Wide coverage of the Information Card Foundation

There has been a lot of coverage of the newly formed Information Card Foundation (ICF) in the last couple of days, including stories by mainstreet publications like the New York Times.  This article by Richard Thurston from SC Magazine gives you a good idea of how accurately some quite technical concepts were interpreted and conveyed by our colleagues in the press.

Google and Microsoft are among an extensive set of technology vendors aiming to spur the adoption of digital identity cards.

The two internet giants have helped form the Information Card Foundation (ICF), which aims to develop technologies to secure digital identities on the internet and which was launched today.

Digital identity cards are the online equivalent of a physical identity card, such as a driver's license. The idea is that internet users will have a virtual wallet containing an array of digital identity cards, and they can choose what information is stored on each card. The aim is to replace usernames and passwords in an effort to improve security.

Alongside Google and Microsoft, large suppliers such as Novell, Oracle, PayPal and financial information company Equifax, have joined the ICF, as well as 18 smaller suppliers and industry associations.

“Our shared goal is to deliver a ubiquitous, interoperable, privacy-respecting federated identity layer as a means to seamless, secure online transactions over network infrastructure,” said Brett McDowell, executive director of Liberty Alliance, one of the founding members.

The idea of digital identities is far from new. But so far vendors’ efforts have been fragmented and largely not interoperable.

The ICF is proposing a system based on three parties: the user, the identity provider (such as a bank or credit card issuer) and also what it calls a reliant party (which could be a university network, financial website or e-commerce website, for example).

The ICF argues that, because all three parties must be synced in real-time for the transaction to proceed, it should be more secure.

“Rather than logging into websites with usernames and passwords, information cards let people ‘click-in’ using a secure digital identity that carries only the specific information needed to enable a transaction,” said Charles Andres, executive director of the ICF. “Businesses will enjoy lower fraud rates, higher affinity with customers, lower risk and more timely information about their customers and business partners.”

The ICF now wants to expand its membership to include businesses, such as retailers and financial institutions, as well as government organizations.

It also wants to become a working group of Identity Commons, a community-driven organization which promotes the creation of an open identity layer for the internet.

You can find thousands of similar links to the Foundation here and here.  Amazing.

European Identity Awards

The recent European Identity Conference 2008 featured the presentation of Kuppinger Cole's European Identity Awards. Vendors, integrators, consultants and user companies were asked for nominations. For each category, three outstanding projects and innovations were nominated as finalists. Here is how Kuppinger Cole framed the results:

Best Innovation

“The award went to a group of companies that are driving forward the process to outsource authentication and authorisation, making it easier to control application security ‘from outside’.   There are several providers with different approaches in this field but during the past year, they all contributed a lot to promote this concept, considered as indispensable by KCP.   The winners in this category are Bitkoo, CA, iSM, Microsoft and Oracle.

“Also among the finalists were Aveksa and Sailpoint for their Identity Risk Management solutions and Microsoft for making a significant contribution to identity information protection in distributed environments through their takeover of Credentica and the planned integration of U-Prove technology into user-centric Identity Management.”

Best New/Improved Standard

“The award went to the OpenID Foundation and to Microsoft for their InfoCard initiative. These standards form the base for Identity 2.0, the so-called user-centric Identity Management.

“Other outstanding solutions nominated as finalists were the eCard API Framework and the simpleSAMLphp project driven forward by Feide RnD. The eCard API Framework has been jointly developed by Secunet and the Bundesamt für Sicherheit in der Informationstechnik (abbreviated BSI – in English: Federal Office for Security in Information Technology) to simplify the interaction of applications with different card technologies. With simpleSAMLphp, federation functions can easily be integrated into existing and new applications.”

Best Internal Identity Management Project

“The award went to BASF for their AccessIT project, which realises Identity Management within a complex corporate structure and excells in consistent approaches to centralised auditing.

“Another finalist in this category was the Royal Bank of Scotland, with its project to control a multitude of applications by an integrated role-based access control.”

Best B2B Identity Management Project

“The award went to Orange/France Telecom.  Their project is revolutionary due to the consistent use of federation and the opening of systems to partners.

“Also among the finalists in this category were Endress+Hauser for their business customer portal and education network SurfNET which is at present one of the most comprehensive federation implementations.”

