Identity bus and administrative domain

Metadirectories (directories of directories) provide the glue for stitching up administrative continents so digital objects can be managed and co-ordinated within them.

Posted on Saturday 5 April 2008

Novell’s Dale Olds, who will be on Dave Kearns’ panel at the upcoming European Identity Conference, has added the “identity bus” to the metadirectory / virtual directory mashup. He says in part:

Meta directories synchronize the identity data from multiple sources via push or pull protocols, configuration files, etc. They are useful for synchronizing, reconciling, and cleaning data from multiple applications, particularly systems that have their own identity store or do not use a common access mechanism to get their identity data. Many of those applications will not change, so synchronizing with a metadirectory works well.

Virtual directories are useful to pull identity data through the hub from various sources dynamically when an application requests it. This is needed in highly connected environments with dynamic data, and where the application uses a protocol which can be connected to the virtual directory service. I am also well aware that virtual directory fans will want to point out that the authoritative data source is not the service itself, but my point here is that, if the owners shut down the central service, applications can’t access the data. It’s still a political hub.

Personally, I think all this meta and virtual stuff is a useful addition to THE key identity hub technology — directory services. When it comes to good old-fashioned, solid scalable, secure directory services, I even have a personal favorite. But I digress.

The key point here as I see it is ‘hub’ vs. ‘bus’ — a central hub service vs. passing identity data between services along the bus.

The meta/virtual/directory administration and configuration is the limiting problem. In directory-speak, the meta/virtual/directory must support the union of all schema of all applications that use it. That means it’s not the mass of data, or speed of synchronization that’s the problem — it’s the political mass of control of the hub that becomes immovable as more and more applications rendezvous on it.

A hub is like the proverbial silo. In the case of meta/virtual/directories the problem goes beyond the inflexibility of large identity silos like Yahoo and Google — those silos support a limited set of very tightly coupled applications. In enterprise deployments, many more applications access the same meta/virtual/directory service. As those applications come and go, new versions are added, some departments are unwilling to move, the central service must support the union of all identity data types needed by all those applications over time. It’s not whether the service can technically achieve this feat, it’s more an issue of whether the application administrators are willing to wait for delays caused by the political bottleneck that the central service inevitably becomes.

Dale makes other related points that are well worth thinking about.  But let me zoom in on the relation between metadirectory and the identity bus.

As Dale points out in his piece, I think of the “bus” as being a “backplane” loosely connecting distributed services. The bus extends forever in all directions, since ultimately distributed computing doesn’t have a boundary.

In spite of this, the fabric of distributed services isn’t an undifferentiated slate.  Services and systems are grouped into continents by the people and organizations running and using them.  Let’s call these “administrative domains”.  Such domains may be defined at any scale - and often overlap.

The magic of the backplane or “bus”, as Stuart Kwan called it, is that we can pass identity claims across loosely coupled systems living in multiple discontinuous administrative domains. 

But let’s be clear.  The administrative domains still continue to exist, and we need to manage and rationalize them as much tomorrow as we did yesterday.

I see metadirectories (meaning directories of directories) as the glue for stitching up these administrative continents so digital objects can be managed and co-ordinated within them. 

That is the precondition for hoisting the layer of loosely coupled systems that exists above administrative domains.  And I don’t think it matters one bit whether a given digital object is accessed by a remote protocol, synchronization, or stapling a set of claims to a message - each has its place.

Complex and interesting issues.  And my main concern here is not terminology, but making sure the things we have learned about metadirectory (or whatever you want to call it) are properly integrated into the evolving distributed computing architecture.  A lot of us are going to be at the European Identity Conference in Munich later this month, so I look forward to the sessions and discussions that will take place there.

Kim Cameron @ 4:14 pm
Filed under: Claims and Digital Identity and Identity Metasystem and Metadirectory and Virtual Directory and anonymity
Through the looking glass

The thing we were calling a metadirectory was a logical directory, not a physical one.

Posted on Saturday 5 April 2008

You have to like the way, in his latest piece on metadirectory, Dave Kearns summons Lewis Carroll to chide me for using the word “metadirectory” to mean whatever I want:

“When I use a word,” Humpty Dumpty said, in rather a scornful tone, “it means just what I choose it to mean—neither more nor less.”
“The question is,” said Alice, “whether you can make words mean so many different things.”
“The question is,” said Humpty Dumpty, “which is to be master—that’s all.”

Dave continues:

Kim talks about a “second generation” metadirectory. Metadirectory 2.0 if you will. First time I’ve heard about it. First time anyone has heard about it, for that matter. There is no such animal. Every metadirectory on the market meets the definition which Kim provides as “first generation”.

It’s time to move on away from the huge silo that sucks up data, disk space, RAM and bandwidth and move on to a more lithe, agile, ubiquitous and pervasive identity layer. Organized as an identity hub which sees all of the authoritative sources and delivers, via the developer’s chosen protocol, the data the application needs when and where it’s needed.

It’s funny.  I remember sitting around in Craig Burton’s office in 1995 while he, Jamie Lewis and I tried to figure out what we should call the new kind of multi-centered logical directory that each of us had come to understand was needed for distributed computing. 

After a while, Craig threw out the word “metadirectory”. I was completely amazed. My colleagues and I had also come up with the word “metadirectory”, but we figured the name would be way too “intellectual” - even though the idea of a “directory of directories” was exactly right.

Craig just laughed the way he always does when you say something naive.  Anyone who knows Craig will be able to hear him saying, “Kim, we can call it whatever we want.  If we call it what it really is, how can that be wrong?”

So guess what?  The thing we were calling a metadirectory was a logical directory, not a physical one.  We figured that the output of one instance was the input to the next - there was no center.  The metadirectory would speak all protocols, support different technologies and schemas, support referral to specific application directories, and preserve the application-related characteristics of the constituent data stores.   I’ll come back to these ideas going forward because I think they are still super important.

My message to Dave is that I haven’t changed what I mean by metadirectory one iota since the term was first introduced in 1995.  I’ve always seen what is now called virtual directory as an aspect of metadirectory.  In fact, I shipped a product that included virtual directory in 1996.  It not only synchronized, but it did what we used to call “chaining” and “referral” in order to create composite views across multiple physical directories.  It did this not only at the server, but optionally on the client.

Of course, there were implementations of metadirectory that were “a bit more focussed”.  Customers put specific things at the top of their list of “must-haves”, and that is what everyone in the industry tried to build.

But though certain features predominated in the early days of metadirectory, that doesn’t mean that those features ARE metadirectory.   We still live in the age of the logical directory, and ALL the aspects of the metadirectory that address that fact will continue to be important.

[Read the rest of Dave's post here.]

Kim Cameron @ 1:19 pm
Filed under: Digital Identity and Identity Metasystem and Metadirectory and Virtual Directory
How to safely deliver information to auditors

This is not cryptographic rocket science.

Posted on Friday 4 April 2008

I just came across Ian Brown’s proposal for doing random audits while avoiding data breaches like Britain’s terrible HMRC Identity Chernobyl: 

It is clear from correspondence between the National Audit Office and Her Majesty’s Revenue & Customs over the lost files fiasco that this data should never have been requested, nor supplied.

NAO wanted to choose a random sample of child benefit recipients to audit. Understandably, it did not want HMRC to select that sample “randomly”. However, HMRC could have used an extremely simple bit-commitment protocol to give NAO a way to choose recipients themselves without revealing any of the data related to those not chosen:

  1. For each recipient, HMRC should have calculated a cryptographic hash of all of the recipient’s data and then given NAO a set of index numbers and this hash data.
  2. NAO could then select a sample of these records to audit. They would inform HMRC of the index values of the records in that sample.
  3. HMRC would finally supply only those records. NAO could verify the records had not been changed by comparing their hashes to those in the original data received from HMRC.

This is not cryptographic rocket science. Any competent computer science graduate could have designed this scheme and implemented it in about an hour using an open source cryptographic library like OpenSSL.

Ben Laurie notes that the redacted correspondence itself demonstrates a lack of basic security awareness. I hope those carrying out the security review of the ContactPoint database are better informed.
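The three-step exchange quoted above, worked through as an added Python example; this is not code from Ian Brown’s post or from any HMRC or NAO system, and the DataHolder/Auditor names and the sample records are constructed. It goes one step beyond the text by mixing a random per-record nonce into each hash (a bare hash of low-entropy fields such as names and postcodes could otherwise be confirmed by guessing, leaking data on recipients never selected) and shows that a record altered after the hashes were handed over fails verification.

```python
import hashlib
import hmac
import json
import random
import secrets

# Constructed, fictitious records standing in for the child benefit data.
SAMPLE_RECORDS = [
    {"name": "A. Example", "postcode": "ZZ1 1AA", "account": "00000001"},
    {"name": "B. Example", "postcode": "ZZ1 2BB", "account": "00000002"},
    {"name": "C. Example", "postcode": "ZZ1 3CC", "account": "00000003"},
    {"name": "D. Example", "postcode": "ZZ1 4DD", "account": "00000004"},
    {"name": "E. Example", "postcode": "ZZ1 5EE", "account": "00000005"},
]


def canonical_bytes(record):
    """Serialise a record deterministically so both parties hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def commitment(record, nonce):
    """SHA-256 over nonce || record. The nonce (an addition to the quoted scheme)
    keeps the commitment hiding: without it, low-entropy fields could be guessed
    and confirmed against the published hash."""
    return hashlib.sha256(nonce + canonical_bytes(record)).hexdigest()


class DataHolder:
    """The data owner's role (HMRC in the text): commits to every record, reveals few."""

    def __init__(self, records):
        self._records = [dict(r) for r in records]
        self._nonces = [secrets.token_bytes(32) for _ in self._records]

    def publish_commitments(self):
        # Step 1: hand over index numbers and hashes only; no record content leaves.
        return {i: commitment(r, n)
                for i, (r, n) in enumerate(zip(self._records, self._nonces))}

    def reveal(self, indices):
        # Step 3: supply exactly the requested records, each with its nonce.
        return {i: (dict(self._records[i]), self._nonces[i]) for i in indices}


class Auditor:
    """The auditor's role (NAO in the text): picks the sample, checks the openings."""

    def __init__(self, commitments):
        # Received before the sample is announced, so the holder is bound to them.
        self._commitments = dict(commitments)

    def choose_sample(self, size):
        # Step 2: the auditor draws its own random sample; the holder cannot steer it.
        rng = random.SystemRandom()
        return sorted(rng.sample(sorted(self._commitments), size))

    def verify(self, revealed):
        """Map index -> True when the opened record matches the earlier commitment."""
        results = {}
        for i, (record, nonce) in revealed.items():
            expected = self._commitments.get(i)
            if expected is None:
                results[i] = False  # an index the holder never committed to
                continue
            results[i] = hmac.compare_digest(expected, commitment(record, nonce))
        return results


def run_audit(records, sample_size, tamper_with=None):
    """Run the exchange end to end. If tamper_with names a revealed index, that record
    is altered after commitment to show substitution is caught. Returns (sample, results)."""
    holder = DataHolder(records)
    auditor = Auditor(holder.publish_commitments())
    sample = auditor.choose_sample(sample_size)
    revealed = holder.reveal(sample)
    if tamper_with is not None and tamper_with in revealed:
        record, nonce = revealed[tamper_with]
        record["account"] = "99999999"  # edit made after the hashes were published
        revealed[tamper_with] = (record, nonce)
    return sample, auditor.verify(revealed)


if __name__ == "__main__":
    print("honest run:", run_audit(SAMPLE_RECORDS, 2))
    print("tampered run:", run_audit(SAMPLE_RECORDS, len(SAMPLE_RECORDS), tamper_with=3))
```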

Kim Cameron @ 4:26 pm
Filed under: Claims and Digital Identity and Digital Rights and Privacy
Cross industry interop event at RSA 2008

An amazing array of vendors and organizations

Posted on Tuesday 1 April 2008

From Mike Jones at self-issued.info here’s the latest on the Information Card and OpenID interop testing coming up at RSA. The initiatives continue to pick up support from vendors, and visitors will get sneak peeks at what the many upcoming products will look like.

33 Companies…
24 Projects…
57 Participants working together to build an interoperable user-centric identity layer for the Internet!

Come join us!

Tuesday and Wednesday, April 8 and 9 at RSA 2008, Moscone Center, San Francisco, California
Location: Mezzanine Level Room 220
Interactive Working Sessions: Tuesday and Wednesday, 11am - 4pm
Demonstrations: Tuesday and Wednesday, 4pm - 6pm
Reception: Wednesday, 4pm - 6pm

OSIS Participants RSA 2008

Kim Cameron @ 4:30 pm
Filed under: Digital Identity and Identity Metasystem and Information Cards and OSIS and OpenID
Upcoming Internet Identity Workshop

May 12-14 in Mountain View

Posted on Monday 24 March 2008

Identity Woman Kaliya will be back to orchestrate the next identity unconference, one in a series that have played a key role in the evolution of OpenID and Information Cards.  If you are interested in identity, it’s a great place to meet a lot of people involved in the community.   

Check out the conference page at Internet Identity Workshop.  Here’s an overview:

The heart of the workshop is a practical idealism in working towards the shared vision of a decentralized, user-centric identity layer for the Internet.

Because the web was built around “pages”, no tools or standards were created to control how the information about you was collected or used. At the Internet Identity Workshop we bring the people creating these tools and standards so people can safely manage their online identity and control their personal data.

It is not about any one technology - rather it is a place to discuss multiple interoperating (and possibly competing) projects, standards, and networks for identity, data sharing, and reputation.

As part of Identity Commons, the Internet Identity Workshop creates opportunities for both innovators and competitors. We provide an open forum for both the big guys and the small fry to come together in a safe and balanced space.

There are a wide range of projects in the community:

  1. Open conceptual, community, and governance models.
  2. Open standards and protocols.
  3. Open source projects.
  4. Commercial projects.
  5. Projects to address social and legal implications of these technologies.
  6. Efforts to rethink the business models and opportunities available with these new technologies.

User-centric identity is the ability:

  • To use one’s identifier(s) on more than one site
  • To control who sees what information about you
  • To selectively share presence and profile information
  • To maintain multiple identities and personas in the contexts you wish
  • To aggregate attention, navigation, and purchase history from the sites and communities you frequent
  • To move and share your personal data, relationships, documents, and other publications as you wish

All of the following are active topic areas at each IIW:

  • Improving Existing Legal Constructs
    • Privacy Policies
    • Terms of Service
  • Creating New Legal Constructs
    • Limited Liability Personas
    • Identity Rights Agreements
  • Creating New Business Models
    • Identity Oracle
    • I-Brokers
  • New Citizenship Perspectives
    • Activism
    • Community Event Coordination
    • Community Identity and Data Sharing

The conference takes place in Mountain View, California on May 12 - 14.

Kim Cameron @ 11:11 pm
Filed under: Identity Metasystem and Information Cards and OpenID and User centric
Joined like heads and tails

We need a spectrum of synchronization and remote access capabilities

Posted on Monday 24 March 2008

Dave Kearns has expanded further on his view of distributed data, metadirectory and virtual directory.  It seems like some of our disagreement is a matter of terminology.  Dave grudgingly admits (poor Linus and his blanket!) that application developers should be permitted to use databases:

The application database (for those who cling to it like Linus and his blanket) now can serve two purposes - one to subscribe to virtual directory data and one to publish!

The question becomes whether we need more than publish / subscribe relationships between services.   I think we do.  It is this higher level (meta level) of service and information that I call metadirectory. 

Let’s make it clear that I see metadirectory as an evolving thing. 

  • First generation metadirectory dealt exclusively with managing applications that had been conceived without reference to each other - or to any common framework (in truth, this is still an issue - see Jeff Bohren’s recent posting called “Which is better, Phillips or Flat-head?”).
  • Second generation metadirectory has an additional focus:  providing the framework by which next-generation applications can become part of the distributed data infrastructure.  This includes publishing and subscription.  But that isn’t enough.  Other applications need ways to find it, name it, and so on. 

A real distributed information architecture requires services that join objects across contexts, arbitrate truth, advertise schema possibilities and provide the grid through which virtual directory queries can be dispatched.  

These services are what I call metadirectory - the framework for distributed storage. One may choose to call the queries in this framework “virtual directory”. But such “virtual directory” requires a “real” framework.

Dave suggests we read a piece called “The second wave:  Linking identities to contexts” by Michel Prompt (CEO of Radiant Logic).  It is good and I recommend it to everyone.  It raises many issues that are worth thinking about:

If for each application, we can find the unique identifier associated with a person, and we can speak the application-specific protocol (LDAP, RDBMS, API, Web services, etc.) then we can retrieve a specific identity profile associated with that person when we need it. Knowing an identifier and its associated protocol is sufficient to access a specific definition of an identity.

Common access alone, however, is not correlation. It will not tell us that UserId A is in fact EmployeeId 235, and that both underlying profiles are aspects of the identity of Person Y.

Some correlation mechanism thus needs to be deployed, based possibly on matching some common attributes for each profile. If no rules can be produced, then the matching must be done manually, a painstaking process but in many cases unavoidable for at least a subset of the identity data.

Michel has started to talk about the metadata needed to create a framework for distributed query. Some service needs to know that “UserId A is in fact EmployeeId 235”. That is clearly glue that creates a “directory of directories”. Michel might call it a “directory of contexts”, but I don’t think the difference is substantive.

A directory of directories: metadirectory

Michel continues:

By defining such a process we can create a “hub” where each person has a “global identifier” associated with the corresponding “local” source identifiers (e.g. UserId A, EmployeeId 235, etc.) If this virtual hub has the capability to write back to each source, we can use it to manage the account/identity life-cycle for each source. And when we need any specific aspect of an identity, we can retrieve it dynamically using the Identity Hub pointer.

Hmmm. Michel calls it a “hub”, not a metadirectory. But it is the same thing.

Since our Identity Hub is stripped down to the minimum information required, the amount of synchronization and data transformation (complex tasks by definition) is reduced to the strict minimum. Only the different (local) references for components of a given identity are stored or synchronized. When we need a specific aspect of identity, we can retrieve it dynamically using the Identity Hub pointer, and the common virtual access layer.

Hmmm.

If data transformation is a complex task, it is because there are different ways of representing data in the distributed system.  If that’s the case, the problem doesn’t go away with a virtual directory - it gets worse!  The application that calls into a first data source gets its representation, and if it then calls into a second data source, it gets a second representation.  The application is now on its own to figure out what is what.  Far from simplifying - in fact complex transforms need to be done in more locations.

A continuum

In terms of synchronization, the proposal made by Michel and Dave is good for some use cases but not right for others.  Again, we need to support a spectrum of choices. 

You don’t always want to synchronize a common identifier.  Especially when working with identity data that is in danger of breach and insider attack, it is a better strategy to use different identifiers in different systems, so knowledge of the “joining glue” is required in order to assemble information across contexts (for example, personal information and financial information). 

And sometimes, you want to synchronize more than just an identifier.  

Real examples

A conversation like this needs real examples.  In most enterprises, the Human Resources Database is the authoritative source for information on employees.  We want our email address books and mail stores and message transfer agents to be up to date with the latest HR information. 

According to the argument being made by Dave and Michel, all our address books and all our mail switches and mail boxes should be sending each query directly into the “authoritative” human resources database.

But everyone with any experience in the enterprise knows the people who run the HR databases WILL NOT go for this.  They don’t want all the technical systems of the enterprise hitting on their systems in real time with every possible query.

My point here is that it will be necessary to offload information from the HR system to other systems.  No one can look seriously at these issues without admitting that SOME synchronization is required (which admittedly should be real time).  On the other hand, we don’t want parallel unrelated architectures.

So we are led to the conclusion that we need a spectrum of synchronization and remote access capabilities. We should be able to use policy to define what information is stored where, and how to get to information that is not stored locally - e.g., combine metadirectory and virtual directory functionality.

Kim Cameron @ 10:25 pm
Filed under: Metadirectory and Virtual Directory
Attention application developers: Obey Dave Kearns!

Once you have identity data distributed across stores you either have chaos or you have metadirectory

Posted on Friday 21 March 2008

What is metadirectory?

Dave Kearns, knife freshly sharpened, responded to my recent post on metadirectory with the polemic, “Killing the Metadirectory“:

… My interpretation is that the metadirectory has finally given way to the virtual directory as the synchronization engine for identity data. Kim interprets it differently. He talks about the “Identity Bus” and says that “…you still need identity providers. Isn’t that what directories do? You still need to transform and arbitrate claims, and distribute metadata. Isn’t metadirectory the most advanced technology for that?” And I have to answer, “no.” The metadirectory is last century’s technology and its day is past.

The Virtual Directory, the “Directory as a Service” is the model for today and tomorrow. Data that is fresh, always available and available anywhere is what we need. The behemoth metadirectory with its huge datastore and intricate synchronization schedule (yet is never quite up to date) is just not the right model for the nimble, agile world of today’s service driven computing. But the “bus” Kim mentions could be a good analogy here - the metadirectory is a lumbering, diesel-spewing bus. The virtual directory? It’s a zippy little Prius… [Full article here]

Who would want to get in the way of Dave’s metaphors?  He’s on a streak.  But he’s making a fundamental mistake, taking an extreme position that is uncharacteristically naive.  I hope he’ll rethink it.

Applications drive infrastructure

Here’s the problem.  Infrastructure people cannot dictate how application developers should build their applications.  Applications - providing human and business value - drive infrastructure, not the other way around.  Infrastructure people who don’t get this are doomed. 

Dave’s neat little story about web service query needs to be put in the crucible of application development.  We need to get real.

Telling application developers how to live 

Real-time query across web services solves some identity problems very well.  In these cases, application developers will be happy to use them.  But it doesn’t solve all their identity needs, or even most of them.  When Dave Kearns starts to tell real live application developers they shouldn’t put identity information in their databases, they’ll tell him to take his zippy Prius and shove off. 

Application developers like to use databases and tables.  They have become expert at doing joins across tables and objects to produce quite magical results.  As people and things become truly first class objects in our applications, developers will want even more to include them in their databases. 

Think for a minute about the kinds of queries you need to do when you start building enterprise social networks. “Show me all the friends of friends who work in a class of projects similar to the ones I work in…” You need to do joins, eh? So it’s not just existing enterprise applications that have the need to support distributed storage - it’s the emerging ones too.

Even thinking for a moment just about Microsoft applications - SharePoint provides a good example  - the developers ran into the need to maintain local tables so they can get the kind of performance and complex query they need.  Virtual directory doesn’t help them one iota in solving this kind of problem.  Nor do web service queries.

Betting big time against the house 

I admire many aspects of Dave’s thinking about identity.  But I pity anyone who follows his really ideological argument that virtual directory solves everything and distributed storage just isn’t needed.  We need both.

He’s asking readers to bet against databases.  He’s asking them to bet against the programming model used by application developers.  He’s asking them to forget about performance.  He’s asking them to take all the use cases in the world and stuff them into his Prius - which is actually more like a hobby horse than a car.

Once you have identity data distributed across stores you either have chaos or you have metadirectory.  I’ll explore this more in upcoming posts.

Meanwhile, if anyone wants to bet against the future of databases and integration of identity information into them, drop me a note and I’ll set up a page to take your money.  And at the same time, I recommend that you start training for a second career.

This said, I’m as strong a believer in using web services to query for claims in real time as Dave is.  So on that we very much agree.

Kim Cameron @ 9:51 am
Filed under: Claims and Identity Metasystem and Metadirectory
Metadirectory and claims

Without getting overly philosophical, there is a big difference between being, metaphorically, a “dial tone” - and being “dead”.

Posted on Thursday 20 March 2008

My friend and long-time collaborator Jackson Shaw seems to have intrigued both Dave Kearns and Eric Norlin in an amusing (if wicked) post called “You won’t have me to kick around anymore”.

You won’t have me to kick around anymore!

No, not me. Hewlett-Packard.

I heard about a month ago that HP was going to bow out of the IDM business. I didn’t want to post anything because I felt it would compromise the person that told me. But, now that it has made the news:

Check out Burton Group’s blog entry on this very topic

Burton Group has been contacted by HP customers who report that HP is no longer going to seek new customers for its Identity Center product. We have contacted HP and the company confirms that HP Software has decided to focus its investment in identity management products exclusively on existing customers and not on pursuing additional customers or market share. HP is in the process of reaching out to each customer regarding the change.

Seriously - you thought HP was a contender in this space???!!! No, no, Nanette. Thanks for playing. Mission failure…

Let’s be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead. We talk about Identity 2.0 in the context of Web services and the evolution of digital identity but our infrastructure, enterprise identity “stuff” is decrepit and falling apart. I have visions of identity leprosy with this bit and that bit simply falling off because it was never built with Web services in mind…

There is going to be a big bang in this area. HP getting sucked into the black hole is just a step towards that…

As graphic as the notion of identity leprosy might be, it was the bit on metadirectory that prompted Dave Kearns to write,

That’s a quote from Quest’s Jackson Shaw. Formerly Microsoft’s Jackson Shaw. Formerly Zoomit’s Jackson Shaw. This is a guy who was deeply involved in metadirectory technology for more than a dozen years. I can only hope that Microsoft is listening.

Back at Jackson’s blog we find out that he was largely responding to a session he liked very much given by Neil MacDonald at a recent Gartner Conference.  It was called “Everything You Know About Identity Management Is Wrong.”  Observing that customers are dissatisfied with the cost of hand tailoring their identity and access management, Jackson says,

Neil also introduced the concept of “Identity as a service” to the audience. At the Directory Experts Conference, John Fontana wrote “Is Microsoft’s directory, identity management a service of the future?“   What I am stating is quite simple: I believe a big-bang around identity is coming and it will primarily be centered around web services. I hope the resultant bright star that evolves from this will simplify identity for both web and enterprise-based identity infrastructure.

Active Directory, other directories and metadirectory “engines” will hopefully become dial tone on the network and won’t be something that has to be managed - at least not to the level it has to be today.

Without getting overly philosophical, there is a big difference between being, metaphorically, a “dial tone” - and being “dead”. I buy Jackson’s argument about dial tone, but not about “dead”.

Web services allow solutions to be hooked together on an identity bus (I called it a backplane in the Laws of Identity).  Claims are the electrons that flow on that bus.  This is as important to information technology as the development of printed circuit boards and ICs were to electronics.  Basically, if we were still hand-wiring our electronic systems, personal computers would be the size of shopping centers and would cost billions of dollars.  An identity bus offers us the possibility to mix and match services in a dynamic way with potential efficiencies and innovations of the same magnitude.

In that sense, claims-based identity drastically changes the identity landscape.

But you still need identity providers.  Isn’t that what directories do?  You still need to transform and arbitrate claims, and distribute metadata.  Isn’t metadirectory the most advanced technology for that?  In fact, I think directory / metadirectory is integral to the claims based model.  From the beginning, directory allowed claims to be pulled.  Metadirectory allowed them to be pulled, pushed, synchronized, arbitrated and integrated.  The more we move toward claims, the more these capabilities will become important. 

The difference is that as we move towards a common, bus-based architecture, these capabilities can be simplified and automated.   That’s one of the most interesting current areas of innovation. 

Part of this process will involve moving directory onto web services protocols. As that happens, the ability to dispatch and assemble queries in a distributed fashion will become a base functionality of the system - that’s what web services are good at. So by definition, what we now call “virtual directory” will definitely be a base capability of emerging identity systems.

Kim Cameron @ 11:39 pm
Filed under: Claims and Digital Identity and Identity Metasystem and Laws of Identity and Metadirectory
A C# Code Library for building an Information Card STS

Dictator Dorrans is guiding “the rough beast, its hour come round at last…”

Posted on Friday 14 March 2008

Roll your own open source STS

I just heard about SharpSTS - a new open source project that allows you to implement a custom claims provider that will support Identity Selectors like CardSpace.  Better still, the code base has been posted.  Barry Dorrans, from idunno.org,  says:

Dominick and David beat me to the punch; last night I hit the “publish” button on codeplex for SharpSTS; a C# library to allow you to develop Information Card Security Token Services.

As with all open source projects there is still a bunch of work to do; as it stands we have a command line STS which should allow you to get started. Well; if you can work out from the source code what you need to do :)

Over the coming weeks and months I, as dictator, Dominick Baier and David Christiansen hope to deliver a stable, tested, code base from which you can deliver managed information cards to your users, as well as a test web site which will issue and accept managed cards.

In the meantime you can download the code, implement your own authorisation policy provider and get started. In the meantime we’re guiding the rough beast, its hour come round at least, slouching towards Redmond to be born (with apologies to Yeats).

Wow.  Not only an STS but Yeats too!

SharpSTS is a C# code library which enables easy development of a Security Token Service, the server component for managed Information Cards.

To begin developing with SharpSTS you will need Visual Studio 2008 Standard (or higher), an SSL certificate and a client system that supports Information Cards.

The source code is available from http://www.codeplex.com/sharpSTS and is licensed under the Microsoft Public License (MS-PL).

For those who are curious, the SharpSTS site includes a notice making it clear that “this web site, service and code are unaffiliated with Microsoft…”.

Kim Cameron @ 11:17 am
Filed under: Code and Identity Metasystem and Information Cards and Windows Cardspace
Microsoft says, “U-Prove it”

“This is a damn, exciting acquisition. It’s strategic and timely.”

Posted on Monday 10 March 2008

Ralf Bendrath chided me yesterday for bragging about having proven Bruce Schneier wrong in his concern that there is not a “viable business model” for the Credentica technology.  (In my defense, Bruce had said, “I’d like to be proven wrong,” and I was just trying to oblige him.)

Anyway, I think Joe Wilcox’s article in eWeek’s Microsoft Watch provides some unbiased analysis of the issue.

Sometimes, Microsoft really spends its money well, such as last week’s acquisition of U-Prove technology from Credentica.

This is a damn, exciting acquisition. It’s strategic and timely.

U-Prove is, simply put, a privacy/security protection mechanism. The technology works on a simple principle: Enable transactions by revealing as little information as possible.

Credentica’s Stefan Brands, Christian Paquin and Greg Thompson have joined Microsoft, where they will work as part of the Identity and Access Group. Microsoft also acquired associated U-Prove patents.

Brands is a well-regarded cryptographer and author of “Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy,” which explains the principles behind U-Prove. The book is available for free download, courtesy of MIT Press. He brings a somewhat radical approach to cryptography: Disclose or collect little—ideally no—private information during any transaction process. During most transactions, whether online or offline, too much personal information is exposed.

I vaguely recall Brands from Zero-Knowledge Systems, where he went in early 2000. About six months earlier I consulted Zero-Knowledge Systems’ chief scientist for a story about an alleged cryptographic flaw/back door in then unreleased Windows 2000.

Brands, his colleagues and U-Prove will first go into Windows Cardspace and Windows Communication Foundation. Microsoft’s Brendon Lynch explained in a Thursday blog post:

“Credentica’s U-Prove technology will help people protect their identities by enabling them to disclose only the minimum amount of information needed for a transaction—sometimes no personal information may be needed at all. When this technology is broadly available in Microsoft products (such as Windows Communication Foundation and Windows Cardspace), enterprises, governments and consumers all stand to benefit from the enhanced security and privacy that it will enable. We look forward to a world where people have more control of their personal information and are better protected from harms of online fraud and identity theft.”

Kim Cameron, Microsoft’s identity architect, does a wonderful job explaining Brands’ “minimal disclosure” approach in a Thursday blog post and how the company may apply it. The basic concept: to use other cryptographic means to verify identity “without revealing the signature applied by the identity provider.”

Microsoft has made one helluva good acquisition, whose potential long-term benefits I simply cannot overstate. The company has been trying to tackle the identity problem for nearly a decade. Early days, Passport acted as a single sign-on for multiple services, a heritage Windows Live ID expanded. But U-Prove departs from Microsoft’s past identity efforts. The idea is to identify you without, well, identifying you.

Microsoft online services would look dramatically different with an identity mechanism that truly protected privacy and security on both sides of the transaction all while guaranteeing both parties that they are who they say they are, without necessarily saying who they are.

The best conceptual analogy I can think of is Swiss or offshore banking, where an account holder presents a numerical token or tokens that verify his or her right to account access but not the individual’s identity or necessarily the token’s issuer. Such a mechanism could be a boon to business and consumer confidence in online transactions as well as reduce petty fraud.

Microsoft’s money would be better spent on more acquisitions like this one, rather than frittering away valuable resources on Yahoo. Microsoft is operating on the false premise that Google’s huge search lead also puts it ahead in advertising—too far to catch up without a means of leaping ahead. Yahoo is the means.

But Microsoft is mistaken. Online activities and transactions are more complex than that. Search is one strategic technology, but there are others that Google doesn’t control. If Microsoft could take a strategic lead protecting identity around transactions, the company could better enable all kinds of Web activities, and in so doing raise its online credibility. Privacy concerns have dogged Google.

I think Microsoft should take half of its proposed Yahoo offer and spend it on more acquisitions like Credentica’s U-Prove technology. I’m not the first to suggest that Microsoft spend $20 billion on smaller companies. But I will say that U-Prove is an example of what Microsoft should do to bolster its online technology portfolio in more meaningful ways, without taking on the hardship of a large, messy acquisition like Yeah.

Kim Cameron @ 2:14 pm
Filed under: Business Model and Digital Identity and Identity Metasystem and Linkage and Privacy and User centric
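As an added illustration of the minimal-disclosure and unlinkability idea the article above describes (this is not Credentica’s or Microsoft’s code, and not U-Prove’s actual protocol), here is Chaum-style RSA blind signing in Python: the issuer signs a token it cannot read, the relying party verifies it with only the issuer’s public key, and the issuer cannot match the presented token to anything it logged at issuance. All function names and the sample claim are constructed, and the toy key is far too small for real use.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA issuer key built from two well-known Mersenne primes (2^31-1, 2^61-1).
# Far too small for real use; chosen only so the arithmetic is visible.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # issuer's private exponent

ISSUER_LOG = []                        # everything the issuer sees at issuance time

def h(token: bytes) -> int:
    """Map the token's content to an integer below N (hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def issuer_sign_blinded(blinded: int) -> int:
    """Issuer signs a value it cannot read, and logs what it was shown."""
    ISSUER_LOG.append(blinded)
    return pow(blinded, D, N)

def user_obtain_token(token: bytes) -> int:
    """User blinds h(token), has it signed, then unblinds: a signature the issuer never saw."""
    m = h(token)
    while True:                        # pick a blinding factor invertible mod N
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N   # m * r^E hides m from the issuer
    return (issuer_sign_blinded(blinded) * pow(r, -1, N)) % N   # (m r^E)^D / r = m^D

def verifier_accepts(token: bytes, sig: int) -> bool:
    """Relying party checks the issuer's signature using only the public key (N, E)."""
    return pow(sig, E, N) == h(token)

def issuer_can_link(token: bytes, sig: int) -> bool:
    """Can the issuer match a presented (token, sig) to an issuance it logged? No."""
    return sig in ISSUER_LOG or h(token) in ISSUER_LOG

if __name__ == "__main__":
    # Constructed sample claim: the token carries only the fact the verifier needs.
    claim = b"entitlement=account-access"
    sig = user_obtain_token(claim)
    print("verifier accepts:", verifier_accepts(claim, sig))                          # True
    print("altered claim accepted:", verifier_accepts(b"entitlement=admin", sig))     # False
    print("issuer can link presentation to issuance:", issuer_can_link(claim, sig))   # False
```

Real U-Prove goes further: the issuer certifies attribute values inside the token and the user can selectively disclose them, while presentations stay unlinkable to issuance; this toy shows only the unlinkable-signature half.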