Key Piece of The Identity Puzzle

John Fontana, who writes expert pieces about identity for Network World, just posted this piece, called “Microsoft Sets Key Piece of Identity Puzzle“.   

Microsoft Wednesday released a beta of its most important tool to date for helping developers build applications that can plug into the company's Identity Metasystem and provide what amounts to a re-usable identity service for securing network resources.

Code-named Zermatt, the tools are a new extension to the .Net Framework 3.5 that helps developers more easily build applications that incorporate a claims-based identity model for authentication/authorization. Claims are a set of statements that identify a user and provide specific information such as title or purchasing authority…

John goes on to quote Stuart Kwan:

“The model is that when a user arrives at the applications, they bring claims that they fetched from an STS ahead of time,” says Stuart Kwan, director of program management for identity and access for Microsoft. “Zermatt is one part of building apps that can more easily plug into your environment. You use Zermatt so [applications] can use the STS in your environment.”

In fact, a network would have multiple STS nodes. Those nodes will eventually include Active Directory, which will have an STS built into the directory's Federation Services in the next version slated to ship sometime after 2008.

Microsoft will use the new Federation Services capabilities, Zermatt and STS technology to build toward its ultimate goal of an “identity bus.” The nirvana of the idea is that off-the-shelf applications could plug into the bus in order to authenticate users and provide access control.

In my view, as enterpise applications and desktop suites start to integrate with the identity metasystem,  it will become obvious that businesses can build “business logic” into STS's and suddenly get a huge payoff by controlling access, identity and personalization in all their off-the shelf and enterprise-specific applications.  This is going to be huge for developers, who will be able both to simplify and deliver value.

But back to John and Stuart:

Kwan says Zermatt also can be used to build an STS that would run on top of custom built stores of user data.  He says Zermatt could be used to build applications that accept information from CardSpace, the user-centric identity system in Vista and XP.

The final release of Zermatt is expected by year-end.

It is the first time Microsoft has so directly written its sizeable development army into its Identity Metasystem, plan, which was outlined first in 2005 and defines a distributed identity architecture for multi-vendor platforms.

Read the full story here.

What identity providers will sites support?

Paul Madsen digs deeper into the factors that will influence the choices of Internet service providers as they move towards user-centric identity.

“Often times, in trying to be clever and sarcastic, I dive too deep into the ‘satire pool’. The urge to be witty and contrarian surpasses the urge to be clear. Consequently, the ‘point’ I am trying to make can, on occasion, be buried underneath surface frivolity and snideness.
“As happened with my recent post on HealthVault‘s chosen model for OP acceptance.

“With that post, I have confused Kim, and for that I here apologize.

“I was responding to a post of Simon Willison, in which he defended HealthVault's right to choose OPs selectively – and not be compelled to accept any ol’ OP coming in off the street presenting an identity claim.

“My post might have given some the impression that I disagreed with Simon. For instance, I wrote

‘I disagree’

“Admittedly, this set a tone.

“But the rest of the post was meant to point out that, while I do think the user has the right to pressure RPs like HealthVault to accept assertions from particular OPs – the appropriate mechanism for this pressure, as for many other interactions between customers and service providers (e.g. buying an OS), is through market forces. If enough users choose an OP because it is secure and privacy-respecting, or because it offers 2-factor authentication, or because it has a snazzy flash UI, the RPs will find it (if they are interested in serving their customer base).

“When the RPs do find these candidate OPs (or IDPs, the issue is of course not unique to OpenID) they will themselves do their own checking and assessment before they start accepting assertions. And of course, each RP has to ask the question ‘Is this OP appropriate for the resources I protect/manage?’. If the resources are neither privacy sensitive nor valuable, the list of OPs that are appropriate will be longer than for medical or financial information.

“HealthVault (actually probably some other audit & risk management group in Microsoft) performed this assessment and, at least initially, came up with 2 OPs that they felt were right for them. More power to ‘em. Partner selection is tough and fraught with risk – they are right to be careful.

“I smile (more a smirk really) when I hear some in the user-centric world place the sole right and responsibility of choosing an OP on the user's shoulders. User's can't even remember their passwords, and you want them to assess the security infrastructure of an OP?

