THE SECURITY ZONE

Aldo replied to my last post as follows:

… I think its true that as Kim says, “people will avoid those interfaces”.

Equally if not more important in my opinion is ensuring that metasystem “participants” (implementers) have access to and enjoy sufficient legal assurances (licensing terms to intellectual property necessary to implement a given UI “look and feel”) to enable them to implement as many “standard/recommended” UI elements as possible.

(Sidebar) For those who haven't seen an InfoCard demo, one impressive aspect of how it works is that when an “ID transaction” is initiated the system visually and technically goes in to a type of “security zone”. To be dramatic envision the lights dimming and the sound of cold steel rolling followed by the clang and reverb of metal meeting metal as the doors close around you. I should stress that in this scenario, unlike the movies those doors are closing to provide a security cordon in service for end-users to keep the thieves at bay not to capture them in act. The point I'm getting at is, that because the end-user is entering a separate “zone” it really shouldn't matter if the end-user entered it through Windows, Linux, Sun or the Apple OS as long as their entry is valid. In my opinion much of the “look and feel” of that “zone” shouldn't be a proprietary branding opportunity but should provide a “standard/recommended” visual message to end-users that they've entered the “security zone”. Naturally an end-user will interact with all kinds of proprietary intellectual property once within that “zone” (Visa, Ebay, WalMart logos etc) but the “scaffolding” of that space should ideally be as common a UI as possible. (End Sidebar)

Encouraging “standard/recommended” UI implementations is in the interest of all market participants Microsoft, Novell, IBM included. It seems axiomatic that widespread adoption of the metasystem (accelerated through ease of use implied by UI standardization) will as the saying goes “lift all boats”. Granted some boats are bigger than others and perhaps they'll enjoy the ride more (larger market share) than the small boats but that's competition. But aren't those “bigger boats” currently exposing themselves to more risk in the short-term to see that the tide can rise.

Concluding:

I don't doubt that Kim and the InfoCard folks will work with Paul and the Higgins folks. Furthermore as I've stated on this blog and to other's involved in this field in-person I don't think Microsoft, Kim or anyone else working on InfoCards has something up their sleeve. In other words it's pretty obvious why Microsoft would like to see a Linux or other major OS implementation of InfoCard (see previous paragraph and if only to forestall the “Passport” PR issue). Imagine Kim's challenge in encouraging proactive investment in a Linux implementation of InfoCard from within Microsoft. Frankly I think there's a chance that might happen if a third party doesn't appear reasonably soon to do so. Consider for a moment, the investment Microsoft has already made in InfoCard, the potential upside of a widely adopted Metasystem and the downside risk that it's viewed as another Passport.

So to end this already long post, what I'm advocating is that Microsoft (like it or not the onus is on you all at the moment) should make every effort to make it as clear as possible the specific licensing terms under which third parties can implement the various aspects of InfoCard. Naturally I'm particularly focused on the UI elements aspects but the same holds true for other aspects of InfoCard. As far as I know the licensing terms for implementation of the UI “layer” are not yet publicly available (someone please correct me if I'm wrong).

Perhaps they will be soon?

Given the increasing attention that InfoCard and Digital Identity has received lately it seems the time for publication of those licenses is drawing near.

*My reference to “Channeling Kim Cameron” in the title to this post is a reference to this quote, also from Kim's post cited above. “it was almost like reading a part of my own mind.” Just for the record, I have not ever knowingly been nor do I hope to occupy “the mind of Kim” :-D

I've always been clear that Microsoft's work on the identity metasystem has one goal and one goal only: to create an identity layer for the internet that will launch the next era of computing. This era will be one of great new software, services and physical products, as privacy and identity come to underlie our increasingly interconnected social and virtual environments. Out of this will come tremendous opportunities for all. These opportunities dwarf anything else on the horizon.

This is the identity vision. My colleagues inside Microsoft get it in full technicolor. The identity metasystem must be ubiquitous for this technological liberation to come about. Our approach to licensing derives from that analysis. We will make our identity metasystem intellectual property freely available in furthering this set of goals. We are encouraging others to use our breakthroughs around both protocols and visual interfaces and paradigms as a jumping off point for their implementations. Licensing of this IP is the normal “RANDZ” – reasonable and non-discriminatory zero royalty.

