<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>Kim Cameron's Identity Weblog</title>
	<atom:link href="http://www.identityblog.com/wp-rss2.php" rel="self" type="application/rss+xml" />
	<link>http://www.identityblog.com</link>
	<description>Digital Identity And Our Future</description>
	<pubDate>Thu, 10 Jul 2008 17:20:22 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
	<language>en</language>
			<item>
		<title>Getting down with Zermatt</title>
		<link>http://www.identityblog.com/?p=1002</link>
		<comments>http://www.identityblog.com/?p=1002#comments</comments>
		<pubDate>Thu, 10 Jul 2008 01:09:50 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Application Development]]></category>

		<category><![CDATA[Claims]]></category>

		<category><![CDATA[Code]]></category>

		<category><![CDATA[Identity Metasystem]]></category>

		<category><![CDATA[Information Cards]]></category>

		<category><![CDATA[Windows Cardspace]]></category>

		<category><![CDATA[delegation]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=1002</guid>
		<description><![CDATA[I found the samples very clear, and uncluttered with a lot of "sample decoration"]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.identityblog.com/wp-content/images/2008/07/zermatt.jpg" alt="" /></p>
<p>Zermatt is <a href="http://www.zermatt.ch/index.e.html">a destination</a> in Switzerland, shown above, that benefits from what Nietzsche calls &#8220;the air at high altitudes, with which everything in animal being grows more spiritual and acquires wings&#8221;.</p>
<p>It&#8217;s therefore a good code name for the new identity application development framework Microsoft has <a href="http://go.microsoft.com/fwlink/?LinkId=122266">just released in Beta form</a>.  We used to call it IDFX internally  - who knows what it will be called when it is released in final form? </p>
<p>Zermatt is what you use to develop interoperable identity-aware applications that run on the Windows platform.  We are building the future versions of Active Directory Federation Services (ADFS) with it, and claims-aware Microsoft applications will all use it as a foundation.  All capabilities of the platform are open to third party developers and enterprise customers working in Windows environments.  Every aspect of the framework works over the wire with other products on other platforms.</p>
<p>I can&#8217;t stress enough how important it is to make it easy for application developers to incorporate the kind of sensible and sophisticated capabilities that this framework makes available.  And everyone should understand that our intent is for this platform to interoperate <em>fully</em> with products and frameworks produced by other vendors and open source projects, and to help the capabilities we are developing to become universal.</p>
<p>I also want to make it clear that this is a beta.  The goal is to involve our developer community in driving this towards final release.  The beta also makes it easy for other vendors and projects to explore every nook and cranny of our implementation and advise us of problems or work to achieve interoperability.</p>
<p>I&#8217;ve been doing my own little project using the beta Zermatt framework and will write about the experience and share my code.  As an architect, I can tell you already how happy I am about the extent to which this framework realizes the metasystem architecture we&#8217;ve worked so hard to define.</p>
<p>The product comes with a good <a href="https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=642&amp;DownloadID=12901">White Paper for Developers</a> by Keith Brown of Pluralsight.  Here&#8217;s how Zermatt&#8217;s main ReadMe sets out the goals of the framework.</p>
<p style="PADDING-LEFT: 30px"><strong>Building claims-aware applications</strong></p>
<p style="PADDING-LEFT: 30px">Zermatt makes it easier to build identity aware applications. In addition to providing a new claims model, it provides applications with a rich set of API’s to reason about the identity of a caller using claims.</p>
<p style="PADDING-LEFT: 30px">Zermatt also provides developers with a consistent programming experience whether they choose to build their applications in ASP.NET or in WCF environments. </p>
<p style="PADDING-LEFT: 30px"><strong>ASP.NET Controls</strong></p>
<p style="PADDING-LEFT: 30px">ASP.NET controls simplify development of ASP.NET pages for building claims-aware Web applications, as well as Passive STS’s.</p>
<p style="PADDING-LEFT: 30px"><strong>Building Security Token Services (STS)</strong></p>
<p style="PADDING-LEFT: 30px">Zermatt makes it substantially easier to build a custom security token service (STS) that supports the WS-Trust protocol. These STS’s are also referred to as an Active STS.</p>
<p style="PADDING-LEFT: 30px">In addition, the framework also provides support for building STS’s that support WS-Federation to enable web browser clients. These STS’s are also referred to as a Passive STS.</p>
<p style="PADDING-LEFT: 30px"><strong>Creating Information Cards</strong></p>
<p style="PADDING-LEFT: 30px">Zermatt includes classes that you can use to create Information Cards - as well as STS&#8217;s that support them.</p>
<p>There are a whole bunch of samples, and for identity geeks they are incredibly interesting.  I&#8217;ll discuss what they do in another post.</p>
<p><strong>Follow the installation instructions!</strong></p>
<p>Meanwhile, go ahead and <a href="https://connect.microsoft.com/Downloads/Downloads.aspx?SiteID=642">download</a>.  I&#8217;ll share one word of advice.  If you want things to run right out of the digital box, then for now <strong>slavishly</strong> follow the installation instructions.  I&#8217;m the type of person who <em>never</em> really looks at the ReadMe&#8217;s - and I was <strong>chastened</strong> by the experience of not doing what I was told.  I went back and behaved, and the experience was flawless, so don&#8217;t make the same mistake I did.</p>
<p>For example, there is a master installation script in the /samples/utilities directory called &#8220;SamplesPreReqSetup.bat&#8221;. This is a miraculous piece of work that sets up your machine certs automatically and takes care of a great number of security configuration details.  I know it&#8217;s miraculous because initially (having skipped the readme) I thought I had to do this configuration manually.  Congratulations to everyone who got this to work.</p>
<p>You will also find a script in each sample directory that creates the necessary virtual directory for you.  You need this because of the way you are expected to use the visual studio debugger.</p>
<p><strong>Using the debugger</strong></p>
<p>In order to show how the framework really works, the projects all involve at least a couple of aspx pages (for example, one page that acts as a relying party, and another that acts as an STS).  So you need the ability to debug multiple pages at once.</p>
<p>To do this, you run the pages from a virtual directory as though they were &#8220;production&#8221; aspx pages.  Then you attach your debugger to the w3wp.exe process (under debug, select &#8220;Attach to a process&#8221; and make sure you can see all the processes from all the sessions.  &#8220;Wake up&#8221; the w3wp.exe process by opening a page.  Then you&#8217;ll see it in the list). </p>
<p>For now it&#8217;s best to compile the applications in the directory where they get installed.  It&#8217;s possible that if you move the whole tree, they can be put somewhere else (I haven&#8217;t tried this with my own hands).  But if you move a single project, it definitely won&#8217;t work unless you tweak the virtual directory configuration yourself (why bother?).</p>
<p><strong>Clear samples</strong></p>
<p>I found the samples very clear, and uncluttered with a lot of &#8220;sample decoration&#8221; that makes it hard to understand the main high level points.  Some of the samples have a number of components working together - the delegation sample is totally amazing - and yet it is easy, once you run the sample, to understand how the pieces fit together.  There could be more documentation and this will appear as the beta progresses. </p>
<p>The Zermatt team is really serious about collecting questions, feedback and suggestions - and responding to them.  I hope that if you are a developer interested in identity you&#8217;ll take a look and send your feedback - whether you are primarily a Windows developer or not.  After all, our goal remains the Identity Big Bang, and getting identity deployed and cool applications written on all the different platforms. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=1002</wfw:commentRss>
		</item>
		<item>
		<title>Key Piece of The Identity Puzzle</title>
		<link>http://www.identityblog.com/?p=1001</link>
		<comments>http://www.identityblog.com/?p=1001#comments</comments>
		<pubDate>Wed, 09 Jul 2008 23:15:24 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Application Development]]></category>

		<category><![CDATA[Claims]]></category>

		<category><![CDATA[Federation]]></category>

		<category><![CDATA[Identity Industry]]></category>

		<category><![CDATA[Identity Metasystem]]></category>

		<category><![CDATA[Information Cards]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=1001</guid>
		<description><![CDATA[Microsoft has released a beta of its most important developer tool to date ]]></description>
			<content:encoded><![CDATA[<p>John Fontana, who writes expert pieces about identity for Network World, just posted <a href="http://www.networkworld.com/news/2008/070908-microsoft-zermatt-identity.html">this piece</a>, called &#8220;<em>Microsoft Sets Key Piece of Identity Puzzle</em>&#8221;.</p>
<p style="PADDING-LEFT: 30px">Microsoft Wednesday released a beta of its most important tool to date for helping developers build applications that can plug into the company&#8217;s Identity Metasystem and provide what amounts to a re-usable identity service for securing network resources.</p>
<p style="PADDING-LEFT: 30px">Code-named Zermatt, the tools are a new extension to the .Net Framework 3.5 that helps developers more easily build applications that incorporate a claims-based identity model for authentication/authorization. Claims are a set of statements that identify a user and provide specific information such as title or purchasing authority&#8230;</p>
<p>John goes on to quote Stuart Kwan:</p>
<p style="PADDING-LEFT: 30px">&#8220;The model is that when a user arrives at the applications, they bring claims that they fetched from an STS ahead of time,&#8221; says Stuart Kwan, director of program management for identity and access for Microsoft. &#8220;Zermatt is one part of building apps that can more easily plug into your environment. You use Zermatt so [applications] can use the STS in your environment.&#8221;</p>
<p style="PADDING-LEFT: 30px">In fact, a network would have multiple STS nodes. Those nodes will eventually include Active Directory, which will have an STS built into the directory&#8217;s Federation Services in the next version slated to ship sometime after 2008.</p>
<p style="PADDING-LEFT: 30px">Microsoft will use the new Federation Services capabilities, Zermatt and STS technology to build toward its ultimate goal of an <a href="http://www.networkworld.com/news/2008/030408-microsoft-identity-bus.html">&#8220;identity bus.&#8221; </a>The nirvana of the idea is that off-the-shelf applications could plug into the bus in order to authenticate users and provide access control.</p>
<p>In my view, as enterprise applications and desktop suites start to integrate with the identity metasystem, it will become obvious that businesses can build &#8220;business logic&#8221; into STS&#8217;s and suddenly get a huge payoff by controlling access, identity and personalization in all their off-the-shelf <em>and</em> enterprise-specific applications.  This is going to be huge for developers, who will be able both to simplify and deliver value.</p>
<p>But back to John and Stuart:</p>
<p style="padding-left: 30px;">Kwan says Zermatt also can be used to build an STS that would run on top of custom built stores of user data.  He says Zermatt could be used to build applications that accept information from CardSpace, the user-centric identity system in Vista and XP.</p>
<p style="padding-left: 30px;">The final release of Zermatt is expected by year-end.</p>
<p style="padding-left: 30px;">It is the first time Microsoft has so directly written its sizeable development army into its Identity Metasystem plan, which was outlined first in 2005 and defines a distributed identity architecture for multi-vendor platforms.</p>
<p>Read the full story <a href="http://www.networkworld.com/news/2008/070908-microsoft-zermatt-identity.html">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=1001</wfw:commentRss>
		</item>
		<item>
		<title>Problem between keyboard and seat</title>
		<link>http://www.identityblog.com/?p=1000</link>
		<comments>http://www.identityblog.com/?p=1000#comments</comments>
		<pubDate>Wed, 09 Jul 2008 22:43:17 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Attacks]]></category>

		<category><![CDATA[Windows Cardspace]]></category>

		<category><![CDATA[hacking]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=1000</guid>
		<description><![CDATA[Well, when you switch off all security mechanism then, yes, there are security flaws...  ]]></description>
			<content:encoded><![CDATA[<p>Jeff Bohren <a href="http://idlogger.wordpress.com/2008/07/08/problem-between-keyboard-and-seat/">picks up </a>on Axel Nennker&#8217;s recent post:</p>
<p style="padding-left: 30px;">Axel Nennker <a href="http://ignisvulpis.blogspot.com/2008/07/carnards-die-hard.html"><span style="color: #0060ff;">points</span></a> out that the supposed “Cardspace Hack” is still floating around the old media. He allows the issue is not really a Cardspace security hole, but a problem between the keyboards and seats at Ruhr University Bochum:</p>
<p style="padding-left: 60px;"><em>A while ago two students, Xuan Chen and Christoph Löhr, from Ruhr University Bochum claimed to have “broken” CardSpace. There were </em><a href="http://bendrath.blogspot.com/#2077343839236138649"><em><span style="color: #0060ff;">some</span></em></a><em> </em><a href="http://ignisvulpis.blogspot.com/2008/05/stealing-security-token.html"><em><span style="color: #0060ff;">blog</span></em></a><em> reactions to this claim. The authoritative one of course is from </em><a href="http://www.identityblog.com/?p=988"><em><span style="color: #0060ff;">Kim</span></em></a><em>.</em></p>
<p style="padding-left: 60px;"><em>Today I browsed through a magazine lying on the desk of a colleague of mine. This magazine with the promising title “IT-Security” repeats the false claim and reports that the students proved that CardSpace has severe security flaws… Well, when you switch off all security mechanism then, yes, there are security flaws (The security researcher in front of the computer).</em></p>
<p style="padding-left: 30px;">Sort of what developers like me call an ID<sub>10</sub>T error.</p>
<p style="padding-left: 30px;">Update: speaking of ID<sub>10</sub>T errors, I originally mistyped Axel’s name as Alex. My apologies.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=1000</wfw:commentRss>
		</item>
		<item>
		<title>What identity providers will sites support?</title>
		<link>http://www.identityblog.com/?p=999</link>
		<comments>http://www.identityblog.com/?p=999#comments</comments>
		<pubDate>Thu, 26 Jun 2008 17:30:01 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Digital Identity]]></category>

		<category><![CDATA[Federation]]></category>

		<category><![CDATA[Identity Metasystem]]></category>

		<category><![CDATA[OpenID]]></category>

		<category><![CDATA[User centric]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=999</guid>
		<description><![CDATA[Amongst other things, those that attract lots of users.]]></description>
			<content:encoded><![CDATA[<p>Paul Madsen <a href="http://connectid.blogspot.com/2008/06/in-which-i-clarify.html">digs deeper </a>into the factors that will influence the choices of Internet service providers as they move towards user-centric identity.</p>
<blockquote><p>&#8220;Often times, in trying to be clever and sarcastic, I dive too deep into the &#8216;satire pool&#8217;. The urge to be witty and contrarian surpasses the urge to be clear. Consequently, the &#8216;point&#8217; I am trying to make can, on occasion, be buried underneath surface frivolity and snideness.<br />
&#8220;As happened with my <a href="http://connectid.blogspot.com/2008/06/pressure.html"><span style="color: #666699;">recent post</span></a> on <a href="http://www.healthvault.com/"><span style="color: #6699cc;">HealthVault</span></a>&#8217;s chosen model for OP acceptance.</p>
<p>&#8220;With that post, I have <a href="http://www.identityblog.com/?p=996"><span style="color: #6699cc;">confused Kim</span></a>, and for that I here apologize.</p>
<p>&#8220;I was responding to a post of Simon Willison, in which he defended HealthVault&#8217;s right to choose OPs selectively - and not be compelled to accept any ol&#8217; OP coming in off the street presenting an identity claim.</p>
<p>&#8220;My post might have given some the impression that I disagreed with Simon. For instance, I wrote</p>
<blockquote><p>&#8216;I disagree&#8217;</p></blockquote>
<p>&#8220;Admittedly, this set a tone.</p>
<p>&#8220;But the rest of the post was meant to point out that, while I do think the user has the right to <span style="FONT-STYLE: italic">pressure</span> RPs like HealthVault to accept assertions from particular OPs - the appropriate mechanism for this pressure, as for many other interactions between customers and service providers (e.g. buying an OS), is through market forces. If enough users choose an OP because it is secure and privacy-respecting, or because it offers 2-factor authentication, or because it has a snazzy flash UI, the RPs will find it (if they are interested in serving their customer base).</p>
<p>&#8220;When the RPs do find these candidate OPs (or IDPs, the issue is of course not unique to OpenID) they will themselves do their own checking and assessment before they start accepting assertions. And of course, each RP has to ask the question &#8216;Is this OP appropriate for the resources <span style="FONT-WEIGHT: bold">I</span> protect/manage?&#8217;. If the resources are neither privacy sensitive nor valuable, the list of OPs that are appropriate will be longer than for medical or financial information.</p>
<p>&#8220;HealthVault (actually probably some other audit &amp; risk management group in Microsoft) performed this assessment and, at least initially, came up with 2 OPs that they felt were right for them. More power to &#8216;em. Partner selection is tough and <a href="http://www.cfc-efc.ca/docs/vanif/00005_en.htm"><span style="color: #6699cc;">fraught with risk</span></a> - they are right to be careful.</p>
<p>&#8220;I smile (more a smirk really) when I hear some in the user-centric world place the sole right and responsibility of choosing an OP on the user&#8217;s shoulders. User&#8217;s can&#8217;t even remember their passwords, and you want them to assess the security infrastructure of an OP?</p>
<blockquote><p><span style="FONT-STYLE: italic"><span style="FONT-WEIGHT: bold">Surgeon:</span> So, are we ready for your operation tomorrow?<br />
<span style="FONT-WEIGHT: bold">Patient:</span> Hi Doc, yes. But I was just reading about this new surgical instrument for the procedure. I really want you to try it out on me.<br />
<span style="FONT-WEIGHT: bold">Surgeon:</span> Hmmm, I don&#8217;t know much about it &#8230;<br />
<span style="FONT-WEIGHT: bold">Patient:</span> Oh, you&#8217;ll work it out as you go</span></p></blockquote>
<p>&#8220;So yes Kim, I agree. Resources, and gall bladders, do have rights. &#8220;</p></blockquote>
<p>Now it becomes clear why his original piece was called <a href="http://connectid.blogspot.com/2008/06/pressure.html">Pressure</a>. Meanwhile, everyone should know that the last thing I would ever want to do is cast a chill over Paul&#8217;s satire pool. What a refreshing oasis it is!  (No pun intended.)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=999</wfw:commentRss>
		</item>
		<item>
		<title>Seven Laws of Identity Wordle</title>
		<link>http://www.identityblog.com/?p=997</link>
		<comments>http://www.identityblog.com/?p=997#comments</comments>
		<pubDate>Thu, 26 Jun 2008 07:01:35 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Digital Identity]]></category>

		<category><![CDATA[Identity Metasystem]]></category>

		<category><![CDATA[Laws of Identity]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=997</guid>
		<description><![CDATA[Beautiful word clouds...]]></description>
			<content:encoded><![CDATA[<p><a href="http://ignisvulpis.blogspot.com/2008/06/seven-laws-wordle.html">Axel Nennker of Ignisvulpis</a> writes, &#8220;Wordling things seems to be <a href="http://www.xmlgrrl.com/blog/archives/2008/06/20/the-wordle-of-the-venn-of-identity/"><span style="color: #0000ff;">à la mode</span></a>. I could not resist to <a href="http://wordle.net/create"><span style="color: #0000ff;">wordle</span></a> <a href="http://www.identityblog.com/">Kim Cameron</a>&#8217;s <a href="http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf">Seven Laws of Identity</a>&#8230;.&#8221;</p>
<p><a href="http://www.identityblog.com/wp-content/images/2008/06/TheSevenLawsWordle.png"><img src="http://www.identityblog.com/wp-content/images/2008/06/TheSevenLawsWordle-small.png" alt="" /></a></p>
<p> Thanks Axel.  This pretty much sums it up.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=997</wfw:commentRss>
		</item>
		<item>
		<title>Resources have rights too</title>
		<link>http://www.identityblog.com/?p=996</link>
		<comments>http://www.identityblog.com/?p=996#comments</comments>
		<pubDate>Thu, 26 Jun 2008 06:02:18 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Claims]]></category>

		<category><![CDATA[Cloud]]></category>

		<category><![CDATA[Identity Metasystem]]></category>

		<category><![CDATA[Laws of Identity]]></category>

		<category><![CDATA[Platforms]]></category>

		<category><![CDATA[User centric]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=996</guid>
		<description><![CDATA[User-centric doesn't mean 'The Dictatorship of the Users']]></description>
			<content:encoded><![CDATA[<p><a href="http://connectid.blogspot.com/">Paul Madsen</a> has a knack for pithy identity wisdom.  But his <a href="http://connectid.blogspot.com/2008/06/pressure.html">recent piece </a>on HealthVault&#8217;s use of OpenID made me do a double take.</p>
<p style="padding-left: 30px;">&#8220;Simon Willison <a href="http://simonwillison.net/2008/Jun/24/openid/">defends</a> <a href="http://www.healthvault.com/">HealthVault</a>&#8217;s choice of OPs [OpenID providers - Kim].</p>
<p style="padding-left: 30px;">&#8220;I disagree. It is I, as a <a href="http://connectid.blogspot.com/search?q=healthvault">user</a>, that should be able to dictate to HealthVault the OPs from which they are to accept identity assertions through OpenID.</p>
<p style="padding-left: 30px;">&#8220;Just as I, as a user of Vista, should be able to dictate to Microsoft which software partners they work with to bundle into the OS (I particularly like the Slow Down to Crawl install).</p>
<p style="padding-left: 30px;">&#8220;Just as I, as a Zune user &#8230; oh wait, there are no Zune users&#8230;.</p>
<p style="padding-left: 30px;">&#8220;The mechanism by which I (the user) am able to indicate to HealthVault, or Vista, my preferences for their partners is called &#8216;<a href="http://en.wikipedia.org/wiki/Capitalism">the market</a>&#8216;.&#8221;</p>
<p>Hmmm.  All passion aside, are Vista and HealthVault really the same things?</p>
<p>When you buy an operating system like Vista, it is the substratum of YOUR personal computer.  You should be able to run whatever YOU want on it.  That strikes me as part of the very definition of the PC.</p>
<p>But what about a cloud service like HealthVault?  And here I want to get away from the specifics of HealthVault, and talk generically about services that live in the cloud.  In terms of the points I want to make, we could just as easily be talking about Facebook, LinkedIn, Blogger or Hotmail.</p>
<p>As a user, do you own such a service? Do you run it in whatever way you see fit?  </p>
<p>I&#8217;ve tried a lot of services, and I don&#8217;t think I&#8217;ve ever seen one that gives you that kind of carte blanche. </p>
<p>Normally a service provides options. You can often control content, but you function within parameters.  Your biggest decision is whether you want to use the service in the first place.  That&#8217;s a large part of what &#8220;the market&#8221; in services really is like.</p>
<p>But let me push this part of the discussion onto &#8220;the stack&#8221; for a moment.</p>
<p><strong>PUSH</strong></p>
<p>Last week a friend came by and told me a story.  One of <em>his</em> friends regularly used an Internet advertising service, and paid for it via the Internet too.  At some point, a large transaction &#8220;went missing&#8221;.  The victim contacted the service through which he was making the transaction, and was told it &#8220;wasn&#8217;t their problem&#8221;.  Whose problem was it?</p>
<p>I don&#8217;t know anything about legal matters and am not talking from that point of view.  It just seems obvious to me that if you are a company that values its relationships with customers, this kind of breach really IS your problem, and you need to face up to that.</p>
<p>And there is the rub.  I never want to be the one saying, &#8220;Sorry - this is your problem, not ours.&#8221;  But if I&#8217;m going share the problem, shouldn&#8217;t I have some say in preventing it and limiting my liability?</p>
<p><strong>POP</strong></p>
<p>I think that someone offering a service has the right to define the conditions for use of the service (let&#8217;s for now ignore the fact that there may be some regulation of such conditions - for example certain conditions might be &#8220;illegal&#8221; in some jurisdictions).  And that includes security requirements.</p>
<p>In other words, matters of access control proceed <strong>from the resource.</strong>  The resource decides who can access it.   Identity assertions are a tool which a resource may use to accomplish this.  For years we&#8217;ve gotten this backwards, thinking access proceeded from the identity to the resource - we need to reverse our thinking.</p>
<p>Takeaway:  &#8220;user-centric&#8221; doesn&#8217;t mean <em>The Dictatorship of the Users.  </em>In fact there are three parties whose interests must be accommodated (the user, the resource, and the claims provider).  At times this is going to be complex.  Proclamations like, &#8220;It is I, as a <a href="http://connectid.blogspot.com/search?q=healthvault">user</a>, that should be able to dictate&#8230;&#8221; just don&#8217;t capture what is at stake here. </p>
<p>I like the way Simon Willison <a href="http://simonwillison.net/2008/Jun/24/openid/">puts this</a>:</p>
<p style="padding-left: 30px;">&#8220;You have to remember that behind the excitement and marketing OpenID is a protocol, just like SMTP or HTTP. All OpenID actually provides is a mechanism for asserting ownership over a URL and then “proving” that assertion. We can build a pyramid of interesting things on top of this, but that assertion is really all OpenID gives us (well, that and a globally unique identifier). In internet theory terms, it’s a <a href="http://en.wikipedia.org/wiki/Dumb_network">dumb network</a>: the protocol just concentrates on passing assertions around; it’s up to the endpoints to set policies and invent interesting applications.</p>
<p style="padding-left: 30px;">&#8220;Open means that providers and consumers are free to use the protocol in whatever way they wish. If they want to only accept OpenID from a trusted subset of providers, they can go ahead. If they only want to pass OpenID details around behind the corporate firewall (great for gluing together an SSO network from open-source components) they can knock themselves out. Just like SMTP or HTTP, the protocol does not imply any rules about where or how it should be used&#8230;&#8221;</p>
<p>In a later post - where he seems to have calmed down a bit - Paul mentions a Liberty framework that allows relying parties to &#8220;outsource the assessment of&#8230; OPs to accredited 3rd parties (or at least provide a common assessment framework&#8230;)&#8221;.  This sounds more like the Paul I know, and I want to learn more about his thinking in this area.</p>
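<p>As an added illustration of two things on this page, the claims model described in the Network World piece on Zermatt (the user arrives with claims fetched from an STS ahead of time, and the application reasons about the caller from those claims) and the point above that the resource decides which issuers it will accept: a small relying party in Python that validates a token only when it comes from an allow-listed STS, was issued for this resource and is inside its validity window, and only then authorizes from the claims. This is constructed example code, not Zermatt, Microsoft, HealthVault or any quoted author&#8217;s code. The token layout, the claim names (<code>roles</code>, <code>purchase_limit</code>), the issuer URLs and the HMAC shared secrets are all assumptions made up for the example; a real STS would sign with a private key and the relying party would verify against the issuer&#8217;s certificate.</p>

```python
# Constructed example (not Zermatt/WIF code): claims-aware relying party with an
# issuer allow-list. Issuer URLs, keys, token layout and claim names are assumptions.
import base64
import hashlib
import hmac
import json
import time

# The resource owner decides which STSs it trusts. HMAC secrets keep this stdlib-only;
# a real STS signs with a private key and the RP verifies against its certificate.
TRUSTED_ISSUERS = {
    "https://sts.contoso.example": b"contoso-sts-shared-secret",
    "https://sts.fabrikam.example": b"fabrikam-sts-shared-secret",
}
RP_AUDIENCE = "https://rp.example/orders"  # the resource this RP protects


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(body: dict) -> bytes:
    # Canonical encoding so the bytes that get signed are unambiguous.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_token(issuer, key, subject, audience, claims, lifetime=300, now=None):
    """STS side: bind claims to issuer, audience and a validity window, then sign."""
    now = int(time.time() if now is None else now)
    payload = _encode({"iss": issuer, "sub": subject, "aud": audience,
                       "nbf": now, "exp": now + lifetime, "claims": claims})
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())


class TokenRejected(Exception):
    """Raised by the RP for any token it will not act on."""


def validate_token(token, trusted_issuers=TRUSTED_ISSUERS, audience=RP_AUDIENCE, now=None):
    """RP side: issuer allow-list, signature, audience and time window; returns the body."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        body = json.loads(payload)
        if not isinstance(body, dict):
            raise ValueError("body is not an object")
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected("malformed token") from exc
    # The unverified 'iss' only selects which key to try; trust comes from the allow-list.
    key = trusted_issuers.get(body.get("iss"))
    if key is None:
        raise TokenRejected("issuer not trusted by this resource: %r" % body.get("iss"))
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise TokenRejected("signature does not verify under the issuer's key")
    if body.get("aud") != audience:
        raise TokenRejected("token was issued for a different resource")
    nbf, exp = body.get("nbf"), body.get("exp")
    if not (isinstance(nbf, int) and isinstance(exp, int) and nbf <= now < exp):
        raise TokenRejected("token outside its validity window")
    return body


def can_approve_purchase(token, amount, **validate_kwargs):
    """Authorization from claims: the STS states facts, the resource sets the rule."""
    claims = validate_token(token, **validate_kwargs)["claims"]
    if "purchasing" not in claims.get("roles", []):
        return False
    return amount <= claims.get("purchase_limit", 0)


def demo(now=1_700_000_000):
    """Run the cases a practitioner would check; returns a dict of outcomes."""
    iss, claims = "https://sts.contoso.example", {"roles": ["purchasing"], "purchase_limit": 5000}
    good = issue_token(iss, TRUSTED_ISSUERS[iss], "alice", RP_AUDIENCE, claims, now=now)

    def rejected(tok, **kw):
        try:
            validate_token(tok, **kw)
            return False
        except TokenRejected:
            return True

    # Forgery: keep the valid signature but raise the limit in the payload.
    payload_b64, sig_b64 = good.split(".")
    forged_body = json.loads(_unb64(payload_b64))
    forged_body["claims"]["purchase_limit"] = 10**9
    forged = _b64(_encode(forged_body)) + "." + sig_b64
    # A well-formed token from an STS this resource never agreed to trust.
    rogue = issue_token("https://sts.evil.example", b"rogue-key", "alice", RP_AUDIENCE,
                        {"roles": ["purchasing"], "purchase_limit": 10**9}, now=now)
    other_aud = issue_token(iss, TRUSTED_ISSUERS[iss], "alice", "https://other.example/", claims, now=now)
    return {
        "within_limit": can_approve_purchase(good, 4000, now=now),
        "over_limit": can_approve_purchase(good, 6000, now=now),
        "forged_rejected": rejected(forged, now=now),
        "rogue_issuer_rejected": rejected(rogue, now=now),
        "wrong_audience_rejected": rejected(other_aud, now=now),
        "expired_rejected": rejected(good, now=now + 301),
    }


if __name__ == "__main__":
    print(demo())
```

<p>The order of the checks is the point: the relying party never even looks at the claims until it has decided that the issuer is one it trusts and that the token was minted for this resource. A rogue STS can produce a perfectly well-formed token with generous claims, and it still gets nowhere, which is exactly the position of an RP that accepts assertions only from a selected set of providers.</p>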
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=996</wfw:commentRss>
		</item>
		<item>
		<title>Wide coverage of the Information Card Foundation</title>
		<link>http://www.identityblog.com/?p=995</link>
		<comments>http://www.identityblog.com/?p=995#comments</comments>
		<pubDate>Thu, 26 Jun 2008 04:03:41 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Federation]]></category>

		<category><![CDATA[Fraud]]></category>

		<category><![CDATA[Higgins]]></category>

		<category><![CDATA[Identity Metasystem]]></category>

		<category><![CDATA[Information Cards]]></category>

		<category><![CDATA[Liberty]]></category>

		<category><![CDATA[Phishing]]></category>

		<category><![CDATA[Windows Cardspace]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=995</guid>
		<description><![CDATA[Brett McDowell, executive director of Liberty Alliance, is one of the founding members.]]></description>
			<content:encoded><![CDATA[<p>There has been a <strong>lot</strong> of coverage of the newly formed Information Card Foundation (ICF) in the last couple of days, including stories by mainstream publications like the New York Times.  <a href="http://www.scmagazineus.com/Google-Microsoft-lead-efforts-to-spur-digital-identities/article/111641/">This article </a>by Richard Thurston from <a href="http://www.scmagazineus.com/">SC Magazine </a>gives you a good idea of how accurately some quite technical concepts were interpreted and conveyed by our colleagues in the press.</p>
<p style="padding-left: 30px;">Google and Microsoft are among an extensive set of technology vendors aiming to spur the adoption of digital identity cards.</p>
<p style="padding-left: 30px;">The two internet giants have helped form the Information Card Foundation (ICF), which aims to develop technologies to secure digital identities on the internet and which was launched today.</p>
<p style="padding-left: 30px;">Digital identity cards are the online equivalent of a physical identity card, such as a driver&#8217;s license. The idea is that internet users will have a virtual wallet containing an array of digital identity cards, and they can choose what information is stored on each card. The aim is to replace usernames and passwords in an effort to improve security.</p>
<p style="padding-left: 30px;">Alongside Google and Microsoft, large suppliers such as Novell, Oracle, PayPal and financial information company Equifax, have joined the ICF, as well as 18 smaller suppliers and industry associations.</p>
<p style="padding-left: 30px;">&#8220;Our shared goal is to deliver a ubiquitous, interoperable, privacy-respecting federated identity layer as a means to seamless, secure online transactions over network infrastructure,&#8221; said Brett McDowell, executive director of Liberty Alliance, one of the founding members.</p>
<p style="padding-left: 30px;">The idea of digital identities is far from new. But so far vendors&#8217; efforts have been fragmented and largely not interoperable.</p>
<p style="padding-left: 30px;">The ICF is proposing a system based on three parties: the user, the identity provider (such as a bank or credit card issuer) and also what it calls a reliant party (which could be a university network, financial website or e-commerce website, for example).</p>
<p style="padding-left: 30px;">The ICF argues that, because all three parties must be synced in real-time for the transaction to proceed, it should be more secure.</p>
<p style="padding-left: 30px;">&#8220;Rather than logging into websites with usernames and passwords, information cards let people &#8216;click-in&#8217; using a secure digital identity that carries only the specific information needed to enable a transaction,&#8221; said Charles Andres, executive director of the ICF. &#8220;Businesses will enjoy lower fraud rates, higher affinity with customers, lower risk and more timely information about their customers and business partners.&#8221;</p>
<p style="padding-left: 30px;">The ICF now wants to expand its membership to include businesses, such as retailers and financial institutions, as well as government organizations.</p>
<p style="padding-left: 30px;">It also wants to become a working group of Identity Commons, a community-driven organization which promotes the creation of an open identity layer for the internet.</p>
<p>You can find thousands of similar links to the Foundation <a href="http://www.google.com/search?as_q=&amp;as_epq=Information+Card+Foundation&amp;as_oq=&amp;as_eq=&amp;as_filetype=&amp;ft=i&amp;as_sitesearch=&amp;as_qdr=all&amp;as_rights=&amp;as_occt=any&amp;cr=&amp;as_nlo=&amp;as_nhi=">here</a> and <a href="http://search.msn.com/results.aspx?q=%22Information+Card+Foundation%22&amp;FORM=MSNH">here</a>.  Amazing.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=995</wfw:commentRss>
		</item>
		<item>
		<title>Information Card Foundation Formed</title>
		<link>http://www.identityblog.com/?p=994</link>
		<comments>http://www.identityblog.com/?p=994#comments</comments>
		<pubDate>Tue, 24 Jun 2008 15:48:55 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Digital Identity]]></category>

		<category><![CDATA[Identity Industry]]></category>

		<category><![CDATA[Identity Metasystem]]></category>

		<category><![CDATA[Information Cards]]></category>

		<category><![CDATA[User centric]]></category>

		<category><![CDATA[Windows Cardspace]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=994</guid>
		<description><![CDATA[Information Cards take a familiar off-line consumer behavior – using a card to prove identity and provide information – and bring it to the online world]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s a great day for Information Cards, Internet security and privacy. I can&#8217;t put it better than this:</p>
<p style="padding-left: 30px;"><strong>June 24, 2008 – Australia, Canada, France, Germany, India, Sri Lanka, United Kingdom, United States –</strong> An array of prominent names in the high-technology community today announced the formation of a non-profit foundation, <a href="http://www.informationcard.net/">The Information Card Foundation</a>, to advance a simpler, more secure and more open digital identity on the Internet, increasing user control over their personal information while enabling mutually beneficial digital relationships between people and businesses.</p>
<p style="padding-left: 30px;">Led by <a href="http://www.equifax.com/">Equifax</a>, <a href="http://www.google.com/">Google</a>, <a href="http://www.microsoft.com/">Microsoft</a>, <a href="http://www.novell.com/">Novell</a>, <a href="http://www.oracle.com/">Oracle</a>, and <a href="http://www.paypal.com/">PayPal</a>, plus nine leaders in the technology community, the group established the Information Card Foundation (ICF) to promote the rapid build-out and adoption of Internet-enabled digital identities using Information Cards.</p>
<p style="padding-left: 30px;">Information Cards take a familiar off-line consumer behavior – using a card to prove identity and provide information – and bring it to the online world. Information Cards are a visual representation of a personal digital identity which can be shared with online entities. Consumers are able to manage the information in their cards, have multiple cards with different levels of detail, and easily select the card they want to use for any given interaction.</p>
<p style="padding-left: 30px;">“Rather than logging into web sites with usernames and passwords, Information Cards let people ‘click-in’ using a secure digital identity that carries only the specific information needed to enable a transaction,” said Charles Andres, executive director for the Information Card Foundation. “Additionally, businesses will enjoy lower fraud rates, higher affinity with customers, lower risk, and more timely information about their customers and business partners.”</p>
<p style="padding-left: 30px;">The founding members of the Information Card Foundation represent a wide range of technology, data, and consumer companies. Equifax, Google, Microsoft, Novell, Oracle, and PayPal, are founding members of the Information Card Foundation Board of Directors. Individuals also serving on the board include ICF Chairman Paul Trevithick of <a href="http://www.parity.com/">Parity</a>, Patrick Harding of <a href="http://www.pingidentity.com/">Ping Identity</a>, Mary Ruddy of <a href="http://www.meristic.com/">Meristic</a>, <a href="http://www.apache-ssl.org/ben.html">Ben Laurie,</a> Andrew Hodgkinson of Novell, <a href="http://www.equalsdrummond.name/">Drummond Reed</a>, Pamela Dingle of the <a href="http://pamelaproject.com/">Pamela Project</a>, Axel Nennker, and <a href="http://www.identityblog.com/">Kim Cameron </a>of Microsoft.</p>
<p style="padding-left: 30px;">“The creation of the ICF is a welcome development,” said Jamie Lewis, CEO and research chair of <a href="http://www.burtongroup.com/">Burton Group</a>. “As a third party, the ICF can drive the development of Information Card specifications that are independent of vendor implementations. It can also drive vendor-independent branding that advertises compliance with the specifications, and the behind-the-scenes work that real interoperability requires.”</p>
<p style="padding-left: 30px;">The Information Card Foundation will support and guide industry efforts to enable the development of an open, trusted and interoperable identity layer for the Internet that maximizes control over personal information by individuals. To do so, the Information Card infrastructure will use existing and emerging data exchange and security protocols, standards and software components.</p>
<p style="padding-left: 30px;">Businesses and organizations that supply or consume personal information will benefit from joining the Information Card Foundation to improve their trusted relationships with their users. This includes financial institutions, retailers, educational and government institutions, healthcare providers, retail providers, travel, entertainment, and social networks.</p>
<p style="padding-left: 30px;">The Information Card Foundation will hold interoperability events to improve consistency on the web for people using and managing their Information Cards. The ICF will also promote consistent industry branding that represents interoperability of Information Cards and related components, and will promote identity policies that protect user information. This branding and policy development is designed to give all Internet users confidence that they can exert greater control over personal information released to specific trusted providers through the use of Information Cards.</p>
<p style="padding-left: 30px;">&#8220;Liberty Alliance salutes the open industry oversight of Information Card interoperability that the formation of ICF signifies,&#8221; said Brett McDowell, executive director,<a href="http://www.projectliberty.org/"> Liberty Alliance</a>. &#8220;Our shared goal is to deliver a ubiquitous, interoperable, privacy-respecting federated identity layer as a means to seamless, secure online transactions over network infrastructure. We look forward to exploring with ICF the expansion of the Liberty Alliance Interoperable(tm) testing program to include Information Card interoperability as well as utilization of the Identity Assurance Framework across Information Card deployments.&#8221;</p>
<p style="padding-left: 30px;">As part of its affiliations with other organizations, The Information Card Foundation has applied to be a working group of Identity Commons, a community-driven organization promoting the creation of an open identity layer for the Internet while encouraging the development of healthy, interoperable communities.</p>
<p style="padding-left: 30px;">Additional founding members are <a href="http://www.arcot.com/">Arcot Systems</a>, <a href="http://www.aristotle.com/">Aristotle</a>, <a href="http://www.ate-software.net/ATEHome/ATE/ate.aspx">A.T.E. Software</a>, <a href="https://www.backgroundchecks.com/">BackgroundChecks.com</a>, <a href="http://www.corisecio.com/en/index.php">CORISECIO</a>, <a href="http://fugensolutions.com/">FuGen Solutions</a>, the <a href="http://www.fraunhofer.de/EN/">Fraunhofer Institute</a>, <a href="http://www.fun.de/">Fun Communications</a>, the <a href="http://www.projectliberty.org/">Liberty Alliance</a>, <a href="http://www.gemalto.com/">Gemalto</a>, <a href="http://www.idology.com/">IDology</a>, <a href="http://www.ipcommerce.com/">IPcommerce</a>, <a href="http://www.ootao.com/">ooTao</a>, <a href="http://www.parity.com/">Parity</a>, <a href="http://www.pingidentity.com/">Ping Identity</a>, <a href="http://www.privo.com/">Privo</a>, <a href="http://www.wave.com/">Wave Systems</a>, and <a href="http://wso2.com/">WSO2</a>.</p>
<p style="padding-left: 30px;">Further information about the Information Card Foundation can be found at <a href="http://www.informationcard.net">www.informationcard.net</a>.</p>
<p>I enjoy having been invited to join the foundation board as one of the representatives of the identity community, rather than as a corporate representative (<a href="http://self-issued.info/?p=76">Mike Jones</a> will play that role for Microsoft). Beyond the important forces involved, this is a terrific group of people with deep experience, and I look forward to what we can achieve together.</p>
<p>One thing for sure: the Identity Big Bang is closer than ever.  Given the deep synergy between OpenID and Information Cards, we have great opportunities all across the identity spectrum.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=994</wfw:commentRss>
		</item>
		<item>
		<title>HealthVault moves forward with OpenID</title>
		<link>http://www.identityblog.com/?p=993</link>
		<comments>http://www.identityblog.com/?p=993#comments</comments>
		<pubDate>Tue, 24 Jun 2008 01:32:35 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Cardspace]]></category>

		<category><![CDATA[Federation]]></category>

		<category><![CDATA[Identity Metasystem]]></category>

		<category><![CDATA[OpenID]]></category>

		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=993</guid>
		<description><![CDATA[Sean Nolan explains his approach to user-centric identity]]></description>
			<content:encoded><![CDATA[<p>Via <a href="http://self-issued.info/?p=75">Mike Jones</a>, here&#8217;s a <a href="http://blogs.msdn.com/familyhealthguy/archive/2008/06/22/openid-comes-to-healthvault.aspx">blog post</a> on identity issues by <a href="http://blogs.msdn.com/familyhealthguy/">Sean Nolan</a>, chief architect of Microsoft’s <a href="http://healthvault.com/">HealthVault</a> service:     </p>
<p style="padding-left: 30px;"><a href="http://openid.net/"><img src="http://www.identityblog.com/wp-content/images/2008/06/openid-icon.png" border="0" alt="" hspace="4" vspace="4" width="100" height="100" align="right" /></a> My plan had been to blog about this when the feature goes live later in the week. But there&#8217;s been some <a href="http://scott.blomqui.st/2008/06/secure-openid-matters-to-microsoft/">online discussion</a> already, and I&#8217;m sitting here at the <a href="http://www.triplerisehorseshows.com/show_es2.html">horse show</a> in waiting mode anyway, so it seems like now is as good a time as any to join the conversation.</p>
<p style="padding-left: 30px;">The deal is &#8212; as of our next release in the next few days, users will have a new way to identify themselves to HealthVault. In addition to <a href="http://www.pasport.net">Windows Live ID</a>, they will be given the option of using <a href="http://openid.net">OpenID</a> accounts from <a href="http://pip.verisignlabs.com">Verisign</a> or <a href="http://www.trustbearer.com">TrustBearer</a>.</p>
<p style="padding-left: 30px;">As we&#8217;ve always said, HealthVault is about consumer control &#8212; empowering individuals with tools that let them choose how to share and safeguard their personal health information. OpenID support is a natural fit for this approach, because it allows users to choose the &#8220;locksmith&#8221; that they are most comfortable with.</p>
<p style="padding-left: 30px;">You can certainly expect to see more such options in the future. For example, we are in the process of building in native support for <a href="http://msdn.microsoft.com/en-us/netframework/aa663320.aspx">Information Cards</a>, which provide some unique advantages, in particular around foiling phishing attempts.</p>
<p style="padding-left: 30px;">But why just two providers? When we were making our plans here, <a href="http://www.christremonte.com/">Chris</a> on our partner team asked me, &#8220;Isn&#8217;t this more like sort-of-OpenID?&#8221; The same question has <a href="http://scott.blomqui.st/2008/06/secure-openid-matters-to-microsoft/#comment-70">come up online</a> as well.*** Really, there&#8217;s a very simple answer here. OpenID is a new and maturing technology, and HealthVault is frankly the most sensitive relying party in the OpenID ecosystem. It just makes sense for us to take our first steps carefully.</p>
<p style="padding-left: 30px;">Both TrustBearer and Verisign have taken their obligations very seriously with their OpenID implementations. Beyond basic must-have safeguards like SSL, each offers a variety of second-factor options that provide a step up over traditional passwords &#8212; through the use of physical tokens or, in Verisign&#8217;s case, the ability to associate an Information Card with an OpenID. This isn&#8217;t meant to imply that there aren&#8217;t other great providers out there &#8212; there are. This is just a start.</p>
<p style="padding-left: 30px;">As we learn more, and as OpenID continues to mature, we fully expect to broaden the set of providers that work with HealthVault. We believe that a critical part of that expansion is the formalization and adoption of <a href="http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-02.html">PAPE</a>, which gives relying parties a richer set of tools to determine if they are comfortable with the policies of an identity provider.</p>
<p style="padding-left: 30px;">This is exciting stuff &#8212; in a geeky way perhaps, but anything that begins to put strong identity technology in the hands of real users is a good thing, not just for those users, but for HealthVault and the Internet overall. Woo hoo!</p>
<p style="padding-left: 30px;"><em>*** BTW, I am clearly all about being cool and buzzword-compliant! <img src='http://www.identityblog.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </em></p>
<p>It&#8217;s great to see an architect like Sean, who lives in Internet time and has a thousand other things on his mind, paying so much personal attention to identity issues.  He&#8217;s showing leadership through his commitment to phishing-resistant solutions (like OpenID&#8217;s PAPE and Information Cards).  And he clearly embraces giving people choice. </p>
<p>The privacy requirements of the information he is protecting mean he HAS to do everything possible to protect people&#8217;s privacy.  It makes complete sense to move incrementally.  I hope the other OpenID providers who have clearly demonstrated their commitment to strong security see the wisdom in this approach.  He&#8217;s opening doors.  And this is the beginning of a process, not the end. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=993</wfw:commentRss>
		</item>
		<item>
		<title>Identityblog software updated</title>
		<link>http://www.identityblog.com/?p=992</link>
		<comments>http://www.identityblog.com/?p=992#comments</comments>
		<pubDate>Mon, 23 Jun 2008 16:18:56 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=992</guid>
		<description><![CDATA[New version of WordPress and PamelaWare]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve updated my WordPress blogging software, and installed the nifty new PamelaWare Information Card plugin.  Pamela, congratulations to you and your colleagues for a great job on this plugin!  The install was amazingly clean.  It&#8217;s ready for prime time. </p>
<p>Meanwhile, if anyone notices any features of the blog that aren&#8217;t working properly, please let me know.  So far, it seems too smooth to be true.  So congratulations to our friends at WordPress too!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=992</wfw:commentRss>
		</item>
		<item>
		<title>Trends in what is known about us</title>
		<link>http://www.identityblog.com/?p=990</link>
		<comments>http://www.identityblog.com/?p=990#comments</comments>
		<pubDate>Sun, 15 Jun 2008 17:56:58 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Digital Identity]]></category>

		<category><![CDATA[Digital Rights]]></category>

		<category><![CDATA[Identity]]></category>

		<category><![CDATA[Laws of Identity]]></category>

		<category><![CDATA[Linkage]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=990</guid>
		<description><![CDATA[Exploring data joining and visibility]]></description>
			<content:encoded><![CDATA[<p>We know how the web feeds itself in a chain reaction powered by the assembly and location of information.  We love it.  Bringing information together that was previously compartmentalized has made it far easier to find out what is happening and avoid thinking narrowly.  In some cases it has even changed the fundamentals of how we work and interact.  The blogosphere identity conversation is an example of this.  We are able to learn from each other across the industry and adjust to evolving trends in a fluid way, rather than &#8220;projecting&#8221; what other people&#8217;s thinking and motivations might be.  In this sense the content of what we are doing is related to the medium through which we do it.</p>
<p>Information accumulates power by being put into proximity and aggregated.   This even appears to be an inherent property of information itself.  Of course information can&#8217;t effect its own aggregation, but easily finds hosts who are motivated to do so: businesses, governments, researchers, industries, libraries, data centers - and the indefatigable search engine.</p>
<p>Some forms of aggregation involve breaking down the separation between domains of facts.  Facts are initially discerned within a context.  But as contexts flow together and merge, the facts are visible from new perspectives.  We can think of them as &#8220;views&#8221;.</p>
<p><strong>Information trends and digital identity</strong> </p>
<p>How does this fundamental tendency of information to reorganize itself relate to digital identity?</p>
<p>This is clearly a complicated question.  But it is perhaps one of the most important questions of our time - one that needs to come to the attention of students, academics, policy makers, legislators, and through them, the general public.   The answer will affect everyone.</p>
<p>It is hard to clearly explain and discuss trends that are so infrastructural.  Those of us working on these issues have concepts that apply, but the concepts don&#8217;t really have satisfactory names, and just aren&#8217;t crisp enough.  We aren&#8217;t ready for a wider conversation about the things we have seen.</p>
<p>Recently I&#8217;ve been trying to organize my own thinking about this through a grid expressing, on one axis, the tendency of context to merge; and, on the other, the spectrum of data visibility:</p>
<p><img src="http://www.identityblog.com/wp-content/images/2008/06/omniscience-1.jpg" border="0" alt="Tendency of data to join and become visible" align="center" /></p>
<p>The spectrum of visibility extends from a single individual on the left to everyone in the society on the right  <small>[if reading a text feed please <a href="http://www.identityblog.com/wp-content/images/2008/06/omniscience-1.jpg">check the graphic </a>- Kim]</small>. </p>
<p>The spectrum of contextual separation extends from complete separation of information by context at the top, to complete joining of data across contexts at the bottom.</p>
<p>I&#8217;ve represented the tendency of information to aggregate as the arrow leading from separation to full join, and this should be considered a dynamic tendency of the system.</p>
<p><strong>Where do we fit in this picture?</strong></p>
<p>Now let&#8217;s set up a few markers from which we can calibrate this field.  For example, let&#8217;s take what I&#8217;ve labelled &#8220;Today&#8217;s public personas&#8221;.  I&#8217;m talking about what we reveal about ourselves in the public realm.  Because it&#8217;s public, it&#8217;s on the &#8220;Visible to all&#8221; part of the spectrum.  Yet for most of us, it is a relatively narrow set of information that is revealed - our names, property we own, aspects of our professional lives.  Thus our public personas remain relatively contextual.</p>
<p>You can imagine variants on this - for example a show-business personality who might be situated further to the right than the &#8220;public persona&#8221;, being known by more people.  Further, additional aspects of such a person&#8217;s life might be known, which would be represented by moving down towards the bottom of the quadrant (or even further).    </p>
<p>I&#8217;ve also included a marker that represents the kind of commercial relationships encountered in today&#8217;s western society.  Now we&#8217;re on the &#8220;Visible to some&#8221; part of the visibility spectrum. In some cases (e.g. our dealings with lawyers), this marker would hopefully be located further to the left, indicating fewer parties to the information.  The current location implies some overlapping of context and sharing across parties - for example, transactions visible to credit card companies, merchants, and third parties in their employ.</p>
<p>Going forward, I&#8217;ll look at what happens as the dynamic towards data joining asserts itself in this model.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=990</wfw:commentRss>
		</item>
		<item>
		<title>Federation: the promise of potentially transforming our business</title>
		<link>http://www.identityblog.com/?p=989</link>
		<comments>http://www.identityblog.com/?p=989#comments</comments>
		<pubDate>Thu, 12 Jun 2008 18:16:41 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Digital Identity]]></category>

		<category><![CDATA[Federation]]></category>

		<category><![CDATA[Identity Industry]]></category>

		<category><![CDATA[Identity Metasystem]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=989</guid>
		<description><![CDATA[Morgan Stanley recognizes transformative nature of identity]]></description>
			<content:encoded><![CDATA[<p>Ping&#8217;s Andre Durand has announced an award that not only says good things about his company, but is a crystal clear indication of the importance federated identity technology will inevitably acquire as people adopt it: </p>
<blockquote><p>&#8220;A few days ago Morgan Stanley awarded Ping their CTO Summit Innovation Award. <em>Ping was the sole recipient of this year&#8217;s award</em>, which recognizes those which hold the promise of potentially transforming Morgan Stanley’s business. VMware won the award in 2005 &#8212; we really like that comparison! Who knew virtualization was going to be as big as it is today 3 or 4 years ago?<br />
   <br />
&#8220;Every year Morgan Stanley receives around 200 applications from companies to present at their CTO Summit.  They internally vote and select 36 to present. Of these, only four ever get as far as contracts and of those, only one receives this award.  We presented Ping Identity and our product, PingFederate back in 2006 (is the ulterior motive obvious enough?).  As hoped, earlier this year Morgan Stanley became a customer, using our technology to secure and integrate their employees’ use of on-demand applications such as Salesforce.com among other things.<br />
 <br />
&#8220;It’s great to finally see identity federation receive the recognition it deserves for enabling companies to secure their virtual borders. It’s going to be a good year!&#8221;</p></blockquote>
<p>Ping&#8217;s success doesn&#8217;t surprise me given the high standards it sets itself.  And we all expect Morgan Stanley&#8217;s CTO to be forward-thinking and &#8220;on the money&#8221;, so to speak. </p>
<p>But still, this is a remarkable bellwether in so clearly recognizing the transformative nature of identity.  Congratulations are due both to Ping and to Jonathan Saxe, Managing Director, Global Chief Information Officer of Morgan Stanley.   </p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=989</wfw:commentRss>
		</item>
		<item>
		<title>How to set up your computer so people can attack it</title>
		<link>http://www.identityblog.com/?p=988</link>
		<comments>http://www.identityblog.com/?p=988#comments</comments>
		<pubDate>Sun, 01 Jun 2008 16:29:00 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Attacks]]></category>

		<category><![CDATA[Believe it or not]]></category>

		<category><![CDATA[Cardspace]]></category>

		<category><![CDATA[Research]]></category>

		<category><![CDATA[hacking]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=988</guid>
		<description><![CDATA[A tutorial on configuring your computer so it can be taken over by students from Ruhr Universitat]]></description>
			<content:encoded><![CDATA[<p>As I said in the <a href="http://www.identityblog.com/?p=987">previous post</a>, the students from Ruhr Universitat who are <a href="http://idw-online.de/pages/de/news262820">claiming </a>discovery of security vulnerabilities in CardSpace did NOT &#8220;crack&#8221; CardSpace.<br />
 <br />
Instead, they created a demonstration that requires the computer&#8217;s owner to consciously disable the computer&#8217;s defenses through complex configurations - following a recipe they published on the web.</p>
<p>The students are not able to undermine the system without active co-operation by its owner. </p>
<p>You might be thinking a user could be tricked into accidentally cooperating with the attack.  To explore that idea, I&#8217;ve captured the steps required to enable the attack in <a href="http://www.identityblog.com/wp-content/images/2008/05/Students/Students.html">this video</a>.  I suggest you look at this yourself to judge the students&#8217; claim they have come up with a &#8220;practical attack&#8221;.</p>
<p><a href="http://www.identityblog.com/wp-content/images/2008/05/Students/Students.html"><img border="0" vspace="5" width="386" src="http://www.identityblog.com/wp-content/images/2008/05/Students/how_to.jpg" height="294" /></a></p>
<p> In essence, the video shows that a sophisticated computer owner is able to cause her system to be compromised if she chooses to do so.  This is not a &#8220;breach&#8221;.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=988</wfw:commentRss>
		</item>
		<item>
		<title>Students enlist readers&#8217; assistance in CardSpace &#8220;breach&#8221;</title>
		<link>http://www.identityblog.com/?p=987</link>
		<comments>http://www.identityblog.com/?p=987#comments</comments>
		<pubDate>Sat, 31 May 2008 00:00:58 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Attacks]]></category>

		<category><![CDATA[Cardspace]]></category>

		<category><![CDATA[Phishing]]></category>

		<category><![CDATA[Spoofing]]></category>

		<category><![CDATA[hacking]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=987</guid>
		<description><![CDATA[Student researchers have NOT demonstrated the simultaneous compromise of the systems necessary for the attack to succeed. 
]]></description>
			<content:encoded><![CDATA[<p>Students at Ruhr Universitat Bochum in Germany have published an <a href="http://demo.nds.rub.de/cardspace/">account</a> this week describing an attack on the use of CardSpace within Internet Explorer.  Their claim is to &#8220;<em>confirm the practicability of the attack by presenting a proof of concept implementation</em>&#8221;.</p>
<p>I’ve spent a fair amount of time reproducing and analyzing the attack.  The students were not actually able to compromise my safety except by asking me to go through elaborate measures to poison my own computer (I <a target="_blank" href="http://www.identityblog.com/wp-content/images/2008/05/Students/Students.html">show how complicated this is in a video</a> I will post next).  For the attack to succeed, the user has to bring full administrative power to bear against her own system.  It seems obvious that if people go to the trouble to manually circumvent all their defenses they become vulnerable to the attacks those defenses were intended to resist.  In my view, the students did not compromise CardSpace.</p>
<p><strong>DNS must be undermined through a separate (unspecified) attack</strong></p>
<p>To succeed, the students first require a compromise of a computer’s Domain Name System (DNS).  They ask their readers to reconfigure their computers and point to an evil DNS site they have constructed.  Once we help them out with this, they attempt to exploit the fact that poisoned DNS allows a rogue site and a legitimate site to appear to have the same internet “domain name” (e.g. <a href="http://www.goodsite.com/">www.goodsite.com</a>).  Code in browser frames animated by one domain can interact with code from other frames animated by the same domain.  So once DNS is compromised, code supplied by the rogue site can interfere with the code supplied by the legitimate site.  The students want to use this capability to hijack the legitimate site’s CardSpace token.</p>
<p>However, the potential problems of DNS are well understood.  Computers protect themselves from attacks of this kind by using cryptographic certificates that guarantee a given site REALLY DOES legitimately own a DNS name.  Use of certificates prevents the kind of attack proposed by the students.</p>
<p><strong>The certificate store must also &#8220;somehow be compromised&#8221;</strong></p>
<p>But this is no problem as far as the students are concerned.  They simply ask us to TURN OFF this defense as well.  In other words, we have to assist them by poisoning all of the safeguards that have been put in place to thwart their attack.  </p>
<p>Note that both safeguards need to be compromised at the same time.  Could such a compromise occur in the wild?  It is theoretically possible that through a rootkit or equivalent, an attacker could completely take over the user’s computer.  However, if this is the case, the attacker can control the web browser, see and alter everything on the user’s screen and on the computer as a whole, so there is no need to obtain the CardSpace token.</p>
<p>I think it is amazing that the Ruhr students describe their attack as successful when it does NOT provide a method for compromising EITHER DNS or the certificate store.  They say DNS might be taken over through a drive-by attack on a badly installed wireless home network.  But they provide no indication of how to simultaneously compromise the Root Certificate Store. </p>
<p>In summary, the students’ attack is theoretical.  They have not demonstrated the simultaneous compromise of the systems necessary for the attack to succeed.</p>
<p><strong>The user experience</strong></p>
<p>Because of the difficulty of compromising the root certificate store, let’s look at what would happen if only DNS were attacked.</p>
<p>Internet Explorer does a good job of informing the user that she is in danger and of advising her not to proceed. </p>
<p>First the user encounters the following screen, and has to select “Continue to the website (not recommended)”:</p>
<p><img border="1" width="424" src="http://www.identityblog.com/wp-content/images/2008/05/students1.jpg" height="319" /><br />
 <br />
If recalcitrant, the user next sees an ominous red band warning within the address bar and an unnaturally long delay:</p>
<p><img border="1" width="423" src="http://www.identityblog.com/wp-content/images/2008/05/students2.jpg" height="284" /></p>
<p>The combined attacks require a different yet coordinated malware delivery mechanism than a visit to the phishing site provides.  In other words, accomplishing two or more attacks simultaneously greatly reduces the likelihood of success.</p>
<p>The students’ paper proposes adding a false root certificate that will suppress the Internet Explorer warnings.  As is shown <a target="_blank" href="http://www.identityblog.com/wp-content/images/2008/05/Students/Students.html">in the video</a>, this requires meeting an impossibly higher bar.  The user must be tricked into importing a “root certificate”.  This by default doesn’t work – the system protects the user again by installing the false certificate in a store that will not deceive the browser.  Altering this behavior requires a complex manual override.</p>
<p>However, should all the planets involved in the attack align, the contents of the token are never visible to the attacker.  They are encrypted for the legitimate party, and no personally identifying information is disclosed by the system.  This is not made clear by the students&#8217; paper.</p>
<p><strong>What the attempt proves</strong> </p>
<p>The demonstrator shows that if you are willing to compromise enough parts of your system using <em>elevated access,</em> you can render your system attackable.   This aspect of the students’ attack is not noteworthy. </p>
<p>There is, however, one interesting aspect to their attack.  It doesn’t concern CardSpace, but rather the way intermittent web site behavior can be combined with DNS to confuse the browser.  The students’ paper proposes implementing a stronger “Same Origin Policy” to deal with this (and other) possible attacks.  I wish they had concentrated on this positive contribution rather than making claims that require suspension of disbelief. </p>
<p>The students propose a mechanism for associating Information Card tokens with a given SSL channel.   This idea would likely harden Information Card systems and is worth evaluating.</p>
<p>However, the students propose equipping browsers with end user certificates so the browsers would be authenticated, rather than the sites they are visiting.  This represents a significant privacy problem in that a single tracking key would be used at all the sites the user visits.  It also doesn’t solve the problem of knowing whether I am at a “good” site or not.  The problem here is that if duped, I might provide an illegitimate site with information which seriously damages me.</p>
<p>One of the most important observations that must be made is that security isn’t binary – there is no simple dichotomy between vulnerable and not-vulnerable.  Security derives from concentric circles of defense that act cumulatively and in such a way as to reinforce one another.  The title of the students&#8217; report misses this essential point.  We need to design our systems in light of the fact that any system is breachable.  That’s what we’ve attempted to do with CardSpace.  And that’s why there is an entire array of defenses which act together to provide a substantial and practical barrier against the kind of attack the students have attempted to achieve.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=987</wfw:commentRss>
		</item>
		<item>
		<title>More on distributed query</title>
		<link>http://www.identityblog.com/?p=986</link>
		<comments>http://www.identityblog.com/?p=986#comments</comments>
		<pubDate>Fri, 16 May 2008 04:28:08 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Federation]]></category>

		<category><![CDATA[Identity Metasystem]]></category>

		<category><![CDATA[Metadirectory]]></category>

		<category><![CDATA[Virtual Directory]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=986</guid>
		<description><![CDATA[Neil says the issue is not with the language you use to perform the query but where the data is located]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.vquill.com">Dave Kearns</a> responded to my <a href="http://www.identityblog.com/?p=983">post on the Identity Bus</a> with <a href="http://www.vquill.com/2008/05/getting-more-violent-all-time.html">Getting More Violent All the Time</a> (note to the <a href="http://www.mpaa.org/Ratings_HowRated.asp">Rating Board</a>: he&#8217;s talking about violent agreement&#8230; which is really rough):</p>
<blockquote><p>What Kim fails to note&#8230; is that a well designed virtual directory (see Radiant Logic&#8217;s offering, for example) will allow you to do a SQL query to the virtual tables! You get the best of both: up to date data (today&#8217;s new hires and purchases included) with the speed of an SQL join. And all without having to replicate or synchronize the data. I&#8217;m happy, the application is happy - and Kim should be happy too. We are in violent agreement about what the process should look like at the 40,000 foot level and only disagree about the size and shape of the paths - or, more likely, whether they should be concrete or asphalt.</p></blockquote>
<p><a href="http://www.mwdadvisors.com/about/profiles.php">Neil Macehiter</a> answers by making an important distinction that I didn&#8217;t emphasize enough:</p>
<blockquote><p>But the issue is not with the language you use to perform the query: it&#8217;s where the data is located. If you have data in separate physical databases then it&#8217;s necessary to pull the data from the separate sources and join them locally. So, in Kim&#8217;s example, if you have 5000 employees and have sold 10000 computers then you need to pull down the 15000 records over the network and perform the join locally (unless you have an incredibly smart distributed query optimiser which works across heterogeneous data stores). This is going to be more expensive than if the computer order and employee data are colocated.</p></blockquote>
<p><a href="http://blogs.oracle.com/clayton/newsItems/viewFullItem$32">Clayton Donley</a>, who is the Senior Director of Development for Oracle Identity Management, understands exactly what I&#8217;m trying to get at and puts it well <a href="http://blogs.oracle.com/clayton/newsItems/viewFullItem$32">in this piece</a>:</p>
<blockquote><p>Dave Kearns has <a href="http://vquill.com/2008/05/getting-more-violent-all-time.html">followed up</a> on <a href="http://www.identityblog.com/?p=983">Kim Cameron&#8217;s posting</a> from Friday.</p>
<ol>
<li>Kim says that sometimes you need to copy data in order to join it with other data</li>
<li>Dave says the same thing, except indicates that you wouldn&#8217;t copy the data but just use &#8220;certain virtual directory functionality&#8221;</li>
</ol>
<p>Actually, in #2, that functionality would likely be <strong>persistent cache</strong>, which if you look under the covers is <strong>exactly the same</strong> as a meta-directory in that it will copy data locally. In fact, the data may even be stored (again!) in a relational database (SQLServer in the Radiant Logic example he provides).</p>
<p>Let&#8217;s use laser focus and only look at Kim&#8217;s example of joining <em>purchase orders</em> with <em>user identity</em>.</p>
<p>Let&#8217;s face it. Most applications aren&#8217;t designed to go to one database when you&#8217;re dealing solely with transactional data and another database when you&#8217;re dealing with a combination of transactional data and identities.</p>
<p>If we model this through the virtual directory and indicate that every time an application joins purchase orders and identities that it does so (even via SQL instead of LDAP) through the virtual directory, you&#8217;ve now said the following:</p>
<ol>
<li>You&#8217;re okay with re-modelling all of these data relationships in a virtual directory &#8212; even those representing purchase order information.</li>
<li>You&#8217;re okay with moving a lot of identity AND transactional information into a virtual directory&#8217;s local database.</li>
<li>You&#8217;re okay with making this environment scalable and available for those applications.</li>
</ol>
<p>Unfortunately, this doesn&#8217;t really hold up. There are a lot more issues, but even after just these first three (or even the first one) you begin to realize that while virtual directory makes sense for identity, it may not make sense as the ONLY way to get identity. I think the same thing goes for an identity hub that ONLY thinks in terms of virtualization.</p>
<p>The real solution here is a combination of virtualization with more standardized publish/subscribe for delivery of changes. This gets us away from this ad-hoc change discovery that makes meta-directories miserable, while ensuring that the data gets where it needs to go for transactions within an application.</p></blockquote>
<p>I discourage people from thinking that metadirectory implies &#8220;ad-hoc change discovery&#8221;.  That&#8217;s a defect of various metadirectory implementations, not a characteristic of the technology or architecture.  As soon as applications understand they are PART OF a wider distributed fabric, they could propagate changes using a publication pattern that retains the closed-loop verification of self-converging metadirectory.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=986</wfw:commentRss>
		</item>
		<item>
		<title>Internet as extension of mind</title>
		<link>http://www.identityblog.com/?p=985</link>
		<comments>http://www.identityblog.com/?p=985#comments</comments>
		<pubDate>Thu, 15 May 2008 23:27:27 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Digital Identity]]></category>

		<category><![CDATA[Identity]]></category>

		<category><![CDATA[Metadirectory]]></category>

		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=985</guid>
		<description><![CDATA[Protecting the private space that makes each of us unique...]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" href="http://xri.net/=rj">Ryan Janssen</a> at <em><a href="http://www.drstarcat.com">drstarcat.com</a></em> published <a href="http://drstarcat.com/archives/52">an interview</a> recently that led me to think back over the various phases of my work on identity.  I generally fear boring people with the details, but Ryan explored some things that are very important to me, and I appreciate it. </p>
<p>After talking about some of the identity problems of the enterprise, he puts forward a description of metadirectory that I found interesting because it starts from current concepts like claims rather than the vocabulary of X.500: </p>
<blockquote><p>&#8230;. Kim and the ZOOMIT team came up with the concept of a “metadirectory”. Metadirectory software essentially tries to find correlation handles (like a name or email) across the many heterogeneous software environments in an enterprise, so network admins can determine who has access to what. Once this is done, it then takes the heterogeneous claims and transforms them into a kind of claim the metadirectory can understand. The network admin can then use the metadirectory to assign and remove access from a single place. </p>
<p>Zoomit released their commercial metadirectory software (called “VIA&#8221;) in 1996 and proceeded to clean the clock of larger competitors like IBM for the next few years until Microsoft acquired the company in the summer of 1999. Now anyone who is currently involved in the modern identity movement and the issues of “data portability” that surround it has to be feeling a sense of deja vu because these are EXACTLY the same problems that we are now trying to solve on the internet—only THIS time we are trying to take control of our OWN claims that are spread across innumerable heterogeneous systems that have no way to communicate with each other. Kim’s been working on this problem for SIXTEEN years—take note!</p></blockquote>
<p>Yikes.  Time flies when you&#8217;re having fun.</p>
<blockquote><p>When I asked Kim what his single biggest realization about Identity in the 16 years since he started working on it was, he was slow to answer, but definitive when he did—privacy. You see, Kim is a philosopher as well as a technologist. He sees information technology (and the Internet in particular) as a social extension of the human mind. He also understands that the decisions we make as technologists have unintended as well as intended consequences. Now creating technology that enables a network administrator to understand who we are across all of a company’s systems is one thing, but creating technology that allows someone to understand who we are across the internet, particularly as more and more of who we are as humans is stored there, and particularly if that someone isn’t US or someone we WANT to have that complete view, is an entirely other problem.</p>
<p>Kim has consistently been one the strongest advocates for obscuring ANY correlation handles that would allow ANY Identity Provider or Relying Party to have a more complete view of us than we explicitly give them. Some have criticized his concerns as overly cautious in a world where “privacy is dead”. When you think of your virtual self as an extension of your personal self though, and you realize that the line between the two is becoming increasingly obscured, you realize that if we lose privacy on the internet, we, in a very real sense, lose something that is essentially human. I’m not talking about the ability to hide our pasts or to pretend to be something we’re not (though we certainly will lose that). What we lose is that private space that makes each of us unique. It’s the space where we create. It’s the space that continues to ensure that we don’t all collapse into one.</p></blockquote>
<p>Yes, it is the space on which and through which Civilization has been built.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=985</wfw:commentRss>
		</item>
		<item>
		<title>Out-manned and out-gunned</title>
		<link>http://www.identityblog.com/?p=984</link>
		<comments>http://www.identityblog.com/?p=984#comments</comments>
		<pubDate>Thu, 15 May 2008 22:18:49 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Attacks]]></category>

		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=984</guid>
		<description><![CDATA[Shouldn't we assume the botnet can be compromised too?]]></description>
			<content:encoded><![CDATA[<p><a href="http://idlogger.wordpress.com/2008/05/13/out-manned-and-out-gunned/">Jeff Bohren</a> draws our attention to <a href="http://arstechnica.com/news.ars/post/20080512-preparing-for-cyber-warfare-us-air-force-floats-botnet-plan.html">this article</a> on Cyber Offence research being done by the US Air Force Cyber Command (AFCYBER).  The article says:</p>
<blockquote><p><em>&#8230;Williamson makes a pretty decent case for the military botnet; his points are especially strong when he describes the inevitable failure of a purely defensive posture. Williamson argues that, like every fortress down through history that has eventually fallen to a determined invader, America’s cyber defenses can never be strong enough to ward off all attacks. </em></p>
<p><em>And here, Williamson is on solid infosec ground: it’s a truism in security circles that any electronic “fortress” that you build, whether it’s intended to protect media files from unauthorized viewers or financial data from thieves, can eventually be breached with enough collective effort.</em></p>
<p><em>Given that cyber defenses are doomed to failure, Williamson argues that we need a credible cyber offensive capability to act as a deterrent against foreign attackers. I have a hard time disagreeing with this, but I’m still very uncomfortable with it, partly because it involves using civilian infrastructure for military ends&#8230;</em></p></blockquote>
<p>Jeff then comments:</p>
<blockquote><p>The idea (as I understand it) is to use military owned computers to launch a botnet attack as a retaliation against an attack by an enemy.</p>
<p>In this field of battle I fear the AFCYBER is both out-manned and out-gunned. The AF are the go-to guys if you absolutely, positively need something blown up tomorrow. But a DDoS attack? Without compromising civilian hardware, the AF likely couldn’t muster enough machines. Additionally the network locations of the machines they could muster could be easily predicted before the start of any cyber war.</p>
<p>There is an interesting alternative if anyone from AFCYBER is reading this. How about a volunteer botnet force? Civilians could volunteer to download an application that would allow their computer to be used in an AFCYBER controlled botnet in time of a cyber war. Obviously securing this so that it couldn’t be hijacked is a formidable technical challenge, but it’s not insurmountable.</p></blockquote>
<p>If the reason for having a botnet is that we should assume every system can be compromised, don&#8217;t we HAVE TO assume the botnet can be compromised too?   Once we say &#8220;the problem is not insurmountable&#8221; we have turned our back on the presuppositions that led to the botnet in the first place.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=984</wfw:commentRss>
		</item>
		<item>
		<title>Talking about the Identity Bus</title>
		<link>http://www.identityblog.com/?p=983</link>
		<comments>http://www.identityblog.com/?p=983#comments</comments>
		<pubDate>Sun, 11 May 2008 00:15:32 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Cloud]]></category>

		<category><![CDATA[Identity Metasystem]]></category>

		<category><![CDATA[Metadirectory]]></category>

		<category><![CDATA[Platforms]]></category>

		<category><![CDATA[Virtual Directory]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=983</guid>
		<description><![CDATA[Application developers see the world of query differently than infrastructure architects...]]></description>
			<content:encoded><![CDATA[<p>During the <a href="http://www.kuppingercole.com/events/eic2008">Second European Identity Conference</a>, Kuppinger-Cole did a number of interviews with conference speakers. You can see these on the <a href="http://www.youtube.com/profile_videos?user=kuppingercole&amp;p=r">Kuppingercole channel</a> at YouTube.</p>
<p><a href="http://vquill.com/">Dave Kearns</a>, <a href="http://jacksonshaw.blogspot.com/">Jackson Shaw</a>, <a href="http://daleolds.com/">Dale Olds</a> and myself <a href="http://www.id-conf.com/blog/2008/05/02/interviews/">had a good old time</a> talking with <a href="http://blogs.kuppingercole.com/gaehtgens/">Felix Gaehtgens</a> about the “identity bus”.  I had a real &#8220;aha&#8221; during the interview while I was talking with Dave about why synchronization and replication are an important part of the bus.  I realized part of the disconnect we&#8217;ve been having derives from the differing &#8220;big problems&#8221; each of us finds ourselves confronted with.</p>
<p><a href="http://www.id-conf.com/blog/2008/05/02/interviews/"><img src="http://www.identityblog.com/wp-content/images/2008/05/felix.jpg" /></a></p>
<p>As infrastructure people, one of our main goals is to get over our &#8220;information chaos&#8221; headaches&#8230;  These have become even worse as the requirements of audit and compliance have matured.  Storing information in one authoritative place (and one only) seems to be a way to get around these problems.  We can then retrieve the information through web service queries and drastically reduce complexity&#8230;</p>
<p>What does this worldview make of application developers who don&#8217;t want to make their queries across the network?   Well, there must be something wrong with them&#8230;  They aren&#8217;t hip to good computing practices&#8230;  Eventually they will understand the error of their ways and &#8220;come around&#8221;&#8230;</p>
<p>But the truth is that the world of query looks different from the point of view of an application developer. </p>
<p>Let&#8217;s suppose an application wants to know the name corresponding to an email address.  It can issue a query to a remote web service or LDAP directory and get an answer back immediately.  All is well and accords with our ideal view.</p>
<p>But the questions application developers want to answer aren&#8217;t always of the simple &#8220;do a remote search in one place&#8221; variety.</p>
<p>Sometimes an application needs to do complex searches involving information &#8220;mastered&#8221; in multiple locations.   I&#8217;ll make up a very simple &#8220;two location&#8221; example to demonstrate the issue:  </p>
<blockquote><p>&#8220;What purchases of computers were made by employees who have been at the company for less than two years?&#8221;</p></blockquote>
<p>Here we have to query &#8220;all the purchases of computers&#8221; from the purchasing system, and &#8220;all employees hired within the last two years&#8221; from the HR system, and find the intersection.</p>
<p>Although the intersection might only represent a few records, performing this query remotely and bringing down each result set is very expensive.  No doubt many computers have been purchased in a large company, and a lot of people are likely to have been hired in the last two years.  If an application has to perform this type of query with great efficiency and within a controlled response time, the remote query approach of retrieving all the information from many systems and working out the intersection may be totally impractical.</p>
<p>Compare this to what happens if all the information necessary to respond to a query is present locally in a single database.  I just do a &#8220;join&#8221; across the tables, and the SQL engine understands exactly how to optimize the query so the result involves little computing power and &#8220;even less time&#8221;.  Indexes are used and distributions of values well understood: many thousands of really smart people have been working on these optimizations in many companies for the last 40 years.</p>
<p>So, to summarize, distributed databases (or queries done through distributed services) are not appropriate for <strong>all purposes</strong>. Doing certain queries in a distributed fashion works, while in other cases it leads to unacceptable performance.</p>
<p>The result is that many application developers &#8220;don&#8217;t want to go there&#8221; - at least some of the time.  Yet their applications must be part of the identity fabric.  That is why the identity metasystem <em>has to include application databases populated through synchronization and business rules.</em></p>
<p>On another note, I recommend the interview with <a href="http://www.youtube.com/watch?v=3xqCGa6i6hs">Dave Kearns on the importance of context to identity.</a> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=983</wfw:commentRss>
		</item>
		<item>
		<title>Satisfaction Guaranteed?</title>
		<link>http://www.identityblog.com/?p=982</link>
		<comments>http://www.identityblog.com/?p=982#comments</comments>
		<pubDate>Fri, 09 May 2008 17:58:40 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Fraud]]></category>

		<category><![CDATA[Minimal Disclosure]]></category>

		<category><![CDATA[Phishing]]></category>

		<category><![CDATA[Spoofing]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=982</guid>
		<description><![CDATA[Francois' investigations led him to a cache of top-quality data with "a higher price than usual"...]]></description>
			<content:encoded><![CDATA[<p>Francois Paget, an investigator at <a href="http://www.avertlabs.com/research/blog/">McAfee Avert Labs</a>, has <a href="http://www.avertlabs.com/research/blog/index.php/2008/05/07/you-have-to-pay-for-quality/">posted a detailed report </a>on a site that gives us insight into the emerging international market for identity information.   He writes:</p>
<blockquote><p>Last Friday morning in France, my investigations led me to visit a site proposing top-quality data for a higher price than usual. But when we look at this data we understand that, as everywhere, you have to pay for quality. The first offer concerned bank logons. As you can see in the following screenshot, pricing depends on available balance, bank organization and country. Additional information such as PIN and Transfer Passphrase is also given when necessary:</p>
<p><img src="http://www.identityblog.com/wp-content/images/2008/05/francois-1" alt="null" /></p>
<p>For such prices, the seller offers some guarantees. For example, the purchase is covered by replacement if you are unable, within 24 hours, to log into the account using the provided details.</p>
<p>The selling site also proposes US, Austrian and Spanish credit cards with full information&#8230;</p>
<p>It is also possible to purchase skimmers (for ATM machines) and “dump tracks” to create fake credit cards. Here too, cost is in line with the quality:</p>
<p><img src="http://www.identityblog.com/wp-content/images/2008/05/francois-2" alt="null" /></p>
<p>Many other offers are available like shop administrative area accesses (back end of an online store where all the customer details are stored – from Name, SSN, DOB, Address, Phone number to CC) or UK or Swiss Passport information:</p>
<p><img src="http://www.identityblog.com/wp-content/images/2008/05/francois-3" alt="null" /></p></blockquote>
<p>Read the rest of Francois&#8217; story <a href="http://www.avertlabs.com/research/blog/index.php/2008/05/07/you-have-to-pay-for-quality/">here</a>.  Beyond that, it&#8217;s well worth keeping up with the <a href="http://www.avertlabs.com/research/blog/">Avert Labs blog</a>, where every post reminds us that the future of the Internet depends on fundamentally increasing its security and privacy.   <small>[Note:  I slightly condensed Francois' graphics...]</small></p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=982</wfw:commentRss>
		</item>
		<item>
		<title>Fingerprint charade</title>
		<link>http://www.identityblog.com/?p=981</link>
		<comments>http://www.identityblog.com/?p=981#comments</comments>
		<pubDate>Thu, 01 May 2008 18:22:50 +0000</pubDate>
		<dc:creator>Kim Cameron</dc:creator>
		
		<category><![CDATA[Believe it or not]]></category>

		<category><![CDATA[Biometrics]]></category>

		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.identityblog.com/?p=981</guid>
		<description><![CDATA["In fact, it is so clear I am wondering whether you want to publish it..."]]></description>
			<content:encoded><![CDATA[<p>I got a new Toshiba Portege a few weeks ago, the first machine I&#8217;ve owned that came with a fingerprint sensor.   At first the system seemed to have been designed in a sensible way.  The fingerprint template is encrypted and stays local.  It is never released or stored in a remote database.  I decided to try it out - to experience what it &#8220;felt like&#8221;.</p>
<p>A couple of days later, I was at a conference and on stage under pretty bright lights.  Glancing down at my shiny new computer, I saw what looked unmistakably like a fingerprint on my laptop&#8217;s right mouse button.  Then it occurred to me that the fingerprint sensor was only a quarter of an inch from what seemed to be a perfect image of my fingerprint.  How secure is that?<br />
<img border="0" vspace="10" width="450" src="http://www.identityblog.com/wp-content/images/2008/04/toshiba_finger.jpg" hspace="10" height="318" /></p>
<p>A while later I ran into  <a href="http://virtualsoul.org/blog/">Dale Olds </a>from Novell.  Since Dale&#8217;s an amazing photographer, I asked if he would photograph the laptop to see if the fingerprint was actually usable.  Within a few seconds he took the picture above. </p>
<p>When Dale actually sent me the photo, he said,</p>
<blockquote><p>I have attached a slightly edited version of the photo that showed your fingerprint most clearly. In fact, it is so clear I am wondering whether you want to publish it. The original photos were in Olympus raw format. Please let me know if this version works for you.</p></blockquote>
<p>Eee Gads.  I opened up the photo in Paint and saw something along these lines:</p>
<p><img border="0" vspace="10" width="450" src="http://www.identityblog.com/wp-content/images/2008/04/finger_close.jpg" height="420" /></p>
<p>The gold blotch wasn&#8217;t actually there.  I added it as a kind of fig-leaf before posting it here, since it covers the very clearest part of the fingerprint. </p>
<p>The net of all of this was to drive home, yet again, just how silly it is to use a &#8220;public&#8221; secret as a proof of identity.  The fact that I can somehow &#8220;demonstrate knowledge&#8221; of a given fingerprint means nothing.  Identification is only possible by <em>physically verifying</em> that my finger embodies the fingerprint.  Without physical verification, what kind of a lock does the fingerprint reader provide?  A lock which conveniently offers every thief the key.</p>
<p>At first my mind boggled at the fact that Toshiba would supply mouse buttons that were such excellent fingerprint collection devices.  But then I realized that even if the fingerprint weren&#8217;t conveniently stored on the mouse button, it would be easy to find it somewhere on the laptop&#8217;s surface.</p>
<p>It hit me that in the age of digital photography, a properly motivated photographer could probably find fingerprints on all kinds of surfaces, and capture them as expertly as Dale did.  I realized it was no longer necessary to use special powder or inks or tape or whatever.  Fingerprints have become a thing of &#8220;sousveillance&#8221;.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.identityblog.com/?feed=rss2&amp;p=981</wfw:commentRss>
		</item>
	</channel>
</rss>
