Author: Kim Cameron

Here are some comments on the Laws by Bob Wyman, co-founder and CTO of pubsub.com.

I strongly support Hubert Le Van Gong‘s concern about the confusion between the “provision of identity versus the provision of attributes.” In fact, I go further to say that I am concerned that your Laws and the many discussions around them seem to be constantly conflating at least the three distinct issues of identity, attributes, and permissions or rights management.

I don't think ‘conflating’ is the right word, as I will explain. But it is true I am proposing that these things are more closely interrelated than many have thought.

Phrases such as “an identity provider is a claims provider in addition to whatever other services it might want to offer” are particularly confusing. Clearly, you see that this thing you call an “identity provider” is much more than just an “identity provider” yet you seem to insist on refusing to name it as such.

I apologize if I've been confusing. I see the provision of identity as the provision of claims. I was simply indicating that an identity provider might offer other related services as well – for example, auditing of usage, or management of authentication mechanisms. And so on.

In fact, what you often seem to view as a single service is actually a system of services composed as a conjunction of at least the three services mentioned above. It may be that your work has led you to “to think of a digital identity as a set of claims made by one digital subject about itself or another digital subject.” However, while this may be a natural simplification for someone who has worked long and hard on directory services — which are concerned with the issue of associating attributes with identities, it is not a useful or clear definition for those who work in other areas.

I appreciate Bob's gentlemanly gesture in explaining my myopia as a side-effect of excessive exposure to directory – certainly a possibility. But I've also built security systems for almost as long as I have been involved in directory, so I can't really claim overspecialization as an excuse. This aside, Bob continues to discuss keys in a way that I quite like, though I don't think it is the only truth:

Developing a solid and flexible architecture requires a more rigorous distinction between services. The problem here reminds me very much of the “Myth of Certificates.” We've been taught by the sellers of Certificate that keys aren't useful unless you have a certificate that binds the key to some person. The result is a nice little industry which specializes in tying claims of person-ness to key pairs that otherwise could be generated for free… Yet, the reality is that computer programs care little about “person-ness” and usually treat the keys themselves (or evidence of control over the keys) as the identifiers of unique entities.

Now here is the nub. Bob is describing a subset of computer programs, not all or even most computer programs.

There is almost always at least one cryptographic key involved in identity. But a key can be used in many different ways.

In some scenarios, the relying party knows the key of the party being identified. It can then use “evidence of control over the key” as evidence that it is “dealing with” that party. This has the advantage of being simple if there aren't too many keys involved, but in other cases has the drawback that the relying party needs to know a very large number of keys, and possibly who has them, and when they have changed or been lost or stolen. As Bob knows, this can get really complicated, and has all kinds of information leakage problems when there are large numbers of resources.

To avoid this complexity and vulnerability, other usages of keys have evolved appropriate to other scenarios. For example, the relying party may just know the key of some authority, and allow the authority to then provides a “claim” about the party being identified.

Consider Kerberos (and similar systems), since it is very widely deployed and relatively easy to manage. In Kerberos, no resource needs to know the key of everyone who can access it. The resource just needs to share a single key with the Key Distribution Center (KDC). There is thus no information leakage about other keys or identities in the system. The KDC creates a set of claims about the party being identified and packages it up so only the identified entity can present it to the resource. So such a KDC is an Identity Provider in exactly the sense I am using. Kerberos systems have been making claims about their users for more than a decade. In Windows systems employed in a great many enterprises, these claims include an identifier for the user and the identifiers of a list of groups to which the user belongs.

Now the question becomes “what is an identifier”. And again, I suspect Bob has notions about this which are restrictive. I don't. In my view, it is up to the relying party to decide how it wants to distinguish between potential users. In some scenarios, it may make a lot of sense to have some uniquely identifying claim – like an email address, or an identification number, or a guid, or a unique personal key. In others, it may be fine just to be able to determine that an authority known to me uses its key to say the subject is of a given age, or works for a given employer, or lives at a given address, or knows a given secret, or belongs to some club. And in yet others an authority might say that the digital subject possesses a given key, or combine this claim with others. What is wrong with this if it is the kind of identification required by the relying party?

Let's pop up the stack a bit. Let's go back to the Oxford English Dictionary (OED):

“Identity – The fact of being who or what a thing or person is.

