Category: Identity Metasystem

CardSpace / OpenID Collaboration Announcement

As an outcome of the discussions that have been taking place here in the Blogosphere – and in-person meetings – it is exciting to convey the following joint announcement by JanRain, SXIP Identity, VeriSign and Microsoft:

JanRain, Microsoft, Sxip, and VeriSign will collaborate on interoperability between OpenID and Windows CardSpaceâ„¢ to make the Internet safer and easier to use. Specifically:

  • As part of OpenID’s security architecture, OpenID will be extended to allow relying parties to explicitly request and be informed of the use of phishing-resistant credentials.
  • Microsoft recognizes the growth of the OpenID community and believes OpenID plays a significant role in the Internet identity infrastructure.  Kim Cameron, Chief Architect of Identity at Microsoft, will work with the OpenID community on authentication and anti-phishing.
  • JanRain, Sxip, and VeriSign recognize that Information Cards provide significant anti-phishing, privacy, and convenience benefits to users.  Information Cards, based on the open WS-Trust standard, are available though Windows CardSpaceâ„¢.
  • JanRain and Sxip, leading providers of open source code libraries for blogging and web sites, are announcing they will add support for the Information Cards to their OpenID code bases.
  • JanRain, Sxip and VeriSign plan to add Information Card support to future identity solutions.
  • Microsoft plans to support OpenID in future Identity server products
  • The four companies have agreed to work together on a “Using Information Cards with OpenID” profile that will make it possible for other developers and service providers to take advantage of these technology advancements.

Dick Hardt, Sxip Identity
Kim Cameron, Microsoft
Michael Graves, VeriSign
Scott Kveton, JanRain
 

 

Scott Kveton on InfoCard / OpenID convergence

Here's a post by Scott Kveton, CEO of JanRain, that sums up a meeting we had during the week.  JanRain is one of the driving forces behind OpenID, and produces the libraries that a lot of people are integrating into their websites and blogs.  JanRain also operates MyOpenId, an identity service that works with OpenID software.

You want to know about the JanRain World Headquarters?  Energy radiates from everywhere.  Beside our conference table was a very impressive can of Bad Idea Repellant, which seems to have done its job.

For what it's worth, I really liked these people.  They are real engineers.  They are committed to getting an identity layer in place. 

I explained my concerns about the current OpenID proposal and  phishing, and they not only ACKed; they had ideas about how to move quickly to change things.  

Against this background it was clear how CardSpace could be one important way of strengthening their system and integrating it with others.  Meanwhile, I conveyed my enthusiasm for the great simplicity of their proposal. 

We talked about public (omnidirectional) and private (unidirectional) identifiers and we all agreed that both were necessary in different contexts.  We talked about how OpenID managed Cards could provide CardSpace with strong new capabilities around public personas for web services.

Then the conversation got pretty technical, and I showed a profile of WS-Trust that didn't involve use of a SOAP stack or anything complicated.  But over to Scott:

Mike Jones and Kim Cameron from Microsoft came in for a visit today to the JanRain World Headquarters (if you’ve ever visited here, you’d understand why that’s funny).

The JanRain engineers were interested in learning more about CardSpace. We’ve heard about it, seen Kim talk and even read his proposal on a way to integrate OpenID and CardSpace. However, we didn’t know enough about the technology to comment on it either way. Also, we wanted to hear more than just marketing hype and hand waving; we wanted some code. Kim and Mike did not disappoint … 🙂

CardSpace is an identity meta-system that you use to manage InfoCards. InfoCards are like the cards in your wallet except these cards you present to sites that you want to visit to identify yourself with. I really believe that Mike and Kim have their hearts in the right place and the technology looks solid. It looks like Microsoft has learned a lot since their last foray into identity. I think OpenID and CardSpace could really compliment each other quite nicely as well as help address the phishing concerns that have become so prevalent.

