ADVENTURES OF AN ETERNAL OPTIMIST

I've just come across “Adventures of an Eternal Optimist”, a new (for me) blog by Pamela Dingle. She is a systems integrator in the field of Identity Management who works for a company called Nulli Secundus. Many in the identity community will know her from the excellent and sometimes artfully rhetorical questions she comes up with at the conferences.

She's reviewing the InfoCard bits and posting good stuff. She liked the Identity MetaSystem Design Rationale Paper:

There is a lot of info packed into these 11 pages – it is densely formatted, and there are no flowery sentiments. Terse is good. I like terse.

She also posted a balanced critique of the current version of the InfoCard bits…

As most of you know, I’m pretty excited about InfoCard. I’ve been playing with it for a while now, and I think I need to mention a few of the things I’ve noticed. I’m very aware that I’m working with a CTP – and I understand that there is a finite group of people that can only do a finite amount of work before Vista goes live. I hope I’m mentioning things you already know about and are planning for, Stuart! I don’t believe that these points can be considered nitpicking – they are pretty important, in my opinion.

I expect to be posting more of these entries as I get time, so stay tuned.

1. Export Prevention

As of the Jan 2006 CTP, there is no way to prevent a person with access to your account from exporting your InfoCards. If I walked into an office where the person had not logged off or locked their screen, I could have their entire card set saved to a file on the network or to a USB key in under 60 seconds, without ever being challenged. In fact, instead of being challenged for a password, the attacker is asked to set one! This password is needed in order for the infocards to be imported elsewhere, but it doesn’t protect the user from an attacker who sets it in the first place.

One more scenario to drive the importance of this issue home – there is nothing a parent can do to prevent their child from listening to the instructions of the nice man in the chat room, who tells them how to export infocards belonging to the whole family, and email them off (this of course assumes that the family shares an account – if the child has their own account, then the question of how to control what cards are placed in that account arises). If the cards are pin-locked, they are tougher to get into – however, the attacker can take as long as they want to try and crack the pin.

Keep in mind – I can only assert this regarding self-issued infocards. I don’t have a managed infocard to test with, but my understanding is that a lot of the built-in security that Infocard developers have spent a ton of time on kicks in when you start dealing with managed infocards. With a managed card the data is no longer part of the export, and a new trust relationship has to be established between the Identity Selector and the Identity Provider in order to view managed infocard attributes. This gives you the time to cancel your card, and it gives the Identity Provider the chance to notice that all of a sudden your infocard is being viewed/used from an unknown IP address. Still, if the Identity Provider is not sophisticated enough to notice, you might be up the creek — infocard exports are not even logged under Site Usage, so if somebody does export your cards and walk away, you won’t even know it.

2. Deletion Prevention

Along the same vein – a user cannot guard against accidental or malicious deletion of infocards. In the case of self-issued cards, it isn’t tough to re-create – after all, there are no more than 14 fields to type in. Deletion of managed infocards could be much more of a pain, depending on the process involved for re-provisioning. As well, upon deletion all of the usage records are lost, and Deletion events are also not logged as part of site usage.

Thoughts/Suggestions
From a sys-admin point of view, the obvious eventual goal would be to be able to set group policy around infocards. Until then, if a network login was forced at the time the export/deletion took place, it would at least prevent malicious attacks on unattended workstations. In the case of a shared family account, I have fewer ideas.

This all boils down to control. Visibility and control are keystones of Infocard – and as such, I think that the user or sysadmin has to (a) be able to see events such as exports in the log files, and (b) be able to place X credentials and ONLY X credentials on a managed desktop or account, and to prevent those credentials from being removed or copied. I do realize that you could call that second point a loss of control from the point-of-view of the user with the managed desktop — but the truth is, such relationships exist, and for good reason. The tool has to handle such demands.

So? Am I crazy? Is this not really such a big deal after all? Let me know what y’all think…

Certainly, in the home, people should be using different accounts for different family members. With “fast user switching” this actually works very well. I'm looking for stats on how much progress we've made in getting people to do this.

While it is true that people who get physical access to your machine can delete your infocards, they can also delete your whole filesystem. Presumably if you have such people around you should at least employ an automatic screensaver with password protection, and do backups from time to time.

The deletion problem is a “denial of service” and these are mostly impossible to prevent if people have physical access. For example, the opponent could take a very large hammer to the PC and you wouldn't be able to use your InfoCards no matter what we do.

Pam's critique of the way card export works strikes me as something we must address. I'll get back to you after discussing this with the team. At the RSA convention I promised Pam that if she found something that could help in our threat analysis I would buy her dinner for two and a visit to a spa. So I fear I'm in trouble here.
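The export and deletion issues Pam raises, modelled as an added example (illustration code written for this page, not the InfoCard CTP's own code nor Pam's): a toy card store run once as the Jan 2006 CTP behaves and once with a fresh-password gate and an audit log, showing that a self-issued export carries the claims while a managed export carries only the pointer to the Identity Provider. The card names, the issuer URL, the passwords and the 60-second re-authentication window are constructed assumptions.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Card:
    name: str
    managed: bool
    issuer: str = ""                            # IdP endpoint (managed cards only)
    claims: dict = field(default_factory=dict)  # kept locally only for self-issued cards

class ReauthRequired(Exception):
    """Export or delete attempted without a fresh credential check."""

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class CardStore:
    """Constructed model of an Identity Selector's card collection. hardened=False
    reproduces the Jan 2006 CTP behaviour Pam describes: anyone at an unlocked session
    can export or delete, chooses the export password themselves, and nothing reaches
    the usage log. hardened=True models her suggestions: the account password must have
    been re-entered within REAUTH_WINDOW seconds, and every export/delete is logged."""
    REAUTH_WINDOW = 60.0

    def __init__(self, account_password: str, hardened: bool):
        self._salt = os.urandom(16)
        self._account_hash = _derive(account_password, self._salt)
        self.hardened = hardened
        self.cards = {}
        self._last_reauth = float("-inf")
        self.audit = []                         # the "Site Usage" style event log

    def add(self, card: Card) -> None:
        self.cards[card.name] = card

    def reauthenticate(self, password: str, now: float) -> bool:
        if not hmac.compare_digest(_derive(password, self._salt), self._account_hash):
            return False
        self._last_reauth = now
        return True

    def _gate(self, action: str, card_name: str, now: float) -> None:
        if not self.hardened:
            return                              # CTP: no challenge, no log entry
        if now - self._last_reauth > self.REAUTH_WINDOW:
            self.audit.append({"event": action + "_denied", "card": card_name, "t": now})
            raise ReauthRequired(f"{action} of {card_name!r} needs a fresh password check")
        self.audit.append({"event": action, "card": card_name, "t": now})

    def export(self, card_name: str, export_password: str, now: float) -> dict:
        """Password-protected export file (the real CTP encrypts it; with no AES in the
        stdlib this toy only binds the payload to the password with an HMAC)."""
        card = self.cards[card_name]
        self._gate("export", card_name, now)
        # A managed card exports only its pointer to the IdP: the attributes stay at the
        # provider, so a copy is useless until a new trust relationship is established.
        payload = json.dumps({"name": card.name, "managed": card.managed, "issuer": card.issuer,
                              "claims": {} if card.managed else card.claims}, sort_keys=True)
        salt = os.urandom(16)
        check = hmac.new(_derive(export_password, salt), payload.encode(), "sha256").hexdigest()
        return {"salt": salt.hex(), "check": check, "payload": payload}

    def delete(self, card_name: str, now: float) -> None:
        self._gate("delete", card_name, now)
        del self.cards[card_name]

def import_file(blob: dict, export_password: str) -> Optional[dict]:
    """Unlock an export file: the card payload, or None if the password is wrong."""
    salt = bytes.fromhex(blob["salt"])
    check = hmac.new(_derive(export_password, salt), blob["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(check, blob["check"]):
        return None
    return json.loads(blob["payload"])

def demo() -> dict:
    # Constructed cards: a self-issued card holding its claims, a managed one holding a pointer.
    home = Card("home", managed=False, claims={"givenname": "Alice", "email": "alice@example.invalid"})
    bank = Card("bank", managed=True, issuer="https://sts.example-bank.invalid")
    ctp = CardStore("owner-pw", hardened=False)
    ctp.add(home); ctp.add(bank)
    stolen = ctp.export("home", "intruder-chosen", now=1000.0)   # no challenge, no log entry
    ctp.delete("bank", now=1001.0)                                # silent deletion as well
    fixed = CardStore("owner-pw", hardened=True)
    fixed.add(home); fixed.add(bank)
    try:
        fixed.export("home", "intruder-chosen", now=1000.0)       # refused: no fresh re-auth
        blocked = False
    except ReauthRequired:
        blocked = True
    fixed.reauthenticate("owner-pw", now=1000.0)                  # owner re-enters password
    managed_blob = fixed.export("bank", "owner-chosen", now=1010.0)
    return {"ctp_audit": len(ctp.audit), "ctp_cards_left": sorted(ctp.cards),
            "leaked_claims": import_file(stolen, "intruder-chosen")["claims"],
            "blocked_without_reauth": blocked,
            "managed_export_claims": import_file(managed_blob, "owner-chosen")["claims"],
            "fixed_audit": [e["event"] for e in fixed.audit],
            "wrong_password": import_file(managed_blob, "guess")}
```

Run `demo()` to see both stores side by side: the CTP-style store leaks the self-issued claims and loses a card with an empty audit log, while the hardened store refuses the unchallenged export, records the refusal and the later export, and hands out only the IdP pointer for the managed card.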

INTERVIEW ON OPENNESS AND PRIVACY

A number of people have confided that they worry the commitment to privacy and openness I make in my work can't “possibly” reflect the ideas of the “official Microsoft juggernaut”. So I hope this interview by Financial Times writer Richard Waters will help people see the Bill Gates I know, and how deeply he understands the need for privacy and the possibilities inherent in the virtual world. You'll also see he fully supports an identity metasystem which is open and reaches across platforms.

FT: You have talked about building a “trust ecosystem” on the internet in which users’ identity information can be shared between websites. Would this be a closed system, or an open one?

BG: It’s totally standards-based and totally open. It runs on all platforms. It’s a series of standards that we’ve worked on – in fact, IBM has been one of the key participants in these standards. It’s got to work across all systems or it’s not worthwhile. It’s a great industry standard, just like we’ve helped to extend HTML for everybody to use, and TCP/IP for everybody to use.

We have an implementation of it that will compete on the implementation. But the whole notion of the protocols, how it’s done, that’s all in these WS-Trust standards. Believe me, we know a lot about this. When we did Hailstorm, four or five years ago – it wasn’t a plot to be the central root of trust or anything like that, but it was perceived as such. Our guys who work in this area have made it so clear that this is open, that everybody connects up to this. We are so clear on this.

FT: Is this the Hailstorm vision under a different name?

BG: No, no, it’s not even worth going back to that. We partly didn’t know what it was, and certainly what the press said it was wasn’t what we thought it was, but even what we thought it was we didn’t end up doing all of that. That’s old history.

This is very simple. There are statements like, “I, the employer of this person, have given them a secret” – either a password or even better a big number, a key. So I, Intel, say if they present this secret back to me, I, Intel vouch that they are an employee. Then we at Microsoft collaborate with Intel, and we decide do we accept statements of that type to decide who can get into various collaborative websites for joint projects.

That’s called federation, where we take their trust statement and we accept it, within a certain scope. So they don’t have to get another user account password. There’s no central node in this thing at all, there never can be. Banks are a key part of it, governments can be part of it. The US, probably not as much.

In a lot of countries, statements like “this person is over 18”, “this person is a citizen”, the governments will sign those statements. When you go into a chat room, for example, in Belgium, they’ll insist that you present not necessarily the thing that says who you are, but the thing that says the government says I’m over 18. This trust ecosystem has so much good designed for privacy. This thing is amazing, where you can prove who you are to a third party and then, in the actual usage, they don’t know who you are. A lot of the previous designs had the idea that if you authenticated, then you gave up privacy. There are lots of cases where you want to be authentic but not give up your privacy – or not give up your privacy except in extreme cases.

So all these things that exist in the real world about trust have to be mirrored in these digital systems – and the real world is very complex in these respects. When you hear somebody on the phone, that’s enough evidence that you’re willing to tell them some things. The basic architectural framework lets us mirror a lot of these real world things. But these real world things, they take no set-up time.

Your brain is just so good at recognizing somebody’s voice, or somebody’s face, or somebody’s handwriting. It’s all just so implicit. When you leave your office, it would be strange for somebody nobody knows to come into your office and sit there at your computer – you didn’t write a memo to everybody nearby, it’s so implicit: give me a break, you guys just let that guy walk in there and walk away with my computer! In the digital world, there’s far less that’s implicit like this.

Describing these things is hard. Now in some ways, the digital world is superior. The ability to have anonymity is actually better when you want it. There’s no such thing as going to a soapbox and saying the government’s corrupt and not having the intelligence service see your face. In the digital world, that can be done.

BILL GATES, INFOCARDS AND THE IDENTITY METASYSTEM

I've assembled a list of some of the articles that appeared this week after Bill Gates’ keynote at the RSA security conference in San Jose.

Verisign's announcement of support also played a big role in driving home the message that InfoCards are part of an open identity metasystem reaching across platforms. As more people announce support, this part of the message will be strengthened.

The collection I have put together is far from complete, and not edited for content except to cut out all the articles which can only be read by entering a password (I just can't bear them). The idea is to show the kind of dynamic we can get going if all of us work together.

I really believe we have a unique opportunity at a precious moment in time. I hope all of us, throughout the industry, can benefit from and help create a tantalizing technology wave where privacy-based applications aware of identity open a million new possibilities for innovation and great new experiences.

The momentum which we are gaining can be extended and transformed, becoming a glow that radiates from every company in the industry.

Let's work together on giving digital identity a real architecture that will light the fire of web services.

Microsoft pushes InfoCard for secure online ID – Todd Bishop, 02-14-2006
Seattle Post-Intelligencer, Sci-Tech Today, MSNBC News Services, Top Tech News

Gates sees end to passwords in sight – Joris Evers and Ina Fried, 02-14-2006
CNET News.com, The New York Times, ZDNet, ZDNet Australia

Microsoft unfolds next generation authentication – Tom Sanders, 02-14-2006
vnunet.com, Computer Active Online, Computing UK, What PC UK, Computeractive

Gates calls for better computer security – Timothy Roberts, 02-14-2006
San Jose Business Journal, Silicon Valley/San Jose Business Journal, East Bay Business Times, San Francisco Business Times, Puget Sound Business Journal, Daily News and Analysis

Gates Outlines Computer Security Efforts – Matthew Fordahl, 02-14-2006
Associated Press, The Monterey County Herald, Inland Valley Daily Bulletin, Bradenton Herald, The Macon Telegraph, Belleville News-Democrat, Journal Gazette, Durant Daily Democrat, Press-Enterprise, The Tribune-Democrat, Centre Daily Times, Ottawa Sun, Grand Forks Herald, Pittsburgh Post-Gazette, The Washington Post, Boston Herald, Houston Chronicle, The Charlotte Observer, The State, Fort Worth Star-Telegram, San Jose Mercury News, St. Paul Pioneer Press, Sacramento Bee, The News & Observer, Columbus Ledger-Enquirer, Casper Star-Tribune, North County Times, The Globe and Mail, Contra Costa Times, The Ledger, The Herald, KCCI-TV, KETV-TV, Forbes.com, BusinessWeek Online, MSN Money, detnews.com, timesunion.com, Kansas.com, Kentucky.com, phillyburbs.com, The Norman Transcript, cbs5.com, click2houston.com, kesq.com, kgw.com, kcra.com, nbc11.com, king5.com, wesh.com, newsnet5.com, ktvu.com, local6.com, wral.com, nbc4.com, koin.com, komotv.com, MSNBC.com, NewsFactor.com, Canada.com, New Mexico, Gameday, Daily Journal, CIO Today, SiliconValley.com, Los Angeles Times, Montreal Gazette, Pioneer Press, wjactv.com, wtov9.com, kfoxtv.com, foxreno.com, nbc13.com, The Canadian Press, Journal Gazette Company(The), Biloxi Sun Herald, San Luis Obispo Tribune, Myrtle Beach Sun News, Duluth News Tribune, Milwaukee Channel.com, Hawaii Channel.com, INDYchannel.com, Boston Channel.com, Click10.com, Lakeland Ledger, News Factor Network, ChamplainChannel, San Diego Union Tribune, Worcester Telegram, Record-Searchlight, ABC Newspapers, WPBF-TV, Inside Bay Area, Malaysia Star, NW Indiana Times, Cnews, Jackson Channel, WBAL Channel, IT News Online, erald News Daily, Leading the Charge, Playfuls.com, Top Tech News, Mainichi Daily News, Pierceland Herald, New Mexico Channel, Mumbai Mirror

Gates Issues Call to Action for Security – Nathan Mook, 02-14-2006
BetaNews

Gates Says Security Is Job One For Vista – Aaron Ricadela, 02-14-2006
InformationWeek

Microsoft promises Passport redux with ‘InfoCards’ – Ashlee Vance, 02-14-2006
The Register, Computer Crime Research Center

InfoCard on the way from Microsoft – Nate Anderson, 02-14-2006
Ars Technica

Reporter's notes from the RSA conference – Jaikumar Vijayan, 02-14-2006
Computerworld

Gates’ latest vision brings controversy – Richard Waters, 02-14-2006 (subscribers only)
Financial Times

RSA: Gates outlines ID management for Vista, XP – Elizabeth (Liz) Montalbano, 02-14-2006
IDG News Service, CRN, Network World, InfoWorld, PCWorld.com, ITworld.com, Techworld, PC Advisor (Online), ARNnet.com

Microsoft, RSA, Sun And Encryption – Erin Joyce, 02-14-2006
internetnews.com, DevX.com, Inc.

Gates calls for the end of passwords – Bill Brenner, 02-14-2006
TechTarget, searchCIO.com

Gates discusses security protections at S.J. conference – Jessie Seyfer, 02-14-2006
San Jose Mercury News, Bradenton Herald, The Kansas City Star, The Charlotte Observer, Kentucky.com, Ledger-Enquirer.com, GrandForksHerald.com, SiliconValley.com, Pioneer Press, Biloxi Sun Herald, San Luis Obispo Tribune, Duluth News Tribune, Express India

Gates says security boils down to four focus areas – John Fontana, 02-14-2006
Network World, Computerworld

Gates Pushes Maximum Security – Katie Dean, 02-14-2006
TheStreet.com

Gates Outlines Microsoft's Security Vision – Luc Hatlestad, 02-14-2006
VARBusiness, CRN

Beyond Microsoft Passport Is InfoCard – Staff Writer, 02-14-2006
NewsFactor.com, CIO Today

Microsoft Wants Zero Passwords – Staff Writer, 02-14-2006
Red Herring

Gates Outlines Vista Security Features – Staff Writer, 02-14-2006
Top Tech News, CIO Today, News Factor Network

Microsoft plans virtual information wallet: Gates – Staff Writer, 02-14-2006
Reuters, The Washington Post, Boston Globe, The New York Times, The Australian IT, CNN International, TVNZ, News24, Reuters UK, CIOL IT, IT News Australia, Reuters India, Reuters Canada, CRN Australia, Herald News Daily, DNA India

Microsoft Updates Active Directory Roadmap – Stuart Johnston, 02-14-2006
Redmond, ENT

McNealy and Gates as hunting partners? – Todd Bishop, 02-14-2006
Seattle Post-Intelligencer

Microsoft talks security, InfoCard – William Harris, 02-15-2006
Bit Tech.net

Gates: Security is #1 Vista Priority – Albert Sacco, 02-15-2006
CIO

Microsoft introduces Infocard for improved security – Staff Writer, 02-15-2006
24X7

Bill Gates Plans On Replacing Passwords With ‘InfoCard’ – Staff Writer, 02-15-2006
All Headline News

Gates unveils ID security tool ‘Infocard’ – Abdul Salaam Masheer, 02-15-2006
EarthTimes.org

Microsoft Finds Unlikely InfoCard Ally – Ryan Naraine, 02-15-2006
eWeek, The Channel Insider, Neowin.net

Microsoft specs out InfoCard security credentials – Staff Writer, 02-15-2006
Finextra

Security Isn't "One Size Fits All" – Larry Greenemeier, 02-15-2006
InformationWeek, CRN, Security Pipeline

The oldest question in IT – Tom Sullivan, 02-15-2006
InfoWorld

Sparks of Life (and Green) in Smart Cards – Erin Joyce, 02-15-2006
internetnews.com

Keynoters push for ID federation, harsher laws – Annet Saita, 02-15-2006
TechTarget

Windows will feature better locks – Bob Keefe, 02-15-2006
The News Tribune, Atlanta Journal-Constitution, Austin American-Statesman, Hispanic Business.com

Gates calls for better PC security – Dan Fost, 02-15-2006
San Francisco Chronicle

Microsoft pushes standardized SSO at RSA – George Ou, 02-15-2006
ZDNet

Gates Outlines Microsoft Security Strategy – Jay Wrolstad, 02-15-2006
NewsFactor.com, CIO Today, Sci-Tech Today, Top Tech News

Gates unveils new kind of PC security – Jessie Seyfer, 02-15-2006
San Jose Mercury News

Taking the pain out of passwords – Louisa Hearn, 02-15-2006
The Age, Sydney Morning Herald Business

Microsoft Developing Virtual Wallet – Nathan Weinberg, 02-15-2006
WebProNews.com

Bill Gates: RSA Keynote 2006 – Paul Krevs, 02-15-2006
Neowin.net

Gates Pushes Smart Cards To Replace Passwords – Ryan Naraine, 02-15-2006
PC Magazine

Microsoft and Sun show commitment to online security – Phil Muncaster, 02-15-2006
IT Week

Microsoft Finds Unlikely InfoCard Ally – Ryan Naraine, 02-15-2006
The Channel Insider

Gates Outlines Microsoft Security Efforts – Staff Writer, 02-15-2006
NewsFactor.com, Sci-Tech Today

Passwords a thing of the past – Staff Writer, 02-15-2006
Monsters and Critics

Bill Gates presents a new software security program – Staff Writer, 02-15-2006
Pravda.ru

Gates tries to win over skeptics on security – Todd Bishop, 02-15-2006
Seattle Post-Intelligencer

Microsoft InfoCard's first backer: VeriSign – Todd Bishop, 02-15-2006
Seattle Post-Intelligencer

Active Directory, identity management get tighter – Matt Mondok, 02-16-2006
Ars Technica

Newsmaker: Ending Microsoft's identity crisis – Ina Fried, 02-16-2006
CNET News.com, ZDNet, ZDNet India

VeriSign SSL Business Could Get Vista Boost – Kevin Murphy, 02-16-2006
Computer Business Review, CommentWire

Microsoft plans virtual information wallet to manage your online IDs – Staff Writer, 02-16-2006
DNA India

VeriSign and Microsoft tie-up to tackle phishing crimes – Staff Writer, 02-16-2006
Finextra

Calling Cryptographers – Kate Greene, 02-16-2006
MIT Technology Review Germany

Microsoft continues push for ‘InfoCards’ – ScuttleMonkey, 02-16-2006
Slashdot

Bill Gates Talks about Infocard at RSA – Staff Writer, 02-16-2006
Spotlighting News

Infocard Spells End of Passwords – Staff Writer, 02-16-2006
TechTree

Gates security program would end passwords – Staff Writer, 02-16-2006
Knight Ridder Newspapers, The Charlotte Observer

Gates outlines vision for new secure Internet Explorer – Steve Malone, 02-16-2006
PC Pro Online

Microsoft security InfoCard wins key supporter – Todd Bishop, 02-16-2006
Seattle Post-Intelligencer

McNealy on the ‘hairball,’ and other tales from RSA – Todd Bishop, 02-16-2006
Seattle Post-Intelligencer

Microsoft demos virtual wallet – Derek Sooman, 02-16-2006
TechSpot

Bill Gates’ RSA Keynote Address – Alex Muradin, 02-16-2006
SoftPedia News

Are Passwords Passé? – Paul Roberts, 02-17-2006
eWeek

Gates: Passwords Aren't Enough – Paula Rooney, 02-17-2006
CRN

MICROSOFT'S IDENTITY CRISIS

Ina Fried interviewed me for CNET News a few days ago. She took the picture with a preposterously small James Bond type camera that doubled as a voice recorder. You can see she asked a lot of interesting questions.

SAN JOSE, Calif.–If Microsoft needs a lesson on how to do identity management wrong, it needs only look at its past.

With Passport, Microsoft had exactly the wrong approach as the software maker needlessly stepped between businesses and their customers–so says Kim Cameron, the identity expert who leads Microsoft's current effort, known as InfoCard.

Microsoft Chairman Bill Gates on Tuesday touted InfoCards as one of the technologies that could finally help cement the death of the username and password as the means of verifying identity on the Internet.

But before InfoCard can supplant anything, Microsoft will have to line up Web sites to use it, banks and credit card companies to support it and then get consumers to buy in, too. Cameron sat down with CNET News.com this week to talk about InfoCard, how it works and what Microsoft needs to do to make sure it doesn't whiff again.

What makes this attractive to others–to, say, Web site owners?
Cameron: When you first go to a Web site, their mantra, somebody told me, is “acquire, acquire, acquire.” I didn't know what that meant. But what that means is: Get that customer relationship going. At that moment, a lot of people will want to accept any InfoCard they can, then later, they get pickier. For example, if you want to buy something they will probably want something from a credit card company or a bank.

It's a bit of a chicken and egg thing. How do you guys get enough of the right people on board, build enough of an ecosystem?
Cameron: One of the things is people don't have to throw out their current authentication mechanism for InfoCard. And you don't have to change much at your site. It's just one very small component of the site that changes. The rest of the site all just stays the same. So, the investment required is small. And it becomes easier to acquire (new customers).

Now the question is: “Can we as Microsoft put together the right partnerships?” It’s hard. I've never worked on anything this hard, but the payoff is huge if it can be done. Then the question is: “Does the industry want to do it?” Microsoft can't do it by ourselves. Nobody can do it by themselves.

If I'm a user of Vista (the next version of Windows), how do I get an InfoCard? Is it something that is just there?
Cameron: A self-issued one you create yourself. If you get one, say from your bank, you go to your bank's Web site and you double click on it. It will give you your InfoCard–you might have to enter a one-time password or something that they have given you. It just appears in your InfoCard collection. You go through the verification process and it will appear in your InfoCard collection.

Is it limited to Internet Explorer? You have talked about it being implemented in the browser, but is it limited to that?
Cameron: It's not implemented in the browser. It’s integrated with the browser. The browser uses it, but it's an underlying platform service. Mozilla can use it just as well as IE (Internet Explorer). That's key. If that isn't the case, it just won't get the reach that we need.

It seems like the intent is for there to be multiple and compatible things there, a mechanism that keeps it so that when Apple does it, it's compatible with InfoCard?
Cameron: This is the nice thing. It's built on these standards that a lot of companies have adopted, Web services standards. It's really a precise collection of standards–WS-Trust, WS-Security, WS-Security Policy.

What about the whole Liberty Alliance specification?
Cameron: This is not positioned against Liberty. I am an admirer of Liberty. Liberty has done a lot of great things around policy, leadership on federation. This is something that a Liberty-enabled site can use for interacting with their customers.

Now, in terms of WS standards and Liberty, currently Liberty runs on the SAML (Security Assertion Markup Language) protocol, and WS standards are slightly different, although they share components. We're also working to try and align those things. But those things don't impact InfoCard.

Microsoft has said that InfoCard will be available for XP machines through IE7. How do XP users get access to the necessary code?
Cameron: In XP it comes in on WinFX.

So it's a client-side software download?
Cameron: Yes. Our hope is that will be really easy.

So, I can have my InfoCards on my work machine and on my home machine and they could be the same. Does that expose it to security risks? If you are able to transfer InfoCards then people can steal it?
Cameron: No, because the InfoCard doesn't actually contain the identity information. What it is is a visualization and a way of contacting the identity provider. You can't go and steal the InfoCard. I mean if you did, it wouldn't give you anything.

What, if any, personal data lives on other people's servers?
Cameron: Let's take the case of a credit card company. Because I go to the credit card provider each time I want to use one, it can give me a one-time credit card number. It actually never has to release my real credit card number.

Obviously InfoCard comes with Vista, but what do you think is a realistic time frame for when this will be usable?
Cameron: I think people will be offering InfoCard-enabled services by the time Vista ships. I'm at a disadvantage because I can't tell you who we are working with. What I can say is there are thought leaders around this in each industry. Those are the guys who we will be working with and who will have these applications that are InfoCard ready.

You can get not just identity but sort of very interesting semi-anonymous things that are very privacy-friendly. One of the things we have been doing with this project is to work with the privacy advocates and have them as colleagues in the design of the thing. This is not one of those things where a bunch of nerds get into a garage and come up with something that is going to gross out the privacy advocates.

When do you anticipate talking about some of the partners?
Cameron: It will be as we get closer to (the launch date for) Vista.

News.com's Joris Evers contributed to this report.

VERISIGN TO SUPPORT INFOCARDS

Todd Bishop of the Seattle Post Intelligencer posted another good read – this time about Verisign's support for InfoCards. Now, in addition to Microsoft having an InfoCard Project, Verisign has one. This is a big step forward for an Identity Metasystem that gives people increased control over their digital identities.

I hope people see that when enough industry players buy in, the system will no longer be ascribed to Microsoft. It will be a lot clearer that InfoCard does not “belong” to any particular vendor. Microsoft will have its Identity Selector, and its Active Directory InfoCard support, but many other vendors and platforms and organizations will offer InfoCard components. The Identity Metasystem will be like TCP/IP or the Web.

There will be an ecology that will lead us all to a period of great creativity – where a million new possibilities open up as identity becomes easy to program and use. That world is what Microsoft is trying to foster – not brand recognition around InfoCard.

SAN JOSE, Calif. — Microsoft Corp.’s fledgling InfoCard online identification project has won support from one of the biggest names in the field.

VeriSign Inc. showed plans Wednesday to let people use Microsoft's InfoCard program as one way to log into Web sites that are part of its VeriSign Identity Protection Network — which already has signed up Internet heavyweights eBay, PayPal and Yahoo! as its initial participants.

Analysts called it an important first step for Microsoft, which needs to bring aboard a variety of Web sites and identity providers for the InfoCard project to work. VeriSign announced its system, known as the VIP Network, earlier this week.

“That's a really valuable win for Microsoft,” said industry analyst Rob Helm, research director at Kirkland-based research firm Directions on Microsoft. VeriSign's involvement means Microsoft's InfoCard stands a better chance of being “something more than an academic exercise,” Helm said.

VeriSign Chief Executive Stratton Sclavos announced the company's plan to link up with InfoCard during an address Wednesday morning at the RSA security conference here. Before the announcement, the VIP network appeared to pose a potential competitive threat to Microsoft's InfoCard project, as an alternative system.

The VIP network provides people with a common way of securely logging in to a variety of sites. It will work in conjunction with one-time digital passwords generated by devices such as specially equipped mobile phones, key chains and USB keys.

The InfoCard program is designed to serve almost as a virtual wallet on the computer screen, with different cards representing a person's various online identities.

Microsoft hopes to persuade many identity providers — such as banks, governmental agencies and online services — to issue InfoCards. People using the InfoCard program could then select one of the cards to securely provide their digital credentials when they need to log into online sites, authenticating their identity without using a password each time.

Users of the VIP Network would still be able to log into sites using VeriSign's system alone, but the company's decision to work with InfoCard would give them the option of using the Microsoft program as an alternative interface.

On stage at RSA Wednesday, VeriSign demonstrated the ability to access an InfoCard associated with the VIP Network using a digital password generated by one of the VeriSign devices. After that step, the InfoCard program lets the user select that virtual card to securely log in to one of the VIP Network sites.

The InfoCard program, demonstrated by Microsoft Chairman Bill Gates at the RSA conference earlier this week, will be included in the upcoming Windows Vista operating system and made available for the existing Windows XP. It also will work in conjunction with Microsoft's upcoming Internet Explorer 7 browser.

Kerry Loftus, director of product management for VeriSign's authentication services, said the sites with which the company is working were interested in making sure the VIP System was integrated with Microsoft InfoCard, as well.

“They understand it's a reality that's coming down the pike for them,” Loftus said. “It's another alternative log-on for them.”

Loftus said the arrangement between VeriSign and Microsoft is a technology partnership, with no financial terms involved. During his speech, VeriSign's Sclavos cited it as an example of companies in the information-security industry “coming together around standards that can be shared.”

InfoCard is the Redmond company's latest effort to give computer users a uniform way of logging into Web sites and verifying their identities online. It works with a variety of identity providers, unlike the company's Passport log-in program.

As a security measure, InfoCard doesn't store sensitive personal data from identity providers on the computer itself. Instead, after a user clicks on a card, the program retrieves the necessary digital credentials from an identity provider, then forwards them to a site to authenticate the person's identity.

In addition, people would be able to create their own virtual cards inside the program for submitting basic log-in information to Web sites. The InfoCard program itself runs in a secure area separate from the standard PC desktop.

Reflecting the fact that it was a surprise, Sclavos preceded the announcement of VeriSign's InfoCard integration with a nod to Apple Chief Executive Steve Jobs’ signature move — appearing as if he were about to conclude his speech but then saying he had “one more thing” to show.

I thought the demo was great – I hope our friends at Verisign will do a screen-capture video so I can link to it for people who missed the live event.

I hope everyone thinks hard about what happened here. Verisign and Microsoft could have gone in separate directions and the result would be further confusion in the identity landscape. But it didn't happen. There is a lot of vision at Verisign, and my team really enjoyed working with them as they built their proof of concept.

DOUBLE WHAMMY FOR PING

Ping Identity continues to be a leader in getting product into the marketplace and building an Identity Metasystem. I don't know much about their MedCommons alliance but it looks interesting.

Today at the RSA Conference in San Jose, CA, Ping Identity announced that PingTrust v1.0 is now available for free download. Previously called PingSTS, PingTrust is a WS-Trust Security Token Service that creates, validates and exchanges security tokens to identity-enable Web Services and to extend federated single sign-on to incorporate Web Services.

Meanwhile at the HIMSS conference in San Diego, CA, Ping Identity and MedCommons announced a partnership to bring standards-based single sign-on to electronic health records. Ping and MedCommons are demonstrating their combined products this week at a HIMSS interoperability showcase sponsored by the Liberty Alliance.

TODD BISHOP EXPLAINS INFOCARDS

Todd Bishop at the Seattle Post Intelligencer published this article this morning:

SAN JOSE, Calif. — Microsoft Corp. is set to take another crack at creating a uniform way for people to log on to Web sites, conduct transactions and prove their identities online.

Code-named InfoCard, the project will be outlined by Microsoft executives at the RSA computer security conference here this week. It reflects a change in approach for the company after its Passport initiative fell far short of the original goal of becoming a universal method of identification on the Internet.

Unlike Passport, the InfoCard project is meant to work with a variety of online identity providers, not just one. Microsoft hopes to persuade governmental agencies, banks, online services and others to issue digital cards that people could use to establish different levels of identity for themselves at online sites.

The project is only one of many approaches to online identity across the industry, and analysts say Microsoft faces significant challenges as it tries to make InfoCard widely used. But it's one of the company's biggest moves in the field since Passport's launch more than five years ago.

Passport remains in place, but primarily as an identity service for Microsoft sites, not as a central identity provider for accessing sites across the Internet.

“No one has sufficient trust of any one organization to put all their eggs in that one basket,” explained Richard Turner, program manager for Microsoft's Web services strategy, calling it a lesson learned by the company. “There will be multiple issuers of identity out there on the Internet. Passport is just one of those.”

Reflecting that notion, Microsoft's InfoCard project creates a program akin to a virtual wallet on the PC, designed to let people securely store and distribute various forms of online identification, represented on-screen as cards.

The company says users would log in to a site by clicking on one of the cards, reducing the need to type in a user name and password. The InfoCard program would securely retrieve the necessary digital credentials from an identity provider, then forward them to the site to authenticate the user's identity.

People would be able to create their own virtual cards inside the program for submitting basic log-in information to Web sites.

But Microsoft's InfoCard concept also faces competition. A variety of alternative approaches are expected to be on display at this week's conference.

In the latest example, VeriSign said Monday that eBay and Yahoo! had signed on as supporters of its new online authentication system, the VeriSign Identity Protection Network, which will include keychain-based tokens that generate passwords to be entered as part of the online authentication process.

For Microsoft's InfoCard project to work, the company would need to attract the interest of a variety of online identity providers and online sites that need to authenticate user identity. Turner says the company has received positive responses during discussions in recent months.

But not everyone is convinced that the concept will take off as Microsoft hopes.

“There has to be a few widely accepted cards — kind of the Visa and MasterCard of the identity world — and it's not clear that anyone wants that job,” said analyst Rob Helm, research director at Kirkland-based research firm Directions on Microsoft.

At the same time, Microsoft is in a more influential position than most because of the wide availability of its Windows PC operating system. The underlying software for InfoCard will be available as part of Windows Vista, due out later this year, and it's expected to be accessible through the company's Internet Explorer 7 browser. It will also be offered as an add-on for the current Windows XP.

The company also has set up its new WinFX software development system to let outside programmers incorporate InfoCard into Windows-based programs.

Microsoft's concept of a virtual wallet where people can select and control their online identities makes sense for individual computer users, said Roger Sullivan, vice president of the Liberty Alliance, a digital identity consortium formed in part out of concerns over Microsoft's original Passport vision.

But Sullivan, who is also vice president of business development for Oracle Corp.’s identity management solutions, said he believes stronger authentication would be needed “in the context of large-scale, serious business transactions.” The Liberty Alliance focuses on standards for managing identity across different companies.

Microsoft acknowledged that InfoCard and the Liberty Alliance approach “address different parts of the digital identity problem.”

Microsoft has shown and distributed the InfoCard technology to developers, but it hopes to start winning broader industry support this week at the RSA security conference, where company Chairman Bill Gates is scheduled to give a keynote address this morning. Kim Cameron, Microsoft's architect for identity technology, is scheduled to discuss InfoCard and related concepts at two sessions during the week.

The company says it has incorporated a variety of security protections into the InfoCard system. The program runs in a secure on-screen overlay separate from the standard PC desktop, reducing the chances of infiltration by spyware or other online threats. Also, the cards from identity providers wouldn't store sensitive data on the PC. Instead, they would provide a way of retrieving data from those providers when needed, cutting the potential security risk.

At the same time, the company says it doesn't want InfoCard to be the only program of its kind. The program uses non-proprietary communications standards, and Microsoft says it would like to see the people and companies behind other operating systems, such as Linux and Apple's Mac OS X, create their own programs similar to InfoCard, to make the approach more common.

The approach “essentially adds an identity layer to the Internet,” said Microsoft's Turner, calling such a layer sorely needed in today's online world.

HOW IT WORKS

Microsoft's InfoCard is a virtual representation of a person's various online identities in an on-screen program that runs in a secure overlay separate from the regular PC desktop.

Under the company's plan, computer users would create some cards for themselves, entering information for logging into Web sites. Other cards would be distributed by identity providers — such as banks or governmental agencies or online services — for secure online authentication of a person's identity.

To log in to a site, computer users would open the InfoCard program directly, or using Microsoft's Internet Explorer browser, and then click on the card that matches the level of information required by the site. The InfoCard program would then retrieve the necessary credentials from the identity provider, in the form of a secure digital token. The InfoCard program would then transmit the digital token to the site to authenticate the person's identity.
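The flow just described (self-issued cards carry their own claims; a managed card only points at its identity provider, which releases a signed token that the site checks before trusting it), as an added Python sketch that is not part of the article or of Microsoft's code. The card and policy structures, the claim names, the sample records and the key shared between issuer and site are all constructed assumptions standing in for the real token exchange.

```python
import hashlib, hmac, json, time

# Constructed sample data (not from the article). The managed card holds only a
# reference to its issuer; the claim values stay at the identity provider.
IDP_KEYS = {"bank.example": b"constructed-demo-key"}   # assumed issuer/site key
IDP_RECORDS = {"bank.example": {"acct-7": {"name": "A. User", "age_over_21": "true"}}}
CARDS = [
    {"id": "self-1", "issuer": "self", "claims": {"email": "a.user@example.com"}},
    {"id": "managed-1", "issuer": "bank.example", "subject": "acct-7",
     "supported_claims": ["name", "age_over_21"]},
]

def matching_cards(cards, policy):
    """Selector step: keep only cards able to satisfy the site's policy."""
    ok = []
    for c in cards:
        offered = set(c.get("claims", {})) | set(c.get("supported_claims", []))
        if c["issuer"] in policy["accepted_issuers"] and \
                set(policy["required_claims"]) <= offered:
            ok.append(c)
    return ok

def issue_token(issuer, subject, claims, audience, now):
    """Identity provider step: release only the requested claims, bound to one site."""
    body = {"iss": issuer, "aud": audience, "exp": now + 300,
            "claims": {k: IDP_RECORDS[issuer][subject][k] for k in claims}}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(IDP_KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify_token(token, audience, now):
    """Site step: check signature, audience and expiry before trusting any claim."""
    body = json.loads(token["payload"])
    key = IDP_KEYS.get(body.get("iss"), b"")
    expected = hmac.new(key, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("token signature invalid or issuer unknown")
    if body["aud"] != audience or body["exp"] < now:
        raise ValueError("token not issued for this site, or expired")
    return body["claims"]

def login(card, policy, now=None):
    """Whole flow for one chosen card; returns the claims the site may rely on."""
    now = int(time.time()) if now is None else now
    if card["issuer"] == "self":       # self-issued card: claims live on the PC
        return {k: card["claims"][k] for k in policy["required_claims"]}
    token = issue_token(card["issuer"], card["subject"],
                        policy["required_claims"], policy["site"], now)
    return verify_token(token, policy["site"], now)
```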

RSA 2006

Follow the news from the RSA security conference in San Jose, Calif., this week in the Seattle P-I and on Todd Bishop's Microsoft blog.

BILL GATES SEES END TO PASSWORDS IN SIGHT

Bill Gates did the opening keynote address at RSA today, and Ina Fried and Joris Evers from CNET had their story out within an amazing forty-two minutes. How can they do that?

Bill made it clear that he really cares about privacy and security, just as he is committed to helping build an identity metasystem that moves the industry to the next stage of collaboration and reach.

SAN JOSE, Calif.–For years, Microsoft Chairman Bill Gates has had his sights set on the password as the weak link in the computer security chain.

Now, with Windows Vista, Gates feels he finally has the right weapons to supplant the password as a means of verifying who is who on computers and over the Internet.

The new operating system, due later this year, introduces a concept called InfoCards that gives users a better way to manage the plethora of Internet login names and passwords as well as lets third parties help in the verification process. Vista will also make it easier to log on to PCs using something stronger than a password alone, such as a smart card.

“We're laying the foundation for what we need,” Gates said in a speech at the RSA Conference 2006 here.

Even with the advancements, Gates said he wasn't naive enough to think the password would go away overnight.

“I don't pretend that we are going to move away from passwords overnight, but over three or four years for corporate systems this change can and should happen,” he said.

Microsoft has described InfoCard as a technology that gives users a single place to manage various authentication and payment information, in the same way that a wallet holds multiple credit cards.

InfoCard is Microsoft's second try at an authentication technology after its largely failed Passport single sign-on service unveiled in 1999.

InfoCard attempts to address the complaint many critics had with Passport, which was that people's information was managed by Microsoft instead of by the users themselves and the businesses they dealt with.

Although Microsoft has talked previously about InfoCard and early versions of the InfoCard code were released to developers last year, Gates’ speech marked one of the first times Microsoft has demonstrated publicly just how it might work.

In a demonstration, Microsoft showed how a consumer could use a self-generated InfoCard to log in to a car rental site and then use a separate InfoCard from a membership group to get a discount on the rental.

Microsoft acknowledged that replacing passwords is something that needs to be done at the system level, but Gates said the company is also working on technologies to enable various identity systems used on the Internet to work together, something it calls the Identity Metasystem.

Gates also touted several of the other security capabilities that will be part of Windows Vista. In a demo, Microsoft showed its anti-spyware technology as well as a new mode that runs Internet Explorer in its own “sandbox” so that Internet code can't cross over into the rest of a PC.

SCOBLEIZER'S RIGHT

Scobleizer has just hit me with “Kim turns Microsoft toward open source?”

Kim Cameron, what are you doing (he just announced that he got Microsoft’s InfoCards working on WordPress and PHP and is having a conversation with lots of people in the community)? You trying to ruin Microsoft’s reputation? By listening to folks like Marc Canter? “I came away incredibly excited and anxious to meet those folks at Mix06.”

What’s going on here?

Of course Microsoft isn’t quite hip yet. How do we know that? We don’t have a sticker. Or is that a stickr. Heheh. Check out Cory Doctorow’s laptop. All the cool kids have stickrs.

Yeah. This stickr thing is really a big deal.

MIX 06 WILL DO IDENTITY 2.0

Michael Coates, whose title is, if you can believe this, “Microsoft Pragmatic Evangelist”, has been posting on identity with his colleagues over at the Mix06 Blog. It looks like identity will really be a theme at MIX. The Web has an Identity Crisis describes some of the issues created by the lack of an identity layer on the Web.

The site also has a piece on InfoCard by Steven Woodward called InfoCard : A standards-based approach to User Authentication. Steven is a “Technical Evangelist”, but he still has a pretty pragmatic head on his technical shoulders…

Anyway, I'm looking forward to this since several of us will be speaking there and I'll be hanging out along with Steven and Michael to talk about identity. I'll pass on more info when I have the agenda.