By the way, I don't expect all the Identity Selectors (I actually love the concept of ‘Security Zones’) to be identical – just similar enough that when you see one you know how to use it. It's a bit like designing a car. The interiors are not identical, but when you sit down you know how to drive. If we can get to that point, a safe internet is completely possible.

USING INFOCARDS IN WORDPRESS

The hard part about adding infocards to WordPress is getting the token handling done.  This is explained in detail with sample code here

In addition I've made a few mods to WordPress to integrate the token handling.  I'll be publishing those soon – just need to figure out which files have been changed and where, if you know what I mean…

[Note – the PamelaWare and other code bases now far supercede this initial sketch as production code… – Kim]

USING RAW PUBLIC KEYS IN PHP

Now here we are going to write some stuff and it is going to be about the what it is like supporting PHP.

// this function makes up for the fact that openssl doesn't
// currently support direct use of modulus and exponent except
// when PEM encoded in publicKeyInfo or Certificate ASN.1 
// So, believe it or not, I convert it into a publicKeyInfo ASN
// structure and then turn it into PEM - then it works fine.

function kimssl_pkey_get_public ($modulus, $exponent)
{
    // decode to binary
    $modulus = base64_decode($modulus);
    $exponent = base64_decode($exponent);

    // make an ASN publicKeyInfo
    $exponentEncoding = makeAsnSegment(0x02, $exponent);    
    $modulusEncoding = makeAsnSegment(0x02, $modulus);    
    $sequenceEncoding = makeAsnSegment(0x30, 
        $modulusEncoding.$exponentEncoding);
    $bitstringEncoding = makeAsnSegment(0x03, $sequenceEncoding);
    $rsaAlgorithmIdentifier = pack("H*", "300D06092A864886F70D0101010500"); 
    $publicKeyInfo = makeAsnSegment (0x30, 
        $rsaAlgorithmIdentifier.$bitstringEncoding);

    // encode the publicKeyInfo in base64 and add PEM brackets
    $publicKeyInfoBase64 = base64_encode($publicKeyInfo);    
    $encoding = "-----BEGIN PUBLIC KEY-----\n";
    $offset = 0;
    while ($segment=substr($publicKeyInfoBase64, $offset, 64)){
       $encoding = $encoding.$segment."\n";
       $offset += 64;
    }
    $encoding = $encoding."-----END PUBLIC KEY-----\n";

    // use the PEM version of the key to get a key handle
    $publicKey = openssl_pkey_get_public ($encoding);

    return ($publicKey);
}

// this helper function is necessary because PHP's openssl
// currently requires that the public key be in PEM format
// This does the ASN.1 type and length encoding

function makeAsnSegment($type, $string)
{
    // fix up integers and bitstrings
    switch ($type){
        case 0x02:
            if (ord($string) > 0x7f)
                $string = chr(0).$string;
            break;
        case 0x03:
            $string = chr(0).$string;
            break;
    }

    $length = strlen($string);

    if ($length < 128){
       $output = sprintf("%c%c%s", $type, $length, $string);
    }
    else if ($length < 0x0100){
       $output = sprintf("%c%c%c%s", $type, 0x81, $length, $string);
    }
    else if ($length < 0x010000) {
       $output = sprintf("%c%c%c%c%s", $type, 0x82, $length/0x0100, $length%0x0100, $string);
    }
    else {
        $output = NULL;
    }

    return($output);
}

Truth is stranger than fiction.

SPECTER OF THE SEVENTH LAW

One of the people who has thought most deeply about the Laws of Identity is Aldo F. Castaneda. He studies Law and Business Administration at Suffolk University Law School. His blog is the home of his legal thesis, which grapples with intellectual property issues in the emerging digital identity space. He is also doing what must be the definitive series of interviews with people working on identity, called The Story of Digital Identity. He's currently up to Episode 16 (!), an interview with Identity Woman and Marc Canter.

This recent posting shocked me a bit because it was almost like reading a part of my own mind. It shows what happens when you share the same theoretical precepts.

The story of digital identity yesterday was without question the launch of the Higgins project. There's been some debate in the blogosphere and elsewhere about the tone adopted by various journalists in presenting that story. While I agree that some of the articles about the Higgins launch stressed (at least in headlines and opening paragraphs) the competitive aspects of Higgins and InfoCard I thought that most stories (presuming a complete reading) were reasonably balanced and presented the “interoperability” aspects of Higgins and InfoCard.