The CardSpace InfoCard manager is an interface that comes up when the user is presented with a site that supports InfoCard login. Instead of giving the user a login form in the browser that might be phished, the user is presented with a dialog that allows them to deliver an InfoCard for the site they are trying to login to. This dialog is single-modal; you are locked out of doing anything else unless you complete the task at hand. This follows along with what Mike Beltzner shared on the OpenID general list and the difficulties in fighting phishing:

I can also sum things up for you even more succinctly:

– users are task oriented, driving to complete the goal the quickest way possible
– users pay more attention to the content area than the browser chrome
– users don’t understand how easy it is to spoof a website

Kim went through several code examples where we could see how it all worked. Forget SOAP, forget complicated. There is no hook back to the mothership with this technology. As a matter of fact, OpenID and CardSpace could work together quite easily.

CardSpace is really good at handling the issues around phishing and personal privacy. But what if I don’t want to be private about certain things? I like that I can identify myself as me to lots and lots of different sites and I don’t mind if people correlate that data. As a matter of fact, I like it. Wouldn’t it be nice to have an OpenID tied to my InfoCard then? One of the greatest reasons OpenID is succeeding is that its a destination. Its a unique place on the Internet where you can learn more about who I am. Coupled with microformats you start to see some interesting possibilities. CardSpace doesn’t do the public side very well and both Kim and Mike admitted this. This is an interesting possibility for OpenID IMHO. Not only that, it could be done without any changes to sites that already support OpenID. You’d get the benefits of OpenID’s strengths while leveraging the anti-phishing and privacy mojo that CardSpace has.

We already have some great technology for changing the chrome in Firefox and discussions are on-going with Mozilla about how we can integrate this further and have it truly baked in (hopefully they’ll look at Dmitry’s thoughts on this). We’ve got the CardSpace code that is now shipping on Vista and available for Windows XP. We’ve got lots of options for fighting phishing and protecting privacy with more on the way. All of these solutions play to each technologies strengths and actually just might be what we need to get to the identity holy land.

 

Drummond Reed on CardSpace and OpenID

Amongst other things, Drummond is CTO of Cordance and co-chair of the OASIS XRI and XDI Technical Committees.  He's playing an important role in getting new identity ideas into the Internet Service Provider world.  Here he responds to my first convergence post:

Earlier this month Kim Cameron starting blogging about some of the phishing concerns he’s had about OpenID that he and Mike Jones have shared with myself and other members of the OpenID community privately since Digital ID World last September. Given that anti-phishing protection is one of the greatest strengths of CardSpace, one of Kim’s and Mike’s suggestions has been for OpenID providers to start accepting CardSpace cards for customer authentication.

Today Kim blogged his proposed solution for integrating OpenID and InfoCard in detail. He does a wonderful job of it, making it very clear how using CardSpace and OpenID together can be a win/win for both. With Windows Vista shipping to consumers at the end of the month, and the CardSpace upgrade now available to XP users, this is a very practical solution to increasing OpenID security that I expect all XDI.org-accredited i-brokers (who all provide OpenID authentication service for i-name holders) to implement as soon as they can.

Kim closes his post by saying, “That said, I have another proposal [for integrating OpenID and CardSpace] as well.” That’s good, and I await it eagerly, because I too believe the integration can go much deeper, just as it can for OpenID and SAML. The heart of it is individuals and organizations being able to assert their own resolvable, privacy-protected digital identifiers. That’s the foundation of the OpenID framework, and the job for which we’ve been designing XRI i-names and i-numbers for the past five years. Microsoft’s current default CardSpace schema does not yet natively support XRIs as digital identifiers, but adding them could increase their power and utility and be another big step towards convergence on a unified Internet identity layer.

I'm going to clone myself so I can find more time to write up my second proposal.  Meanwhile, just a small clarification.  Drummond talks about the “default CardSpace schema”.  He's really talking about the “default Self-Issued Card schema.” 

CardSpace itself handles tokens of any type, containing claims of any type.  There are no limitations on your schema if you create a managed card.  I'll make that clearer in my next post. 

Further, we tried to keep the “bootstrap” Self-Issued Card provider down to a minimal set of initial schema choices – precisely to leave room for a managed card ecology.  But one of those initial claims is a URL…  I thought an i-name or i-numbers would be able to go there.  Is more needed?