• The characteristics determining this: he wanted to develop a more distinctive Scottish Tory identity.
• Serving to establish who the holder, owner or wearer is by bearing their name and often other details such as a signature or photograph: an identity card“

A distinctive Scottish Tory identity is certainly not a unique identifier – rather it represents a certain class of user (!) – yet still an identity. The details referred to in the subsequent bullet (name, signature, photograph) are to my way of thinking precisely examples of claims being made in order to establish identity.

If I am guilty of conflation between “identity” and “attributes”, I am no more so than the authors of the OED just cited.

Code only “cares” that whatever entity it interacts with is able to distinguish itself from other entities. “Identity” lies in that ability to distinguish one thing from another. Names, permissions, addresses, etc. are not “identity” — rather they are claims which are bound to or associated with identities.

The problem here is one of vocabulary but it appears to be influencing design. We've got an “Identity Industry” that seems to be very focused on “personal information management” or claims processing but very little concerned with Identity itself. The result is systems that are more complex and less well defined than is necessary.

As respectful as I am of Bob Wyman's contribution to computing, I believe he is holding to a definition of identity which is overly narrow and has nothing to do with normal usage of the word. By reverting to a more usual use of the idea, and allowing claims to be unique identifiers or tuples of meaning or whatever the relying party would like to see, we can actually get a lot closer to building a unifying identity metasystem, because then the implementation details of different systems recede as well they should.

Bob also brings up the issue of permissions and grants, another interesting topic to which I will return as I explore the issues of the relying party in more detail.

Thanks to Nick Mudge for pointing me to an article in govtech.net which first appeared in this newsletter run by the CIO of New York State. It's interesting – and shows the extent to which the E-Authentication initiative is picking up steam at the state level.

Pat Patterson has introduced me to one of his friends from Sun's CTO office. He's a new blogger called Hubert Le Van Gong. Hubert has started thinking pretty deeply about our metasystem proposal. Here's his posting:

Microsoft recently shed more light on their new identity project called the Identity Metasystem. A core component of it is InfoCard. Actually InfoCard is composed of 2 elements:

Identity selector: it will reside on the PC and will act as a sort of broker for the user by negotiating between the identity providers and the relying party. Note that the term identity provider has a quite different meaning that the one used in other identity framework (like Liberty). In Microsoft's Identity Metasystem, an identity provider issues digital identities that are relevant to the business it is in. For instance, a credit card provider would issue identities that enable payment (so credit card number info or whatever is needed for a payment). To me such identity provider is more of an attribute provider but maybe I sent too much time working on Liberty? The relying party is a service provider that is also InfoCard enabled.

I don't know if I'd call the Identity Selector a “broker” – in the sense that it is operated by the user rather than some other organization or agency. I don't want to start thinking of myself as “brokering” my own interactions – my life is complicated enough already. And I'll bet Hubert feels the same way.

The selector is actually engineered as a highly tuned control surface through which the user can establish an unambiguous and safe channel to the digital world. Through this surface the user is able to evaluate the authenticity of those with whom he or she is interacting, decide what provider should be used in a given context, and approve (or prevent) information being released to a relying party.

Within this kind of a system, does an Identity Provider (IP) know what the user's decisions are? That depends.

An IP never knows what a user has disclosed using another IP. So there is complete segregation of providers. This allows complete segregation of identity contexts.

Further, a given IP may or may not know who the user is divulging information to. In other words there can be both “auditing” and “non-auditing” identity providers. Our study of the laws led us to conclude that in some contexts, auditing by the provider may be considered a good thing, whereas in others it may not. Our goal is to provide a platform for expressing all aspects and variations of identity.

A non-auditing identity provider is significantly different from what an IP does in Liberty. But an auditing provider seems to me to be totally consistent with the concept of a Liberty IP (which knows about the information releases a user has approved, including what information has been – or should be – released to whom).

Hubert's comment about provision of identity versus the provision of attributes is interesting. As explained in the Laws whitepaper and elsewhere, my work has led me to think of a digital identity as a set of claims made by one digital subject about itself or another digital subject. So an identity provider is a claims provider in addition to whatever other services it might want to offer.