Surgeon: So, are we ready for your operation tomorrow?
Patient: Hi Doc, yes. But I was just reading about this new surgical instrument for the procedure. I really want you to try it out on me.
Surgeon: Hmmm, I don't know much about it …
Patient: Oh, you'll work it out as you go

“So yes Kim, I agree. Resources, and gall bladders, do have rights. “

Now it becomes clear why his original piece was called Pressure. Meanwhile, everyone should know that the last thing I would ever want to do is cast a chill over Paul's satire pool. What a refreshing oasis it is!  (No pun intended.)

Wide coverage of the Information Card Foundation

There has been a lot of coverage of the newly formed Information Card Foundation (ICF) in the last couple of days, including stories by mainstreet publications like the New York Times.  This article by Richard Thurston from SC Magazine gives you a good idea of how accurately some quite technical concepts were interpreted and conveyed by our colleagues in the press.

Google and Microsoft are among an extensive set of technology vendors aiming to spur the adoption of digital identity cards.

The two internet giants have helped form the Information Card Foundation (ICF), which aims to develop technologies to secure digital identities on the internet and which was launched today.

Digital identity cards are the online equivalent of a physical identity card, such as a driver's license. The idea is that internet users will have a virtual wallet containing an array of digital identity cards, and they can choose what information is stored on each card. The aim is to replace usernames and passwords in an effort to improve security.

Alongside Google and Microsoft, large suppliers such as Novell, Oracle, PayPal and financial information company Equifax, have joined the ICF, as well as 18 smaller suppliers and industry associations.

“Our shared goal is to deliver a ubiquitous, interoperable, privacy-respecting federated identity layer as a means to seamless, secure online transactions over network infrastructure,” said Brett McDowell, executive director of Liberty Alliance, one of the founding members.

The idea of digital identities is far from new. But so far vendors’ efforts have been fragmented and largely not interoperable.

The ICF is proposing a system based on three parties: the user, the identity provider (such as a bank or credit card issuer) and also what it calls a reliant party (which could be a university network, financial website or e-commerce website, for example).

The ICF argues that, because all three parties must be synced in real-time for the transaction to proceed, it should be more secure.

“Rather than logging into websites with usernames and passwords, information cards let people ‘click-in’ using a secure digital identity that carries only the specific information needed to enable a transaction,” said Charles Andres, executive director of the ICF. “Businesses will enjoy lower fraud rates, higher affinity with customers, lower risk and more timely information about their customers and business partners.”

The ICF now wants to expand its membership to include businesses, such as retailers and financial institutions, as well as government organizations.

It also wants to become a working group of Identity Commons, a community-driven organization which promotes the creation of an open identity layer for the internet.

You can find thousands of similar links to the Foundation here and here.  Amazing.

HealthVault moves forward with OpenID

Via Mike Jones, here's a blog post on identity issues by Sean Nolan, chief architect of Microsoft’s HealthVault service:     

My plan had been to blog about this when the feature goes live later in the week. But there's been some online discussion already, and I'm sitting here at the horse show in waiting mode anyway, so it seems like now is as good a time as any to join the conversation.

The deal is — as of our next release in the next few days, users will have a new way to identify themselves to HealthVault. In addition to Windows Live ID, they will be given the option of using OpenID accounts from Verisign or TrustBearer.

As we've always said, HealthVault is about consumer control — empowering individuals with tools that let them choose how to share and safeguard their personal health information. OpenID support is a natural fit for this approach, because it allows users to choose the “locksmith” that they are most comfortable with.

You can certainly expect to see more such options in the future. For example, we are in the process of building in native support for Information Cards, which provide some unique advantages, in particular around foiling phishing attempts.

But why just two providers? When we were making our plans here, Chris on our partner team asked me, “Isn't this more like sort-of-OpenID?” The same question has come up online as well.*** Really, there's a very simple answer here. OpenID is a new and maturing technology, and HealthVault is frankly the most sensitive relying party in the OpenID ecosystem. It just makes sense for us to take our first steps carefully.

Both TrustBearer and Verisign have taken their obligations very seriously with their OpenID implementations. Beyond basic must-have safeguards like SSL, each offers a variety of second-factor options that provide a step up over traditional passwords — through the use of physical tokens or, in Verisign's case, the ability to associate an Information Card with an OpenID. This isn't meant to imply that there aren't other great providers out there — there are. This is just a start.

As we learn more, and as OpenID continues to mature, we fully expect to broaden the set of providers that work with HealthVault. We believe that a critical part of that expansion is the formalization and adoption of PAPE, which gives relying parties a richer set of tools to determine if they are comfortable with the policies of an identity provider.

