Notes on Bill Gates’ Identity Keynote

Many of you know my colleague Mike Jones. He had enough wits about him to take notes on what actually transpired during the keynote earlier today. So I'll share them with you:

The flow of the identity part of the talk went something like this:

  • Slide: Evolution of Identity: Making the Vision Real (with picture of two cards in hands)
  • People are used to choosing what credential to use where for what purpose (talking about cards in our wallets)
  • We use a variety of physical tokens to represent these things
  • CardSpace creates a vehicle to allow people to have a GUI for credentials that represent their identities or personas in particular situations
  • Each thing in the physical world conveys a particular set of information and discloses just enough information
  • CardSpace provides a drag & drop interface for identity
  • People will have to acclimate to it
  • People can create their own credentials and others can give you credentials
  • The system reasons about what the right credential is for you to simplify things for users
  • WS-* hints about what credentials that are being looked for
  • CardSpace shows candidates for credentials

Then they segued to the OpenID collaboration announcement:

  • Issues of reputation and trust are foundational on the Internet
  • Different levels of trust are needed in different contexts, such as blogs and access to enterprise resources
  • People have been thinking about issues of trust
  • OpenID 2.0 is doing this in the blog / Web 2.0 world, others are coming at this from the enterprise space
  • We see these approaches as being complementary
  • “Today we are announcing that we are supporting OpenID 2.0 and that they’re extending what they’ve done to enable the use of strong credentials”
  • They're doing this because they see that it solves problems and attacks that a pure password approach has
  • We're excited about this marriage of CardSpace and Web 2.0
  • This will help eliminate the possibility of man-in-the-middle attacks
  • CardSpace is built on our work on the WS-* specifications
  • OpenID will be endorsing the CardSpace marriage later today
  • We see this as a very smooth continuum with a common GUI metaphor

Numerous enthusiastic comments followed in Mikes rendition…

OpenID Editor David Recordon

Here's what Editor David Recordon has to say:

So with the recent OpenID news, I have to say that I'm quite excited! Convergence isn't new for OpenID, rather continues to show how it is a great technology to innovate around. This isn't about one technology swallowing another, it is about true cooperation, collaboration, and ultimately convergence.At the first Internet Identity Workshop in 2005, Brad Fitzpatrick, Johannes Ernst, and I collaborated with the XRI guys and jointly developed Yadis. Suffice it to say, the technology developed by the community in Yadis is so powerful that it is now being built into the standard XRI Resolution spec at OASIS. Over this last summer there was further convergence with the XRI community, now allowing the OpenID Authentication 2.0 spec to support both URLs and XRIs as identifier formats. In August Sxip joined forces, which has caused the OpenID technology to continue to improve and has built the community to be even stronger.

Now today, we get to announce that Microsoft too has decided to collaborate with the OpenID community. I've known Kim Cameron and Mike Jones for about two years now and despite anything you may say about Microsoft, these guys continue to push for the best and engage the wider user-centric identity community in a very positive light. I'm personally really excited to be working with them, and others, in further developing the Assertion Quality Extension so that OpenID can be used within a wider range of products (including those from Microsoft). So welcome Kim and Mike, I hope to see you on the mailing lists shortly!

Johannes sends “marriage” greetings

Here's more support from another legendary member of the OpenID community, Johannes Ernst of Netmesh.  He's the inventor of LID, and one of the strongest champions for the “URL-based” identity used in OpenID.  He brought ideas his together with Brad Fitzpatrick's quite a while ago now, creating one of the first synergy-lurches for the community.

I should also point out that Johannes has also been one of the first, and most tireless, advocates of the synergy between OpenID and Information Cards.  He has given many cycles to OSIS, the group that has co-ordinated open source work around identity selectors and information card technology.  The beautiful thing here is that convergence with CardSpace MEANS convergence with Information Cards in general, including the Higgins project and work by many others in the community.  I've been concentrating on CardSpace for obvious reasons, but to me it is very important that this goes far beyond CardSpace into another whole community.