Hubert continues:

Self-issued identity provider: a PC will be able to store some of the user's personal information in a secure area of the operating system. The InfoCard client application (on the PC) can then provide these data to relying parties. Microsoft says that the data stored on the PC cannot be sensitive information (e.g. social security numbers…). While this is an interesting concept, storing locally personal attributes is raising the issue of availability: unlike digital identities stored on an identity provider the self-issued digital identities are only available when you're using your PC.

This is true. The self-issued identity provider won't be able to do some of the cool things that a “managed” provider can do. It's not intended to compete with them. We look at it as a way of bootstrapping the metasystem. Virtually the entire consumer web works today with self-issued identities (that people have created by pouring their personal details into forms). The self-issued provider does this “out-of-the-box”, so everyone can “play” in the InfoCard world without purchasing a service or making any kind of commitment. Our thinking is that as people understand the benefits and issues, they will become informed about the benefits that “managed” providers can provide. They can then upgrade their experience. So the self-issued identity provider is a way to get the ecology moving. And for some purposes, a self-issued identity is probably fine.

I should point out that we will also be creating a managed Identity Provider for Active Directory (AD) that can be used in the InfoCard Identity Selector. Enterprise customers who use AD will have the option of giving their employees InfoCards that represent a professional identity. (They will also be able to control whether InfoCard Selectors are enabled in machines which they manage).

We also see Indigo as being very closely integrated with the InfoCard proposal since Indigo programs can support InfoCards with no special coding.

I want to make it crystal clear that if Pat and Hubert like the idea of working together in a metasystem, Sun could provide an InfoCard representation for identities managed by Sun technologies, and those could appear in a Windows InfoCard Selector alongside or instead of, for example, an AD InfoCard. Further, Sun workstations could include their own Identity Selector. Same for all the other platforms and identity systems people come up with.

I congratulate Hubert for putting together a swim lane:

Gathering as much info as I could, I have created the following diagram to illustrate how InfoCard would actually work. I'd be happy to hear any comment on it (or corrections if I got something wrong).

Now an interesting question is how this is going to work with other identity frameworks? Microsoft called this architecture Identity Metasystem since it is supposed to be above (and play nicely with) existing systems. I could imagine this being used on top of SAML2.0 or Liberty ID-FF1.2 but obviously this architecture is in direct competition with Liberty's ID-WSF framework.
I'm sure I'll come back to this.

This is a good first approximation of what our swim-lanes look like. I'll post something more detailed on this site pretty soon. All this stuff will be published in excruciating detail within a few weeks – we're just trying to make sure it is as accurate as possible.

Hubert also asks a good question about the details of interworking with other systems. It has been pretty clear to me that SAML and Liberty implementations can easily interwork with this proposal – it may require some extensions to current capabilities but nothing very significant. So really, it's a question of whether we want (as an industry) to make this proposed metasystem work or not. As an identity guy I certainly hope so since I think it is win-win for all players, including the individual – who, as Doc Searls so convincingly pointed out at DIDW, will increasingly move toward the center of economic activity as the world continues to collide with cyberspace.

In terms of the ID-WSF framework, I'm not an expert on this. But from my viewpoint, InfoCards in no way dictate what protocols are used for all kinds of web services and all kinds of scenarios, so I don't understand the “direct competition” point. Maybe Hubert can explain. InfoCards are, basically, a proposal for giving the user control, supporting multiple technologies and operators within a unified context, and upping the bar on safety and user integration – doing all the things necessary to building a metasystem that is consistent with the laws of identity outlined here.

Dick Hardt has moved the identity part of his blog to Identity 2.0. Identity 2.0 is his meme for differentiating user-centric identity from what came before it. I like it.

Dick gave an absolutely fantastic presentation on identity at DIDW last week. It was intensely visual and direct – and really got his point across. Everyone who saw it came out a changed person. So I wonder if it's possible for him to put together a flash animation that we could all point our friends to…

FYI: Here is a story by Joris Evers at news.com on InfoCards. The story makes it clear that only momentum and mutual benefit can create an identity metasystem.

Speaking of Johannes, at the bottoms up identity meeting preceeding DIDW he made some really good points about the need to brainstorm deeply on what we mean by an identity big bang. How will applications change? What new applications will appear? I think Johannes is right on target when he calls on us to turn the discussion in this direction. So let's all start ruminating… and then get to work on this.