 

Gabe hits the nail on the head

This post by Gabe Wachob at Digital Identity and Beyond is golden: 

There's been a lot of discussion about the fact that OpenID protocol has a special exposure to phishing/pharming and that the OpenID community needs to address these issues, either technically or through pressure on various parties to address phishing/pharming more broadly. There are a lot of proposals – in particular, we are all waiting to hear from Kim Cameron about OpenID and Cardspace (though applying Cardspace at the OpenID Provider seems like a straightforward solution).

If you ask me, things are happening EXACTLY how I would have wanted and expected them to. Why? Becuase OpenID is a platform for innovation in authentication. People who want to innovate in authentication methods (Mozilla/Firefox, Cardspace, VxVsolutions, etc) do NOT have to be the same people who innovate in offering services on the web (any one of a million folks running mediawiki, drupal, etc). That “delinking” of authentication innovation and service innovation is what is valuable in OpenID.

No, OpenID doesn't solve all problems, and maybe today it only solves a very narrow set of problems with an acceptable risk profile. But to me, thats not the point – its the unleashing of creativity and the power to let developers and architects focus on what they are interested in and good at. Security and identity nuts can focus on authentication and let the social networking, wiki-touting, web 2.0-heads do what they do best! OpenID is an abstraction, a key middle ground for these folks to meet and leverage each other's work – that OpenID is deployed for use in a fairly narrow set of use cases TODAY should not mean that it will not be very important in they very near future

Very interesting thinking and way to put things.

 

Dmitry Shechtman's Undevelopment Blog

So much is happening in the identity discussion it's hard to keep up with it.  Through the miracles of ping-back I came across The Undevelopment Blog by Dmitry Shechtman, and this posting on a new proposal called Identity Manager: 

It seems like the OpenID community is currently bothered with the following two questions:

  1. OpenID facilitates phishing. What can be done about this?
  2. FireFox 3.0 will have CardSpace and OpenID support. What does that mean?

I addressed the OpenID phishing problem even before it became wildly discussed. Unfortunately, the method wasn’t foolproof, to say the least. Several other suggestions have been brought up, but none seemed to solve the problem without making OpenID unusable.

Kim Cameron of Microsoft has been repeatedly promising to elaborate on how CardSpace and OpenID could converge. Although he has yet to keep his promise, we can make an educated guess. We recently saw the FireFox extension Identity Selector act as an in-browser OpenID-to-InfoCard bridge. That is definitely something CardSpace folks would love to see as a standard browser feature, since it would effectively turn an OpenID into nothing more than a fairly insecure InfoCard.

Of course, OpenID could simply dismiss CardSpace (I was trying to get into the average kool-aid drinker’s shoes). Or it could very well learn from it. The CardSpace UI seems very intuitive:

  • A Sign In button on a website
  • An identity selection dialog
  • Seamless secure login

This is exactly what OpenID needs in order to become both widely used and insusceptible to phishing. And since CardSpace planned support is now a reality, why shouldn’t OpenID be integrated? This is no trivial requirement, but one that can be met with some additions to the browser logic.

The combination of UI and business logic outlined in this proposal is dubbed Identity Manager. The proposal uses informal language (should, must, be and do are used interchangeably); handle with care.

Whenever a web page presents an OpenID sign in option, the OpenID field and the Sign In button are replaced by a single OpenID Sign In button. Moreover, separate OpenID Sign In and CardSpace Sign In buttons are replaced with a Secure Sign In button.

Once such a button is pushed, an Identity Manager window is presented with a list of the user’s identities — OpenIDs, InfoCards or both, depending on what the relying party accepts. The user must be able to decline; we treat this case as trivial. The user must be able to make a persistent selection (e.g. a checkbox with the text Always use this ID for example.com).

(Dmitry's piece continues here…)

I would never characterize OpenID as “nothing more than a fairly insecure infocard”. It is a system where the root of trust is defined to be control over the content at a URL.  Folks, this is innovative.  I like it as what I call an “underlying identity system” that should live within the identity metasystem.  Given its theoretical starting point in terms of trust, OpenID has the security characteristics, good and bad, of the Internet which it harnesses in the name of identity.  That makes it very exciting, especially for bottoms up use cases involving public personna.