Wow! After two years of hard work, we are finally getting real convergence in identity land! Today, Bill Gates is announcing has announced in his keynote at the RSA conference that Microsoft will support OpenID. Here are some posts covering the news:

At NetMesh, we've held for a long time that URL-based identity (OpenID, with its roots LID, i-names and Sxip), and other technologies such as CardSpace have to come together so we can really get to an interoperable, multi-vendor, user-centric identity layer for the open internet. That's why we helped put together OSIS, and lots of activities of that nature.

Now even Bill Gates supports the same vision! Yippie!! (apologies for being too excited, but this is exciting!)

Just pointed out to my wife — who wrote the first line of code, ever, about three years ago, implementing URL-based identity — that in some way, she should now be famous!

So, congratulations Tammy!

Feature – not a bug!

As he says, Brad Fitzpatrick “made” the orginal OpenID to solve problems he was facing at Six Apart.  Of course it grew over time, if anyone's opinion counts, it's his.  And here it is:

So Bill Gates just announced earlier this morning (while I was sleeping in / recovering) that Microsoft is supporting OpenID.

When I made OpenID, I intentionally left the method of authentication undefined. (feature, not a bug!)

Now people ask me what I think about Microsoft supporting it, using their InfoCards as the method of authentication…. I think it's great! So far I've seen Kerberos integration for OpenID, voiceprint biometric auth (call a number and read some words), Jabber JID-Ping auth, etc…. all have different trade-offs between convenience and security. But as more people have CardSpace on their machines, users should get both convenience and security. (sorry, I'm not totally up on all the details… just seen demos….)

Anyway, I and others at Six Apart are thrilled to see Microsoft supporting OpenID. Kudos!

Thanks Brad.  For us, its clear that OpenID is a really great technology for doing public identities – the simplicity is stunning.  I really like your work.  OpenID is clearly an important part of the identity metasystem.  We really hope to see the synergy keep expanding.

 

Scott Kveton on CardSpace and OpenID

Many of the people adding OpenID support to their blogs and services are using JanRain's libraries.  Scott, the company's CEO, addresses the worry some members of his community may have about a big, powerful company getting involved with the bottoms-up technology they have worked on so hard.  I actually have  a lot of sympathy for this concern, and for peoples’ feelings about the technology they have developed.  If we were coming to “take over”, it would really be bad news for everyone.  But Scott Kveton, Dick Hardt, Michael Graves and myself aren't the kind of people who would let this happen.

What I really like about Scott's comments is the way he focusses, without any bias, on what is good about the component technologies and their synergy.  This is what real engineering is about, in my humble opinion.  It's one of the things that will really drive us towards the Identity Big Bang.  And the whole world will benefit.

OpenID has always been about convergence. When Brad, David and Johannes talked about how OpenID and Yadis could work together over a year ago. When the XRI folks brought their amazing people and technology to be integrated into OpenID 2.0 last Spring. This past Summer when Sxip Identity joined the OpenID party by joining in on developing the specification and offering up their attribute exchange specification to the OpenID community. And now today, we have a commitment from Microsoft to take part in the OpenID community as well as enable the technology for their future identity products.

There are a couple of points I’d like to make outside of the above announcement to hopefully address any concerns that the OpenID community might have:

  • JanRain will never require users of our libraries or services to use Windows CardSpace â„¢. We offer support for this technology as another option for users much like using our Safe SignIn and Personal Icon technologies on MyOpenID.com. We’ll also continue to support the OpenID efforts going on with Mozilla and Firefox.
  • Windows CardSpace â„¢ is shipping with Vista today and is a well thought-out technology that helps address many of the privacy and security concerns that people have had with OpenID. OpenID helps users describe their identity across many sites in a public fashion. The two together are very complimentary products and each has its strength.
  • Microsoft did not cave in to the OpenID community and the OpenID community is giving nothing up to Microsoft. This is a collaboration on bringing the best technology to the marketplace as quickly as possible to help secure users and solve the single sign-on solution once and for all.
  • Please reserve judgment on what this all means until you see it all work together. The technology is really quite simple and the ramifications for end-users is huge. It also goes a very long way to completely addressing the phishing concerns we’ve heard so much about.