Here's a good summary of what those of us working on InfoCards are trying to do, written by Johannes Ernst of Netmesh and LID. At DIDW Microsoft released a whitepaper referencing InfoCards called Microsoft's Vision of an Identity Metasystem. But Johannes has zoomed in on a number of very interesting pieces in the puzzle – including how what we learned through metadirectory relates to the ideas in the identity metasystem, the web services protocols underlying it, and how an identity selector would work.

Personally, I'm really looking forward to the day I can put up a demo – this is a case of a system which is a whole lot easier to use than to describe. But Johannes has done a really good job of bridging that gap.

If you Google Microsoft's InfoCard, you mostly seem to find people asking “who can tell me more about InfoCard”, but very little actual answers. Here is what I've learned from public statements by Kim Cameron and other Microsoft people, and the public demo they did at Digital Identity World 2005. (Disclaimer: I may be wrong about some things, as I don't work for Microsoft. Also, I believe all of the information here is public. If I'm wrong on either count, please do let me know.)

To understand InfoCard, you need to understand Kim Cameron, InfoCard's architect. Kim is credited with being the, or at least one of the inventors of the concept of a meta-directory. A directory (as in corporate directory, LDAP, that kind of thing) is a special kind of database run by companies to manage information about their employees, such as their names, phone numbers, e-mail addresses, office locations, as well as computers, printers and sometimes access permissions to various applications or information. When companies started to deploy directories, very quickly multiple directories were found within the same company, and the question arose how those directories could be used together, because some directories would know information about some employees but not others, etc. The idea of a meta-directory is to have a piece of software that would appear just like any other directory, but that would pull its data from other directories. In other words: have your cake and eat it, too. Keep whatever directories you have, but make all their information appear in one place (coincidentally one of the core principles behind our NetMesh InfoGrid as well).

So when Kim decided to do something about digital identity, he used the same mindset that he used for the idea of a meta-directory, because he saw the same market conditions in this area: lots of incompatible digital identity systems, that prevent everybody from interacting with most other people — just like stovepipe directory systems would prevent one person from accessing a printer defined in another. In the identity space, not only do we have Microsoft Passport, Liberty Alliance, SXIP, Identity Commons, and our LID, but thousands, or maybe far more, home-grown account and user registration systems. In Kim's view, while there may be advantages that one of those systems has versus others, the real problem is fragmentation of digital identity systems, just like fragmentation of directory systems back then. So the core idea for InfoCard is to be a meta-identity system, with the word “meta” meaning the same thing as it does in the term meta-directory system.

Another way saying the same thing would be by parallel with TCP/IP as the universal abstraction layer that abstracts away from things like Ethernet, but nevertheless depends on them. Using this analogy, we could think of InfoCard just like we do about TCP/IP (in relation to digital identity systems and Ethernet or WiFi, respectively).

Kim's hope that by having such an abstraction layer, such a big momma identity backplane (as Marc Canter puts it so memorably), we can get an explosion of identity-enabled new applications. And he adds another analogy: there was little innovation in graphics before there were commons APIs that developers could use to talk to any graphics card, but then it exploded, we got graphical user interfaces and all of that. Without that common API, the next level of innovation simply wasn't possible. He thinks that it will be the same about identity.

Before we get into the guts, let's list some more of the assumptions behind Infocard: (you should also read Kim's Laws of Identity which I won't cover here but which contain a lot more interesting assumptions)

• Kim believes that it has to be an entirely open system. My understanding is that Microsoft will find a license (I also understand they have not settled on one, in fact Kim is looking for input), that allows anybody to create any part or all of InfoCard themselves. Unlike some earlier rumors, InfoCard does not seem to be released as open source itself, but admittedly, that would really have surprised me.
• InfoCard is built entirely on the web services (WS-*) stack. Given that it is a very distributed system, this choice is understandable. Kim says that while not all WS technologies used in InfoCard have been blessed yet by suitable standards bodies, all of them are on the standards track already.
• Because of the need to combat phishing and other attacks where outside stuff (web pages, viruses popping up application windows etc.) pretends to be something else to the user, InfoCard will be anchored pretty deeply inside the Windows OS in a secure process space.
• The InfoCard — like a virtual credit card or membership card — metaphor is the central user interface metaphor.
• InfoCard only defines the “framework” protocols between the InfoCard client-piece (the one inside Windows), an identity provider, and a relying party (e.g. a website that requires identifying information). Lots of parties can be an identity provider or a relying party using many (all?) of today's identity systems which can plug into the InfoCard system by adding actual content into the defined messages.