Best B2C Identity Management Project

“The award went to eBay and Paypal which support strong authentication mechanisms, thus making a significant contribution to the protection of online transactions and creating more awareness on this issue among the wider public.

“Other finalists were Karlsruhe-based company Fun Communications for their innovative approach to the use of info cards as virtual customer cards, which is groundbreaking in our opinion, and KAS bank for their consistent use of strong authentication and encryption technologies to protect transactions.”

Best eGovernment Identity Management Project 

“The Republic of Austria received the prize in the “Best eGovernment Identity Management project” category for their eGovernment initiatives which we think are leading with regard to the implementation of Identity Management.

“Other finalists were Crossroads Bank, Smals and BAMF  – the Bundesamt für Migration and Flüchtlinge (Federal Office for Migration and Refugees).”

Special prizes

Dale accepting award and champagne on behalf of Higgins/Bandit“Special prizes were given to two initiatives considered as groundbreaking by KCP.

“In KCP's opinion, the VRM project by Doc Searls is an innovative approach that applies user-centric Identity Management concepts to customer management. In the VRM Unconference 2008 at the EIC 2008, this issue was intensely discussed in Europe for the first time.

“The second special prize went to open source projects Higgins and Bandit which we think are the most important open source initiatives in Identity Management.”

[Thanks to Jackson Shaw for Photos]

Drstarcat on Project Pamela

drstarcat.com is doing “A History of Tomorrow's Internet” – a dive into Information Cards, CardSpace, Higgins and now, in Part Five, The Pamela Project. The “future history” is a personal tale that is definitely worth reading.  The most recent post introduces us to Pamela Dingle herself – a woman who has played a key role – both technically and as a leader – in advancing Information Cards. 

Drstarcat writes:

“As I’ve explained more than once in this blog, a greater problem than finding reliable Identity Providers is getting the websites we know and love to become Relying Parties. That is exactly the problem that Pamela has deemed to attack with her eponymous project. As the project’s mission statement says, “The Pamela Project is a grassroots organization dedicated to providing community support for both technical and non-technical web users and administrators who wish to use or deploy information card technologies.” Given the difficulties I experienced even USING iCards as a non-technical web user, this seems like a pretty ambitious task, and as part of this post, I’m going to try to get my blog up and running. First, a few words about Pamela and the history of the project.

“Pamela first ran into the issues surrounding Identity in her role as a technology consultant in Calgary in 1999. Anyone who’s done any large-scale enterprise software installation has likely had a similar experience–try to do anything and you’ll run into a myriad of (often semi-functional) authentication and directory services before you can even get off the ground. She’d been working on Peoplesoft installations and with Oblix (an enterprise self-service password management tool later acquired by Oracle), when she attended her first Burton Identity conference in 2001. It was here she first began to think of Identity as a (the?) core technology problem, as opposed to something peripheral to what she wanted to get done. It’s a realization that, once had, can become a little consuming (trust me, I spend WAY too much time building software to be blogging about anything–especially, SOFTWARE).

“Her second “ah-ha” moment came when, if my notes serve me correctly, she was “hit on the head with a brick” by Kim Cameron at the 2002 Catalyst conference. There he drew her a brief sketch on a napkin where he showed the three party system (Subject, Relying Party, Identity Provider) that is at the core of most of the emerging identity systems. She was hooked, but it wasn’t until in 2005, when Kim added some sample PHP Relying Party code to his blog that she saw a place where she could contribute. As a sometimes PHP hacker, she took the simple code, and began to port it over to some of her favorite PHP frameworks (WordPress, Joomla, and MediaWiki). Since that time, she and about 10 other contributers have been working to get a 1.0 version of the product out, which, given Pamela’s commitment, I suspect will be about like most other project’s 2.0 release.

