New British report on identity card technologies

There is a new report by the British House of Commons Science and Technology Committee entitled, “Identity Card Technologies: Scientific Advice, Risk and Evidence”.

For those new to this blog, the ongoing discussion of a British Identity Card interests me not only because of what it means for Britain's future, but because it is a crucible in which to watch the Laws of Identity play themselves out. The initial proposal broke a number of them – with, so far, the predicted results.

Here is the summary from the multi-party Committee's report:

This Report is the final of three case studies considering the Government’s treatment of scientific advice, risk and evidence. It focuses upon the Home Office’s identity cards scheme, which uses various technologies including biometrics, information and communication technology (ICT) and smart cards. We considered this scheme in order to explore the ways in which scientific advice, risk and evidence could be managed in relation to technologies that are continually developing.

This inquiry has found several areas in which the Home Office’s treatment of scientific advice and evidence appears to be following good practice: the establishment of advisory committees, the use of Office of Government Commerce (OGC) Gateway Reviews and the development of risk management strategies are examples. We welcome the Home Office’s commitment to implementing the scheme gradually rather than using a “big bang” approach, which could jeopardise the success of the programme.

We have also identified weaknesses in the use of scientific advice and evidence. We are disappointed with the lack of transparency surrounding the incorporation of scientific advice, the procurement process and the ICT system.

Potential suppliers are confused about the extent to which the scheme will be prescriptive and when technical specifications will be released. Whilst the Home Office has attempted to consult the wider community, stakeholders have complained that consultations have been unduly limited in scope and their objectives have been unclear.

As a result, the wider community does not have the level of confidence in the scheme that could reasonably be expected at this stage. Whilst the Home Office has determined some aspects of the scheme such as the biometrics, it has left other aspects such as the structure of the database undetermined. Its decisions demonstrate an inconsistent approach to scientific evidence and we are concerned that choices regarding biometric technology have preceded trials. Given that extensive trialling is still to take place, we are sceptical about the validity of costs produced at this stage. We note the danger of cost ceilings driving the choice of technology and call for the Home Office to publish a breakdown of the technology costs following the procurement process.

The identity cards scheme has at least another two years before identity cards begin to be introduced and the scheme has not yet entered its procurement phase. There is still time for the Home Office to make alterations to its processes. We encourage the Home Office to seek advice on ICT from senior and experienced professionals and to establish an ICT assurance committee.

Whilst biometric technology is an important part of the scheme, it must not detract from other aspects of the programme, in particular ICT. It is crucial that the Home Office increases clarity and transparency across the programme, not only in problem areas. We also emphasise that if evidence emerges that contradicts existing assumptions, changes must be made to the programme even if the timescale or cost of the project is extended in consequence.

Peddalo sir? Of course, just leave me your ID card …

Being on vacation, surrounded by bizarre identity phenomena, I liked this post by Jerry Fishenden, Microsoft's National Technology Officer in Britain 

If anyone doubts the extent to which ID cards will be demanded for the most trivial of reasons, my recent experiences on holiday in the Ardennes amused me. On going to hire a peddalo on a lake for myself and my family to inflict some gratuitous self-humiliation on ourselves, I was asked for my ID card.

“I don't have an ID card”, I explained – at which point they asked for my passport. Which I was not carrying with me.

Oh uh – it was not looking good. Was I going to be prevented from some harmless family entertainment on the lake due to the lack of a proper identity document? I couldn't but help observing beside the cash till (in full public view and easy reach) a collection of ID cards and passports provided by other peddalo tourists.

However, it turned out that they wanted the ID card/passport from me purely as some sort of surety for the hire of the peddalo. I negotiated a cash deposit of 15 Euros instead.

But the episode did highlight to me the risks involved with any ID card that has physically printed on it a wide range of sensitive personal information – who knows what some unscrupulous peddalo hirer might do with that useful information whilst it is in their custody? Let alone someone with a more serious criminal intent.

Even odder, on returning the padlock key for the peddalo after completion of a few half-hearted circum-navigations of the lake, I was offered a choice of ID cards and/or passports to take from the pile beside the till. Until I reminded them that I only needed my 15 Euros returned – not someone else's identity document (kind as it was of them of course to offer me alternative identity documents – and free of charge at that).

The ease with which anyone with an ID card or passport meekly complied with the request and handed them over to a peddalo-hiring stranger also illustrates the extent to which people become complacent about where and who asks for such credentials. Of course, happily most of the time the people that ask us will have the best of intentions. But we still need to design our identity documents with the assumption they do not.

All the more important then that we have the time to ensure any ID card (and the personal information it provides access to) is designed to protect us against casual acquisition and misuse.

While you're pondering this one, take a look at Jerry's very thought-inducing piece, “biometrics: enabling guilty men to go free? Further adventures from the law of unintended consequences”.

He focusses on the fact that biometrics are progressively becoming public information, as are many other aspects of our identity.  Because they are being stored in an ever-widening circle of computer systems and without serious security precautions, they may in fact lose the power to convince and convict.  We need to understand these issues if we are to understand the role of biometrics in identity.

The law of unintended consequences seems to be making itself felt a lot these days.


Will industry rescue the identity card?

IT Week recently ran a story quoting Simon Davies, director of Privacy International, that has raised an eyebrow or two in the blogosphere.

Industry may need to lead the way if the UK is ever to get a national identity card scheme that can deliver significant security and efficiency benefits.

That is the view of Simon Davies, one of the academics behind the London School of Economics’ controversial report last year on the cost and viability of the government’s ID card scheme. Davies told IT Week that now leaked emails from Whitehall officials have revealed their doubts about the viability of the scheme, the private sector may have to step in to save the project.

“I’ve believed for some months that a ‘white knight’ consortium from industry is needed,” Davies said. “Companies that can see the benefits of the ID card idea should approach the government about effectively taking over the project.”

The Home Office has long argued that the introduction of ID cards will deliver many business benefits, such as more efficient identity verification processes, less fraud, and more secure e-business transactions, and has maintained that it has been working closely with business leaders about how the technology should be used.

Speaking in her office at the newly formed Identity and Passport Service (IPS) earlier this year, Katherine Courtney, director of business development for the government’s ID card scheme, argued that while much of the coverage of ID cards has focused on the ability to tackle fraud and terrorism, it will also deliver such significant business benefits that “we will all be asking ourselves in 10 years’ time how we ever got along without them”.

Courtney added, “Because of the mobility of society and the development of the digital economy, people are leading more complicated lives and want to be able to conduct their personal administration more easily and out of office hours. These changing social trends mean that the capability to prove your identity is vital and this scheme will deliver the enabling technology [to do that].”

The Home Office is talking to public-sector bodies, such as the police and the NHS, and private firms, including banks, retailers, e-businesses and other large employers, about how they could use ID cards. The theory is that if everyone has a national identity card that can be checked against a central register containing biometric and personal details, tapping in a personal PIN code or undergoing a biometric scan will quickly replace the need to photocopy utility bills or show a passport for tasks such as enrolling for a doctor or applying for a loan.

Perhaps unsurprisingly, firms have broadly welcomed plans that the Home Office estimates will save the private sector £425m a year through streamlined identity verification processes and reduced exposure to fraud. In fact, these benefits could prove so significant that organisations will offer incentives for customers to have cards, according to Ed Schaffner, director of enterprise security at IT supplier Unisys – one of the companies likely to bid for part of the Home Office contract…

“The cost of identity fraud is built into the cost of any service,” Schaffner said. “So businesses and banks can say that if you use this card to verify your ID you can have a discount.”

A spokesman for one bank also said identity cards could make it easier it to serve disenfranchised sections of society, such as migratory workers and students, who are less likely to have currently accepted forms of identity proof such as utility bills and passports.

Another way the Home Office hopes the cards will deliver significant benefits for businesses and consumers is by enhancing the security of online transactions. The Home Office argues that asking customers for an ID card number and PIN code that can verify identity against a national register would give organisations a more secure means of identifying online users.

It is a technique already used in Belgium, where 2.5 million people currently hold electronic ID cards and government agencies and banks are using information on the cards to authorise online access to their services. Chatrooms have also started to use ID card checks to ensure age limits are enforced.

In future, attaching card readers and fingerprint scanners, such as those already found on some laptops, to PCs could further strengthen security. If the technology proves as secure as the Home Office promises, retailers and banks would be able to authorise far larger online transactions than at present.

Like many observers, Jeremy Beale, head of e-business at the CBI, has concerns about the technical challenges the scheme will face, but he also argues that a working system could bring huge benefits. “ID cards are not so much a disruptive technology as a stabilising one,” he said. “Firms have been saying for years that they want a single secure standard for online identity verification, and if the government manages to deliver it there could be huge benefits for online commerce.”

But Davies added that despite these potential benefits the government has not been doing enough to form a partnership with industry and technology suppliers to develop a workable ID card system, and it is therefore time for business leaders to take a more proactive role. He argued that management of the scheme should be taken from the Home Office and handed to the Treasury and the Department of Trade and Industry (DTI). “Industry has been left high and dry [by the government’s failure to make its plans clear], and the DTI should be able to rebuild trust with industry,” he said.

Alan Rodger of analyst firm Butler Group said there is a growing belief among some identity management experts that the government should leave the scheme to the private sector. “There is a feeling from some that we should let the market sort it out,” he said. “It would allow the problem [of securing individuals’ identities] to be tackled without the need for huge public investment.”

Separately, Davies argued that now some senior civil servants have expressed fears that the project is likely to fail, the government ought to publish all its reports on the feasibility of the scheme. “It is now all about trust,” Davies added. “The government has to restore some faith in the project.”

Simon, who has been a relentless and towering force in the privacy movement, responded to his critics as follows:

It’s important to recognise that context can be lost in any media report. In this case the quotes are accurate, though of course not complete. I’ve made similar remarks to conferences over the past six months, and for good reason. While it would have been nice to have seen the full conversation published, we all know that’s not the way media does its business.

I doubt that anyone who has followed the UK ID card debate, or indeed the debates in other countries, would have any doubt about where I stand on identity. My views are well known, mainly because government has made a point of repeatedly expressing them in public. I don’t resile from anything I’ve ever done or said on the subject.

As for these particular remarks, I will clarify the position.

1. You will know through the recent leaked emails that it is government, rather than Privacy International, that has lost the plot over the ID card. The Home Office is in disarray and Treasury wants it scrapped or severely limited;

2. You’ll also know from the leaked Market Soundings report that industry no longer supports the government’s scheme. I’ve known that for more than a year. Industry wants a manageable project that has a light structure and that carries public trust;

3. Into this context comes the idea that industry wanting to pursue the “right” approach (no compulsion, no central register etc) now have the opportunity to do so. Companies like EDS will always support the government line. Others are moving quickly to establish an alternative position.

4. The idea of the “White Knight Consortium” has been around since mid 2005, when it was first discussed at an industry-wide meeting of the Enterprise Privacy Group. I supported the idea then because it seemed the best way to derail the government approach.

I don’t see any need to defend myself, other than to observe how odd it feels to be hailed one day as the master strategist behind the ill-fortunes of the scheme, and the next to be condemned as a guy who lost the plot.

The “plot” is something I have well and truly in mind, and maybe you just need to reflect a little more on what I’m supporting and why I’m supporting it, rather than lashing out. Strategy and tactics on an issue like this are long term game-plans.

I've met Simon – in fact he's a privacy mentor for me.  It's true he's put a few noses out of joint over the last couple of decades.  No wonder – he was so far ahead of the rest of us in his thinking.  Talk to him for two minutes and you can see that he has worked with these issues for a long time, and understands them in a many-sided way.

Incredibly, in 1994, when people like me didn't yet have a clue we might encounter privacy issues with digital technology, he had already written Touching Big Brother – How biometric technology will fuse flesh and machine.   I don't throw out the word visionary lightly, but read this article and wonder.

Through his work at the London School of Economics he has spent a lot of time talking with cryptographers and computer scientists to understand what can actually be done to replace current systems with ones which really are privacy enhancing.  After all, does anyone think the current situation represents a Nirvana?  Not me – I've seen too many of the existing systems.

It's true that through unlikely initiatives such as the proposed UK Identity Card system, replete with panopticon observation post and massive centralized database, the handling of our personal information and threat to our privacy could actually get worse than it currently is.  But I don't think this type of initiative will succeed – it's like building a sixty-foot man.

So, surely, it is just as possible that we can take advantage of the increased awareness around these issues – and the amazing new technological possibilities that have emerged in the last few years – to allow government and business to become more secure and more privacy enhancing than they currently are.

Given the proper adult supervision by privacy advocates and policy experts, industry could, as Simon says, bring to life alternatives to the Dr. No blueprints that have emerged so far. 

It may still be hard to imagine a national (or international) conversation that includes notions like “directional identity”, but I think it will come.  Governments will inevitably see that the way to best strengthen their own security is to build strong social consensus by protecting the privacy of citizens at the same time they look after the interests of the state.

As always, the key here is “User Control and Consent”.  Citizens have to want to use the system.  Close behind are “Minimal Disclosure” and “Directed Identifiers” and all the other Laws of Identity.  Any successful ID card will have to be more attractive than the status quo – proving it is a step forward, not backward, and winning support.


Yeah, I'm a 27 year old single guy, but should I tell my wife?

Intel's Conor Cahill points out the problems with the “verification chains” being used by some of the emerging commercial identity verification services: 

In “How old are you, are you single?”, my friend, Kim Cameron, quotes an article in the post-gazette.com Business News talking about identity verification services. The article describes the process as:

The Verification Chain

How new identity-verification services work.

  • Users sign up for a new account on a classified, social-networking or dating site and are prompted to click through to the site of an identity verifier.
  • Verification service prompts users to create profiles with details such as their age, address, and occupation.
  • Verification services — or a separate company — electronically check data in public-record databases to verify assertions.

At first glance, this verification service looks like a good step forward. However, if you look closely, the process appears to mimic the same procedures that provide the foundation for much of the identity theft that exists to date — that being the fact that all I need to do to steal your identity is know a few key pieces of information (which will verify correctly).

I would hope that they start to add stronger verification that the person who “knows” this stuff is actually the person whose data is being verified. Things like what Paypal does for bank account verification (deposit two small sums in your account and require you to input the actual deposit values to prove you have access to the account).

We really need to move away from knowledge of basic facts as a verification of identity, especially when many of those facts are published in one form or another.

Paypal's approach is one of the best ways to prove that you have control of a particular bank account. 
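The micro-deposit check described above, as an added illustration of proving control of an account rather than knowledge of facts about its owner (not PayPal's code; the deposit range, attempt cap and expiry are assumptions):

```python
"""Micro-deposit account-control verification: two small random amounts are
deposited, and the account holder must report them back.  Added example, not
PayPal's implementation; the amount range, attempt cap and expiry are assumed."""
import hmac
import secrets
import time
from dataclasses import dataclass

MIN_CENTS, MAX_CENTS = 1, 99   # assumed deposit range: $0.01 to $0.99 each
MAX_ATTEMPTS = 3               # ~10^4 possible pairs, so guesses must be capped
TTL_SECONDS = 7 * 24 * 3600    # assumed: challenge expires after one week


@dataclass
class Challenge:
    amounts: tuple        # the two deposited amounts, in cents
    created: float        # issue time (seconds)
    attempts: int = 0
    verified: bool = False
    locked: bool = False


def issue_challenge(now=None) -> Challenge:
    """Pick two independent amounts with a CSPRNG.  The amounts must not be
    derivable from the account or a counter, since their secrecy is the whole
    proof that the claimant can actually read the account's statement."""
    span = MAX_CENTS - MIN_CENTS + 1
    a = MIN_CENTS + secrets.randbelow(span)
    b = MIN_CENTS + secrets.randbelow(span)
    return Challenge(amounts=(a, b), created=time.time() if now is None else now)


def _same(x: int, y: int) -> bool:
    # Constant-time comparison so response timing leaks nothing about matches.
    return hmac.compare_digest(str(x).encode(), str(y).encode())


def verify_deposits(ch: Challenge, reported: tuple, now=None) -> str:
    """Return 'ok', 'wrong', 'locked' or 'expired'.  The two amounts are
    accepted in either order because statements may list them either way."""
    now = time.time() if now is None else now
    if ch.verified:
        return "ok"
    if now - ch.created > TTL_SECONDS:
        return "expired"            # stale deposits could have been observed by others
    if ch.locked:
        return "locked"
    ch.attempts += 1
    x, y = ch.amounts
    r1, r2 = reported
    if (_same(x, r1) and _same(y, r2)) or (_same(x, r2) and _same(y, r1)):
        ch.verified = True
        return "ok"
    if ch.attempts >= MAX_ATTEMPTS:
        ch.locked = True            # a fresh challenge (new deposits) is needed now
        return "locked"
    return "wrong"
```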

But it doesn't say much about how old you are – or whether you are single.  So it's not a silver bullet in the wider scheme of things.

Too bad, because I couldn't agree more that knowing things about me doesn't prove you are me.

Isn't it amazing how many times we are required to tell people far too much about ourselves? 

I've been asked so many times for the name of my first pet that I've had to make one up.  My first pet was a turtle, and as far as I can remember, his short life didn't involve a name – we were both too young.  Yet I have to use this silly name to avoid giving people my mother's date of birth.

Once you've revealed all, the party you've given it to can reveal all too.  If there's a one in one thousand chance that someone will sell or misuse that information, when you have given it to one thousand people the probability of misuse has reached one.

Right now we give all our identifying information to every Tom, Dick and Harry, each of whom remember who we are by storing it – probably unsafely. 

What if we just gave it to Tom, or a couple of Toms, and the Toms then vouched for who we are?  We would “register” with the Toms, and the Toms would make claims about us.  Then the chances of having our identity stolen would drop, in the example above, from certainty, to one or two in a thousand.  Not perfect, but hey, I'll take it.
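As an added worked computation of the odds sketched in the two paragraphs above (not part of the original post), with $p = 1/1000$ the chance that any one recipient sells or misuses the information and $n$ the number of recipients:

$$
\mathbb{E}[\text{misuses}] = n p = 1000 \cdot \tfrac{1}{1000} = 1, \qquad
\Pr[\text{at least one misuse}] = 1 - (1 - p)^{n} = 1 - \left(\tfrac{999}{1000}\right)^{1000} \approx 1 - e^{-1} \approx 0.63
$$

$$
n = 1:\ 1 - (1-p)^{1} = 0.001, \qquad n = 2:\ 1 - (1-p)^{2} \approx 0.002
$$

So with a thousand recipients the expected number of misuses reaches one (and about two chances in three that at least one occurs), while registering with one or two Toms leaves the risk at one or two in a thousand.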

If Tom stands behind our identity for a number of years, he can become progressively more certain about our behavior, if not our childhood.

So I'm hoping that in the description given above of how a verification service operates, once you have registered with a service, it stands behind assertions about you, so you no longer need to release identifying information.

Anyone understand the MySpace “salute”?

Following our recent conversation on finding the time to blog, Ted Howard pointed me to this fascinating page from MySpace.com:

In order to verify your identity, please send us a “salute”. This means we will need an image of yourself holding a handwritten sign with the word “MySpace.com” and your Friend ID (your Friend ID number appears immediately after “friendID=” in the web address/URL when viewing your profile). We can then remove the profile that uses your identity without your permission.

Please be sure to include the web address/URL to the profile in question when you send your salute.

If you do not have a profile on MySpace please write in the email address that you are emailing us from instead of your Friend ID.

If the profile is an extremely obvious attempt to be cruel/false, you may not need to send a salute. Sending a salute will definitely help expedite things, though! If you are a teacher/faculty member at a school, please click on this link.

That's so bizarre.  I'm missing something here.  I asked Ted if he had any idea how this works:

I think the MySpace “salute” is just a photo of yourself holding a piece of paper that has your login name on it. Apparently, they consider this to be physical proof of identity – they have physical proof that a given face is linked to a given login name. Now, I don’t understand how this helps anything, which is why I find it interesting.

What stops me from saying that your MySpace account that claims you are “Kim Cameron” is a fake and then sending a picture of me holding a piece of paper with my account name that claims I am “Kim Cameron”.

Crap! I’m on your technical advisory team I guess. Are the benefits good?

Welcome to the team, Ted.  Someone will get back to you on the benefits question.

The truth is that Ted is one of those very lucky guys who gets to program video games.  I sure would like to see him blogging about what that's like.


How old are you? Are you single?

From post-gazette.com Business News, here is a nice article by Jessica E. Vascellaro of The Wall Street Journal on identity-proofing.  It's amazing how well she understands the emerging options:

Rob Barbour has found a new way of enhancing his reputation online: showcasing his newly verified identity. When he put up an eBay Inc. listing a few weeks ago, the Ashburn, Va., technology consultant embedded a link to his new online profile on verification service Trufina Inc.

He soon will paste the link in his emails and on a Web site where he sells software and offers programming advice. “I needed a tool that will prove to somebody that this is who I am,” says Mr. Barbour, 39 years old.

Proving who you are is increasingly important on the Web, amid growing concern that pervasive Internet fraud is making it difficult to know whom to trust. In response, companies are developing a slew of new tools to help people confirm their identities. The new services allow consumers to create and share verified personal profiles with people they meet or do business with online.

In recent weeks, many of these services have announced new partnerships with popular social-networking, shopping and dating sites, which face particular pressure to keep out cyber crooks. Trufina, which has recently joined up with dating sites like HonestyFirst.com and Loveaccess.com, relaunched last week with a wider menu of verification tools. Opinity Inc., a new profile-sharing service that verifies a user's age, hometown and, in coming weeks, education and employment history, has recently announced partnerships with social-networking sites like GoingOn.com, classified site Edgeio.com and technology-news site CNET.com. IDology Inc., which performs age and identity checks on customers for high-end online merchants, will this week announce a deal with Zoey's Room, a networking site for girls, marking the first time its age and identity-verification technology will be part of a social-networking site.

Whether they're shopping, chatting, doing business or looking for dates, consumers are increasingly on edge about online safety. In 2005, 59 percent of Americans “completely or strongly” agreed that Internet-based financial transactions were secure, down from 70 percent in 2003 according to Informa Research Services. A recent report from the Pew Internet & American Life Project found that 66 percent of Internet users believe online dating is dangerous because it puts personal information online.

Concerns about the safety of minors, in particular, have exposed the need for more effective ways to confirm a person's identity than a user name and a password. Social-networking sites attempt to protect their members by imposing minimum age restrictions but can't easily enforce them. News Corp.’s MySpace.com, which requires members to be at least 14 years old, told Congress in June that it is looking at age-verification technology but hasn't yet found any effective options.

Proposed solutions for protecting children from online predators are controversial. Last week the House of Representatives passed a bill that bans social-networking sites and chat rooms from schools and libraries that receive certain federal funding. The bill, which has been criticized as too broad and blunt by some online-privacy groups, has been referred to a Senate committee.

A growing number of businesses, too, are using online verification services to check out their customers. Wine company Kendall-Jackson uses IDology's age-verification technology to confirm that new customers on two of its e-commerce sites are at least 21 years old, and it plans to implement more-comprehensive identity verification soon to help combat credit-card fraud. Ice.com, an online jeweler, uses IDology's tools to authenticate buyers whom it flags as high-risk, which include those with particularly high transaction volumes or mismatched addresses.

Microsoft Corp. is addressing online-safety concerns by constructing its own identity technology from scratch. The technology, called Windows CardSpace, is in a very early stage but will be built into its upcoming Windows Vista operating system. CardSpace allows users to log into Web sites by clicking on different digital credentials, or information cards. Users could create their own information cards or they could get the credentials issued to them by a trusted party, like a bank. (Microsoft doesn't host or store the identity information; it just provides the technology for its transfer.) CardSpace is meant to be more secure and useful than passwords because information cards can hold more information, like an address or a credit-card number, and can be backed by a third party.

International Business Machines Corp., Novell Inc. and various other academics and vendors are working together on a similar project. Their technology, dubbed “Project Higgins,” would be open-source.

But radically new tools like these won't be rolled out widely before next year. In the meantime, current services tend to focus on creating a trusted profile that can be used across sites or shared. The services, which collaborate with background-checking companies of the sort corporations use to research future hires, often check attributes like age, address, gender, education, employment and whether a person has a criminal record. Most services provide a basic verification of name, email, and sometimes address free of charge. Anything more can cost up to around $15 a year. The information is typically checked against credit-bureau records and other publicly available data, like property listings and databases of known criminals and sex offenders.

To sign up, users enter their personal data and are sometimes asked to answer a series of tricky multiple-choice questions no one else will likely be able to answer, such as the size of their last mortgage payment. Some details are confirmed automatically; others take time. On Trufina, a basic verification takes two to three minutes, with a background check usually taking less than 10 minutes, says Christian Madsen, chief executive of the College Park, Md., company.

Users can sign up through the services’ own home pages or through a partner site, where some of the costs are absorbed into other membership fees. Loveaccess.com, an online-dating site with two million members, charges customers $145 for a year of its premium service, which requires a Trufina background check.

Currently, the services aren't in widespread use. Indeed, some consumers complain that their verified profiles aren't yet particularly helpful. Max Markidan, a 26-year-old management consultant in Arlington, Va., says he doesn't find it useful for professional networking because few users beyond dating sites appear to have adopted it. “I am married, so I can't really use Trufina at this point,” he says.

The companies’ partnerships with popular sites will make or break their adoption, analysts say, by providing them with necessary revenue and more users.

While many of the services aim to assuage privacy concerns, they may run up against them, too. Briana Doyle, a 24-year-old from New Westminster, British Columbia, joined Opinity last month hoping it would help her aggregate personal information about herself she wished to share with other people online. But she stopped short at divulging details like her address, verifying instead her user names on other Web services like Yahoo's photo-sharing site Flickr, which the service also verifies. “I didn't see any reason to put my address front and center,” says the Web editor.

The companies stress that they don't store personal information about their users. But consumers may still shrink from a service they think knows too much about them. “The minute you aggregate identity information you aggregate risk,” says Jamie Lewis, the chief executive of the Burton Group, a Salt Lake City research firm. With hackers out looking for financial information, “you create a target,” he says.

The Verification Chain

How new identity-verification services work.

  • Users sign up for a new account on a classified, social-networking or dating site and are prompted to click through to the site of an identity verifier.
  • Verification service prompts users to create profiles with details such as their age, address, and occupation.
  • Verification services — or a separate company — electronically check data in public-record databases to verify assertions.

Once it supports Information Cards, a company like Opinity might offer a card that asserts an age or marital status while ensuring no personally identifying information is communicated.  The most important aspect of this is that users won't need to reveal secret or identifying information to anyone but the Identity Provider (Opinity, for example).
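To make the minimal-disclosure idea concrete, here is an added example (not Opinity's or CardSpace's code) of an identity provider that holds a fully verified profile but only ever hands out the claims a relying party asked for, together with a pairwise identifier that differs per relying party so two sites cannot correlate the same user. The profile record, the issuer name and the shared key are constructed, and the HMAC tag stands in for the asymmetric signature a real issuer would use.

```python
"""Added example: an identity provider issuing minimal-disclosure claims.

The verified profile below is constructed and never leaves the provider; the
token that reaches a relying party carries only derived claims (for example
"is this person over 18") and a per-site pairwise identifier.  The HMAC
shared secret is a stand-in for a real issuer's signing key.
"""
import hashlib
import hmac
import json
from datetime import date

# Constructed: the data the verifier learned during its background check.
VERIFIED_PROFILES = {
    "user-42": {
        "name": "Alice Example",
        "birth_date": date(1980, 3, 14),
        "address": "12 Hypothetical Street",
        "marital_status": "single",
    }
}

ISSUER = "idp.example"                               # assumed issuer name
ISSUER_KEY = b"demo-issuer-key-not-for-production"   # constructed shared secret


def pairwise_id(user_id: str, relying_party: str) -> str:
    """A stable identifier that is different for every relying party, so the
    identifier itself cannot be used to link a user across sites."""
    material = f"{ISSUER}|{user_id}|{relying_party}".encode()
    return hashlib.sha256(material).hexdigest()[:32]


def _derive_claim(profile: dict, claim: str, today: date):
    """Compute a single claim from the profile without exposing the profile."""
    if claim.startswith("age_over_"):
        threshold = int(claim[len("age_over_"):])
        b = profile["birth_date"]
        age = today.year - b.year - ((today.month, today.day) < (b.month, b.day))
        return age >= threshold            # boolean only, never the birth date
    if claim == "marital_status":
        return profile["marital_status"]
    raise ValueError(f"unsupported claim: {claim}")


def issue_token(user_id: str, relying_party: str, requested_claims, today=None) -> str:
    """Issue a signed token containing only the requested, derived claims."""
    today = today or date.today()
    profile = VERIFIED_PROFILES[user_id]
    claims = {c: _derive_claim(profile, c, today) for c in requested_claims}
    payload = {
        "iss": ISSUER,
        "aud": relying_party,                      # bound to one relying party
        "sub": pairwise_id(user_id, relying_party),
        "claims": claims,
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, relying_party: str, key: bytes = ISSUER_KEY):
    """Relying-party side: check the tag and the audience; return the payload
    or None.  The relying party sees the claims, never the profile."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(body)
    if payload.get("iss") != ISSUER or payload.get("aud") != relying_party:
        return None
    return payload


if __name__ == "__main__":
    tok = issue_token("user-42", "dating.example",
                      ["age_over_18", "marital_status"], today=date(2006, 8, 1))
    print(tok)
    print(verify_token(tok, "dating.example"))
```

The point to notice is what is absent from the token: no name, no address, no birth date, and an identifier that is useless to any site other than the one it was issued for. A token presented to a different audience, or altered in transit, fails verification.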

Kim Cameron too prolific a blogger?

Ted Howard, who also works at Microsoft, wrote about me recently – I'm tucked in between posts on how much he hates Southwest Airlines, how much he hates Spokane, and how much he hates presidential signing statements.  I hope there's no pattern here.

Kim Cameron is way, way too prolific of a blogger. I don't see how he can possibly find the time to read all the blogs he reads, write all the posts he posts, and still do his job as an architect.

I wonder if he just has a technology assistance team like BillG that is posting to his blog. Maybe if I had confidence about the identity of the real-world entity publishing entries on his blog, then I would know.

If you want to be overloaded with highbrow thoughts and debates on identity, head over to Kim's blog.

That's pretty funny.  Truth is, I have a bunch of friends who send me links to posts I should read, and I make time to read them.  When I've finished, I have a pretty good handle on what's happening.   

So my “technology assistance team” comes from across the industry, which has really expanded my thinking. 

But I'd prefer to call them a blogging community.  And I try to channel this back to this community.

I'd put Ted's question about how I find time to blog and do my job as an architect somewhat differently than he does.  There are all kinds of architects, who contribute in all kinds of ways.  But to me the most important thing an architect can do is see very clearly what needs to be built.  It's not that hard to come up with an idea that could be built.  But I'm talking about something different:  what needs to be built depends on understanding the objective factors that allow you to tap into some kind of historical inevitability.  That's a high bar, but when you are talking about hundreds or thousands of person years, you need a high bar.

I don't think you reach this bar by cutting yourself off and meditating – as healthy as meditation may be.  Nor do I think you do it by working on technical minutiae from morning to night – even if I might find that more relaxing. 

You have to “get out” and see what's happening.  You have to put your ear to the ground.  You have to feel the pulse of the world. 

For me the blogosphere is “essence of pulse”.  It makes me question everything.  What I've done right;  what I've done wrong.  What I've just assumed was true, or assumed that others thought. 

If you look at Cardspace and Information Cards, my work on the laws of identity was effectively architectural work on the principles of the design, even though it was done in the blogosphere. 

Identity represents a central problem of computer science – a complex problem which doesn't have a simple “algorithmic” solution.  To understand it deeply, you need to understand every side of it.  You need to “integrate the tangents”.  What better way than to share your thinking widely and have others help you figure out what is wrong and missing – both in your theory and in your presentation.

So there you go – more highbrow thoughts, I fear.  Of course, let me point out one more time that I'm happy for this blog to be “the hair on the end of the long tail”.  I couldn't help thinking it was a clerical error when CNET named it one of the top 100 technology blogs.  Identityblog is super specialized.  So one man's highbrow might be another's Iggy Pop.  To me they're the same thing, and furthermore, I don't really care.  I just do my thing.

 

Bob Blakley joins the Burton Group

News from Ceci n'est pas un Bob (Bob Blakley): 

As of today, I've moved from IBM to The Burton Group, where my job title will be Principal Analyst. I'll be working on Identity, Privacy, Security, and Risk Management. The views expressed here are still mine, and don't necessarily reflect the positions or opinions of either employer.

Bob was a great spokesperson for IBM, wasn't he?  He's such a thoughtful person. 

I wish him the best of luck in his new role.

Yes or No?

Ben Laurie of Google writes that something important was left unsaid in the recent discussion of federation and large Internet properties:

The end result of the blog deathmatch between me, Kim, Eric and Dick was a deathly silence on what I consider to be the core issue.

OK, it's nice that Microsoft are developing identity management software that might not suck (but remember, it still doesn’t satisfy my Laws of Identity) but the question that’s being posed about Google applies equally to Microsoft, and, indeed, anyone else with an identity silo.

So, here’s the question: is Microsoft going to accept third party authentication for access to Microsoft properties?

How about it, Kim?

OK.  The answer to your question is “yes”.  Windows Live ID is going to accept third party authentication for access to Microsoft properties.

Let me quote from the Windows Live ID Whitepaper.  It seems like I gave the wrong link before, so I've checked that this one works.  I've also copied the paper onto my blog as I always do so my links will be permanent.  The original appears here.  The quote below is one of several places where these issues are discussed in the paper, so it's probably worth checking out the whole paper (about 8 pages).

How Does Windows Live ID Participate in the Identity Metasystem and Work with “InfoCard”?

Microsoft is working with others in the industry to create an identity metasystem that brings existing and future identity providers into a connected identity ecosystem and empowers end users to control the use of their identities. The Windows Live ID service will participate in the identity metasystem as one identity provider among many, able to accept claims from other identity providers and transform them so they can be used within Microsoft online services. This participation will include acceptance of self-issued and managed “InfoCards.” It will thus provide full support for the “InfoCard” identity model.

Roles of the Windows Live ID Service in the Identity Metasystem

Microsoft has published its vision of a universal identity solution that is inclusive of a plurality of identity operators and technologies—the identity metasystem. In such a metasystem, identity providers, relying parties, and subjects can select, request, transfer, transform, and consume identities through a suite of well-defined and open Web Services (WS-*) protocols. Microsoft is working to implement components of the identity metasystem, as are many other companies in the industry. As a result, various building blocks for the metasystem are being developed. Some of these components will be delivered to end users in the form of software installed and running locally on their computers and devices, while others will be online services.

The design philosophy of the identity metasystem is not to replace the existing identity systems in use today, but instead to bring these existing systems together by enabling interoperation among subjects, relying parties, and identity providers through industry standard protocols. The Windows Live ID service will participate in the identity metasystem as a “managed” identity provider already at Internet scale. Windows Live ID will bring a large base of end users and relying parties to the metasystem, taking us one step closer to Internet-wide identity federation and doing our part to help the industry move beyond the “walled garden” paradigm.

The Windows Live ID service will play several essential roles that are strategic for Microsoft. The service:

  • Is an Internet-scale identity provider intended primarily for users of Microsoft online services, which are all relying parties of the Windows Live ID service.
  • Is open and issues claims in a form that can be consumed by any relying party, any device, and any other trusted identity authority.
  • Serves Microsoft online services as a “claims transformer,” allowing those services to accept identities issued by third-parties. Third-party identity providers include other Internet service providers and managed-identity providers, such as the planned Active Directory Security Token Service (STS).
  • Will be the identity provider and federating authority for third party services and software built on top of the Microsoft online services platform.
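The “claims transformer” role in the list above is the piece that answers Ben's question in practice, so here is an added example of what that role amounts to in code. It is not Windows Live ID's or Microsoft's code: a small service keeps a registry of the third-party issuers it trusts, verifies an incoming token with that issuer's key, rejects anything from an unknown issuer, maps the external claim names onto the internal vocabulary, and re-issues an internal token the Microsoft-side relying parties already know how to consume. Issuer names, keys and claim names are constructed, and a JSON body with an HMAC tag stands in for the signed security tokens WS-Trust would carry.

```python
"""Added example: a minimal claims transformer (the STS role in the text).

Accepts a token from a trusted external identity provider, validates it, maps
its claims onto an internal schema, and issues an internal token.  Everything
here (issuers, keys, claim names) is constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed trust registry: which external issuers we federate with, the key
# used to check their tokens, and how their claim names map onto ours.
TRUSTED_ISSUERS = {
    "partner-idp.example": {
        "key": b"partner-shared-key",
        "claim_map": {"mail": "email", "dispName": "display_name"},
    },
    "ad-sts.corp.example": {          # stands in for an Active Directory STS
        "key": b"corp-sts-shared-key",
        "claim_map": {"upn": "email", "cn": "display_name", "memberOf": "groups"},
    },
}
INTERNAL_ISSUER = "live-id.example"        # assumed name of this transformer
INTERNAL_KEY = b"internal-signing-key"     # constructed key for internal tokens


def encode(payload: dict, key: bytes) -> str:
    """Serialize a payload and append an HMAC tag (stand-in for a signature)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def decode(token: str, key: bytes):
    """Check the tag with the given key and return the payload, or None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def transform(external_token: str, service: str):
    """Turn a trusted third-party token into an internal one, or return None."""
    # Read the issuer name without trusting anything yet, so we know which
    # key to verify with.  Malformed input is rejected rather than guessed at.
    try:
        header = json.loads(external_token.rpartition(".")[0])
    except ValueError:
        return None
    iss = header.get("iss") if isinstance(header, dict) else None
    entry = TRUSTED_ISSUERS.get(iss)
    if entry is None:
        return None                           # unknown issuer: not federated
    ext = decode(external_token, entry["key"])
    if ext is None or ext.get("aud") != INTERNAL_ISSUER:
        return None                           # bad tag or not addressed to us
    ext_claims = ext.get("claims", {})
    # Only claims the registry knows how to map are carried across; anything
    # else the external issuer included is dropped at the trust boundary.
    internal = {ours: ext_claims[theirs]
                for theirs, ours in entry["claim_map"].items() if theirs in ext_claims}
    internal["origin"] = iss                  # lets services apply per-issuer policy
    return encode({"iss": INTERNAL_ISSUER, "aud": service, "claims": internal},
                  INTERNAL_KEY)


if __name__ == "__main__":
    incoming = encode({"iss": "partner-idp.example", "aud": INTERNAL_ISSUER,
                       "claims": {"mail": "bob@partner.example", "dispName": "Bob"}},
                      b"partner-shared-key")
    print(transform(incoming, "mail.example"))
```

Two design choices carry the security weight: the issuer is looked up in an explicit registry before its key is used, so a token that merely names itself as trusted gets nowhere, and the claim map acts as an allow-list, so an external issuer cannot smuggle in an internal claim name it was never authorised to assert.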

So now some other questions remain.  Who can federate with Windows Live ID and what are the conditions?  What will the business model be?  What services will people want to use that cause them to seek to federate? 

So don't take me as sounding glib.  There are lots of important issues that the Windows Live ID folks are still thinking about.

Meanwhile your comment that “it's nice that Microsoft are developing identity management software that might not suck” is one of the nicest things anyone has ever said to me, and I'll treasure it.

 

Cardspace Sandbox

If you want to try out Cardspace, you should go to Cardspace Sandbox and follow the install instructions there.

Pamela Dingle has written about the site here.  Her description of Cardspace is great, although I really do recommend following the installation instructions.  In fact, if you don't follow them you will likely have problems.

Remember that if you have installed previous versions of various components, they probably won't work properly for login until you put in the new versions.  The reason is that in response to customers and other vendors, we have had to introduce “breaking changes”.  People tell us about things that can be improved, and we try to do so.  We've chosen not to become mired in “premature backward compatibility” given that we are still in beta.

So I'll review some of what it tells you at the Sandbox:

Install Internet Explorer 7.0
  The Sandbox site currently requires Internet Explorer 7.0 Beta 3 when using Windows CardSpace.
Install the .NET Framework 3.0 Runtime Components July CTP
  The Sandbox site requires the .NET Framework 3.0 Runtime Components July CTP to be installed on your local Windows XP or Windows Server 2003 computer in order to use Windows CardSpace.
Start using Windows CardSpace!
  Create a new user account or login using your Information Card.  

Log into the Sandbox, and log into my site using the “Login” button.  You won't need to create an account.  Just answer the email my system sends you and you will be registered and able to comment.

Remember, if you have previous beta versions of .NET framework or IE 7 components above you need to go to the Control Panel->Add or Remove Programs, and delete them.  You'll find detailed instructions if you follow the install links.  I did it myself and didn't find it onerous at all, though I needed help removing the earlier version of IE 7.

Craig Burton writes:

Cardspace Sandbox looks like a good place to have some guidance for Infocards and Cardspace. However, I have tried some of the stuff they recommend and got stopped because of the requirements.

In the mean time, I have issued myself an infocard but I have yet to find a place that accepts it–including Kim Cameron's identityweblog.

Waiting for Kim to respond. I would make a comment on his blog about all of this but I can't because I haven't figured out how to create an account.

This is ridiculous.

Indeed – there is a bit of a Catch-22, since to put a comment on my blog you need to log in with an infocard.

More and more people are getting Cardspace running.  For example, while I was writing this, in came a comment posted by Bavo De Ridder, who wrote:

Ok, I have installed .NET 3.0 July CTP and since I already had IE7 Beta 3, it took only a few minutes, no reboot required. This stuff seems to be of good quality already! 

Bavo was able to add his comment without going through “moderation” – contributing to the identity silo thing.

So courage my friends, and please follow the instructions posted at the Sandbox.  Like Bavo, I think the quality is getting quite good – the hard part is making sure your versions are right.