Here is reporter Robert Weisman's Boston Globe article on Higgins, titled “Harvard, tech firms push data privacy”. Higgins is an open source project that has been going for quite a while, and its significant new support from IBM and Novell is one of the most concrete indicators so far of the growing momentum of the Identity Metasystem.

Before I even start, let me congratulate Higgins leader Paul Trevithik, one of the original members of the Identity Gang and one of my favorite colleagues, for getting the support he needs to advance his work.

The initiative, which is set to be spelled out at a forum in New York, is code-named Higgins, after a long-tailed Tasmanian mouse symbolizing the ”long tail” of micro-markets — dozens of websites and online retailers of interest to an individual — that sponsors believe will be tapped by the user-centric identity management system they are developing.

For individuals, such a system promises a ”single sign-on” enabling the sharing with third parties of personal information, ranging from bank and credit card accounts to medical records and phone numbers, said John H. Clippinger, senior fellow at the Berkman Center at Harvard Law School.

Clippinger said the system will enable people to share tiers of their digital data with different parties, giving broader access to doctors, for example, than to cable companies.

”The web wasn't designed with a security layer in it, so we're addressing that missing piece,” Clippinger said. ”This is a whole new system called ‘open security’ where the control point is the individual.”

For the past year and a half, a social physics research group at the Berkman Center has been studying ways to create more trusted networks, with the goals of improving the online experience for people and businesses and making it easier to avoid spam by allowing individuals to specify with whom they want to communicate.

Parity Communications, a Chestnut Hill technology company, developed software that will serve as a starting point for such a system, but larger companies like IBM and Waltham-based Novell are also contributing to the effort. Berkman is planning a conference in June that will demonstrate some applications and benefits of the Higgins system.

Tony Nadalin, chief security architect for IBM in Austin, Texas, said Higgins will be an application framework around which developers can write and improve programs through an ”open source” approach that is gaining popularity in the world of computing.

The system would run on top of InfoCards, a new feature Microsoft plans to offer in its new Vista operating system, but it could also work on Linux or other alternative operating systems.

Many of the technical details remain to be worked out and will be rolled out incrementally, said Dale Olds, distinguished engineer at Novell in Provo, Utah. Olds said one concept under consideration is embedding applications as Internet browser plug-ins that automatically could transfer appropriate information from an individual's data profile, called a ”context” or ”persona,” when he or she visits a website.

Companies like IBM and Novell also would seek to incorporate Higgins technology into their own products or services.

”Allowing consumers to gain more trust in the Internet is a benefit to us all,” Olds said. ”And that could provide more of a space for Novell.”

Some observers might interpret the emergence of an open source identity initiative as a fracturing of our efforts into different factions. I think that view would be very wrong.

The support for InfoCard connectivity by IBM and Novell – as well as “less corporate” members of the open source community – is absolutely one of the most important steps forward we have seen. Of course every player has other ideas they want to bring to the table as well, and that is as it should be.

There will be air turbulence of various kinds as people try to bring the things they are passionate about to the fore in solving this problem. But no one should see that as problematic, or take it as being anything but healthy.

Here's what is really happening. The identity metasystem is going from the “world of angels” and theoretical concepts to the world of flesh and blood. This week we have seen a huge growth of momentum. And nothing could make me happier than that.

I've said from the beginning that no one owns the Identity Metasystem. Each of us contributes to it. Now we see IBM and Novell contributing and bringing in support from products like Tivoli and E-Directory. Our customers all benefit. And so will all of us who produce products for the virtual world.


Brad Hoyt responded on where to store your infocard collection:

My preference would be to store my InfoCard ‘token’ on my Volvo keyfob. It's big enough and I usually have it with me wherever I go. 🙂

It's a really attractive idea, and I'll add it to my list of potential devices. Does this turn your Volvo into an identity protector?


Clint Combs at “Thoughts at ccombs.net” has put up a nice, empathetic piece that actually made me feel better about my ongoing spam torture. He then raises great questions about use of InfoCards in exchanging user identities for email.

Kim Cameron's “Oh, And Then There's My Junk Folder” tells an all too common story of a user losing e-mail to SPAM. Whether you know it or not, your SPAM filter has probably destroyed some e-mail that you should have received, would have received – needed to receive. Kim's experience of finding this message is probably not very typical. He went wading through his SPAM folder and found a message that should not have been tagged as SPAM, but it was.

Most users happily delete their SPAM and move on without further investigation. I do it all the time. The other day a recruiter called me. I told him I wasn't interested in the full-time position he had called about, but I would be interested in part-time projects of 10 to 15 hours a week. He said he'd send me an e-mail as follow-up, but he never sent it – or did he? I have no idea. That night, as usual, I blasted my SPAM and moved on, but having read Kim's piece I wonder if it was identified as junk and redirected to the bit bucket.

Kim's story also clicked with me for another reason. The SPAM problem is, at one level, an identity problem. As SMTP servers pass along e-mail messages they can't authenticate a sender's identity. Without this piece of information, these systems have no concrete way of guaranteeing the receipt of messages we really want to receive – InfoCard could be a big help for solving this little segment of the overall SPAM problem.