But “exciting” doesn't mean “good for every purpose.”  OpenID won't replace all other forms of digital identity!

Is it necessary to explain further?

I'm fine with blog comments being associated with my URL.  But I don't want access to my bank account to be gated by nothing more than the ability to set the header in what a system thinks is https://www.identityblog.com (I'm thinking here about all the potential attacks on DNS as well as the ways in which third parties could gain unauthorized access to my page). 

My site is hosted by the good people at http://www.textdrive.com.  As administrators of the shared systems there, they could certainly, for example, gain access to my pages. 

Are their employees bonded?  Do they practice strict separation of duties for access to web pages?  Do they have HR practices that will protect them from organized crime?  I don't think so!  And if they did,  wouldn't they turn into the world's most bureaucratic mess as a web hosting service?  Their flexibility and personal touch is what makes them so good.  I like them just as they are, thank you very much.

So it all comes back to the Laws of Identity.  There will be a pluralism of providers and technologies, optimal in different use cases.  And, as the potential phishing attacks demonstrate, there remains the requirement of giving users a consistent and controlled experience across these multiple systems.

My conclusion?

Combine CardSpace (insert your favorite replacement identity selector here) with OpenID and you have the best of both worlds.  You have the web-based identity system.  You have a consistent anti-phishing user experience.  And you have continuity between OpenID and other underlying systems in a metasystem.  Wouldn't we all want this?

As Dmitry reports, I have promised to share my own technical ideas about how to move forward but haven't come through on my promise yet.  So I'm going to do that now.  One idea is very simple (and effective) – I'll start with that.  The second is in many ways more interesting (at least to me) but I need to explain a bit more about managed cards before I get to it.

 

State of the market or chance to get things right?

Eric Norlin of Digital Identity World comments on my concerns (note:  concerns are not allegations) about the need for client-side anti-spoofing components: 

Every now and then a technical disagreement betrays the state of a marketplace. That phenomenon is currently happening in the user-centric identity trenches.

The players are Kim Cameron (InfoCards/CardSpace) of Microsoft on one side and Dick Hardt (OpenID) of Sxip Identity on the other.  The issue: Kim's recent allegations that OpenID will make identity *less* secure and possibly result in security breaches that will set the user-centric identity work back in the minds of users.

The debate highlights where we are with user-centric identity.

The technical details all focus around the need (or lack of need) for client-side identity selectors with Kim arguing that its necessary to prevent spoofing, and Dick arguing that the spoofing security threat is acknowledged and defensible via OpenID. But the technical details (and argument) are not the most interesting thing.

Arguments like this, as all engineers know, are common in the world of the engineering. The reason is simple: the “engineer's mind” (versus the “marketer's mind”) naturally seeks the “perfect solution.” That's the blessing of the engineer's mind. It is, of course, also the curse.

As any student of technology history knows, the “perfect solution” has rarely won the battle of the marketplace. Instead, the solution that solved the problem set using “the principle of good enough”, and *also* attained a critical mass of adoption has won. Does that result in further problems to be solved? Of course it does! That, my friends, is the cycle of innovation.

The current debate between Kim and Dick actually serves to show us where the user-centric identity market actually is. Several years ago, two groups were competing around federation standards (the Liberty Alliance and Microsoft/IBM's WS-* standards). For what seemed like forever, they held obscure debates about the details of the standards. Eventually, the market moved forward (seemingly without either group's help), and now today we find ourselves witnessing a new Liberty Alliance President saying that the “gloves are off” and they'd like to find ways to converge with the WS-* standards.

That simple, recent analogy shows us where we are with user-centric identity. We're on the verge of the market beginning to really adopt some technology. These conversations don't reach this level unless those involved see this potential.

In the meantime, the engineers will continue to debate the details, and that's good for all of us.

I want people to understand I'm not against OpenID, and I don't see this as something that should turn into a war, marketing or other.  We should do everything we can to make OpenID as secure as possible, and that includes integrating it with InfoCards wherever this is possible.