Dick Hardt on CardSpace and OpenID

Here is Dick Hardt, CEO of SXIP, explaining our joint announcement on OpenID and CardSpace to people in the community who may worry that Starship Microsoft is about to land on OpenID and squish it. 

This morning Microsoft announced they would support OpenID in future identity server products. Although this is a huge endorsement for OpenID, there will likely be many people that are fearful of what Microsoft’s involvement may do to OpenID.

At ActiveState I worked with Microsoft to bring Perl and Python technology to the Windows platform. This was a win for Perl and Python programmers that wanted to use their tools on the Windows platform. It was also a win for the community at large, as a fair amount of the threading and Unicode support that is in Perl today was funded by Microsoft. Just as I bridged the Microsoft and Open Source worlds back in the 90s,

I look forward to bridging the Microsoft and OpenID worlds today. The team at Microsoft get what we are doing in OpenID, and want to enable their technology to take advantage of the reach of OpenID, as well as enable the OpenID community to take advantage of CardSpace technology. This looks like a win-win for everybody.

Dick's previous Perl work really is a good example of what came about when we “defactionalized” our industry and got momentum going.  The “identity gang” phenomenon has been a good example of the same thing since day one, and this concrete announcement takes things in an even more positive direction.

Let me say something about potential squishing. It just won't happen.  One of the best things about OpenID is its organic quality, and the last thing we want to do is interfere with that.  

My big ask was to add a way to request credentials based on phishing-resistant authentication.  The main idea was to ensure the system is built to handle the dangers that would come with its own success.  As it is more widely adopted, and used for more purposes, OpenID credentials will inevitably become a “honeypot”.  But through the collaboration going on here, and other similar initiatives, we can make sure we'll have the means in place to protect our users even before they are in danger. This in turn is key to preventing a loss of confidence in identity systems and the internet in general.

In the early 1980’s, James Martin said, “Every successful system will attract usage to the point that it becomes unsuccessful”.  He was referring to systems that gobbled up mainframe resources by attracting users until they became bogged down and unusable, but over the years I've thought of his maxim in many contexts.  I think one outcome of today's announcement will be to provide an exception, and that's worth celebrating.

 

CardSpace / OpenID Collaboration Announcement

As an outcome of the discussions that have been taking place here in the Blogosphere – and in-person meetings – it is exciting to convey the following joint announcement by JanRain, SXIP Identity, VeriSign and Microsoft:

JanRain, Microsoft, Sxip, and VeriSign will collaborate on interoperability between OpenID and Windows CardSpaceâ„¢ to make the Internet safer and easier to use. Specifically:

  • As part of OpenID’s security architecture, OpenID will be extended to allow relying parties to explicitly request and be informed of the use of phishing-resistant credentials.
  • Microsoft recognizes the growth of the OpenID community and believes OpenID plays a significant role in the Internet identity infrastructure.  Kim Cameron, Chief Architect of Identity at Microsoft, will work with the OpenID community on authentication and anti-phishing.
  • JanRain, Sxip, and VeriSign recognize that Information Cards provide significant anti-phishing, privacy, and convenience benefits to users.  Information Cards, based on the open WS-Trust standard, are available though Windows CardSpaceâ„¢.
  • JanRain and Sxip, leading providers of open source code libraries for blogging and web sites, are announcing they will add support for the Information Cards to their OpenID code bases.
  • JanRain, Sxip and VeriSign plan to add Information Card support to future identity solutions.
  • Microsoft plans to support OpenID in future Identity server products
  • The four companies have agreed to work together on a “Using Information Cards with OpenID” profile that will make it possible for other developers and service providers to take advantage of these technology advancements.

Dick Hardt, Sxip Identity
Kim Cameron, Microsoft
Michael Graves, VeriSign
Scott Kveton, JanRain
 

 

Scott Kveton on InfoCard / OpenID convergence

Here's a post by Scott Kveton, CEO of JanRain, that sums up a meeting we had during the week.  JanRain is one of the driving forces behind OpenID, and produces the libraries that a lot of people are integrating into their websites and blogs.  JanRain also operates MyOpenId, an identity service that works with OpenID software.