Here is an example use case:

1. An InfoCard-enabled user (e.g. one running the upcoming Windows Longhorn, or the downward-compatible release for XP) first signs up with one or more identity providers of their choice. That could be their ISP, their bank, a site like eBay, or Slashdot. This process is entirely outside of InfoCard, but of course the identity provider must support their part of the InfoCard protocol.
2. The user visits an InfoCard-enabled relying website (such as an InfoCard-enabled Amazon) that requires certain identity information from the user, say, a shipping address. The website sends a web page which contains an HTML OBJECT tag, which triggers a DLL which invokes the InfoCard system.
3. The InfoCard system determines which personal information is requested by the website, and matches it to the identities (i.e. InfoCards) that are in possession of the user. It then displays those InfoCards to the user that are applicable, such as: driver's license (if the government was an InfoCard-enabled identity provider), or credit card from AMEX. Note that the InfoCard selector runs natively on the PC and is not downloaded.
4. The user selects an InfoCard to use. The dialog shown takes over the entire Windows screen (similar to the Windows login / logout dialogs today) in order to reduce phishing. It would also be difficult for an attacked to bring up a screen that has the exact set of InfoCard pictures on it as the user owns, as the information about which cards the user has is stored securely in a secure area of Windows. As a result of the selection, the InfoCard process on the PC contacts the selected identity provider, and obtains essentially a signed XML document that contains the requested identity information. The signature comes from the identity provider.
5. The InfoCard PC piece then forwards the obtained document to the relying party (the website).
6. However, InfoCard does not describe the actual tokens flying around, thereby enabling other identity systems to plug in.

In order to accomplish this, InfoCard employs:

• SOAP
• WS-Addressing
• WS-MetadataExchange
• WS-Policy
• WS-Security
• WS-SecurityPolicy
• WS-Transfer
• WS-Trust
• XML Signature
• XML Encryption

Does this make sense do you? It does to me … Feel free to post back or contact me if I'm wrong or incomplete or you have questions or …

Seems my RSS feed has been blocked since May 8th.

I'm trying to unblock it – working with Radio Userland. Maybe I need some quality management software here.

I just saw that Jamie Lewis has posted this set of links to articles on DIDW by Between the Lines – Phil Becker's keynote, the discussion of federation standards, John Shewchuk's keynote and Jamie's Wednesday keybnote.

I look forward to Jamie's presentations for their panoramic scope – a rare pleasure – and invariably find myself on the edge of my seat waiting for the pithy new metaphor he has discovered.

And this year, it was the idea that the current debates over protocols deserve about the same degree of interest as do arguments over the chemical composition of asphalt amongst those building a network of highways for the nation. Even here, it isn't the roads themselves that are the final product. It's the “neat cars and trucks” that run on them.

Today's post adds clarification to some of the coverage:

I … want to clarify one thing that Chris Jablonski said in his post summarizing my keynote. Chris summarized something I said this way:

However, he cautioned that achieving meaningful implementation by the end of the decade will depend on how long the vendors want to fight over building the road (standard framework) as opposed to building neat cars and trucks (more proprietary solutions).

Actually, the “neat cars and trucks” aren’t proprietary systems in the analogy I was using. My point was this: Arguments over the chemical composition of asphalt (the protocols necessary to build the standard framework) is of little value to customers who need a solution to a very real problem. What customers want is products and services that solve their identity problems (the cars and trucks that actually help people get somewhere) but that work in an interoperable system (cars that run on the public road). So in the analogy, I was trying to encourage the vendors to quit arguing over how to build the road, settle on what asphalt formula we’ll use, and focus instead on building the interoperable solutions that solve a real problem, which customers will want to buy.

And in that light, the interoperability profile for Web-based SSO between Liberty and the WS-* frameworks that Sun and Microsoft announced today are certainly encouraging. More on that later.