This is exciting stuff — in a geeky way perhaps, but anything that begins to put strong identity technology in the hands of real users is a good thing, not just for those users, but for HealthVault and the Internet overall. Woo hoo!

*** BTW, I am clearly all about being cool and buzzword-compliant! :)

It's great to see an architect like Sean, who lives in Internet time and has a thousand other things on his mind, paying so much personal attention to identity issues.  He's showing leadership through his commitment to phishing resistant solutions (like OpenID's PAPE and Information Cards).  And he clearly embraces giving people choice. 

The privacy requirements of the information he is protecting mean he HAS to do everything possible to protect peoples’ privacy.  It makes complete sense to move incrementally.  I hope the other OpenID providers who have clearly demonstrated their committment to strong security see the wisdom in this approach.  He's opening doors.  And this is the beginning of a process, not the end. 

Federation: the promise of potentially transforming our business

Ping's Andre Durand has announced an award that not only says good things about his company, but is a crystal clear indication of the importance federated identity technology will inevitably acquire as people adopt it: 

“A few days ago Morgan Stanley awarded Ping their CTO Summit Innovation Award. Ping was the sole recipient of this years award, which recognizes those which hold the  promise of potentially transforming Morgan Stanley’s business. VMware won the award in 2005 — we really like that comparison! Who knew virtualization was going to be as big as it is today 3 or 4 years ago?
   
“Every year Morgan Stanley receives around 200 applications from companies to present at their CTO Summit.  They internally vote and select 36 to present. Of these, only four ever get as far as contracts and of those, only one receives this award.  We presented Ping Identity and our product, PingFederate back in 2006 (is the ulterior motive obvious enough?).  As hoped, earlier this year Morgan Stanley became a customer, using our technology to secure and integrate their employees’ use of on-demand applications such as Salesforce.com among other things.
 
“It’s great to finally see identity federation receive the recognition it deserves for enabling companies to secure their virtual borders. It’s going to be a good year!”

Ping's success doesn't surprise me given the high standards it sets itself.  And we all expect Morgan Stanley's CTO to be forward-thinking and “on the money”, so to speak. 

But still, this is a remarkable bellwether in so clearly recognizing the transformative nature of identity.  Congratulations are due both to Ping and to Jonathan Saxe, Managing Director, Global Chief Information Officer of Morgan Stanley.   

More on distributed query

Dave Kearns responded to my post on the Identity Bus with Getting More Violent All the Time (note to the Rating Board: he's talking about violent agreement… which is really rough):

What Kim fails to note… is that a well designed virtual directory (see Radiant Logic's offering, for example) will allow you to do a SQL query to the virtual tables! You get the best of both: up to date data (today's new hires and purchases included) with the speed of an SQL join. And all without having to replicate or synchronize the data. I'm happy, the application is happy – and Kim should be happy too. We are in violent agreement about what the process should look like at the 40,000 foot level and only disagree about the size and shape of the paths – or, more likely, whether they should be concrete or asphalt.

Neil Macehiter answers by making an important distinction that I didn't emphasize enough:

But the issue is not with the language you use to perform the query: it's where the data is located. If you have data in separate physical databases then it's necessary to pull the data from the separate sources and join them locally. So, in Kim's example, if you have 5000 employees and have sold 10000 computers then you need to pull down the 15000 records over the network and perform the join locally (unless you have an incredibly smart distributed query optimiser which works across heterogeneous data stores). This is going to be more expensive than if the computer order and employee data are colocated.

Clayton Donley, who is the Senior Director of Development for Oracle Identity Management, understands exactly what I'm trying to get at and puts it well in this piece:

Dave Kearns has followed up on Kim Cameron's posting from Friday.

  1. Kim says that sometimes you need to copy data in order to join it with other data
  2. Dave says the same thing, except indicates that you wouldn't copy the data but just use “certain virtual directory functionality”

Actually, in #2, that functionality would likely be persistent cache, which if you look under the covers is exactly the same as a meta-directory in that it will copy data locally. In fact, the data may even be stored (again!) in a relational database (SQLServer in the Radiant Logic example he provides).

Let's use laser focus and only look at Kim's example of joining purchase orders with user identity.

Let's face it. Most applications aren't designed to go to one database when you're dealing solely with transactional data and another database when you're dealing with a combination of transactional data and identities.

