InfoCard Not Son Of Passport,

Here's an article by Robert McMillan (of IDG News Service) that appeared recently on InfoWorld. He caught me speaking to an audience of entrepreneurs and venture capitalists at the recent DataCenter Ventures 2005 Conference in Redwood City.

I participated in the conference to try and get attendees interested in building and funding software and devices whose behavior reflects identity. I was also arguing that InfoCards, as a cross-platform phenomenon providing a consistent interface to multiple underlying identity systems, finally made this plausible.

Hoping to learn from the lessons of its unsuccessful Passport initiative, Microsoft is taking a more open tack in developing its new InfoCard identity management platform, a company executive said Tuesday.

Like Passport, InfoCard is designed to make it easier for users to surf the Web by keeping track of their user names and passwords as they move from site to site. Unlike Passport, however, InfoCard is being designed to work on client and server software that was not developed by Microsoft.

The presentation didn't deal with the fact that InfoCard uses advanced cryptography rather than passwords, so Robert can't be faulted for this assumption.

Since the beta version of InfoCard was released in May, Microsoft has been working with developers of the Firefox and Opera browsers, as well as organizations like the Apache Software Foundation and Apple Computer, said Kim Cameron, Microsoft's chief architect of identity and access, speaking at the DataCenter Ventures 2005 conference in Redwood City, California.

“These aren't your typical Microsoft customers,” he said. “The main thing is, we need a solution that works on Linux boxes as much as it works on Microsoft boxes.”

Though the Passport identity management system now processes about 1 billion authentication requests per day, making it too popular to rightly be called a failure, the service has never gained popularity outside of Microsoft's own Web properties, Cameron said.

I argued that Passport is one of the most widely used authentication services on the Web, and that its success in different roles has been determined by the Third Law of Identity:

“When it comes to identity, people want to understand why the parties to any interaction are there,” he said. “It makes sense for people to use passport, run by Microsoft… to access Microsoft properties. It didn't make sense for users to use Passport to access eBay.”

Likewise, Europeans were uncomfortable with the fact that Passport data was stored on servers in Redmond, Washington, he said.

InfoCard seeks to get around this problem by operating in what Cameron calls a “polycentric,” and “polymorphic” fashion, meaning that the software will run on different operating systems, and the data will be stored in places that make sense to the user.

After its release, Passport was blasted by privacy advocates, including the Electronic Privacy Information Center, which argued that Microsoft was not taking adequate steps to protect and give users control of their data.

At the time, Microsoft disputed these concerns, but the company now needs to welcome them, Cameron said.

“We need to invite the people who used to be called privacy extremists into our hearts because they have a lot of wisdom,” Cameron said. “This (is) not the son of Passport”

Microsoft's goal is to make it easier to create “identity-aware software,” while at the same time respecting users' privacy concerns, he said.

Privacy will become an even more important issue as the implications of wireless networking become better understood, the Microsoft executive said.

At a recent security conference pranksters tracked a Bluetooth device that Cameron was using to offer attendees a real-time map of his progress through the convention center, a light-hearted hack that underlined a more serious point.

That same kind of technology could be used to build more intelligent bombs, Cameron said. “Nobody has thought through the privacy threats that this involved,” he said. “Now I can build a device that explodes when a specific person is in the vicinity.”

With the quality of online attacks improving, and consumer confidence already somewhat shaken by recent security scares, technology vendors like Microsoft are more pressed than ever to develop a reliable, widely used identity system for the Internet, he said. “We have to put on our tinfoil hats; we have to think through these technologies; we have to fix them.”

John Fontana on InfoCards for Browsers

In a piece by Mike Shaver which I relayed here, he referred to an article in Network World by John Fontana. John is always in front of the curve – recently I came across his article on InfoCards from the 2003 PDC with great quotes from Ray Ozzie. I'm going to find that piece and quote excerpts so you can see how clearly he got what we were trying to do even back then.

Meanwhile, here's the InfoCard piece John wrote this week:

‘Looking to ease the way customers manage their digital identities, Microsoft has begun working to integrate its InfoCard authentication technology with Internet Explorer and is in discussions with the Firefox and Safari browser developers to have them include the technology on their platforms.

‘According to Microsoft officials, InfoCard integration could show up in Internet Explorer 7.0 even though InfoCard is currently not on the feature list. The goal is to improve security and privacy on the Internet using the InfoCard model, which puts users in control of their personal identity information and would eliminate the need for user names and passwords to sign into a Web site.

‘”We are still working on if there is enough time to get this done” for Internet Explorer 7, says Michael Stephenson, Microsoft's group product manager for Windows Server. “We expect many different applications, smart apps, Web apps and browsers, to use InfoCard. Our own browser will take advantage of it.”

‘In addition, Microsoft is hoping others will adopt its InfoCard model on the Web to help improve security and privacy with a common identity layer.

‘”We are having concrete discussions with Firefox and others about specific mechanisms that would communicate between a Web site and the browser so we can enable credential selection such as InfoCard,” says John Shewchuk, CTO of distributed systems for Microsoft. “If we do this right, all browser vendors could provide a common mechanism for identity.”

‘Experts say that would improve security on the Internet.

‘”Adoption of a common user-friendly metaphor for identity can only help,” says Daniel Blum, an analyst with Burton Group.

‘In June, Microsoft unveiled its identity metasystem, which includes user-centric privacy controls in the form of InfoCard, a middleware technology called Windows Communication Foundation, Active Directory and a slate of Web services-based protocols led by WS-Trust that Microsoft and IBM have been developing.

‘WS-Trust is key for creating Security Token Service (STS), lightweight gateways for servers and clients that negotiate the exchange of security tokens, such as Kerberos or the Security Assertion Markup Language (SAML). IBM supports the technology in its federation server, and Ping Identity has an open source implementation of WS-Trust.

‘In the browser model, Web sites would need to run an STS in order to signal browser users to provide their InfoCard identity credentials.

‘”If there is useful information from the InfoCard work that doesn't necessarily require InfoCard technology and makes browsers more secure then we would like to see that happen,” says Scott Cantor, who works on the Internet2’s Shibboleth identity project and the SAML technical committee at the Organization for the Advancement of Structured Information Standards (OASIS). He also is the author of OpenSAML and the security architect at Ohio State University.

‘Another key to recruiting partners is standardization of WS-Trust. Microsoft's Stephenson says the company and partner IBM are finalizing the language on a charter to get WS-Trust, WS-SecurityPolicy and WS-SecureConversation submitted this month to OASIS for standardization.’


Mike Shaver on Metasystem

Readers may be interested in this posting by Mike Shaver, the architect working on technology strategy issues that are of significant interest to the Mozilla community and products – including Firefox:

I ran across this article this morning, about how Microsoft is reaching out to other browsers like Firefox and Safari to encourage adoption of InfoCard technologies. The article is certainly true as written, and I’ve written before about some of my involvement in those discussions, but I would like to caution people against reading into it that we have made or announced concrete plans to support InfoCard as a piece of the Firefox platform.

I think that support for rich and user-empowering identity infrastructure is an important element of the future growth of both the web and Firefox, and I think — perhaps somewhat more controversially — that InfoCard’s principles and protocols are a pretty strong basis for that infrastructure, but there’s a big gap between those beliefs and an item in the committed Firefox roadmap.

For better or for worse, my still-forming opinions about technologies do not Mozilla technology policy make.

Mike was clear from the first day I met him that there is a whole process to go through here – first of investigation and consultation, then of considering the alternatives and figuring out what is best for his community, and finally of making a decision and winning consensus. Mozilla – and all of us in the industry – are very lucky to have him around. I wish each of us, in pushing identity forward, could just snap our fingers – and everything would just fall into place. But the world demands more of us and then gives us more in return.


Britain's Internal Revenue Slips a Disk

I got a note recently from Paul Sweeney, who sent me to a digital rights landscape mindmap that is worth pondering. He also pointed us to this macabre report from the BBC, relayed by the very cool (I hadn't seen it before) Register:

Revenue and Customs has apologised to customers of investment bank UBS Laing and Cruickshank after losing sensitive account information. The Revenue lost a computer disc, sent by the bank, which contained address and account details of UBS's Personal Equity Plan (Pep) investors.

The Revenue is investigating how the disc went missing from its offices.

The bank has offered to change the account details of customers whose personal information was on the disc.

Worried customers

UBS said the CD Rom was sent in late April at the request of the Revenue.

Customer information on the data disc included addresses, dates of birth, national insurance numbers, UBS account numbers and the value of their Peps.

Last week, UBS Laing and Cruickshank wrote to its customers telling them of the loss.

A UBS spokesman told BBC News that worried customers who wanted to change their account numbers would be allowed to do so.

It is not clear how many UBS customers had their account details on the CD Rom.

However, a spokesman for the bank told BBC News that it was only a “small percentage” of investors.

In a statement, the Revenue apologised for losing the disc, which it said had been “mislaid within a local office”.

“Following exhaustive searches, we contacted UBS Wealth Management to apologise,” it added.

“This is a one-off incident in a single office which receives thousands of pieces of post per week. We are urgently reviewing our procedures to make sure this does not happen”

Another recent register link people may find interesting is this story on onion routing and associated technologies.


Federated Identity and Access Resource Kit

After a whole lot of development effort, we finally have a resource kit available which allows you to build and experiment with most aspects of the InfoCard world – identity provider, identity selector and relying party. I think everyone, including those whose primary interest is in developing compatible components on other platforms, will find this version of the software very helpful. This is still not the final look – we are still learning from and responding to usability studies, and adjusting “the glass”. Further, we can't claim that we won't have to tweak the protocols slightly if we need to fix problems. But there's enough here that you see exactly what is possible – and most important, how simple it is.

Here's the view from Andy's InfoCard Blog.

What a great week, last week! I met many of you at PDC, discussing InfoCard and the Identity Metasystem. I learned plenty from you, understanding the scenarios, your customers’ requirements, or discussing how other technologies could use “InfoCard”. Thank you!

As I promised at the PDC, we'll make the resource kit available to the public this week. This resource kit contains a document and samples, describing step-by-step instructions on how to build “Indigo” (WCF) applications/services that use “InfoCard”. In addition, it also includes Security Token Service (STS) samples that you can customize. Now you can build an end-to-end scenario and play the role of Identity Provider, or Relying Party, or both.

As the name indicates, this release only works with WinFX Sept 2005 CTP and VS 2005 Extensions for Sept 2005 CTP. Please install in the following order:

Since you'll be using pre-release versions, I recommend using a test machine.

Enjoy, and I'm looking forward to hearing your feedback!

If you have problems or comments on your experiences trying out the resource kit, Andy has comments enabled on his site and wants to use these to help guide everyone through the process of understanding the technology.


The mysterious Mr. Andrews

Some may have seen my piece a few days ago called “So many phish, so little time”. It's about a letter I received from a Mr. Fredrick Andrew, who introduces himself as being an auditor in Singapore but has an email domain name located in Israel. I quoted Mr. Andrew (can I call him Fredrick?) as saying:

‘I have taken pains to find your contact through personal endeavours because a late investor, who bears the same last name with you, has left monies totaling a little over $10 million United States Dollars with Our Bank for the past twelve years and no next of kin has come forward all these years.’

Fredrick “expected (my) prompt response” and wrote, “To affirm your willingness and cooperation to my proposal please do so by email, stating your full names, date of birth, telephone number and fax number.” Although he mentioned that “uttermost CONFIDENTIALITY is of vital importance”, I felt it was only fair to my readers to indicate that “if one day I just stop blogging, you'll know this has come through for me..”

Well, I recently got a message from someone called Ian through my i-name (which does not reveal my actual email address). Here goes:

‘One of my friends also received an email from Mr Fredrick Andrew. Is that spam or a true email?

‘My friend replied to him and they exchanged emails for about a week. My friend also sent the signed agreement to him. My friend thinks there is nothing wrong with sending it to Fredrick.

‘Actually, Fredrick also called my friend last week, asking about the signed agreement.

‘So what is your verdict? Is the email coming from Fredrick Andrew true?

‘Please email me… thanks…’

You know what, Ian? I don't think it was a good idea for your friend to send his personal identifying information to Mr. Andrews. But I may be wrong. Almost all my investment decisions have turned out to be mediocre. I mean, I even think Google is overpriced. And this may be yet another instance of missing on an investment opportunity! So keep me posted on how things turn out…


British Criminologist Focuses on Identity Technology

In my recent comments about tracking beacons (radio-enabled devices with an unchanging identifier that becomes associated with a human subject) I argued that while they represent a threat to the privacy of the general population, they will not be effective against criminals and terrorists:

‘Criminals will soon come to understand the need to “cover their tracks”. They will gain access to alternate (fraudulently obtained or freshly stolen) tokens and employ the alternate tokens in endeavors that require secrecy. In this case tokens may actually make it easier for criminals to dissimulate their activities. Only bottom rung vandals, those prone to unpremeditated stupidity, and ordinary citizens can be monitored through this type of technology.’

By coincidence, here is a story from Britain's The Telegraph about criminologist Emily Finch, who is about to publish the results of a study which led her team to very similar conclusions:

‘The introduction of identity cards will fail to solve the growing problem of identity theft and could lead to an increase in fraud, according to a new study.

‘Researchers have concluded that the shift from human vigilance to a reliance on new technologies is failing to prevent the activities of fraudsters and in some cases is providing them with new opportunities.

‘Emily Finch, a criminologist at the University of East Anglia, believes that criminals will find ways around the proposed security measures designed to ensure that those applying for identity cards are who they say they are.

‘She and her colleagues reached their conclusions after interviewing criminals and observing the ways they use new technologies to their advantage.

‘Dr Finch, who will today outline her findings at the British Association, said: “There is a worrying assumption that advances in technology will provide the solution to identity theft whereas it is possible that they may actually aggravate the problem.

‘”Our research has shown that fraudsters are tenacious, merely adapting their strategies to circumvent new security measures rather than desisting from fraudulent behaviour.

‘”Studying the way that individuals disclose sensitive information would be far more valuable in preventing identity fraud than the evolution of technologically advanced but ultimately fallible measures to prevent the misuse of personal information after it has been obtained. We don't think identity cards will solve the problem of identity theft, and they have the potential to increase fraudulent behaviour.

‘”The plan is to use documents such as birth certificates and driving licences for authentication, but these are easy to obtain in someone else's name.”

‘The controversial Identity Cards Bill passed its second reading in the Commons with the Government's majority of 67 cut to 31 at the end of June. Under the proposals, citizens would have to disclose details of bank accounts, proof of residency and address, birth certificate, passport number, NHS number, National Insurance number and a credit reference number when applying for ID cards.

‘In America criminals have been able to bribe credit reference agency staff and hack into their databases in order to obtain false references.

‘Fraudsters can easily obtain fake documents such as driving licences and birth certificates, and even passports.

‘Dr Finch studied the recent introduction of chip and pin, a measure designed to cut down on the fraudulent use of other people's bank cards.

‘She added: “Chip and pin has not stopped fraud or even reduced it. It has altered the way people behave, and so fraudsters have just changed their strategies.

‘”The focus has shifted to acquiring the pin – something which is very easy to do if you look at the till.” Dr Finch said staff, who are told to look away when customers enter their details, have become less vigilant. She and a male colleague were able to use each other's cards to make purchases.

‘Figures published by Cifas, a fraud advice service set up by the credit card industry, suggest instances of identity theft rose by 13 per cent in the first six months of this year compared with the same period last year. The Government has estimated that identity fraud costs the economy more than £1.3 billion a year.’

More when I get access to her study.


Engineering Disaster Lessons for Digital Security

Richard Bejtlich has captured a lot about the kinds of concerns which motivate me to do this blog, and which lay behind my work on the Laws of Identity, in this piece from TaoSecurity.

‘I watched an episode of Modern Marvels on the History Channel this afternoon. It was Engineering Disasters 11, one in a series of videos on engineering failures. A few thoughts came to mind while watching the show. I will provide commentary on each topic addressed by the episode.

  • ‘First discussed was the 1944 Cleveland liquified natural gas (LNG) fire. Engineers built a new LNG tank out of material that failed when exposed to cold, torching nearby homes and businesses when ignited. 128 people died. Engineers were not aware of the metal's failure properties, and absolutely no defensive measures were in place around the tank to protect civilian infrastructure.

    ‘This disaster revealed the need to (1) implement plans and defenses to contain catastrophe, (2) monitor to detect problems and warn potential victims, and (3) thoroughly test designs against possible environmental conditions prior to implementation. These days LNG tanks are surrounded by berms capable of containing a complete spill, and they are closely monitored for problems. Homes and businesses are also located far away from the tanks.

  • ‘Next came the 1981 Kansas City Hyatt walkway collapse that killed 114 people. A construction change resulted in an incredibly weak implementation that failed under load. Cost was not to blame; a part that might have prevented failure cost less than $1. Instead, lack of oversight, poor accountability, broken processes, a rushed build, and compromise of the original design resulted in disaster. This case introduced me to the term “structural engineer of record,” a person who assigns a seal to the plans used to construct a building. The two engineers of record for the Hyatt plans lost their licenses.

    ‘I wonder what would happen if network architectures were stamped by “security engineers of record?” If they were not willing to affix their stamp, that would indicate problems they could not tolerate. If they are willing to stamp a plan, and massive failure from poor design occurs, the engineer should be fired.

  • ‘The third event was a massive sink hole in 1993 in an Atlanta Marriott hotel parking lot. A sewer drain originally built above ground decades earlier was buried 40 feet under the parking lot. A so-called “safety net” built under the parking lot was supposed to provide additional security by giving hotel owners time to evacuate the premises if a sink hole began to develop.

    ‘Instead, the safety net masked the presence of the sink hole and let it enlarge until it was over 100 feet wide and beyond the net's capacity. Two people standing in the parking lot died when the sewer, sink hole, and net collapsed. This disaster demonstrated the importance of not operating a system (the sewer) outside of its operating design (above ground). The event also showed how products (the net) may introduce a false sense of security and/or unintended consequences.

  • ‘Next came the 1931 Yangzi River floods that killed 145,000 people. The floods were the result of extended rain that overcame levees built decades earlier by amateur builders, usually farmers protecting their lands. The Chinese government's relief efforts were hampered by the Japanese invasion and subsequent civil war. This disaster showed the weaknesses of defenses built by amateurs, for which no one is responsible. It also showed how other security incidents can degrade recovery operations.

    ‘Does your organization operate critical infrastructure that someone else built before you arrived? Perhaps it's the DNS server that no one knows how to administer. Maybe it's the time service installed on the Windows server that no one touches. What amateur levee is waiting to break in your organization?

  • ‘The final disaster revolved around the deadly substance asbestos. The story began by extolling the virtues of asbestos, such as its resistance to heat. This extremely user-friendly feature resulted in asbestos deployments in countless products and locations. In 1924 a 33-year-old, 20-year textile veteran died, and her autopsy provided the first concrete evidence of asbestos’ toxicity. A 1930 British study of textile workers revealed abnormally high numbers of asbestos-related deaths. As early as 1918 insurance companies were reluctant to cover textile workers due to their susceptibility to early death. As early as the 1930s the asbestos industry suppressed conclusions in research they sponsored when it revealed asbestos’ harmful effects.

    ‘By 1972, the US Occupational Safety and Health Administration arrived on the scene and chose asbestos as the first substance it would regulate. Still, today there are hundreds of thousands of pending legal cases, but asbestos is not banned in the US. This case demonstrated the importance of properly weighing risks against benefits. The need to independently measure and monitor risks outside of a vendor's promises was also shown.

‘I believe all of these cases can teach us something useful about digital security engineering. The main difference between the first four cases and the digital security world is that the failure in the analog world is blatantly obvious. Digital failures can be far more subtle; it may take weeks or months (or years) for security failures to be detected, unlike sink holes in parking lots. The fifth case, describing asbestos, is similar to digital security because harmful effects were not immediately apparent.

Much of our work is intended to correct early initiatives involving identity and identification so we don't end up as the subject matter for some future generation's history of engineering disasters.

Queryable fixed tracking devices, when wrongly used, can result in death (in the literal sense) as surely as the other disasters outlined above. Designing and massively deploying an infrastructure which is an identity-catastrophe-in-waiting is as irresponsible as the actions of earlier generations of engineers who lacked the doubt and capability for self-criticism and re-examination necessary to be an engineering professional.

This is very much what we were trying to get at when proposing the Laws of Identity.


Contactless Payment Cards Move Forward

Britain's David Birch, director of Consult Hyperion, reports on the latest developments in contactless payment systems in an article that appeared recently on Principia. He also reviews the associated security and privacy implications. I recommend you read the whole piece, since it is a thorough look at an important new technology; but here are some morsels to pique your interest:

‘The announcement of schemes such as MasterCard's Paypass, American Express ExpressPay and Visa's contactless initiatives is a sign that contactless smart cards are moving out of mass transit (e.g. London's Oyster card) and into the mass market.

‘Indeed, Datamonitor have forecast that the market for these ‘payment tokens’ will grow at 47 per cent per annum over the next five years. The international payment schemes’ interest is obvious. At a time when it's hard to explain to a consumer why a contact smart card (such as the ‘chip and PIN’ payment cards being deployed around the world) is better than a magnetic stripe card, payment tokens immediately differentiate themselves by offering a completely different (and significantly more convenient) consumer experience.

‘Why? Because the token needs only to be waved close to the terminal. In many cases, it will work fine while still in a bag or briefcase providing it is close enough to the terminal. The distance depends on the type of device used; the type of ‘proximity interface’ chip being discussed in this article will work up to a few centimetres from the terminals…

‘Nokia have said that they think payment tag technology is better than Bluetooth or Infra-red for mobile payments and, in Japan, NTT DoCoMo and Sony have formed a joint venture (FeliCa Networks) to develop a version of the Sony FeliCa contactless chip for embedding into mobile phones and to operate the FeliCa platform for m-commerce. For many consumers, this will be the ultimate in convenience because the phone provides the communications link for managing the payment account as well as the physical payment device. The dreams of the mobile payment community will come true, but not in the way that they thought.

‘Payment tokens

‘So how do payment tokens work to deliver the appropriate levels of both security and privacy? To answer this question, it's necessary to understand how they work. In the general case, the payment token comprises a microprocessor with hardware support for cryptographic operation and an RF interface. There are various standards in this space, but the one most widely used for payment tokens at present is ISO/IEC 14443.

‘In a typical retail environment the retailer's point-of-sale (POS) terminal and the payment token both contain a microprocessor; the microprocessors communicate using a payment protocol (on top of the ISO 14443 protocol for basic data exchange).

‘When it is time to pay, the customer brings their tag close to the POS terminal. The terminal interrogates the card and gets back the serial number and a cryptogram (a one-time code calculated inside the token). It feeds these to the acquiring bank, which passes them back to the issuer. From the serial number, the issuer knows which account to authorise and from the cryptogram the issuer knows that the token is valid.

‘The cryptogram is made up from the serial number and a transaction counter, encrypted using the token security key. This key is inserted in the token during manufacturing; it is derived from the serial number and a bank master key. Once in the token, it is never divulged. This kind of solution provides:

  • Privacy, because the token ID is meaningless to anyone other than the issuing bank which can map that ID to an actual account or card number;
  • Security, because knowing the token ID is insufficient to create a cloned token. Also, a cloned token would not generate a correct cryptogram because it would not have the right security key and if the transaction is replayed the transaction counter will be wrong.

‘Please note that this is an example given for the purpose of discussion; it is not meant to represent any of the operational schemes discussed in this article. The security of this typical example scheme is not absolute. There is no cardholder verification (i.e. a signature or a PIN), but all transactions are authorised online, so a lost or stolen card can be blocked as soon as it is reported (although it has to be said that consumers will generally notice the loss of their keys or mobile phone pretty quickly). For this example scheme, it might be useful to add an online PIN only for transactions above £20 or so.’
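To make the example scheme concrete, here is a small model of it in Python. It is an added illustration, not code from Dave's article or from any operational payment scheme. HMAC-SHA256 stands in for the issuer's real key-derivation and cryptogram functions, the transaction counter is assumed to travel to the issuer alongside the serial number and cryptogram, and the master key, serial number and account identifier are constructed sample values. It plays out the four cases the article raises: a genuine tap, a replayed transaction, a clone that read the serial over the air but lacks the key, and a card blocked after being reported lost.

```python
"""Model of the example contactless-payment scheme: diversified token key,
counter-based cryptogram, online issuer verification.  Added illustration;
all keys and identifiers below are constructed, and HMAC-SHA256 is an
assumption standing in for the issuer's real primitives."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed sample master key; a real issuer keeps this in an HSM.
BANK_MASTER_KEY = bytes.fromhex("00" * 16 + "ff" * 16)


def derive_token_key(bank_master_key: bytes, serial: bytes) -> bytes:
    """Diversify a per-token key from the bank master key and the serial
    (HMAC-SHA256 as the derivation function is an assumption)."""
    return hmac.new(bank_master_key, b"token-key|" + serial, hashlib.sha256).digest()


def compute_cryptogram(token_key: bytes, serial: bytes, counter: int) -> bytes:
    """One-time code over serial || counter under the token key.  A keyed MAC
    truncated to 8 bytes plays the role of the article's 'encrypted' value
    (primitive and length are assumptions)."""
    msg = serial + counter.to_bytes(4, "big")
    return hmac.new(token_key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Token:
    """The chip: holds its serial and key; the key never leaves it."""
    serial: bytes
    key: bytes
    counter: int = 0

    def tap(self) -> Tuple[bytes, int, bytes]:
        """What a POS terminal reads on a tap: serial, counter, cryptogram.
        Note that the serial goes over the air in clear on every tap."""
        self.counter += 1
        return self.serial, self.counter, compute_cryptogram(self.key, self.serial, self.counter)


@dataclass
class Issuer:
    """The issuing bank: maps serials to accounts and verifies online."""
    bank_master_key: bytes
    accounts: Dict[bytes, str] = field(default_factory=dict)
    last_counter: Dict[bytes, int] = field(default_factory=dict)
    blocked: Set[bytes] = field(default_factory=set)

    def personalise(self, serial: bytes, account: str) -> Token:
        """Manufacture-time step: inject the diversified key into the token."""
        self.accounts[serial] = account
        self.last_counter[serial] = 0
        return Token(serial, derive_token_key(self.bank_master_key, serial))

    def block(self, serial: bytes) -> None:
        """Lost/stolen report: later transactions for this serial are refused."""
        self.blocked.add(serial)

    def authorise(self, serial: bytes, counter: int, cryptogram: bytes) -> Tuple[bool, str]:
        """Online authorisation of what the acquirer relays from the terminal."""
        if serial not in self.accounts:
            return False, "unknown token"
        if serial in self.blocked:
            return False, "token blocked (reported lost or stolen)"
        expected = compute_cryptogram(derive_token_key(self.bank_master_key, serial), serial, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram (clone or tampered data)"
        if counter <= self.last_counter[serial]:
            return False, "counter not advancing (replay)"
        self.last_counter[serial] = counter
        return True, "authorised on account " + self.accounts[serial]


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Genuine tap, replay, clone knowing only the serial, and a blocked card."""
    issuer = Issuer(BANK_MASTER_KEY)
    token = issuer.personalise(b"\x00\x00\x12\x34", "PEP-0001")   # constructed
    results = {}

    genuine = token.tap()
    results["genuine"] = issuer.authorise(*genuine)
    results["replay"] = issuer.authorise(*genuine)          # same tuple resubmitted

    # Clone: attacker sniffed serial and counter over the air but not the key.
    clone = Token(token.serial, b"guessed key", counter=token.counter)
    results["clone"] = issuer.authorise(*clone.tap())

    issuer.block(token.serial)
    results["blocked"] = issuer.authorise(*token.tap())
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:8s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Run it and the four scenarios print ACCEPT or REJECT with the reason. The return value of `tap()` is also the privacy point of the rest of this post: the serial number leaves the token in clear on every tap, to any reader in range, so it is exactly the fixed identifier that the argument against tracking beacons is about.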

The attention to privacy considerations in these scenarios is essential.

How many users of public transit would want to generate a computerized record of every place they have gone, the time of day they have traveled, and how long they have remained there – throughout their lives?

If the use of the tokens generalizes and they become an important method of payment, it becomes easy to combine this information with the rest of an individual's purchasing history, potentially including everything from books and magazines to digital media.

Is it true that you would have to ask the issuing authority to find out who had purchased the contactless tracking device? I don't think so. What if you had some other way to establish the link between the device and the user's identity? For example, requiring another piece of identification – even once – and using it to perform the association.

So in my view, these scenarios call for a more sophisticated cryptographic approach than that used as an example by David. To be clear, in his very informative article, he certainly leaves such alternatives open. I can understand that in introducing the technology he didn't want to get diverted into a privacy threat analysis.

There are well known mechanisms for doing everything described here while making it impossible to distinguish one individual device from another unless it is being misused (e.g. has been cloned in an attempt to defraud). Let's use them.

Given problems such as terrorism, there may be some who think a fixed tracking ID could be used to monitor the travel of criminal elements. We should make it clear that this won't work for very long.

Criminals will soon come to understand the need to “cover their tracks”. They will gain access to alternate (fraudulently obtained or freshly stolen) tokens and employ the alternate tokens in endeavors that require secrecy. In this case tokens may actually make it easier for criminals to dissimulate their activities. Only bottom-rung vandals, those prone to unpremeditated stupidity, and ordinary citizens can be monitored through this type of technology.

Worse, continuing to promulgate fixed beacon technology is a bit like doling out Cruise missile guidance systems to enemy agents. They allow terrorists and agents of organized crime to mount increasingly accurate surgically directed attacks.

Even if someone could imagine a scenario where fixed-beacon tracking were useful enough to justify the security and privacy problems it causes, there are ways the same high level goals could be met without endangering the privacy of the whole population. For example, it is possible to encrypt the fixed identifier of the device under a key which can only be accessed through a highly controlled process – and include the encrypted identifier in the cryptogram which is otherwise anonymous. This would make it possible, in specific circumstances approved by the courts, to follow individual itineraries, without compromising the privacy of every single user of the system by tying identifiers into mineable records.
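To make the two designs concrete, here is an added illustration that is not code from David's article or from this post: David's discussion example (a token key diversified from the serial number under a bank master key, a cryptogram over serial plus counter, online replay detection) next to the variant sketched above, where the fixed identifier is encrypted under a separate escrow key and only the ciphertext travels. Everything specific is an assumption: HMAC-SHA256 stands in for the unspecified key derivation and for the block cipher (a keyed MAC over the same fields gives the bank the same clone and replay check), a toy ElGamal group over the prime 2**127 - 1 stands in for a real curve or MODP group, the serial number is constructed, and the authorising bank holds the escrow key so the toy can still verify. The randomised encryption is what matters: the same serial produces a different ciphertext on every tap, so a reader network cannot link taps, while the key holder can still recover the identifier. A cryptogram that is anonymous even to the verifier, which the "well known mechanisms" above provide, is not attempted here.

```python
"""Added illustration (not David Birch's or this post's code): fixed-ID beacon token
versus escrow-encrypted ID.  Toy parameters; runs offline on the standard library."""
import hashlib
import hmac
import os
import struct

SERIAL_LEN = 8
# Toy ElGamal group: 2**127 - 1 is prime, G is an arbitrary element.  Assumption: a real
# deployment would use a standard elliptic curve or a 2048-bit+ MODP group.
P = (1 << 127) - 1
G = 3


def derive_token_key(bank_master_key: bytes, serial: bytes) -> bytes:
    """Birch: key derived at manufacture from serial + bank master key (HMAC assumed)."""
    return hmac.new(bank_master_key, b"token-key|" + serial, hashlib.sha256).digest()


def cryptogram(token_key: bytes, serial: bytes, counter: int) -> bytes:
    """Birch: serial + counter under the token key.  HMAC used instead of a cipher."""
    return hmac.new(token_key, serial + struct.pack(">I", counter), hashlib.sha256).digest()


class Token:
    def __init__(self, serial: bytes, token_key: bytes, escrow_pub: int):
        self.serial, self.key, self.escrow_pub = serial, token_key, escrow_pub
        self.counter = 0

    def pay_fixed_id(self) -> dict:
        """Birch's example: the fixed token ID travels in the clear on every tap."""
        self.counter += 1
        return {"id": self.serial, "ctr": self.counter,
                "mac": cryptogram(self.key, self.serial, self.counter)}

    def pay_escrowed_id(self) -> dict:
        """Cameron's variant: ID ElGamal-encrypted under escrow key h = G**x.  Fresh r per
        tap, so the same serial gives a different (c1, c2) every time: unlinkable to readers."""
        self.counter += 1
        r = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
        m = int.from_bytes(self.serial, "big")                 # SERIAL_LEN bytes, so m < P
        c1, c2 = pow(G, r, P), (m * pow(self.escrow_pub, r, P)) % P
        return {"enc_id": (c1, c2), "ctr": self.counter,
                "mac": cryptogram(self.key, self.serial, self.counter)}


class Bank:
    def __init__(self):
        self.master = os.urandom(32)
        self.escrow_priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
        self.escrow_pub = pow(G, self.escrow_priv, P)
        self.last_counter = {}                                 # serial -> highest counter accepted

    def issue(self, serial: bytes) -> Token:
        return Token(serial, derive_token_key(self.master, serial), self.escrow_pub)

    def recover_id(self, c1: int, c2: int) -> bytes:
        """Escrow decryption: in Cameron's scheme gated by a controlled process; here the
        authoriser holds the key so the toy can verify the cryptogram."""
        shared = pow(c1, self.escrow_priv, P)
        return ((c2 * pow(shared, P - 2, P)) % P).to_bytes(SERIAL_LEN, "big")

    def authorise(self, msg: dict) -> bool:
        serial = msg["id"] if "id" in msg else self.recover_id(*msg["enc_id"])
        expected = cryptogram(derive_token_key(self.master, serial), serial, msg["ctr"])
        if not hmac.compare_digest(msg["mac"], expected):
            return False                                       # wrong token key: clone/forgery
        if msg["ctr"] <= self.last_counter.get(serial, 0):
            return False                                       # counter not fresh: replay
        self.last_counter[serial] = msg["ctr"]
        return True


def linkable_by_observer(msgs: list) -> bool:
    """What a reader network (not the bank) can do: match taps on the visible identifier."""
    seen = [m["id"] if "id" in m else m["enc_id"] for m in msgs]
    return len(set(seen)) < len(seen)


def demo() -> dict:
    bank = Bank()
    tok = bank.issue(b"\x00\x00\x00\x00\x12\x34\x56\x78")       # constructed serial number
    fixed = [tok.pay_fixed_id() for _ in range(3)]
    escrowed = [tok.pay_escrowed_id() for _ in range(3)]
    clone = Token(tok.serial, os.urandom(32), bank.escrow_pub)   # right serial, wrong key
    clone.counter = 1000
    return {
        "fixed_auth": [bank.authorise(m) for m in fixed],
        "fixed_replay": bank.authorise(fixed[-1]),
        "fixed_linkable": linkable_by_observer(fixed),
        "escrowed_auth": [bank.authorise(m) for m in escrowed],
        "escrowed_linkable": linkable_by_observer(escrowed),
        "escrow_recovers": bank.recover_id(*escrowed[0]["enc_id"]) == tok.serial,
        "clone_accepted": bank.authorise(clone.pay_fixed_id()),
    }
```

Running `demo()` shows all three fixed-ID taps authorised, the replay and the clone refused, and the three fixed-ID messages trivially linkable by anyone on the reader network; the three escrowed messages are still authorised and still recoverable with the escrow key, but carry no common value for an observer to join on.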


InfoCard and Identity Metasystem at Microsoft PDC

On Wednesday, John Shewchuk gave a presentation at the Microsoft Professional Developers Conference (PDC05) on Microsoft's approach to Digital Identity.

Session Level(s): 200
Session Type(s): Breakout
Top Picks(s): Windows Server “Longhorn”
Track(s): Communications
In this session, we discuss Microsoft's vision for an Identity Metasystem using the industry-developed, interoperable WS-* Web services architecture. The Identity Metasystem was designed to give Internet users a practical sense of safety, privacy, and certainty about who they are relating to in cyberspace. This session discusses the rationale behind the architecture of the metasystem, shows how developers can take advantage of the metasystem, and introduces the components of the Windows implementation including the identity technologies codenamed “InfoCard” and Active Directory Federation Services.

The presentation included what I thought were convincing demos – using “PDC Bits”, meaning the software made available to conference attendees – showing the new InfoCard and Indigo working together. Indigo is the code name for the Windows Communication Foundation – our implementation of Web Services (development environment, deployment framework and runtime). Information is available here.

The new InfoCard bits are not only less visually displeasing (!) than the initial (wireframe) beta, but support what we call “managed cards”, meaning identity relationships with identity provider vendors and operators – independent of any particular platform (e.g. Windows, Linux, Unix, etc). Basically, by implementing a Security Token Service (STS), and then giving a user to whom you are willing to issue tokens a (signed) configuration file, your identity provider can be set up as an InfoCard in the user's Identity Selector. For those unfamiliar with the terminology, an STS is simply a service that implements WS-Trust – anyone can build one, and the PDC bits include an example of a simple Identity Provider STS built using Indigo.

Now we have all the pieces in place that make it possible for third parties to create metasystem components that plug into the Windows Identity Selector through the InfoCard metaphor.
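As an added illustration of the exchange an STS carries out, not the PDC sample STS and not Indigo code: the Identity Selector sends a RequestSecurityToken, the provider authenticates the requester and answers with a RequestSecurityTokenResponse wrapping the issued token, and the relying party accepts the token only if the issuer's signature verifies. The element names and the Issue request type are those of the February 2005 WS-Trust schema; everything else is an assumption made to keep it self-contained: the SOAP envelope and WS-Security headers are omitted, requester authentication is a toy password check against a constructed user table, and the token is an HMAC-signed claim set rather than a SAML assertion signed with an X.509 key.

```python
"""Added illustration of a WS-Trust issue exchange (RST -> RSTR).  Not the PDC sample
STS and not Indigo code; SOAP/WS-Security omitted, toy authentication and token format."""
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"      # WS-Trust, February 2005 schema
ISSUE = WST + "/Issue"
ET.register_namespace("wst", WST)


def _q(local: str) -> str:
    """Qualified element name in the WS-Trust namespace."""
    return "{%s}%s" % (WST, local)


class SimpleSTS:
    """Identity provider side: authenticate the requester, then issue a signed token."""

    def __init__(self, signing_key: bytes, users: dict):
        self.key = signing_key      # stands in for the X.509 key a real STS signs with
        self.users = users          # username -> (password, claims); constructed directory

    def handle(self, rst_xml: str, username: str, password: str) -> str:
        rst = ET.fromstring(rst_xml)
        if rst.tag != _q("RequestSecurityToken"):
            raise ValueError("not a RequestSecurityToken")
        if rst.findtext(_q("RequestType")) != ISSUE:
            raise ValueError("only the Issue request type is supported")
        pw, claims = self.users.get(username, (None, None))
        if pw is None or not hmac.compare_digest(pw, password):
            raise PermissionError("requester not authenticated")   # no token for strangers
        rstr = ET.Element(_q("RequestSecurityTokenResponse"))
        ET.SubElement(rstr, _q("TokenType")).text = "urn:example:toy-token"
        holder = ET.SubElement(rstr, _q("RequestedSecurityToken"))
        ET.SubElement(holder, "ToyToken").text = self._sign(claims)
        return ET.tostring(rstr, encoding="unicode")

    def _sign(self, claims: dict) -> str:
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()


def verify_token(signing_key: bytes, token: str) -> dict:
    """Relying-party side: use the claims only if the issuer's signature checks out."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("token signature invalid")
    return json.loads(base64.urlsafe_b64decode(body))


def build_rst() -> str:
    """What the Identity Selector sends on the user's behalf (minus SOAP/WS-Security)."""
    rst = ET.Element(_q("RequestSecurityToken"))
    ET.SubElement(rst, _q("RequestType")).text = ISSUE
    return ET.tostring(rst, encoding="unicode")


KEY = b"toy-sts-signing-key"                                   # constructed
STS = SimpleSTS(KEY, {"alice": ("correct horse", {"name": "Alice", "over18": True})})


def issued_claims() -> dict:
    """Full round trip: RST in, RSTR out, token verified by the relying party."""
    rstr = ET.fromstring(STS.handle(build_rst(), "alice", "correct horse"))
    return verify_token(KEY, rstr.find(_q("RequestedSecurityToken") + "/ToyToken").text)


def rejects_bad_password() -> bool:
    try:
        STS.handle(build_rst(), "alice", "wrong")
    except PermissionError:
        return True
    return False


def rejects_tampered_token() -> bool:
    """Claims swapped under a valid signature must fail at the relying party."""
    rstr = ET.fromstring(STS.handle(build_rst(), "alice", "correct horse"))
    _, sig = rstr.find(_q("RequestedSecurityToken") + "/ToyToken").text.rsplit(".", 1)
    forged = base64.urlsafe_b64encode(b'{"name": "Mallory", "over18": true}').decode()
    try:
        verify_token(KEY, forged + "." + sig)
    except PermissionError:
        return True
    return False
```

The shape is the point: the provider never hands out a token without first satisfying itself who is asking, and the relying party trusts nothing in the token until the signature binds it to the issuer. A managed card's signed configuration file is what tells the Identity Selector which STS to send the RST to and how to authenticate to it.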

Andy Harjanto then gave a more detailed presentation on Thursday:

Developing Federated Identity Applications Using “InfoCard” and the Windows Communications Foundation (“Indigo”)

Session Level(s): 300
Session Type(s): Breakout
Top Picks(s): Windows Server “Longhorn”
Track(s): Communications
“InfoCard” is the Windows user experience for managing and submitting identities in the Identity Metasystem, which allows multiple identity technologies to interoperate. This session focuses on “InfoCard's” roles as an Identity Selector and Identity Provider. We look at federated identity scenarios with real-life code and enhance existing Windows Communications Foundation (formerly codename “Indigo”) applications by integrating with InfoCard. Each of the elements in the Identity metasystem (Identity Provider, Relying Party, Identity Selector, User) are discussed and built. We also create a simple security token service that interops with “InfoCard”.

I thought Andy did a great job – and it was standing room only. An overflow area had to be set up in the hallway.

I'll make both presentations available for readers of this blog. In addition, the software that was distributed to the conference attendees will be available very soon for general download. I'll keep you posted on how to do this.