“Before writing about my experience installing the WordPress v0.9 plugin, a word about the seemingly self-promulgatory name of the project because I think it says a lot about Pamela as a person and the Identity movement she’s part of. According to Pamela it’s the last name she would have thought of as a woman working as a technologist. As she explains, it’s hard enough as a woman to get recognized as a serious technologist without drawing unnecessary attention to yourself. Having a wife who is one the best Java engineers in NYC, but who also is regularly asked if she REALLY wrote the stunning code she produces, I can attest this is true. It’s because of this stereotype though that Pamela chose the name. She was tired, as someone who is self-admittedly “vocal”, of this kind of self-inflicted sheepishness. So in “defiance to self-regulation”, and at Craig Burton’s urging, she chose The Pamela Project…

“I’ll let you know how my experience actually USING the Pamela project goes in my next post. In the mean time, as you wait in breathless anticipation, why not go over to the project’s site and ask Pamela how you can be of use. This is a big project and they’re going to need all the help they can get.”

[More here.]

Ralf Bendrath on the Credentica acquisition

Privacy, security and Internet researcher and activist Ralf Bendrath is a person who thinks about privacy deeply. The industry has a lot to learn from him about modelling and countering privacy threats. Here is his view of the recent credentica acquisition:

Microsoft has acquired Montreal-based privacy technology company Credentica. While that probably means nothing to most of you out there, it is one of the most important and promising developments in the digital identity world.

My main criticism around user-centric identity management has been that the identity provider (the party that you and others rely on, like your credit card issuer or the agency that gave you your driver's license) knows a lot about the users. Microsoft's identity architect Kim Cameron explains it very well:

[W]ith managed cards carrying claims asserted by a third party authority, it has so far been impossible, even for CardSpace, to completely avoid artifacts that allow linkage. (…) Though relying parties are not able to collude with one another, if they collude with the identity provider, a set of claims can be linked to a given user even if they contain no obvious linking information.

This is related to the digital signatures involved in the claims flows. Kim goes on:

But there is good news. Minimal disclosure technology allows the identity provider to sign the token and proof key in such a way that the user can prove the claims come legitimately from the identity provider without revealing the signature applied by the identity provider.

Stefan Brands was among the first to invent technology for minimal disclosure or “zero knowledge” proofs in the early nineties, similar to what David Chaum did with his anonymous digital cash concept. His technology was bought by the privacy firm Zero-Knowledge until they ran out of funding and gave it back to Stefan. He has since then built his own company, Credentica, and, together with his colleagues Christian Paquin and Greg Thompson, developed it into a comprehensive middleware product called “U-Prove” that was released a bit more than a year ago. U-Prove works with SAML, Liberty ID-WSF, and Windows CardSpace.

The importance of the concept of “zero-knowledge proofs” for privacy is comparable to the impact public key infrastructures (PKIs) described by Witfield Diffie and Martin Hellmann had on internet security. The U-Prove technology based on these concepts has been compared to what Ron Rivest, Adi Shamir and Leonard Adleman (RSA) did for security when they were the first to offer an algorithm and a product based on PKIs.

When I was at the CFP conference in Montreal last May, I was meeting Kim and Stefan, and a colleague pointed me to the fact that Kim was being very nice to Stefan. “He has some cool patents Microsoft really wants”, my colleague said. Bruce Schneier recently also praised U-Prove, but questioned the business model for companies like Credentica. He added, “I’d like to be proven wrong.”

Kim Cameron is now bragging about having proven Bruce wrong (which is hard to imagine, given the fact that “Bruce Schneier feeds Schrödinger's cat on his back porch. Without opening the box”), while admitting that he still has no business model:

Our goal is that Minimal Disclosure Tokens will become base features of identity platforms and products, leading to the safest possible intenet. I don’t think the point here is ultimately to make a dollar. It’s about building a system of identity that can withstand the ravages that the Internet will unleash. That will be worth billions.

Stefan Brands is also really happy:

For starters, the market needs in identity and access management have evolved to a point where technologies for multi-party security and privacy can address real pains. Secondly, there is no industry player around that I believe in as much as Microsoft with regard to its commitment to build security and privacy into IT systems and applications. Add to that Microsoft’s strong presence in many of the target markets for identity and access management, its brain trust, and the fact that Microsoft can influence both the client and server side of applications like no industry player can, and it is easy to see why this is a perfect match.

A good overview of other reactions is at Kim's latest blog post. The cruicial issue has, again, been pointed out by Ben Laurie, who quotes the Microsoft Privacy Team's blog:

When this technology is broadly available in Microsoft products (such as Windows Communication Foundation and Windows Cardspace), enterprises, governments, and consumers all stand to benefit from the enhanced security and privacy that it will enable.