If we model this through the virtual directory and indicate that every time an application joins purchase orders and identities that it does so (even via SQL instead of LDAP) through the virtual directory, you've now said the following:

  1. You're okay with re-modelling all of these data relationships in a virtual directory — even those representing purchase order information.
  2. You're okay with moving a lot of identity AND transactional information into a virtual directory's local database.
  3. You're okay with making this environment scalable and available for those applications.

Unfortunately, this doesn't really hold up. There are a lot more issues, but even after just these first three (or even the first one) you begin to realize that while virtual directory makes sense for identity, it may not make sense as the ONLY way to get identity. I think the same thing goes for an identity hub that ONLY thinks in terms of virtualization.

The real solution here is a combination of virtualization with more standardized publish/subscribe for delivery of changes. This gets us away from this ad-hoc change discovery that makes meta-directories miserable, while ensuring that the data gets where it needs to go for transactions within an application.

I discourage people from thinking that metadirectory implies “ad-hoc change discovery”.  That's a defect of various metadirectory implementations, not a characteristic of the technology or architecture.  As soon as applications understand they are PART OF a wider distributed fabric, they could propagate changes using a publication pattern that retains the closed-loop verification of self-converging metadirectory.  

Virtual Corporate Business Cards

Martin Kuppinger is one of the key analysts behind the amazing European Identity Conference just held in Munich.  This was “User Centric Meets Enterprise Identity Management” with a twist: our European colleagues have many things to contribute to the discussion about how they fit together…

For a taste of what I'm talking about, here is a posting that I found dazzling.  There are no weeds encumbering Martin's thinking.  He's got the story:  Virtual Corporate Business Cards.   

Yes, I know – it is a little redundant talking about “corporate” and “business” in the context of virtual cards. But it is one of the most obvious, interesting and feasible business cases around Identity 2.0.

What do I mean by that term? My idea is about applying the ideas of Identity 2.0 and especially of InfoCard to the business. Provide every employee with an InfoCard or even some of them and you are better suited to solve many of today’s open issues.

How to issue these cards

I have this in mind for a pretty long time. I remember that I had asked Don Schmidt from Microsoft about the interface between Active Directory and CardSpace some time before EIC 2007. Active Directory might be one source of these cards. Just provide an interface between AD and an Identity Provider for InfoCards and you are able to issue and manage these cards based on information which still exits in the Active Directory. For sure, any other corporate directory or meta directory might work as well.

Today these technical interfaces are still missing, at least in an easy-to-use implementations. But it won’t take that long until we will see them. Thus, it is time to start thinking about the use cases.

How to use these cards

There are at least three types of cards I have in mind:

  • Virtual business cards: They are used when someone represents his company. How do you ensure today that every employee provides current and correct information when he registers with other web sites? How do you ensure that he acts in the web like you expect him to do? How do you ensure that he enters the correct title or the correct information about the size of your business when registering? InfoCards are the counterpart to your paper-based business cards today, but they can contain more information. And there might be different ones for different purposes.
  • Virtual corporate cards: They are used for B2B transactions and interactions. Add information like business roles to the cards and you can provide all these claims or assertions which are required for B2B business. These cards can be an important element in Federation, providing current information on the role of an employee or other data required. For sure there can be as well several cards, depending on the details which are required for interaction with different types of business partners.
  • Virtual employee cards: They are used internally, for example to identify users in business processes. Again, there might be a lot of information on them, like current business roles. You might use them as well to improve internal order processes, identifying the users who request new PCs, paper, or what ever else.

With these three types I might even have to extend the name for the cards, I assume. But I will stick with the term I have in the title of this post. The interesting aspect is the flexibility which (managed) InfoCards provide and the ability to manage them in context with a leading directory you have.

Due to the fact that you are the Identity Provider when applying these concepts you can ensure that no one uses these cards after leaving the company. You can ensure as well that the data is always up-to-date. That’s by far easier than with some of today’s equivalents for these future type of cards.

I will blog these days about two other ideas I have in mind in this context: The way the concept of claims Microsoft’s Kim Cameron is evangelizing will affect end-to-end security in business processes and SOA applications in general and the idea of using InfoCards for all these personalization and profiling ideas which have been discussed many years ago. I’m convinced that Identity 2.0 concepts like InfoCards and claims are a key element to solve these threats and bring these things to live.

There is a lot of business value in these concepts. And they will affect the way businesses cooperate, because they are much easier to implement and use than many other approaches.