You want to know about the JanRain World Headquarters?  Energy radiates from everywhere.  Beside our conference table was a very impressive can of Bad Idea Repellant, which seems to have done its job.

For what it's worth, I really liked these people.  They are real engineers.  They are committed to getting an identity layer in place. 

I explained my concerns about the current OpenID proposal and  phishing, and they not only ACKed; they had ideas about how to move quickly to change things.  

Against this background it was clear how CardSpace could be one important way of strengthening their system and integrating it with others.  Meanwhile, I conveyed my enthusiasm for the great simplicity of their proposal. 

We talked about public (omnidirectional) and private (unidirectional) identifiers and we all agreed that both were necessary in different contexts.  We talked about how OpenID managed Cards could provide CardSpace with strong new capabilities around public personas for web services.

Then the conversation got pretty technical, and I showed a profile of WS-Trust that didn't involve use of a SOAP stack or anything complicated.  But over to Scott:

Mike Jones and Kim Cameron from Microsoft came in for a visit today to the JanRain World Headquarters (if you’ve ever visited here, you’d understand why that’s funny).

The JanRain engineers were interested in learning more about CardSpace. We’ve heard about it, seen Kim talk and even read his proposal on a way to integrate OpenID and CardSpace. However, we didn’t know enough about the technology to comment on it either way. Also, we wanted to hear more than just marketing hype and hand waving; we wanted some code. Kim and Mike did not disappoint … :-)

CardSpace is an identity meta-system that you use to manage InfoCards. InfoCards are like the cards in your wallet except these cards you present to sites that you want to visit to identify yourself with. I really believe that Mike and Kim have their hearts in the right place and the technology looks solid. It looks like Microsoft has learned a lot since their last foray into identity. I think OpenID and CardSpace could really compliment each other quite nicely as well as help address the phishing concerns that have become so prevalent.

The CardSpace InfoCard manager is an interface that comes up when the user is presented with a site that supports InfoCard login. Instead of giving the user a login form in the browser that might be phished, the user is presented with a dialog that allows them to deliver an InfoCard for the site they are trying to login to. This dialog is single-modal; you are locked out of doing anything else unless you complete the task at hand. This follows along with what Mike Beltzner shared on the OpenID general list and the difficulties in fighting phishing:

I can also sum things up for you even more succinctly:

– users are task oriented, driving to complete the goal the quickest way possible
– users pay more attention to the content area than the browser chrome
– users don’t understand how easy it is to spoof a website

Kim went through several code examples where we could see how it all worked. Forget SOAP, forget complicated. There is no hook back to the mothership with this technology. As a matter of fact, OpenID and CardSpace could work together quite easily.

CardSpace is really good at handling the issues around phishing and personal privacy. But what if I don’t want to be private about certain things? I like that I can identify myself as me to lots and lots of different sites and I don’t mind if people correlate that data. As a matter of fact, I like it. Wouldn’t it be nice to have an OpenID tied to my InfoCard then? One of the greatest reasons OpenID is succeeding is that its a destination. Its a unique place on the Internet where you can learn more about who I am. Coupled with microformats you start to see some interesting possibilities. CardSpace doesn’t do the public side very well and both Kim and Mike admitted this. This is an interesting possibility for OpenID IMHO. Not only that, it could be done without any changes to sites that already support OpenID. You’d get the benefits of OpenID’s strengths while leveraging the anti-phishing and privacy mojo that CardSpace has.

We already have some great technology for changing the chrome in Firefox and discussions are on-going with Mozilla about how we can integrate this further and have it truly baked in (hopefully they’ll look at Dmitry’s thoughts on this). We’ve got the CardSpace code that is now shipping on Vista and available for Windows XP. We’ve got lots of options for fighting phishing and protecting privacy with more on the way. All of these solutions play to each technologies strengths and actually just might be what we need to get to the identity holy land.

 

Ping will show OpenID / CardSpace integration

According to this post, Ashish Jain at Ping has a new prototype of how CardSpace / OpenID integration will work in their evolving product.  It seems to be a continuation of the work they've already done with SAML / CardSpace integration – only now, the OpenID protocol has been added to the metasystem mix.

