Displaying InfoCards

Kapil Sachdeva, author of SmartCard Serenity, is an identity blogger from Axalto, which Gartner has called the world's leading supplier of microprocessor cards. These are innovative folks, who seemed to have no trouble at all putting full featured Java and .NET implementations into a credit card form factor… I find that sort of stuff amazing. So it will be interesting to see what they do with the Identity Metasystem.

Kapil has raised a couple of questions recently:

There is a nice blog from Andy Harjanto on the InfoCard System, so I do not want to explain the basic concepts here. He has done a great job describing, with some sample code, all the elements of the InfoCard system.

By the way, unfortunately for us (but fortunately for Andy) he's gone to the (metaphorical) beach for a few weeks… He wanted to stay and work, of course, but what could he do? Anyway, Kapil continues:

I was recently playing with the Avalon and Indigo BETA SDK to see the InfoCard system in action. There is something which may be confusing (seems like today I am going to talk only about confusions 🙂 ) to some people. With Indigo comes a Windows service called Microsoft Digital Identity service (InfoCard system) which displays a GUI where you could create sets of attributes. These sets are called “Cards”. A lot of people will take these to be “InfoCards”.

Yes, the user is really editing a set of claims forming a self-asserted digital identity that is then represented by an associated InfoCard. Our naming isn't clear enough yet.

Kapil continues:

An InfoCard is just metadata which says what authentication mechanism is to be used at the STS, what the supported claims at the STS are, etc. It does not contain the data or attributes about the user.

This is exactly right.

The Microsoft InfoCard 1.0 Beta 1 GUI displays the digital identities of the user and not the InfoCards. I wish there were a better word MSFT could use for these sets of attributes instead of “Cards”, to avoid possible confusion.

Well, the question is, does the user have to know about the metadata connecting the InfoCard to the Identity Provider? I don't think so. Therefore we “dereference” the metadata and show the underlying identity information. Developers might find this confusing at first, but what do developers like better than a level of indirection????

Here's our thinking. The InfoCards contain “metadata” just as Kapil says. But when a user looks at an InfoCard, we don't show her the metadata (which would be meaningless to her). Instead, we use the metadata to procure a token, and show the information the identity provider is capable of releasing (in other words the set of claims that go along with that identity).

The user experience is that when they examine the InfoCard they see the contents of the token it is capable of releasing (expressed as a set of attributes).

In the case of self-asserted InfoCards, not only can the user see the related attributes – she can also edit those attributes.

Those who understand the details of the technology will know that the InfoCard is itself metadata, and the user is really examining and even editing the set of claims pointed to by the InfoCard. In the old ‘C’ days we would have said:

userView = *InfoCard;

Does this help?
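To make the “dereference” idea concrete, here is an added example (not code from the post, the InfoCard SDK or Axalto) that models a card as pure metadata and a claim store standing in for the identity provider's STS. Every class and field name in it is invented for illustration; the two cards, the claim values and the endpoint strings are constructed sample data. It shows three things the post asserts: the card holds no user attributes, the UI view is whatever token the provider releases for that card, and editing is only possible when the provider is the user herself.

```python
"""Model of the InfoCard-as-pointer idea: userView = *InfoCard.

Added illustration; not the InfoCard implementation. All names are assumed.
"""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class InfoCard:
    """The card itself: metadata only. Deliberately no field holds user data."""
    card_id: str
    issuer: str                 # who runs the STS ("self" for self-asserted cards)
    sts_endpoint: str           # where a token is requested
    auth_mechanism: str         # how the user authenticates to the STS
    supported_claims: tuple     # claim types the STS is willing to release


class ClaimStore:
    """Stand-in for an identity provider's STS: holds claims and issues tokens.

    A self-asserted card's store lives with the user and is editable; a managed
    card's store belongs to the third-party provider and is read-only here.
    """
    def __init__(self, editable, claims):
        self.editable = editable
        self._claims = dict(claims)

    def issue_token(self, card):
        # Release only the claim types the card metadata advertises.
        return {k: v for k, v in self._claims.items() if k in card.supported_claims}

    def update(self, card, claim, value):
        if not self.editable:
            raise PermissionError(f"claims behind {card.card_id} are asserted by {card.issuer}")
        if claim not in card.supported_claims:
            raise KeyError(claim)
        self._claims[claim] = value


def view_card(card, providers):
    """What the UI shows: the dereferenced claims, never the metadata."""
    return providers[card.sts_endpoint].issue_token(card)


def edit_card(card, providers, claim, value):
    """Editing goes through the provider; succeeds only for self-asserted cards."""
    store = providers[card.sts_endpoint]
    store.update(card, claim, value)
    return store.issue_token(card)


def card_leaks_claims(card, token):
    """True if any released claim value is literally present in the card metadata."""
    metadata_values = {str(getattr(card, f.name)) for f in fields(card)}
    return any(str(v) in metadata_values for v in token.values())


def build_sample():
    """Constructed sample: one self-asserted card, one managed card (assumed names)."""
    self_card = InfoCard("card-1", "self", "local://self-issued", "none",
                         ("givenname", "emailaddress"))
    managed_card = InfoCard("card-2", "example-bank", "https://sts.example-bank.invalid/issue",
                            "smartcard", ("surname", "accountstatus"))
    providers = {
        self_card.sts_endpoint: ClaimStore(True, {
            "givenname": "Alice", "emailaddress": "alice@example.invalid", "surname": "Doe"}),
        managed_card.sts_endpoint: ClaimStore(False, {
            "surname": "Doe", "accountstatus": "good", "balance": "1234"}),  # balance never released
    }
    return self_card, managed_card, providers


if __name__ == "__main__":
    sc, mc, p = build_sample()
    print("self-asserted view:", view_card(sc, p))
    print("managed view:", view_card(mc, p))
    print("after edit:", edit_card(sc, p, "givenname", "Alicia"))
    print("card leaks claims?", card_leaks_claims(sc, view_card(sc, p)))
```

Note that the managed store holds a `balance` claim the card never advertises, so the view never shows it: the card's `supported_claims` list is what bounds disclosure, which is the minimal-disclosure property the later sections of this page keep returning to.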

The Leaky Corporation

Here's an article from The Economist that nicely captures the sea change around data protection. It posits that safeguarding of identity assets has become “a business issue” on the “corporate agenda” rather than simply an aspect of IT operations…

IT NEVER rains but it pours. Just as bosses and boards had finally sorted out their worst accounting and compliance troubles, and beefed up their feeble corporate governance, a new problem threatens to earn them—especially in America—the sort of nasty headlines that inevitably lead to heads rolling in the executive suite: data insecurity. Left, until now, to geeky, low-level IT staff to put right, and seen as a concern only of data-rich industries such as banking, telecoms and air travel, information protection is now high on the boss's agenda in businesses of every variety.

Bosses, according to the piece, need to put risk-management processes in place:

“Boards should pay as much attention to these IT operational risks as they do to other operational risks in the firm,” argues George Westerman of the MIT Sloan School of Management. After all, boards have audit committees and compensation committees. It may be time for a data-protection committee, he argues. Bosses must ensure that there are effective data risk-management processes in place, be aware of their greatest vulnerabilities and promote a corporate culture that acknowledges data risks rather than hides them.

But there is a catch:

… the problem is often a lack of understanding by senior managers not just of technology but of business processes, says Thomas Parenty, author of “Digital Defense: What You Should Know About Protecting Your Company's Assets (Harvard Business School Press, 2003). “No one in the organisation bothers to look at the value of what data they hold, the consequences if something bad happens to it, and the appropriate mechanisms to prevent that from happening,” he says.

The bottom line seems to be litigation:

Many of the worst recent data leakages resulted from failure of the most basic kind. The data-processing firm that suffered the breach that exposed 40m credit-card accounts was not in compliance with the security standards of Visa and MasterCard—which may now find themselves liable for negligence. If nothing else gets bosses to focus on data security, surely the prospect of ending up in court will.

I'll be curious to see how you put a price tag on an information catastrophe.

The Belgian Identity Crucible

A picture named joeri While visiting Belgium on my recent trip, I met Joeri. At fifteen he's already a for-real identity person, thinking about identity issues and what they will mean for computing. In this picture he's wearing a “Code is Poetry” tee shirt, and I'm presenting him with some backpack gear that he won as part of an international contest.

Believe it or not, he's been working on the redesign of a website for sick children based on strong identities.

When my Belgian colleague Peter Vander Auwera first met Joery, he found himself facing questions about whether Belgian ID Cards were based on version 3 X.509 certificates, and what extensions they supported.

Joeri came to see a presentation I gave on the Laws of Identity at a very successful Belgian eID conference organized by Peter (and thought the laws were “excellent”). The conference included presentations of many actual working systems for obtaining government services based on the Belgian smart card.

It is interesting to see how different the Belgian system is from the proposed British system. First of all, in keeping with the first law, the use of government smart cards in establishing digital identity is optional and under the control of the person described. Secondly, most municipalities seem to be giving it out for free. Third, they contain only a very small number of attributes – the same ones Belgians have always had on their identity cards. Fourth, there are no biometrics. Fifth, there is no intention of restructuring all citizen data into a pan-sectoral database ripe for information leakage. So Belgian cards are not only dramatically more “moderate”, but they are incremental in the sense that they are part of an established tradition of identification. About 800,000 smart cards have been distributed to date.

Having real cards in circulation is having the effect of making people think deeply about what they want to accomplish. The people I met seem to like the idea of using the cards to obtain “two factor” authentication, but don't want all aspects of their identities (formal and informal roles, for example) mixed and conflated with their official government personal identity.

For example, does a government official sign government documents using his or her personal identity? I've always assumed so. But the government officials I met didn't like the idea one bit. They were prepared to use their eID to authenticate to a government system, but were looking for ways to do their electronic signatures using credentials that expressed their role, not their identity as an individual. The same concepts came up repeatedly as I listened to what people were hoping to achieve in other aspects of life.

There seems to be a lot of interest in how the card can be combined with web services in order to heighten privacy. Belgium is a country we should all be watching very closely to learn about identity issues.

No horns or tails (at least during daylight hours)

A friend pinged me to point out this amusing posting from the very likeable Robin Wilton on what it actually feels like as we learn to “get over” the previous fracturing around identity infrastructure…

Well, without any great fuss or fanfare, I’ve had a couple of ‘firsts’ in the last few days.

Last Thursday I met Kim Cameron for the first time, along with Caspar Bowden and Jerry Fishenden, and we had a very engaging chat about identity, liberty (with and without a capital L ;^), privacy and related matters. Many thanks to Jerry, Microsoft’s UK National Technology Officer, for hosting that one.

And yesterday I had my first visit to Microsoft’s UK campus at Thames Valley Park. In the interests of ‘breaking them in gently’, I felt I had to wear my “Sun Java Web Services” shirt. Well, I think they are going to need to get used to seeing a Sun logo onsite a lot more than it would have been in the past! And no, the shirt did not spontaneously ignite as I walked through the badge-locked doors…

And on the ‘flammability’ theme, I have to report that our hosts didn’t have horns, tails or little pointy forks. In fact, we had a very positive and relaxed meeting and made huge progress. Thanks this time to Gary Kelly for hosting us and making us feel extremely welcome. I genuinely look forward to working with you and your colleagues over the coming months…

I probably should have handed this in at reception on the way out, but under the circumstances it seemed a good souvenir!

badge

ID Cards – UK's high tech scheme under the microscope

People who've followed this blog for a while know that I'm very interested in the debate around government issued ID cards currently taking place in Britain. Like Americans, Britons aren't used to compulsory ID cards. The proposed British scheme is based on a single universal identifier used across all government contexts and possibly across commercial applications as well. It is tied to a central database and audit log intended to track all uses of citizen identity information. And the scheme would concentrate a great deal of information – including biometric data – in a single place, and then make it widely available to government employees and systems.

These factors taken together have already resulted in significant criticism, skepticism and frustration. The famous London School of Economics has recently produced the final version of a study by 100 of the country's top academics and experts. Those interested in identity issues will likely want to take a good long look at it. The report is hard hitting. It's well written. And it makes a number of technical points with great clarity. Don't miss it.

Some have been critical of the LSE report for being too “engaged”. That's because it attempts to estimate the cost of deployment of the government proposal. The authors claim British citizens will need to shell out 300 to 500 American dollars each for the compulsory ID cards and passports – a tax holiday in reverse!

Whatever the price tag turns out to be, there is no doubt that it would have been infinitely better to define a system which made people feel secure about the privacy of their identity information.

Here's how the LSE describes its report:

The likely cost of rolling out the UK government's current high-tech identity cards scheme will be £10.6 billion on the ‘low cost’ estimate of researchers at the London School of Economics and Political Science (LSE), without any cost over-runs or implementation problems. Key uncertainties over how citizens will behave and how the scheme will work out in practice mean that the ‘high cost’ estimate could go up to £19.2 billion. A median figure for this range is £14.5 billion.

If all the costs associated with ID cards were borne by citizens (as Treasury rules currently require), the cost per card (plus passport) would be around £170 on the lowest cost basis and £230 on the median estimate…

The LSE report The Identity Project: an assessment of the UK Identity Cards Bill and its implications is published today (27 June) after a six month study guided by a steering group of 14 professors and involving extensive consultations with nearly 100 industry representatives, experts and researchers from the UK and around the world. The project was co-ordinated by the Department of Information Systems at LSE.

The LSE report concludes that an ID card system could offer some basic public interest and commercial sector benefits. But it also identifies six other key areas of concern with the government's existing plans:

  • Multiple purposes Evidence from other national identity systems shows that they perform best when established for clear and focused purposes. The UK scheme has multiple rather general rationales, suggesting that it has been ‘gold-plated’ to justify the high tech scheme. For example, the government estimates that identity fraud crimes may cost up to £1.3 billion a year, but only £35 million of this amount can be addressed by an ID card.
  • Will the technology work? No scheme on this scale has been undertaken anywhere in the world. Smaller and less ambitious schemes have encountered substantial technological and operational problems that are likely to be amplified in a large-scale national system. The use of biometrics creates particular concerns, because this technology has never been used at such a scale.
  • Is it legal? In its current form, the Identity Cards Bill appears to be unsafe in law. A number of elements potentially compromise Article 8 (privacy) and Article 14 (discrimination) of the European Convention on Human Rights. The government may also be in breach of law by requiring fingerprints as a pre-requisite for receipt of a passport. The report finds no clear case why the ID card requirements should be bound to internationally recognized requirements on passport documents.
  • Security The National Data Register will create a very large data pool in one place that could be an enhanced risk in case of unauthorized accesses, hacking or malfunctions.
  • Citizens’ acceptance An identity system that is well-accepted by citizens is likely to be far more successful in use than one that is controversial or raises privacy concerns. For example, it will be critical for realizing public value that citizens want to carry their ID cards with them and to use them in a wide range of settings.
  • Will ID cards benefit businesses? Compliance with the terms of the ID cards Bill will mean even small firms are likely to have to pay £250 for smartcard readers and other requirements will add to the administrative burdens firms face.

The LSE report concurs with 79 out of the 85 recommendations made by the House of Commons Home Affairs Committee in its report on the draft Identity Cards Bill. Following up suggestions there and coming from industry and academic experts, the LSE team also set out an alternative ID card scheme that would still incorporate biometrics, but would be simpler to implement and radically cheaper. The LSE alternative ID card would also give citizens far more control over who can access data about them, and hence would be more likely to win positive public and industry support.

Dr Gus Hosein, a fellow in the Department of Information Systems at LSE, said : ‘We have proposed an alternative model that we believe to be cheaper, more secure and more effective than the current government proposal. It is important that Parliament gets the chance to consider a range of possible models before the ID Cards Bill is passed. Even if government figures were correct, the costs of the government scheme are disproportionately higher than the scheme's ability to protect the UK from crime, fraud or terrorism.’

Professor Patrick Dunleavy, Professor of Political Science and Public Policy at LSE, said: ‘This report is not an argument for or against ID cards, but an impartial effort to improve the evidence base available to Parliament and the public. The Home Office currently officially suggests that ID cards will cost around £6 billion to implement over ten years, but it has not yet justified this estimate in detail. By contrast, we recognize considerable uncertainties ahead with such a novel, high tech scheme and we show how these uncertainties might affect costings.’

To download the executive summary, see http://is.lse.ac.uk/idcard/identitysummary.pdf
To download the full report (approx 300 pages), see http://is.lse.ac.uk/idcard/identityreport.pdf

I'm still travelling in Europe and too jet-lagged to comment as fully as might otherwise be the case. Stefan Brands, a cryptographer specializing in privacy who has contributed ideas to the report (and to this blog), pulls out key points here, here, here and, of course, here.

The red herring of data protection

OK. Just when I thought I was on top of Eric's new posting regimen, he has to publish this – not on ping, this time, but on cnet!

The numbers have been staggering: 145,000; 13.9 million; 40 million.

A picture named eric.jpg

I'm speaking, of course, about the recent rash of data loss–the innocuous term for millions of accounts containing personal data being exposed to the wrong eyes. Whether it's MasterCard, ChoicePoint, LexisNexis, Bank of America, Wachovia, Stanford University or the University of California at Berkeley, the rapid expansion of this problem is stunning.

The reasons for the data loss are all over the map, ranging from physical tapes lost in transit, to hackers, and even malicious insiders. And of course, there is always the ever-present bogey of bad network security practices.

We're told the solution is to embrace better network security, better encryption, better corporate safeguards and better “data protection.” Of course, all of these proffered solutions are a bit specious, since they're always accompanied by the corporate lawyer caveat: “We cannot guarantee that this won't happen again.”

All of this will ultimately result in some bloated piece of federal legislation around data privacy and protection that will impose new restrictions on corporate security practices and result in a wave of new spending on IT solutions to help solve that problem. But will we have solved it, really?

I don't think so.

This isn't really a question of data loss, data protection or data safeguarding. That, my friends, is a red herring. The real question is why corporations need to store all of this personal data in the first place. Why does my credit card company need to store my social security number? Why does Amazon need to store my credit card number? Why shouldn't every company store only what I tell them they can store? And why shouldn't the data that they store be as little as they possibly need to conduct business?


Possible future directions
Federated identity is an infrastructure that makes security follow the transaction. It does this by making the identity associated with the transaction “portable” across heterogeneous security domains. The identity metasystem is a newer concept, one that bubbled forth from community conversations around Kim Cameron's Web log.

In brief, the identity metasystem is a conceptual backplane that would allow individuals to have control over which attributes or claims are presented and stored about them. This could be anything from a birthday to a credit card number to a favorite color. What we're really talking about is a framework for individual control and presentation of identity data. Taken together, federated identity (the infrastructure) and the identity metasystem (the control and presentation) would give individuals control over their digital identity in ways that have so far eluded them.

When I buy something from Amazon, it asks for, receives and stores my credit card number. In a future of federated identity and the identity metasystem, I would grant permission to seek a one-time use of my credit card. This permission could be presented to my credit card company, which could then charge my account. Amazon would no longer have a need to store (or even see) my credit card number.

This future would be a lot closer to a web of electronic commerce that protected both customers and companies. We would have actually moved toward solving the problems around personal data. In the meantime, however, we'll still hear a lot about data protection, corporate safeguards and legislative initiatives.

biography
Eric Norlin is vice president of corporate marketing at Ping Identity, a company focused on identity management.
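Eric's Amazon scenario can be sketched as a small protocol, and doing so shows what the card company has to check for “one-time use” to mean anything. The following is an added example, not Ping Identity's code and not any real payment network's protocol: the user's agent signs a permission (merchant, spending cap, nonce, expiry) with a key it shares with the card issuer, the merchant forwards that permission with the charge, and the issuer verifies it and refuses replays. The class names, the HMAC-based shared-secret setup and the sample account data are all assumptions made for the illustration.

```python
"""One-time-use payment permission: the merchant never sees the card number.

Added sketch; names, key setup and message format are invented for illustration.
"""
import hashlib
import hmac
import json
import secrets


def _canonical(body):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class UserAgent:
    """The customer's side: holds a key shared with the card issuer at enrollment."""
    def __init__(self, account_id, key):
        self.account_id = account_id
        self._key = key

    def grant(self, merchant_id, max_amount_cents, ttl_seconds, now):
        """Build a permission bound to one merchant, one spending cap and one nonce."""
        body = {
            "account": self.account_id,
            "merchant": merchant_id,
            "max": max_amount_cents,
            "nonce": secrets.token_hex(16),   # makes each permission single-use
            "exp": now + ttl_seconds,
        }
        tag = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class CardIssuer:
    """The card company: the only party that holds card numbers."""
    def __init__(self):
        self._keys = {}      # account_id -> shared key
        self._pan = {}       # account_id -> card number; never leaves this object
        self._used = set()   # nonces already redeemed
        self.ledger = []     # (account_id, merchant_id, amount_cents)

    def enroll(self, account_id, pan):
        key = secrets.token_bytes(32)
        self._keys[account_id] = key
        self._pan[account_id] = pan
        return key

    def charge(self, permission, merchant_id, amount_cents, now):
        """Verify the permission and charge the account; return a decision string."""
        body = permission["body"]
        key = self._keys.get(body.get("account"))
        if key is None:
            return "unknown account"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, permission["tag"]):
            return "bad signature"          # also catches any tampering with body
        if now > body["exp"]:
            return "expired"
        if body["merchant"] != merchant_id:
            return "wrong merchant"         # permission cannot be redeemed elsewhere
        if amount_cents > body["max"]:
            return "over limit"
        if body["nonce"] in self._used:
            return "replayed"               # second use of the same grant
        self._used.add(body["nonce"])
        self.ledger.append((body["account"], merchant_id, amount_cents))
        return "approved"


class Merchant:
    """Receives the permission at checkout; holds no card data at all."""
    def __init__(self, merchant_id, issuer):
        self.merchant_id = merchant_id
        self.issuer = issuer

    def checkout(self, permission, amount_cents, now):
        return self.issuer.charge(permission, self.merchant_id, amount_cents, now)


def run_scenario(now=1_000_000):
    """Constructed walk-through returning the issuer's decisions for each case."""
    issuer = CardIssuer()
    key = issuer.enroll("acct-42", "4111-0000-0000-0000")   # constructed sample PAN
    alice = UserAgent("acct-42", key)
    shop, other = Merchant("shop", issuer), Merchant("other-shop", issuer)
    perm = alice.grant("shop", max_amount_cents=5000, ttl_seconds=300, now=now)
    results = {
        "first_use": shop.checkout(perm, 4999, now + 10),
        "replay": shop.checkout(perm, 4999, now + 20),
        "other_merchant": other.checkout(alice.grant("shop", 5000, 300, now), 100, now + 5),
        "over_limit": shop.checkout(alice.grant("shop", 5000, 300, now), 5001, now + 5),
        "expired": shop.checkout(alice.grant("shop", 5000, 300, now), 100, now + 301),
    }
    tampered = alice.grant("shop", 100, 300, now)
    tampered["body"]["max"] = 1_000_000              # raise the cap without the key
    results["tampered"] = shop.checkout(tampered, 9999, now + 5)
    return results, issuer.ledger


if __name__ == "__main__":
    for case, decision in run_scenario()[0].items():
        print(f"{case:15s} {decision}")
```

The design point is the order of checks at the issuer: signature first, so every later field can be trusted, then expiry, merchant binding and cap, then the nonce set, which is what turns “permission” into “one-time permission”. In a real deployment the nonce set would need to persist for at least the permission's lifetime.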

Eric caught reading techie talk

Speaking of which, Eric Norlin has belied his marketing nonchalance by admitting he's reading a blog intended for… true techies!

This is an interesting weblog for our true techie-readers out there: A weblog written by a Microsoft employee that is devoted (apparently) to the technical implementation of weblogs.

I think he maybe meant “technical implementation of InfoCards” rather than “technical implementation of weblogs” – but hey, InfoCards will soon be used in Weblogs, right?

Quoting:
Ready, set, go…

Once you complete the WinFX Runtime installation, you’re ready…

1. First, you must start “InfoCard Service” manually; you could use the command prompt: net start “InfoCard Service”.
Note: this is Beta 1 behavior. In a subsequent beta release, it’s very likely that you don’t have worry about starting the InfoCard Service anymore.

2. Go to control panel, you will see a new control applet, call “Digital Identities” – double click it.

3. You will see the InfoCard Management UI. I’m going to warn you that this is a ‘wire frame’ UI; it is enough to get basic ideas across, but it is nowhere close to the final UI, and it will be radically different in a subsequent beta release, so please don’t read too much into this.

I gotta say – this sure is snappier than my description – thanks Eric.

An SNL Skit? Onion headline?

Eric Norlin seems to be blogging on the Digital ID World site as well as his own site. I'm checking into what he's posting where and will let you know. Whatever the story, here's a post after my own heart:

I'm sorry, but reading the first paragraph of this story made me think that maybe I was reading the Onion, or watching Saturday Night Live:

“Credit card users, don't fret. Only a small fraction of the 13.9 million credit cards accounts at MasterCard exposed to possible fraud were considered at high risk, the company said Saturday.”

Only a “small fraction” of the 13.9 million accounts were at “high risk”? Were the rest at “medium risk”? And what – *exactly* – is “medium risk” in Mastercard terms? Is “medium” risk equivalent to Defcon 3? If so, is “high” risk equivalent to mutually assured destruction?

The equivocation in this opening paragraph is a wonderful example of a huge PR budget at work. Congratulations to Mastercard. Of course, with the frequency of data loss these days, this all just seems commonplace now (“OOPS! we lost 13.9 *million* account numbers – sorry – hehehehe”).

Yes, I like the idea of sending the PR team responsible for this to do a year at SNL – though I think we need them to stay on at MasterCard too – just in case they are needed there as well.

CardSystems appointed Professor of Identity

When I presented the Laws of Identity at the DIDW conference, someone asked how we would “enforce the laws”. I tried to explain that the laws are not what Bob Blakley calls “desiderata” – things that we would like to see. They are the objective characteristics of an enduring identity system at Internet scale.

Timothy Grayson of Recursive Progress has written very eloquently about how CardSystems has served as his teacher in this regard:

A while back, I took aim at The Laws of Identity with a critique that missed the mark, I'm sure, because I opted (well, truly, I had no choice) not to evaluate it through the lens of a technologist. One of my comments in regard to Law 2: Minimal Disclosure for a Constrained Use was:

I think that minimal disclosure for a constrained use is essential for privacy and user control, which, presumably, is what drives Law no. 2. The statement, “There is no longer the possibility of collecting and keeping information ‘just in case’ . . .” [emphasis mine] is, however desirable and logical an outcome of a need-to-know minimal distribution of information, not part of technical mechanics. It is, as everyone doubtlessly knows, a matter of policy and practice. Somewhere I read not all that long ago that two of the non-obvious forces that are driving the creation of massive directories and databases — about people — are that (a) thanks to computing capability it's easy to accumulate rich records over time and (b) thanks to cheap storage there's no disincentive to keep accumulating information. These together with the underlying belief that “information is power” and all the other marketing and security-driven forces for creation of directories may be a little bit more than the principle of minimal disclosure can overcome, methinks.

Today, MSNBC (among others) is carrying a story about data mishandling by a credit card processing firm in Atlanta (Processing firm: Credit card data mishandled – Consumer Security). This situation speaks to digital identity generally, and at least from one angle to Law 2. Here's the money quote to support my earlier statement:


He [John Perry, chief executive of Atlanta-based CardSystems Solutions Inc., which was hacked] said the data was being stored for “research purposes” to determine why some transactions had registered as unauthorized or uncompleted. “We should not have been doing that,” Perry said in Monday's editions of The New York Times.

Under rules established by Visa and MasterCard, processors cannot retain cardholder information after handling transactions.

“CardSystems provides services and is supposed to pass that information on to the banks and not keep it,” Joshua Peirez, a MasterCard official, told the Times. “They were keeping it.”

Oops. Broken law. Technology — architecture or otherwise — may or may not have been able to avoid it.

Durand on User Centricity

Here's some more interesting thinking by Andre Durand – CEO of Ping.

Bryan, David and a few others over here in Pingland were kicking around some afternoon whiteboarding ideas on InfoCards. Figured since I'm getting back into my bloghead, I'd start posting a bit more…

  1. It centers on the user. Users rule.
  2. It can stop Phishing attacks cold — as we know them today
  3. It’s better than Gator-like utilities or IE’s auto formfill for new account registration
  4. It provides users with the convenience of SSO
  5. It eliminates the need to manage weak passwords
  6. It’s a branding opportunity for 3rd party Identity Providers
  7. And of course, the client will be built into every Windows desktop

Challenges to overcome…

  • How to roam and maintain your InfoCards
  • How to recover if something bad happens to your computer
  • How to enable InfoCards on other operating systems
  • How to streamline the 1st time user experience

Implications

  • Existing consumer-facing (external) federation use-cases will be displaced by user-mediated exchanges of attributes between IdP’s and SP’s

A battle will ensue between companies looking to become the branded (most trusted) identity providers

All Andre's challenges represent opportunities to contribute to the ecosystem. For example, roaming provides opportunities for smart card manufacturers, USB donglemakers, people who build phones (or software that runs on them) and web service operators. And so on for the other challenges. More about these as we go forward.

I agree with Andre's “implications” point: the proposal puts the user front and center, and thus rebalances the federation equation. This is bound to be unsettling to some – until it is understood that the new formula raises all the components of the previous equation to a higher power.