I'm with you 100% Martin.  That's the most concise and comprehensible description of enterprise Information Cards that I've seen.  

B.C. to test virtual digital ID card

Here's a story by the Canadian Broadcasting Corporation (CBC) on the British Columbia government's IDM project.  Dick Hardt of sxip played the key and even charismatic role in developing a catalytic relationship between industry and government.

British Columbia will test a virtual ID “card” that enables citizens to connect with the government's online services more safely and easily, a top technology official said.

The government plans to begin tests on an “information card” early in the new year, said Ian Bailey, director of application architecture for the province's Office of the Chief Information Officer.

The cards are in the early stages, and “there's going to be some challenges,” Bailey said.

An information card is not a card at all: it's more like a document delivered to users’ computers which they can then use to access government websites.

It's meant to replace the current method of access, which involves logging on to a site with a name and password, and has a digital signature that can't be changed or reproduced, Bailey said.

“It will give us better privacy protection for individuals,” he said.

Among other attributes, Bailey said using an information card means:

  • The government won't know which sites the user visits.
  • The user is in control of shared information.
  • The cards won't have to reveal users’ birthdates or addresses, or a student's school. Instead, it could simply confirm the user is over 19, a B.C. resident or a student.

He compared using the card to using a driver's licence for identification since, in both cases, the government does not know what the citizen is doing. Continue reading B.C. to test virtual digital ID card

Zend PHP Information Cards

Dr. Dobb's Journal is dear to my heart.  My wife Adele Freedman, an architecture critic, always used to point to the copies I left lying around and tell our friends, “Check it out.  It's amazing to watch him read it.  No two words fit together.”

But to me it was like candy.  So it was exciting to read the following article today on Dobb's Portal:

Microsoft and Zend Technologies have announced a collaboration to enable support for information cards by PHP developers through a component built for Zend Framework. Using this as a stand-alone component or as part of the Framework, PHP developers will be able to specify a Web site's security policy and accept information cards from trusted third parties.

“Microsoft and Zend are making a commitment to deliver information card support to PHP developers, which will reduce development costs and help make the Web safer and more secure for people,” said Vijay Rajagopalan, principal architect for Platform & Interoperability Strategy at Microsoft.

The cooperative work on information cards extends Microsoft's previous interoperability efforts in this area. Microsoft, in collaboration with Fraunhofer Institute FOKUS and ThoughtWorks, has developed open source interoperability projects on information cards for systems based on Java and Ruby.

“Web sites developed on ASP.NET can already accept information cards,” Rajagopalan explained. “With this work, a Java-based Web site, for example, built on the Sun Java System Web Server, Apache Tomcat or IBM WebSphere Application Server can now accept a digital information card for security-enhanced identity. A Web site built on Ruby on Rails can accept an information card. There is also an open source information card library project implemented in C, developed by Ping Identity Corp.”

Information about Microsoft open source interoperability identity card projects can be found at:

When support for information cards within the Zend Framework (an open source PHP application framework for developing Web applications and Web services) is enabled, users who access PHP-enabled Web sites will receive consistent user control of their digital identities and improved confidence in the authentication process for remote applications, all with greater security than password-based Web logins offer. Zend Technologies’ implementation of information cards lets users provide their digital identities in a familiar, security-enhanced way. They are analogous to business cards, credit cards or membership cards that people use every day.

I guess everyone familiar with this blog knows I've developed a deep affection for PHP myself, so I'm very happy to see this.

What if we fail?

As innovators we need to think about what happens if our systems fail.  I've argued, for example, that the starting point for designing a secure system is to recognize it will be breached.

So I took Ben Laurie's recent piece on CardSpace as an invitation to review one more time what can go wrong with Information Cards and CardSpace. 

For those who don't know him, Ben has been a leading innovator in terms of open source SSL, and currently works at Google.  In his piece he writes that OpenID isn't gaining much traction.  Then he turns to CardSpace, which he says “appears to be supported only by Microsoft products.”

A number of people gagged on this, including Dale Olds of Novell (who none the less retained his unflappable charm).  Dale had just released his new DigitalMe product providing Information Card support for Mac and Linux.  In fact, at Digital ID World, the open source Bandit Project had launched a “Control Your Identity” campaign to promote awareness and use of information card technology. Hmmm.  I wonder if Linux is a Microsoft product? 
Continue reading What if we fail?