In my opinion the best analysis so far was written by Eric Norlin* located here. What makes Eric's take particuarly insightful is that Eric looks through the marketing spin to see that IBM and Novell see InfoCard from an enterprise market perspective as an Active Directory “enabler”. Thus Higgins simultaneously keeps Microsoft honest by providing an “open” platform AND give IBM and Novell a means to offer enterprise customers an Active Directory alternative. So the point isn't that IBM and Novell are supporting Higgins to compete with InfoCard head-on or to offer their own “Metasystem” rather they're doing so to ensure an alternative to Microsoft's Active Directory “juggernaut” (As Eric terms it).

Another aspect of the story that's interesting to me is that IBM and Novell seem to be adhering to the Law of Pluralism of Operators and Technologies (Law #5 of Kim's Laws of Identity). In other words their actions based on quotes from yesterdays stories are consistent with the concept of interoperability (simply put the concept of a Metasystem).

But what remains an open question for me is, what happens to the Law of Human Integration and the Law of Consistent Experience Across Contexts? Will IBM and Novell be satisfied so long as customers access their digital identity data (from the Higgins framework) but via Microsoft's InfoCard UI? Will the Higgins project implement the InfoCard UI so that users can access Higgins via an InfoCard look-alike regardless of underlying platform (Linux, Windows, Apple…etc) choice?

I think these questions are important because I remain convinced that the UI is where we should all be focusing some attention to better understand that long-term strategic implications of “user centric identity” systems (See Law #1 The Law of User Control and Consent). While Microsoft is presumably offering much of the InfoCard UI to implementers on RANDZ terms (reasonably and non-discretionary terms @ Zero Royalty…has anyone read MSFT's actual licensing terms…are they available publically?) it will be interesting to see if Higgins and other's are so assured by Microsoft's licensing terms that they're willing to implement the InfoCard UI in their offerings. Doing so would arguably make it easier (more consistent end-user experience at minimum) for end-users to interact with their digital identity data across the various computing devices and environments that they use.

Frankly I think we'll see a separate UI from Higgins and others. And while that won't mean that the concept of the Metasystem will fail I believe it will tend to reduce ease-of-use and therefore diminish the extent of wide spread adoption. In more simple terms, if we end up with say 20 different identity systems that all interoperate but which all have seperate UIs will that be a truly “universal identity fabric”. I doubt end-users will think so.

*The guys (Eric Norlin and Phil Becker) have been helping The Story of Digital Identity podcast by posting new episodes to DigitalIdWorld.com. As always I thank them for their support and appreciate the additional exposure they've offered our budding little project. But note their support is not why I believe Eric's piece was the most insightful. See my reasoning above.

I have to admit that in my darker moments I have shared Aldo's concern about the seventh law. But I suspect that if interfaces complicate the user experience or introduce enough ambiguity that identity 2.0 becomes as unsafe as identity 1.0, people will avoid those interfaces. This means there are a set of strong objective forces working towards convergence of our interfaces in accord with the Seventh Law.

Our colleagues at Higgins are very smart people, as capable of seizing these dynamics as I am. So although I don't know, in detail, what people at Higgins are planning to do, I predict it will be very synergistic with my work. I am really excited to see an identity selector being written for non-windows platforms. And from my discussions with Paul, I expect that a lot of his work will be on enabling new scenarios and adding a lot of value.

TALKING ABOUT “RIPPLES”

Here is the latest from Eric Norlin, Editor of Digital ID World and industry veteran:

The big (as in could not miss it) news yesterday was the launch of the Higgins project — an open source instantiation of the WS-Trust framework within the Eclipse foundation. Several tech news articles got the take *way* wrong – pitching it as open source vs. microsoft story. In reality, that's not what it is at all.

In brief, the Higgins project (which is apparently named for some “long-tailed” tasmanian mouse, and NOT the guy from “Magnum P.I.” — and, really, wouldn't it be much more interesting if it was named after the guy from Magnum P.I.?) means the following:

1. This is, net-net, a *win* for Kim Cameron's Identity Metasystem. In the past few weeks, Kim has had Verisign announce support, and now an open source project building out a WS-Trust framework for application developers. So, make no mistake about it, Higgins equals more momentum for the Metasystem.

2. However, the move by IBM and Novell *appears* to be a move designed to pressure Microsoft and ensure that their instantiation of the metasystem (InfoCards) remains “open.”

3. That move is being done in response to one very big (and obvious) realization: InfoCards is going to ship in Vista (probably early) and it is going to be a game-changer in the user-centric identity space.