 

 

Separating apples from oranges

Dick Hardt of Sxip posted a reply to my recent comments on the fears I have about attacks on OpenID:

My good friend Kim Cameron posted the following misinformation on OpenID:

InfoCards change the current model in which the user can be controlled by an evil site. OpenID doesn’t. 

If a user ends up at an evil site today, it can pose as a good site known to the user by scooping the good site’s skin so the user is fooled into entering her username and password.

An evil site proxying a web based OpenID Provider is a known security threat in OpenID. There are a number of ways of thwarting this attack, and given that the user has a close relationship with their OP, not difficult to deploy. Similar to the advantages that CardSpace has with a client side implementation, Sxipper is a Firefox plug-in that provides an OpenID user with the same client side protections as CardSpace. OpenID is a protocol, similar at a high level to WS-* — so this is somewhat of an apples an oranges comparison. CardSpace could support OpenID and protect the user.

I’d like to see OpenID and InfoCard technologies come together more. I’ll be presenting a plan for that over the next little while.

I’m looking forward to seeing your thoughts Kim! Perhaps supporting OpenID in Cardspace?

I'm not just talking about (realtime) proxying.  I'm talking about social engineering attacks in general.  Where is the misinformation in my description of these attacks?  

Dick reassures us that use of the protocol to help convince uers to reveal their credential is a known attack.  Should this make me feel better?  I don't think so. 

I also don't think the mitigations I've heard about are too convincing – with a couple of exceptions. 

One of those is the mitigation devised by Dick himself – called Sxipper.  This is a plugin for the browser which, as I understand it, take control away from the evil party.  If all OpenID implementations were to add this feature it would be a big step forward!

But in that case, if we want to separate apples from oranges, let's not say that InfoCards require a client component and OpenID doesn't.  Let's say that to offer reasonable protection, InfoCards require a client component and so does OpenID.  That would, as Dick proposes, properly separate discussion of protocols from the overall delivery of an identity solution.

Use of a hardware token at the OpenID site also mitigates the social engineering attack, though not the man in the middle attack.

More later about how Cardspace and OpenID can converge further.

Firefox support for Windows CardSpace

Via Mary Jo Foley's Unblinking Eye on Microsoft,  here's a piece on a new Firefox plugin supporting CardSpace on Window's Platforms:

A new plug-in providing Firefox support for Microsoft's CardSpace digital-identity framework is now available for public download.

Solution architect Kevin Miller, who played an instrumental role in developing the technology, announced the availability of his Firefox add-on for Windows via his blog.

Why is Firefox support important? Until there is more third-party support for Microsoft's CardSpace, it will be slow to gain traction. But until CardSpace gains more traction, developers will be reluctant to build applications that make use of it. CardSpace, the technology formerly known as InfoCard, is a key piece of Microsoft's proposed Internet-wide identity metasystem.

CardSpace is designed to store centrally an individual's multiple digital identities used to log into different secure sites (not quite – see below). Microsoft built support directly into Internet Explorer 7.0. And CardSpace is one of the elements of the .Net Framework 3.0, which Microsoft introduced alongside Windows Vista and has back-ported to Windows XP and Windows Server 2003.

Miller blogged: “You can download the (Mozilla CardSpace) extension here for now. I'll jump through the hoops over at addons.mozilla.org this week, and hopefully it will be available there soon. I'll post an update when it is there. I've also set up a project over at Codeplex (as mentioned briefly in my first post), and will get the code posted there in the next day or so.”

Scott Hanselman, chief architect with Corillian Corp., a Hillsboro, Ore.-based financial-services integrator, is bullish about CardSpace's prospects. “CardSpace is going to change it all. It’s likely the biggest thing to happen to security since HTTPS. CardSpace changes the game for consumers. It’ll take a few years, but after IE7 and FireFox and MacOSX all have CardSpace implementations – and it won’t take long – we’ll see Identity 2.0 happen,” Hanselman said.

“If you contrast (CardSpace) with the way certificate management has traditionally worked on nearly any OS, it’s significant because it makes secure certificates accessible to my mom. CardSpace and its related specifications make a secure identity experience accessible, both to the user and to the programmer.”