Come to think of it, isn't Dick Hardt's Whobar pretty close to having this capability as well?  So I think a number of us have wanted to integrate this work for some time, but recently it has become more obvious what the advantages are.

Anyway, if you haven't read Ashish's piece:

Kim posted a pretty good description of how CardSpace and OpenID can interact. This has been talked about for a while and Kim did a great job of describing it.

CardSpace OpenID Integration

In short, I agree. In fact, if you want to see a demo of what Kim describes, please stop by Ping Identity’s booth next week at the RSA Conference and you will get to see exactly that. An OpenID IdP Server that uses CardSpace for runtime authentication.

It’s not done by any means. There are still some unresolved items. For instance, If the user already has a profile registered with the OP, at runtime should the server use the persisted attributes or the claims as provided by the card? And the support for multiple cards. But you will get the idea.

I still have a few questions though. AFAIK OpenID Authentication 2.0 considers authentication out of scope.. So….to prevent phishing and to build user’s confidence, I can use CardSpace. Or anything on the likes of PassMark’s mutual auth. To provide more confidence to the RP, I can use OTP, device finger printing, biometric, certificates, KBA whatever. However there doesn’t seem to be the SAML AuthnContext equivalent to convey this to the RP. Therefore RP has no way to determine the type of OP authentication or if the authentication ever happened.

Even if there is way to communicate the authentication type, there is no trust or relationship between the OP and the RP. So….RP (who as a service provider has everything to loose) has no reason to believe that the OP isn’t lying and may have to employ their own safety measures.

I’m still coming up the curve so I may be wrong, but something seems missing. I’ll keep looking.

Ashish makes an interesting point about conveying the authentication type in the protocol.  I certainly agree with him.

I also like his question about trust.  It's one others have asked and which I scratched my head about at first.  So I'll put in my two cents worth.

In all identity protocols, you have an authority that makes claims about a subject, and the relying party decides whether or not to believe them.  As computer nerds we have called that “trust”, though in real business environments it's usually more a matter of reducing risk to the point that, on balance, it's better to do a transaction than not to do it.

But what is “the trust” (risk analysis) based on?  Usually on business relationships.  For example, we trust a bank to make assertions of various sorts.  And we trust a partner or customer to make other assertions.  So the trust is rooted in our experience – in a relationship.

This is where OpenID does something different: the authority is simply the behavior of the internet, and the trust only pertains to an identifier (one could layer other capabilities on top of this).

Basic Tenets

  1. Every person has a URL to which they lay claim.
  2. Every URL has an identity provider that “speaks for” it.

When I go to a relying party I tell it which URL I claim.  Then it sends me to the identity provider that speaks for that URL to get a token saying I really control it.

I give that token to the relying party, which then contacts the identity provider to verify the token is valid (the actual protocol includes optimizations).

To believe the claim, the Relying Party (RP) needs to trust that the URL has not been tampered with (an evil party could alter it to say an evil identity provider speaks for it).  The RP also has to believe it really contacted the URL when finding out who spoke for it (I could have been misdirected through a DNS attack).  And it needs to believe it really contacted the identity provider when getting token validation (again trusting DNS).  The last two issues can be mitigated by using https, but that complicates it, and even then, the system has different characteristics than one based on cryptographic tokens.

All in all, the closest analogy is to using an email address as an identifier by asking what email address you own, sending you the email, and getting you to click a link showing you own the email.  In this case the relying party depends on the underlying mail system, DNS, and all that.  OpenID replaces email with web URLs.  So it's a lot more direct.

Proving control 

How does an identity service know you really control some URL?  Many approaches are possible.  Let me give the example of Yahoo's system (it's not OpenID but uses the same general idea). You log into their identity provider and it gives you a key (a couple of lines or random gook).  You must then paste the key into your html page and press a button back at Yahoo.  This causes their system to open your page and see if the key is there. If so, the service deems that you own the URL.  Having done this you can get rid of the key and the Yahoo identity provider is willing to “speak for” your control of the URL.  The whole process just takes five minutes.

 

Integrating OpenID and Infocard – Part 1

Let's start by taking a step-by-step look at the basic OpenID protocol to see how the phishing attack works.  (Click on the diagrams to see them on a more readable scale.)