Ben sarcastically reads it like “the Microsoft we all know and love”, implying market domination based on proprietary technology. But the Microsoft we all know in the identity field is not the one we used to know with Passport and other crazy proprietary surveillance stuff. They have released the standards underlying the CardSpace claims exchange under an open specification promise, and Kim assures us that they will have their lawyers sort out the legal issues so anybody can use the technology:

I can guarantee everyone that I have zero intention of hoarding Minimal Disclosure Tokens or turning U-Prove into a proprietary Microsoft technology silo. Like, it’s 2008, right? Give me a break, guys!

Well. Given the fact that U-Prove is not just about claims flows, but involves fancy advanced cryptography, they really should do everybody a favour and release the source code and some libraries that contain the algorithm under a free license, and donate the patent to the public domain.

First of all, because yes – it's 2008, and “free is the new paid”, as even the IHT has discovered in January 2007.

Second, because yes – it's 2008, and there has been an alternative product out there under a free license for more than a year. IBM Research Labs Zurich have finished their Idemix identity software that works with zero-knowledge proofs in January 2007. It is part of the Higgins identity suite and will be available under an open source license. (The Eclipse lawyers seem to have been looking into this for more than a year, though. Does anybody know about the current status?)

Third, because yes – it's 2008, it's not 1882 anymore, to quote Bruce Schneier again:

A basic rule of cryptography is to use published, public, algorithms and protocols. This principle was first stated in 1883 by Auguste Kerckhoffs.

While I don't follow Ralf into every nook and cranny of his argument, I think he has a pretty balanced view.

But Ralf, you should tell your friend I was being very nice to Stefan in Montreal because I find him very amusing, especially with a scotch in him.  I would have tried to get his technology into widescale use whether I liked him or not, and I would have liked him just as much if he didn't have any patents at all.

I don't want to get into a “free is the new paid” discussion.  As the article you cite states, “Mass media given away freely or at low cost is hardly new, of course. In many countries, over-the-air television and radio have long been financed primarily by advertisers, at no direct cost to consumers.”  So what is new here?  When I can apply this paradigm to my next dinner, tell me about it. 

This having been vented, I come to exactly the same general conclusions you do:  we want a safe, privacy-friendly identity infrastructure as the basis for a safe, privacy-friendly Internet, and we should do everything possible to make it easier for everyone to bring that about.  So your suggestions go in the right direction.  If we were ultimately to give the existing code to a foundation, I would like to know what foundation people in the privacy community would suggest.

As for the business model issue, I agree with you and Bruce – and Stefan – that there is no obvious business model for a small company.  But for companies like Microsoft, our long term success depends on the flourishing of the Internet and the digital economy.  The best and most trustworthy possible identity infrastructure is key to that.  So for the Microsofts, the IBMs, the Suns and others, this technology fits very squarely into our business models.

As for the Identity and Access group at Microsoft, our goal is to have the most secure, privacy-friendly, interoperable, complete, easy to use and manageable identity products available.  As the Internet's privacy and identity problems become clearer to people, this strategy will attract many new customers and keep the loyalty of existing ones.  So there you have it.  To us, U-Prove technology is foundational to building a very significant business.

From “Screen-Names in Bondage” to OpenID

Google's Ben Laurie proposes using “functions of passwords” rather than plain passwords as a way to avoid phishing: 

Kim Cameron writes about fixing OpenID’s phishing problems by using Cardspace. Certainly I agree that using strong authentication to the OpenID provider fixes the phishing problem – but if you have strong authentication, why bother to use OpenID at all? Why not strongly authenticate to the site you are really trying to log into, instead?

Of course, Cardspace is a pretty heavyweight solution for this, so perhaps that’s what Kim’s getting at? It also doesn’t work well if you have more than one machine – moving your credentials around is not something Cardspace does well.