4. But more importantly, it may *also* be a game changer in the enterprise space, as well. There is a tremendous amount of enterprise interest in using InfoCards as a central metaphor for enterprise identity management.

5. So think about this for a second: InfoCards on a huge number of desktops, enterprises upgrading to Vista for its security features (like BitLocker), and InfoCards needs to have an identity credential issued. Where might that be issued from? Active Directory. It is no mistake that (as John Fontana observed), Active Directory is now the hub off of which all of Microsoft's enterprise identity management offerings hang.

6. ergo InfoCards will drive even more adoption of what is quickly becoming the Active Directory juggernaut.

7. Therefore, if I'm a company selling products that are competitive to Active Directory (say, like, for instance IBM or Novell), and I believe that the identity metasystem has gained enough critical mass, then it is absolutely in my best interest to push forward an open source project for the metasystem. Not doing so is to hand over my market to Active Directory.

8. Higgins is good for the community at large (the more Identity Metasystem things we get going the better), and necessary for the vendors involved.

Stay tuned, Phil will have much more to say about this in his newsletter this week.

I have no idea what peoples’ motivations might be. It all reminds me of the moments when my kids (who are now out of beta) have told me all about their friends” motivations and the knots they are experiencing in their relationships with them. When they have asked for advice, the one thing I've told them is to forget about thinking they understand peoples’ motivations, and just act so they have the best possible relationship at each moment in time… Maybe I'm hopelessly naive.

This said, I think (and here I join the speculation movement) there might be truth in the premise that once InfoCard started to gain steam, Microsoft's Active Directory support might have helped spur others to get into the middle of the game. And this is a good thing.

On the other hand, I know and work with all the players and they are people with whom I share a very deep common identity vision. They, like me, have to convince their colleagues to do some fairly counter-intuitive things to get this identity vision realized. So maybe, in this sense, the prospect of Active Directory support is something which actually helps them in their drive to explain all the dynamics in play.

Perhaps the most important thing I can say is that neither IBM nor Novell, nor Sun or anyone else, is really my competitor in this space. The competition comes from the vast patchwork of one-off and ad-hoc identity contraptions that the whole industry has been forced to build because the architecture of the Internet is missing the identity layer, leaving our virtual world in grave danger. So far, the one-off contraptions have about 99% of the market. So there's lots of space for all of us who want to change all that.

HIGGINS ON HIGGINS AND INFOCARD

This is little Higgins. Does he look like something that would pick fight with InfoCard? I don't think so. Anyone who knows what we're trying to do here at SocialPhysics and especially in the Identity Gang knows that we're striving for a common language and understanding in an area whose depth and complexity humbles the mighty. Many of us building technology are influenced by how this conversation evolves, where the common ground is, and where we can build interoperability ‘bridges’. The implications for society are real. The last thing we want here is more division. This blog post is an attempt to put out the flames that have arisen from recent press coverage about Higgins, IBM and Novell:

Is Higgins competitive with InfoCard?

No. InfoCard is the code name for a Windows WinFX component that provides a user interface and related services that allow that Windows system to interoperate with service providers and identity providers using the WS-Trust and related protocols. Higgins, on the other hand, is a software framework that relies on service adapters that connect to external systems using that system's native protocols or APIs. [If you're familiar with the framework/provider design pattern, what I just called service adapters are Higgins providers.] We expect that in the next few months a WS-* service will be created for Higgins. Higgins when configured with this service and running on Linux, MacOS, etc. will fully interoperate with InfoCard running on Windows.

How is Higgins related to Microsoft?

We are all indebted to Kim for his important work on the seven laws of identity, for his sincerity and tolerance in reaching across traditional divides and ‘doing the right thing’ to make the web a safer place to live. Inspired by Kim, the Higgins mouse has mended his ways, is now completely law-abiding, and brushes his teeth twice a day. We also are grateful for the support Microsoft has given to the SocialPhysics project (of which Higgins is a part) through the Berkman Center.

NEW PARADIGMS ALL AROUND US

Here's an article by Joris Evers, a Staff Writer at CNET News.com. Joris has done a great job covering the industry and has certainly paid his dues.

IBM and Novell on Monday are expected to announce an open-source response to Microsoft's forthcoming InfoCard identity management technology.

