good sense to come up with the idea that the user should be at the center, when in truth I'm just acting on the fact that the user is obviously at the center – if you want your system to succeed. It's a simple matter of boarding the cluetrain, as Doc would say. I mean, it's coming straight at us… But I'll still take any compliment I can get – just to keep the energy up…

Jamie Lewis, Burton Group

“Whatever you think of industry analysts it is hard to argue Burton Group have been instrumental in driving the state of the art forward on directory and identity.

Eric Norlin, Ping Identity

“Eric is quite simply an identity news maker. Is that the same as a noise-maker? :-) No-he gets things done.

Kaliya Hamlin, Identity Woman

“Kaliya has all necessary technical gubbins, the respect of her peers, and umm. she's a she. It's important more women are part of the identity conversation because they likely see things differently than male alpha geeks. As we're seeing over at the Blogher conference, questions of identity and credibility are closely associated (the link debate). What is the A-list? It's surely an identity management system… And if women do share more personal information online, as Blogaholics notes, what does that say for identity and metadata management in a digital age, and potential abuse of same?

Phil Windley, Technometria

“Smart dude from Brigham Young, part of the new identity community cluster.

Scott C. Lemon, Digital Identity Management

“Digital Identity-its what Scott does. This blog is a great place to start thinking about the issues.

On The Identity Trail, Province of Ontario ID mavens

“Ontario is an e-government hub. Canada hopefully shows us that privacy should be considered when governments drive ID initiatives.

Dick Hardt, Identity 2.0

“I couldn't exactly use Identity 2.0 in my title without pointing to the guy credited with coming up with the term. I subsequently changed the blog title, but he is certainly an influencer of merit.

“There are some organizations with something useful to say: Liberty Alliance, Sxip Networks, Identity Commons, LID NetMesh. Here is an HP primer on Federated ID-related protocols.

“So there you go Dennis – some advanced thinking on identity in context. “

James ends with a golden maxim that emanates directly from the soul of technological inevitability:

A final word from monkchips: digital living will increase the number of identities we use as it increases the number of contexts and communities in which we interact.

This is good, and it is why I have slaved so hard to get InfoCards into place.


Identity Claims for GoBinder

Scott C. Lemon blogged recently that he is “close to a product release, and… anxious to begin to experiment with the new Microsoft SDK and Kim's work.” This should be interesting since Scott has been a creative force for years. Many have told me he was the mind behind all that was good about Novell's Digital Me.

He goes on to talk about how claim-based identity is a “two-way model”:

“I really like this terminology about “claims based identity” since that is all identity is, IMHO! This fits completely with the Axioms that I have (slowly) been working on, and it supports that – “Identity only exists in language.” (On a side note, it hit me this weekend that all words represent an “occurring” … not a “thing”. It is how something occurs to me that I name … although we often do not think of it this way.)

“Anyhow … I like the “claims based identity” since this is a nice “two-way” model … I can make claims about my identity, and others can make claims about my identity. In both cases, it is up to the recipient of the claim to do what ever verification that they feel is appropriate.”

That's right. It is an ‘N-way’ model.

“Another important aspect of this is that a “claim” is in no way “true” … it is merely a claim. This relates to the topics of reputation, etc. which are not something that a “person has”, but instead are something that a “person is given”. I am given a reputation by others … they are the ones that say that I am a particular way. My actions merely occur in a particular way to others …”

He's got it. Funny, because Paul Trevithick at SocialPhysics has been talking about this very point recently, as he works at sharpening our vocabulary. I think it is absolutely key to see digital reputation as being formally separate from digital identity – in just the way Scott proposes.

He goes on:

“Anyhow … I'm following things on a background thread and am about to reprioritize. I want to get the new identity code working within our GoBinder product. Our new version – GoBinder 2006 – is going to hit the market this fall.

“Kim … thanks for the great work! I'm looking forward to leveraging your work!”

Wow. This should be interesting. No pressure, of course.

Scott leaves us with this quote from my blog – making me doubly curious about what Scott has in mind:

“Once you get your head around expressing identities as sets of claims, you can easily imagine expressing a user's location as one of those claims. In the identity metasystem, the relying party could indicate in its policy that it requires several sets of identity claims- one indicating who the user is, and another indicating where the user is. The claims might come from different authorities (e.g. an enterprise and a trusted location provider). These would be implemented as two Security Token Services (claims transformers). Both sets of claims, taken together, would identify the user from the point of view of the relying party.”
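The token exchange John and Tony describe in the WS-Trust interview above (present one token, say what kind you want back, get the new one), and the two-STS relying-party policy in the paragraph just quoted, as one added worked example. This is illustration code written for this page, not code from the original posts, from Microsoft or from the WS-Trust specification: real WS-Trust carries RequestSecurityToken / RequestSecurityTokenResponse messages as SOAP/XML and issues tokens such as SAML assertions, whereas here the request and the tokens are plain JSON signed with HMAC-SHA256 (so the relying party shares a key with each STS rather than checking a public-key signature), and every issuer name, key, claim type and policy value is an assumption chosen for the example.

```python
import base64
import hashlib
import hmac
import json

# Added illustration for this page, not code from the original posts, from
# Microsoft or from the WS-Trust specification. Issuer names, keys, claim
# types and the relying-party policy are all assumptions.


def sign_token(issuer, token_type, audience, claims, key):
    """Issue a token: JSON payload plus an HMAC-SHA256 tag under the issuer's
    key. 'audience' scopes the token to the one party allowed to accept it."""
    payload = {"issuer": issuer, "type": token_type, "audience": audience, "claims": claims}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify_token(token, trusted_issuers, audience):
    """Return the payload if the token is intact, from a trusted issuer and
    scoped to 'audience'; otherwise None."""
    try:
        body, tag = token.split(".")
        payload = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None
    key = trusted_issuers.get(payload.get("issuer")) if isinstance(payload, dict) else None
    if key is None or payload.get("audience") != audience:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(expected, tag) else None


class SecurityTokenService:
    """A claims transformer: present one token, say what you want, get a new token back."""

    def __init__(self, name, key, trusted_issuers, authority):
        self.name, self.key, self.trusted = name, key, trusted_issuers
        self.authority = authority  # subject -> claims this STS is authoritative for

    def issue(self, request):
        """'request' plays the role of an RST: input token, wanted token type,
        wanted claim types, and the relying party the new token applies to."""
        inbound = verify_token(request["input_token"], self.trusted, audience=self.name)
        if inbound is None:
            raise PermissionError("input token rejected")
        subject = inbound["claims"]["subject"]
        known = self.authority.get(subject, {})
        # Release only the requested claim types (minimal disclosure), and refuse
        # outright rather than guess when this STS cannot assert one of them.
        missing = [c for c in request["claims"] if c not in known]
        if missing:
            raise PermissionError("cannot assert " + ", ".join(missing))
        released = {c: known[c] for c in request["claims"]}
        released["subject"] = subject
        return sign_token(self.name, request["token_type"], request["applies_to"], released, self.key)


def evaluate_policy(policy, tokens, trusted_issuers, rp_name):
    """Relying-party policy: each required issuer must supply a valid token scoped
    to this RP and carrying every listed claim type. The merged claims are the
    user's identity from the RP's point of view; any gap means refusal (None)."""
    valid = [p for p in (verify_token(t, trusted_issuers, rp_name) for t in tokens) if p]
    identity = {}
    for issuer, wanted in policy.items():
        payload = next((p for p in valid if p["issuer"] == issuer), None)
        if payload is None or any(c not in payload["claims"] for c in wanted):
            return None
        identity[issuer] = {c: payload["claims"][c] for c in wanted}
    return identity


def run_scenario():
    """Constructed scenario: an enterprise STS, a location STS, and an RP requiring both."""
    keys = {"self-issued": b"alice-card-key", "enterprise-sts": b"ent-key", "location-sts": b"loc-key"}
    enterprise = SecurityTokenService(
        "enterprise-sts", keys["enterprise-sts"], {"self-issued": keys["self-issued"]},
        {"alice": {"name": "Alice Example", "role": "engineer", "employee_id": "E-1042"}})
    location = SecurityTokenService(
        "location-sts", keys["location-sts"], {"self-issued": keys["self-issued"]},
        {"alice": {"city": "Toronto", "desk": "B4-17"}})

    def ask(sts, claims, applies_to="payroll-app"):
        # the user's self-issued token is scoped to the STS it is presented to
        card = sign_token("self-issued", "bearer", sts.name, {"subject": "alice"}, keys["self-issued"])
        return sts.issue({"input_token": card, "token_type": "claims",
                          "claims": claims, "applies_to": applies_to})

    rp_trust = {"enterprise-sts": keys["enterprise-sts"], "location-sts": keys["location-sts"]}
    policy = {"enterprise-sts": ["name", "role"], "location-sts": ["city"]}
    who, where = ask(enterprise, ["name", "role"]), ask(location, ["city"])
    elsewhere = ask(location, ["city"], applies_to="cafeteria-app")  # same claims, other RP
    return {
        "both_tokens": evaluate_policy(policy, [who, where], rp_trust, "payroll-app"),
        "location_missing": evaluate_policy(policy, [who], rp_trust, "payroll-app"),
        "wrong_audience": evaluate_policy(policy, [who, elsewhere], rp_trust, "payroll-app"),
        "enterprise_released": verify_token(who, rp_trust, "payroll-app")["claims"],
    }


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(case, "->", result)
```

Three things in the scenario are worth noticing. The RP never sees employee_id or desk, because each STS releases only the claim types that were asked for. A token issued for cafeteria-app is refused by payroll-app even though it carries exactly the claims payroll-app wants, which is what scoping tokens to an application buys you. And the RP's view of Alice only exists when every issuer its policy names has spoken; one token from the enterprise alone is not "half an identity", it is a refusal.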


Craig ‘Shrinks’ Kim after slashdotting

Craig Burton and I spent some time recently figuring out what we could learn from the slashdot community's reactions to the Laws of Identity (reactions which I first discussed here). Our conversation is available in mp3 and in wma (about 17 minutes).

We look at anonymity, and I ask Craig whether people will get the idea that in the digital world, anonymity is a form of digital identity in which there are no claims.

We discuss what Craig calls “the architectural weakness” of schemes based on “deny assertions” – commonly known as “blacklists” or “deny ACEs”.
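The architectural point Craig makes here, and the one I promised to come back to after James's mention of Securewave's executable whitelisting above, as an added worked example rather than anything from Securewave, Craig or James. It compares the two policies on the same constructed population of programs: the "executables" are made-up byte strings hashed with SHA-256, so nothing here is a real binary, and the five sample names are assumptions for the illustration.

```python
import hashlib

# Added illustration for this page, not code from Securewave or from anyone
# quoted above. The "executables" are constructed byte strings; no real
# program or malware is involved.


def digest(binary):
    return hashlib.sha256(binary).hexdigest()


def deny_list_policy(denied):
    """Run anything unless it is on the deny list: an unknown program is assumed good."""
    return lambda binary: digest(binary) not in denied


def allow_list_policy(allowed):
    """Run only what is on the allow list: an unknown program is assumed bad."""
    return lambda binary: digest(binary) in allowed


def evaluate(policy, samples):
    """Map each sample name to whether the policy lets it execute."""
    return {name: policy(binary) for name, binary in samples.items()}


def run_comparison():
    """Constructed population: two programs known when the policy was written, three that were not."""
    approved_app = b"MZ\x90\x00 approved-editor v1.0"
    known_malware = b"MZ\x90\x00 dropper build 7"
    samples = {
        "approved app": approved_app,
        "known malware": known_malware,
        # a one-byte repack of the same dropper: new hash, so the deny list no longer knows it
        "repacked known malware": known_malware + b"\x00",
        "never-seen malware": b"MZ\x90\x00 fresh-zero-day",
        # the vendor's next release is equally unknown to the allow list until it is enrolled
        "approved app, new version": b"MZ\x90\x00 approved-editor v1.1",
    }
    deny = deny_list_policy({digest(known_malware)})
    allow = allow_list_policy({digest(approved_app)})
    return {"deny list": evaluate(deny, samples), "allow list": evaluate(allow, samples)}


if __name__ == "__main__":
    for policy_name, outcome in run_comparison().items():
        print(policy_name)
        for sample, runs in outcome.items():
            print("  ", "runs   " if runs else "blocked", sample)
```

The deny list stops exactly one thing: the sample it was written against. Both the trivially repacked copy and the never-seen program sail through, because "not on the list" is read as "fine". Under the allow list the same two are blocked by default, and the weakness moves somewhere visible and manageable: the legitimate new version is also blocked until someone enrolls it, which is an operational cost rather than a security hole. That is the difference between failing open and failing closed, and it applies just as much to a deny ACE in an ACL as to an executable policy.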

And Craig says some interesting things about how all of this relates to what Dick Hardt has called Identity 1.0 and 2.0.

When I listened to the conversation I could see that in several places I used the word “identity” when I should have been saying “digital identity”. For example, I talk about identity being a set of claims – when it is digital identity that is a set of claims.

It is essential to be totally precise about these usages, so be sure to slap me around when I get it wrong.


Intriguing new identity technology

Nature magazine has published an intriguing report called Fingerprinting Documents and Packaging that suggests the possibility of interacting digitally with paper documents without the use of RFID tags or modifications to current production processes.

According to the authors:

“We have found that almost all paper documents, plastic cards and product packaging contain a unique physical identity code formed from microscopic imperfections in the surface. This covert ‘fingerprint’ is intrinsic and virtually impossible to modify controllably. It can be rapidly read using a low-cost portable laser scanner. Most forms of document and branded-product fraud could be rendered obsolete by use of this code.

“Our findings open the way to a new approach to authentication and tracking — even the inventors would not be able to carry out a physical attack on this fingerprint as there is no known manufacturing process for copying surface imperfections at the required level of precision. There is no need to modify the protected item in any way through the addition of tags, chips or inks, so protection is covert, low-cost, simple to integrate into the manufacturing process, and immune to attacks directed against the security feature itself.”

How might the technology be used in passports? A passport could be produced using conventional means, and then the main page of the passport could be scanned and its “fingerprint” held in a database along with relevant identifying information.

When examining the passport, authorities could scan it, causing verification of the fingerprint and retrieval of the associated information. This should match what is printed on the passport, and can be taken as authoritative.

The scheme clearly doesn't transform a document or piece of merchandise into a beacon or contravene the fourth law of identity, since the “digital inspection” of the document is entirely analogous to conventional visual inspection. In my view, this is key.

How does it work?


“Figure 1a shows the results of scanning a focused laser beam across a sheet of standard white paper and continuously recording the reflected intensity from four different angles by using four photodetectors. (See supplementary information for methods.) Statistical analysis indicates that there are pseudorandom fluctuations that have a minimum wavelength of 70 micrometers. The fluctuations from the mean intensity are digitized into ones and zeros to form the fingerprint code for the object.

“Figure 1b shows the digital cross-correlation between this scan and a similar scan from a different sheet of paper from the pack. The absence of any strong peak indicates that the scans are independent of each other. By contrast, the digital cross-correlation between the original scan and a subsequent scan from the same sheet of paper taken three days later, with normal handling of the paper in between, shows a strong peak close to zero positional shift (Fig. 1c); this indicates that the scans are largely identical. Similar results were obtained from matt-finish plastic cards (such as credit cards), identity cards and coated paperboard packaging (as used to pack pharmaceuticals and cosmetics, for example).”

I can hear you complaining that either intentional desecration or old fashioned wear and tear would render the fingerprint useless. So here is what I found to be perhaps the most astonishing aspect of the invention:

“Recognition was good even after the object had been roughly handled. For paper, this included screwing it into a tight ball, followed by smoothing to leave a badly creased surface; submerging it in cold water for 5 min, followed by natural drying; baking it in air at 180 °C for 30 min to scorch the surface; scribbling heavily over the scanned area with a ball-point pen and a thick black marker pen; or scrubbing the surface with an abrasive cleaning pad.

“The amplitude of the cross-correlation peak can be used to determine the probability of two objects sharing indistinguishable fingerprints. For the paper studied here, the probability was less than 10 to the 72nd (see supplementary information). Smoother surfaces, such as matt-finish plastic cards and coated paperboard, typically give probabilities of less than 10 to the 20th. The speckle signal therefore serves as a virtually unique fingerprint for the object. Each fingerprint requires about 200–500 bytes of storage space.”
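To make the matching step concrete, here is an added example (mine, not the Nature authors' code or their optics) of the two operations the quoted passages describe: digitizing fluctuations from the mean intensity into a bit string, and comparing two such strings by digital cross-correlation over positional shifts, where a strong peak near zero shift means the same object and no peak means independent objects. The speckle traces are simulated Gaussian profiles; the re-scan adds handling noise and a small positional offset; the 0.5 peak threshold and the 8-sample search window are my assumptions, not values from the paper.

```python
import random

# Constructed stand-in for a laser speckle trace: a fixed per-sheet
# "surface" profile drawn from `seed` (the paper's real signal comes from
# microscopic surface imperfections read by a laser; this only mimics
# its pseudorandom character so the matching logic can be exercised).
def surface_profile(seed, length=600):
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(length)]

def scan(surface, start=0, n=512, noise=0.0, noise_seed=0):
    """One pass of the scanner over `surface`: n samples from offset
    `start`, with per-sample Gaussian noise standing in for handling
    damage and imperfect re-positioning of the scanner."""
    rng = random.Random(noise_seed)
    return [surface[start + i] + rng.gauss(0.0, noise) for i in range(n)]

def fingerprint(trace):
    """Digitise fluctuations from the mean intensity into ones and zeros."""
    mean = sum(trace) / len(trace)
    return [1 if v > mean else 0 for v in trace]

def cross_correlation(fp_a, fp_b, max_shift=8):
    """Normalised digital cross-correlation of two bit fingerprints over
    positional shifts -max_shift..max_shift. Bits map to +/-1, so each
    agreeing position scores +1 and each disagreeing one -1. Returns
    (peak height in [-1, 1], shift at which the peak occurs)."""
    sa = [2 * b - 1 for b in fp_a]
    sb = [2 * b - 1 for b in fp_b]
    best, best_shift = -1.0, 0
    for s in range(-max_shift, max_shift + 1):
        pairs = [(sa[i], sb[i + s]) for i in range(len(sa)) if 0 <= i + s < len(sb)]
        score = sum(x * y for x, y in pairs) / len(pairs)
        if score > best:
            best, best_shift = score, s
    return best, best_shift

def same_object(fp_a, fp_b, threshold=0.5):
    """Match decision: a strong peak (>= threshold, assumed value) near
    zero shift means the same surface; a flat correlation means two
    independent objects."""
    peak, shift = cross_correlation(fp_a, fp_b)
    return peak >= threshold, peak, shift

if __name__ == "__main__":
    sheet, other = surface_profile(seed=1), surface_profile(seed=2)
    enrolled = fingerprint(scan(sheet))                               # stored at issue
    later = fingerprint(scan(sheet, start=3, noise=0.5, noise_seed=9))  # re-scan
    print(same_object(enrolled, later))                     # True, peak at shift -3
    print(same_object(enrolled, fingerprint(scan(other))))  # False, no peak
```

The re-scan of the same sheet matches despite noise because the correlation peak is found at the shift that realigns the two scans, while the other sheet's fingerprint correlates with nothing at any shift.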

Authors of the paper are James D. R. Buchanan, Russell P. Cowburn, Ana-Vanessa Jausovec, Dorothée Petit, Peter Seem, and Gang Xiong of Blackett Physics Laboratory at Imperial College London; Del Atkinson and Kate Fenton of Durham University Physics Department; and Dan A. Allwood and Matthew T. Bryan of the Department of Engineering Materials at University of Sheffield.

Thanks to Steve Grimaud for bringing this to my attention.