In my view, there’s a sweeter spot for solving this problem than Cardspace (or OpenID, obviously) – and that is to do strong authentication based purely on a password. That way, you can use the same password everywhere, so no problem with moving between machines, but can still resist phishing attacks and don’t have to make yourself linkable across all sites. Obviously supporting this would be way easier than taking the whole of Cardspace on board, but would have all of the immediate advantages. Clearly it would get you nowhere with advanced identity management, but its not like we don’t already have protocols for that and nor does there seem to be much demand for it yet.

I take it Ben is talking about having a toolbar that asks for your password, and transforms it based on the site's identity so you can use the same password everywhere.  Perhaps he is even thinking about a digest protocol where this transformed password would be used to calculate a “proof” rather than transported over the wire.

Phished or Pharmed 

Problem is, such a toolbar is as easily “pharmable” as OpenID is phishable.

How does a user know she is typing her password into the legitimate toolbar – rather than an “evil replica”?  Our experience with toolbars teaches us that is easy to trick a LOT of people into using fakes.  In fact, sometimes the fakes have propagated faster than the real thing!  Once people get used to typing passwords into a toolbar you have truly opened Pandora's Box.

Let's look at what happens when the kind of “common password” Ben proposes is stolen. In fact, let's compare it to having money stolen. 

If you go into a store and are short-changed, you just lose money in one store.  If you are pick pocketed, you just lose what's in your wallet – you can cancel your cards.  But if your “common password” is intercepted, it is as though you have lost money in ALL the stores you have been in.   And sadly, you will have lost a lot more than money.

The ultimate advantage of moving beyond passwords is that there is then NO WAY a user can inadvertantly give them away.

Is CardSpace too heavy-weight? 

CardSpace should be a lighter-weight experience than it is today.  We're working on that, making it less “in-your-face” while actually increasing its safety.  I also agree with Ben that it needs to be easier to roam credentials.  We're working on that too. 

The point is, let's evolve CardSpace – and the interoperable software being developed by others – to whatever is needed to really solve the relevant privacy and security problems, rather than introducing more half-measures that won't be effective.

So why OpenID?

If that's all true, Ben wonders why we bother with OpenID at all…

The most important reason is that OpenID gives us common identifiers for public personas that we can use across multiple web sites – and a way to prove that we really own them.

That is huge.  Gigantic.  Compare it to the cacophony of “screen-names” we have today – screen-names in bondage, prisoners of each site.

Technology people are sometimes insulted when you imply they haven't solved the world's problems.  But to be really important, OpenID doesn't have to solve the world's problems.  It just has to do this one common-identifier thing really well.  And it does.  That's what I love about it.

CardSpace doesn't address the same problem.  CardSpace plus OpenID solve it together. 

Why OpenID leads to CardSpace…

The recent announcements about OpenID made enough impact that I've had a number of people ask what our interest in OpenID means for Information Cards in general and CardSpace in particular.

The answer is simple.  OpenID provides Single Sign On to social networking sites and blogs.  It means we can use a public personna across sites, and just log in once to use that persona.

But OpenID doesn't have the privacy characteristics that would make it suitable for government applications or casual web surfing.  And it doesn't have the security characteristics necessary for financial transactions or access to private data.  In other words, its good for a specific set of purposes, and we are interested in it for those purposes, but we remain as committed to more secure and privacy-oriented technologies as ever.  In other words, we are interested in OpenID as part of a spectrum.

Information Cards are a way of safely organizing a palette of digital identities into a “digital wallet”.  Over time, some of these identities will be very valuable, controlling access to government information, bank accounts, and corporate resources.  Other identities will be very private, like those associated with health information or perhaps dating.  Others will be the kind of public personas we are talking about with OpenID.

These different identities will co-exist in a metasystem with contextual separation but a similar use model.  Importantly, the metasystem won't replace the underlying technologies – it will unify them and provide a consistent experience. 

The relation between OpenID and CardSpace provides a good example of the issues involved here.   OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies – the more it succeeds, the more dramatically phishable it will become.  I've created a visual demo to help explain how this works – and how CardSpace works with OpenID to solve the problems.

My takeaway is that OpenID leads to CardSpace.  I don't mean by this that Information Cards replace OpenID.  I just mean that the more people start using cross-site identities, the more the capabilities of CardSpace become relevant as a way of strengthening OpenID and put it in a broader technology context.  