The system consists of three parties – the relying party (or RP) which wants an ID in order to provide services to the user;  the user – running a browser;  and the Identity Provider (OpenID affectionados call it an OP – presumably because the phrase Open Identity Identity Provider smacks of the Department of Redundancy Department.   None the less I'll stick with the term IP since I want to discuss this in a broader context).

OpenID can employ a few possible messages and patterns, but I'll just deal with the one which is of concern to me.  An interaction starts with the user telling the RP what her URL is (1).  The RP consults the URL content to determine where the user's IP is located (not shown).  Then it redirects the user to her IP to pick up an authentication token, as shown in (2) and (3).  To do the authentication, the IP has to be sure that it's the user who is making the request.  So it presents her with an authentication screen, typically asking for a username and password in (4).  If they are entered correctly, the IP mints a token to send to the RP as shown in (5) and (6).  If the IP and RP already know each other, this is the end of the authentication part of the protocol.  If not, the back channel is used as well.

The attack works as shown in the next diagram.  The user unwittingly goes to an evil site (through conventional phishing or even by following a search engine).  The user sends the evil RP her URL (1) and it consults the URL's content to determine the location of her IP (not shown).  But instead of redirecting the user to the legitimate IP, it redirects her to the Evil Scooper site as shown in (2) an (3).  The Evil Scooper contacts the legitimate IP and pulls down an exact replica of its login experience (it can even simply become a “man in the middle”) as shown in (4).  Convinced she is talking to her IP, the user posts her credentials (username and password) which can now be used by the Evil Scooper to get tokens from the legitimate IP.  These tokens can then be used to gain access to any legitimate RP (not shown – too gory).

The problem here is that redirection to the home site is under the control of the evil party, and the user gives that party enough information to sink her.  Further, the whole process can be fully automated.

We can eliminate this attack if the user employs Cardspace (or some other identity selector) to log in to the Identity Provider.  One way to do this is through use of a self-issued card.  Let's look at what this does to the attacker.

Everything looks the same until step (4), where the user would normally enter her username and password.  With self-issued cards, username and password aren't used and can't be revealed no matter how much the user is tricked.  There is nothing to steal.  The central “honeypot credentials” cannot be pried out of the user. The system employs public key cryptography and generates different keys for every site the user visits.  So an Evil Scooper can scoop as much as it wants but nothing of value will be revealed to it.

I'll point out that this is a lot stronger as a solution than just configuring a web browser to know the IP's address.  I won't go into the many potential attacks on the web browser, although I wish people would start thinking about those, too.  What I am saying is the solution I am proposing benefits from cryptogrphy, and that is a good thing, not a bad thing. 

There are other advantages as well.  Not the least of these is that the user comes to see authentication as being a consistent experience whether going to an OpenID identity provider or to an identity provider using some other technology. 

So is this just like saying, “you can fix OpenID if you replace it with Cardspace”?  Absolutely not.  In this proposal, the relying parties continue to use OpenID in its current form, so we have a very nice lightweight solution.  Meanwhile Cardspace is used at the identity provider to keep credentials from being stolen.  So the best aspects of OpenID are retained.

How hard would it be for OpenID producers to go in this direction? 

Trivial.  OpenID software providers would just have to hook support for self-issued cards into their “OP” authentication.  More and more software is coming out that will make this easy, and if anyone has trouble just let me know.

Clearly not everyone will use Infocards on day one.  But if OpenID embraces the  alternative I am proposing, people who want to use selectors will have the option to protect themselves.  It will give those of us really concerned about phishing and security the opportunity to work with people so they can understand the benefits of Information Cards – especially when they want, as they inevitably will, to start protecting things of greater value.

So my ask is simple.  Build Infocard compatibility into OpenID identity providers.  This would help promote Infocards on the one hand, and result in enhanced safety for OpenID on the other.  How can that be anything other than a WIN/WIN?  I know there are already a number of people in the milieux who want to do this.

I think it would really help and is eminently doable.

This said, I have another proposal as well.  I'll get to it over then next few days.