There are a number of other third-party companies and coalitions beyond Mozilla developing CardSpace-compatible providers and support.  Even Microsoft's own Windows Live team is looking to throw its backing behind the effort. The Windows Live ID team is developing a security token service (STS) that supports CardSpace, according to Richard Turner, senior product

(Live ID is the successor to Microsoft's Passport authentication system.)

“We need a proliferation of ID providers,” Turner said. “LiveID is just one of those providers.”

Mary Jo does an admirable job of describing what's at stake here, though I need to remind readers that CardSpace doesnt actually store digital identities centrally – it just stores metadata (pointers) to identity providers.  This may sound like nit-picking, but it's hugely important in mitigating risk. 

The main point is that Kevin has done some great work here.  I've used his plugin with Firefox and it works beautifully.  If you use Firefox on Windows, give it a try.

I'll try to start compiling a list of resources so people can easily see what to download given various configurations and predelictions.

 

Podleaders Interview for those new to the Laws

Tom Raftery at http://www.podeladers.com/ interviewed me recently for his PodLeaders show (42 mins 15 secs).  Here is his description of what we talked about:

My guest on the show this week is Kim Cameron. Kim is Microsoft’s Identity Chief and as such is responsible for developing CardSpace – Microsoft’s successor to the much reviled Passport. Kim elucidated the Seven Laws of Identity and is developing CardSpace to conform to those laws. If he manages this, he will have changed fundamentally how Microsoft deals with people.

Kim is also responsible for Microsoft recently releasing 35 pieces of IP and promising to never charge for them.

Here are the questions I asked Kim and the times I asked them:

Kim, I introduced you as Microsoft’s Identity Chief, what is your official title in Microsoft? – 0:35

What does the Chief Architect of Identity do in Microsoft? – 01:02

Why is it necessary to have identity products in software? – 01:29

How do I know who I am dealing with on the internet? How is that problem being solved? – 03:56

And you as Microsoft’s Identity Architect are coming up with a way to resolve this called CardSpace… – 07:08

You were saying CardSpace is to be platform independent, I run a Mac, will it run on the Mac? – 15:26

You mentioned a couple of companies, are the offerings from these companies going to interoperate or are we going to have another version of the VHS/BetaMax wars? – 17:45

Audience questions
Rob Burke

Perhaps more than any of the other Vista-era technologies, in order to really catch on, CardSpace requires broad cross-platform adoption. Kim personally is doing a lot to showcase the use of CardSpace’s open standards. What does the broader effort to engage with other platforms and communities look like, and how is CardSpace being received? – 21:10

CardSpace uses an intuitive wallet-and-credit-card metaphor. One of the features of a wallet is that it’s portable – I several pieces of identity with me at all times. I tend to move between computers a lot. What provisions are there in CardSpace for helping me keep mobile (in a secure way)? – 25:07

What happens if your laptop containing your InfoCards gets lost and/or stolen? – 28:00


Dennis Howlett

What’s cooking on the identity managemnt front at MSFT? We’ve been hearing about this on and off for a while – we need progress if we’re not to be weighed down byt having to remember so many usernames and passwords for the servics we consume. – 30:35


My questions again:

Will there be a lot of re-engineering of web apps required to roll out these technologies? – 34:03

And finally you mentioned that this is the first version what can we expect in the next versions and when will they be released? – 39:58

Download the entire interview here
(19.3mb mp3)
Let me make one thing clear about Microsoft's Open Specification Promise: many people were involved, and Microsoft's legal people, along with their colleagues representing open source thinkers aned companies, deserve all the credit. 

Check out the other interviews on the site (I think I'm number 48).  Doug Kaye was number 47, and there are lots of good things to listen to while on the treadmill (physical or metaphorical).

 

Feedback from Urs Gasser at Berkman

Here's some feedback on Rubinstein and Daemen's new Metasystem Privacy paper posted by Urs Gasser on his Law and Information blog.  Urs is an expert in cyber law associated with the Berkman Center at Harvard Law School.