Information Cards were created to put in place an infrastructure that can solve the security problems of the web before they explode in our faces.  It's a serious technology and involves secure high-strength products emerging across the industry.  The recent announcement by Higgins of the new user-centric identity framework for Eclipse  is a great sign of the progress being made.  And there are other important announcements coming as well.

[In this demo I use my favorite OpenID provider, which is myOpenID.com.  It is super important to point out that I think the company is great.  None of my analysis is a critique of myOpenID – I'm explaining some of the “browser-redirect” problems that face all OpenID providers (as well as SAML and Shibboleth providers). Importantly, myOpenID have supported Information Cards for a long time – and their implementation works well.  So they are at the forefront of working these problems.  Try using their Information Card solution.]

Paul Madsen's Identerati greeting cards

Paul Madsen has submitted the following card set for standardization with the ITU. 

Ashish Jain has already asked if the various options will light up according to the policy requirements of the person to whom they are sent.

Paul has assured all those concerned that the preference URLs will be standardized through the UN.

OSIS User-Centric Identity Interop at Catalyst Europe

OSIS conducted the third in our series of User-Centric Identity Interop events last week at the Burton Group Catalyst conference in Barcelona. 

As in San Francisco, the Burton Group hosted and provided support for the event, and in this posting, analyst and cat herder Bob Blakley reports on what was accomplished:

There were a few differences between the Barcelona interop and the earlier event held at Catalyst North America 2007.   The most noticeable difference is that the Barcelona interop has been conducted entirely in public.  You can visit the Interop wiki to see details of the organization, planning, use cases, and participants; if you’re in a hurry, though, I’ll summarize here.

Fourteen projects and organizations participated; you can see the list here.

The participants tested 6 identity selectors, 13 identity providers, and 24 relying parties.  The Barcelona interop added a significant amount of testing of OpenID interoperability; 6 OpenID providers and 5 OpenID relying parties participated.

The participants have posted their results on the wiki, and a few words are in order about these results.  The first thing you’ll notice is that there are a significant number of “failure” and “issue” results.  This is very good news for two reasons.

The first reason it’s good news is that it means enough new test cases were designed for this interop to uncover new problems.  What you don’t see in the matrix is that when testing began, there were even more failures – which means that a lot of the new issues identified during the exercise have already been fixed.

The second reason the “failure” and “issue” results are good news is that they’re outnumbered by the successes.  When you consider that the things tested in Barcelona were all identified as problems at the previous interop, you’ll get an idea of how much work has been done by the OSIS community in only 4 months to improve interoperability and agree on standards of component behavior.

I’d like to call your attention to one more thing.  At the Catalyst North America interop in San Francisco, all the interop participants were onsite, sitting in a room together.

Here in Barcelona, as you can see in the Participant Profile table, about half the participants worked remotely.  What this means in practical terms is that a lot of the components in this interop were accessed over the Internet, in the same configuration you’d use if you deployed them in your business.

I expect that the results table will continue to evolve for a while as additional information from the event is digested and entered into the wiki; I’ll probably post another blog entry with some analysis of the significance of the results after the conference is over and I’ve gotten some sleep.  But my preliminary sense is that this interop continued to demonstrate progress toward an open, deployable, interoperable identity metasystem. Continue reading OSIS User-Centric Identity Interop at Catalyst Europe

MSN and Windows Live hook up InfoCard Beta

Video of Hotmail Beta of Information Cards

In this video of the Windows Live ID beta (1:20) we use Bandit's DigitalMe to register and log into Hotmail from a Mac.  If anyone has been concerned that Information Cards won't scale to handle large sites, they can relax now.  To see another version of the demo, this time using CardSpace, watch this (2:20). 

Start using DigitalMe for Mac

Over the weekend I installed “Digital Me for Mac” on my MacBook Pro and started using it with identityblog and other sites.  It's fast and totally does the trick.  I've made a micro video demo that gives you an idea of what it's like.

The install worked just as it should.  I ended up with a Bandit managed card – then went on to create a self-issued one so I wouldn't have to enter a password.  So now I can work on my site both from my Mac and my PCs.  I'm not sure if it works with Safari – I was using it with Firefox. Continue reading Start using DigitalMe for Mac