The companies plan to contribute to an open-source initiative code-named Higgins Project. The project aims to help people manage their plethora of Internet logins and passwords by integrating identity, profile and relationship information used across authentication systems on the Net.

The initiative also includes the Berkman Center for Internet & Society at Harvard Law School and Parity Communications, a company developing “social commerce” software that has been operating in stealth mode.

The open-source project, managed by the Eclipse Foundation, is a response to Microsoft's InfoCard identity management technology, Anthony Nadalin, distinguished engineer and chief security architect at IBM, said in an interview.

“This is a move to help get identity management out in the open source. InfoCard is one user-centric identity system…but the implementation Microsoft has is not what I would call open,” he said. “There are a lot of hidden elements.” One example, he said, is how it interacts with Active Directory, Microsoft's identity management technology for businesses.

Microsoft has described InfoCard as a technology that gives people a single place to manage authentication and payment information, in the same way a wallet holds multiple credit cards. An InfoCard client on a PC will connect with Web sites that need information for authentication or transactions.

Yet, the Higgins Project is more than a rival to InfoCard, Nadalin said. “We are not here to create another identity system; we are here to aggregate the existing systems,” he said. “We have invited Microsoft to participate…and we will continue to work with Microsoft to integrate with InfoCard. We think that has to happen.”

The Higgins Project will complement InfoCard in providing client software for operating systems other than Windows, Nadalin said. Also, it will make existing identity management products, such as IBM's Tivoli software, work with InfoCard, he said. IBM is expected to support Higgins in its products sometime next year.

“Microsoft would be left out in the cold without Higgins; it allows Microsoft to participate in non-Windows environments,” Nadalin said “Customers want choice. They end up voting with their pocket book. They don't want to be locked in.”

The Higgins Project looks to be a step forward in solving the problem surrounding online identities, said Kim Cameron, identity architect at Microsoft. “From what I've seen, this is a very positive development,” he said. “I think we are really going to see the identity big bang–a whole wave of social and identity-aware applications that are suddenly becoming possible.”

But while Nadalin may have his mind set on where the Higgins Project is headed, nothing is set in stone, said Burton Group analyst Mike Neuenschwander. “It is open source; it is hard to tell exactly where it will head,” he said.

There are other efforts to integrate identity information. But with IBM and Novell, the Higgins Project has attracted big-name support, Neuenschwander said.

“Everybody wants to be that central hub that integrates everybody else's stuff,” he said. “Higgins is significant in that IBM and Novell have stepped up to say they are going to develop their client software under that project.”

Neuenschwander doesn't expect to see anything tangible come out of the Higgins Project until at least the end of the year. “Then we can see with greater certainty where they are headed,” he said. “Microsoft has made it much further down the road with InfoCard.”

Microsoft plans to deliver InfoCard by the end of this year as part of Windows Vista, the next version of its flagship operating system. InfoCard will also be available for Windows XP, Microsoft has said.

Now, all is fair in love and software, and everyone who advances identity is a friend of mine. Nor do I expect people to bow down and say, “InfoCards are great and good and we will obsequiously follow in Microsoft's footsteps.” People need to differentiate themselves.

None-the-less I did contact Anthony to ask about the notion that “the implementation Microsoft has is not what I would call open.” I wanted to know what he saw as “hidden elements.” To my knowledge there is nothing hidden whatsoever, as the implementors guide published on this site testifies.

His answer:

“What I said was that User centric perspective points out the need to make it simple and easy for users to manage. What is also needed is that the framework be able to allow users and institutions to choose any identity systems and be able to integrate and interoperate between them. e.g., they can choose from any of the identity information stores to be federated – be it IBM Directory Server, Novell eDirectory, SAP system, ActiveDirectory, collaborative spaces, OpenLDAP, etc.”

And I couldn't agree more. InfoCard is specifically designed to allow this. And Anthony knows this as well as I do. So what I suspect might have happened is that when he pointed out the need to integrate all the other systems, it likely appeared that he saw things as being more counterposed than was actually the case.

With the Identity Metasystem, the paradigm is shifting. The way we are building this thing, in the open and in the blogosphere and in a spirit of collaboration, is a big break with the past. It's hard to get your arms around it. It's hard to know how to “message it” when we talk to others. It's hard to write about without it sounding silly.

But hey – we are gaining momentum and we are going to get this puppy moving full speed ahead. Further, we are going to have a renaissance of the industry that will shock everyone as the big bang hits the world of applications.