Microsoft released a white paper entitled “The Identity Metasystem: Towards a Privacy-Compliant Solution to the Challenges of Digital Identity.” The excellent paper, authored by Microsoft’s Internet Policy Council Ira Rubinstein and Tom Daemen, senior attorney with Microsoft, and posted on Kim Cameron’s blog, is a must-read for everyone interested in user-centric ID management systems. (Disclosure: As you can take from the acknowledgments, I have commented on a draft version of the paper, based on my earlier observations on “Identity 2.0”-like initiatives.)

Among my main concerns – check here for other problem areas – has been Microsoft’s claim that the i-card model is “by design” in compliance with the unambiguous and informed consent requirement as set forth, for instance, by EU data protection law. I’ve argued that the “hardwired”-argument (obviously a variation on the theme “regulation by code”) might be sound if one focuses on a particular relationship between one user and one identify provider and/or one relying party – as the white paper does. However, at the aggregated level, the i-card model’s complexity – i.e. the network of informational relationships between one user and multiple ID providers and relying parties – increases dramatically. If we were serious about the informed consent requirement, so my argument goes, one would wish that the user could anticipate not only the consequences of consent vis-à-vis one ID provider, but would understand he interplay among all the components of the ID-system. Even in less complex informational environments, experience has shown that the making available of various privacy policies can’t be the answer to this problem – as the white paper seems to acknowledge.

In this regard, I particularly sympathize with the white paper’s footnote 23. It might indeed be a starting point for an answer to what we might call the “transparency challenge” to create “a system enabling web sites to represent privacy policies in a simple, iconic fashion analogous to food labels. This would allow consumers to see at a glance how a site’s practices compared to those of other Web sites using a small number of universally accepted visual icons that were both secure against spoofing and verified by a trusted third party.” (p. 19, FN 23.) Such a system could become particularly effective if the icons – machine-readable analogous to creative commons labels – would be integrated in search results and monitored by “Neighborhood campaigns” similar, for instance, to Stopbadware.com.

Although Microsoft’s paper leaves some important issues unadressed, it seems plain to me that it takes the discussion on identity and privacy protections as code and policy an important step further – in a sensible and practical manner.

I agree with Urs when he talks about where we can go with visual icons representing the practices and policies of sites and identity providers.  Let's do it.

Just to be clear, I see Information Card technology as providing a platform for people to control their digital identity.  As a platform, it leaves people the freedom to put things of their choice onto that platform.

Let's make an analogy with some other technology – say plasma screens.  The technologists can produce a screen with fantastic resolution, but people can still use it to view blurry, distorted signals if they want to.  But once people see the crsytal clarity of high definition, they move away from the inferior uses.  Even so, there still might be artifacts that are important historically that they want to watch in spite of their resolution.

In the same way, people can use the Information Card technology to host identity providers with different characteristics.  It's a platform.  And my belief is that a high fidelity and transparent identity platform will lead to uses that respect our rights.  If this requires help from legislators and the policy community, that's just part of the process.  In other words, I don't think CardSpace is the magic bullet that solves all privacy problems.  But it is an important step forward to have a platform finally allowing them to be solved.

Once you let one party send information to another party, there is no way to prevent it – technically – from sending a correlating identifier.  As a morbid example, terrorists have been known to communicate by depositing and withdrawing money from bank accounts.  The changes in the account are linked to a codebook.  So any given information field can be used to communicate unrelated information.  

What you can do is prevent the platform itself from creating correlation handles or doing things without a user's knowledge.  You can use policy, legal frameworks and market forces so providers and consumers of identity are transparent about what they are doing. You can create technology that can help discover and prove breaches of transparency.  You can facilitate holding third parties to their promises.  And you can put in place social and legal protections of technology users, along the lines of the privacy-embedded laws of identity.

That's why I see the contributions of legal and policy experts as being just as fundamental as the contribution of technologists in solving identity problems.  In in the long term, the social issues may well be more important than the technical ones.  But the success of the technology is what will make it possible for people to understand and discuss those issues.

I advise following some of the thoughtful links to which Urs refers.