What if InfoCard-enabled identity systems were already woven into the fabric of the internet? Would this have helped Kim and me get our e-mails? His message was from an “anonymous” person that he didn't know whereas my message was from a person whom I had only spoken to on the phone one time. Kim also mentions the loss of e-mail from a friend at the end of his article.

In today's e-mail environment with virtually no use of a real identity system we're forced to filter by sender e-mail address and hope that our friend doesn't change their address. In the future we should be able to trust that a person's identity will follow them via an InfoCard-style system and thus to a new e-mail address or even an entirely different mode of communication such as instant messaging or VoIP.

Infocard and other identity systems solve identity problems in well-known relationships, but what about the e-mail from the recruiter I spoke to on the phone? Can InfoCard be extended to a phone call? In a future world I could have said to the caller, “Here's an InfoCard for my home e-mail address. Contact me at this address and we'll discuss this some more”. At that point I press a button on my phone and my InfoCard is transmitted to his phone. He then uses this card to send me an e-mail in Outlook and upon receipt my e-mail client recognizes the new relationship I have with this person and bypasses my SPAM filter.

A much harder problem is the anonymous e-mail to Kim. How can you get the SPAM filter to let this interaction through based on identity? Everyone has an identity, even SPAMMers. Maybe we need some sort of web of trust for this type of situation. If the sender is a friend of a friend of a colleague, then maybe my filters let it through.

InfoCard has great potential, but it will only be useful with broad adoption across the industry. Verisign recently signed on and I expect others to join the party too. With Microsoft's new-found openness, the flood of SPAM, and our mountains of usernames and passwords, the potential of real Internet identity is too huge to ignore.

After a recent IM chat with Simon Brown I've started looking to move my blog to a new identity and authentication structure. He's weaving the Acegi Security System into Pebble 2.0 – Simon's blogging software I'm using today. While currently unrelated to InfoCard, I can easily see Acegi being extended to support it. Simon's use of Acegi is admission on his part that it's time to move beyond the username/password muck that we're currently enduring on most web sites. Everyone sees the identity problem and it's time to fix it.

The potential for a wide-spread identity system is enormous. In addition to the obvious beneficial side-effect of eliminating my long list of passwords, InfoCard and other identity systems could help crush some of the more annoying effects of SPAM. I'd love to hear from other developers, especially those in the Java “realm”, that are addressing this issue on many levels. Write and tell me how you're identifying your users and crushing your SPAM problems.

This reminds me that one of the things I need to do is post my PHP code showing how I've got InfoCards going on my WordPress blog. I imagine it would translate fairly easily into something that would work on Simon's system as well. Also, I need to move this stuff from my test system to my production system.


Here's a piece by Adam Shostack, bandleader at Emergent Chaos – which, by the way, is a way cool blog. Here he is talking about what it takes to get technology from the synapse into the family room. In my view, the identity problem is one of the hardest problems computer science has ever faced. I've been working on it since the mid eighties myself. And the job is far from done.

The truth is, cryptography is just one part of a much bigger problem that is insoluble using crypto alone. This said, I couldn't be more respectful of the contribution by cryptographers.

Quick! Name the speaker:

“In a lot of countries, statements like “this person is over 18”, “this person is a citizen”, the governments will sign those statements. When you go into a chat room, for example, in Belgium, they’ll insist that you present not necessarily the thing that says who you are, but the thing that says the government says I’m over 18. This trust ecosystem has so much good designed for privacy. This thing is amazing, where you can prove who you are to a third party and then, in the actual usage, they don’t know who you are. A lot of the previous designs had the idea that if you authenticated, then you gave up privacy. There are lots of cases where you want to be authentic but not give up your privacy – or not give up your privacy except in extreme cases. ”

No, it's not Austin Hill, circa 1999. I'd be happier if Zero-Knowledge had made us all rich, but I'm happy that the ideas that we evangelized, and that Credentica and others are building… I'm happy that these ideas are spreading to the point where Bill Gates presents them in an interview. There's a great many longtime former cypherpunks out there, helping people imagine a better future.

That imagining is important. Phillip Hallam-Baker (who has the best roundup of the RSA Cryptographers Panel I've seen) quotes Ron Rivest:

It takes about 15 years for ideas to go from concept to use. Identity based crypto may be becoming the right approach to authenticated email.

What happens along that 15 year path is that a lot of small companies come along, build great new technologies that solve a part of a problem, and then eventually, through iteration, creative destruction, skill and luck, one of them builds something that really does a great job for customers.


Here is a comment which really sent “frissons” down my spine. I mean chills. Chill chills. It might spook you out too.

Take a close look at entry 14. below from my WordPress spam editor. You'll see the URI is http://check-drug-etcetera.com. But somehow it is linked to Rohan Pinto's LID page. Rohan is a cool dude working on Identity and even InfoCard issues over in the Sun world (more later…).

I wonder what this new species of blogspam is all about – I'll ping him. Maybe they randomly read my comments, link to something in an existing comment (Rohan has written to me in the past) and then stick in their URL so they will get link inflation.

Well guys, I caught it and you won't get no link-inflation off me.


I just went into my junk mail folder for the first time in a long time and saw that many of its 1107 items were from people who have been trying to reach me through my i-names or even through regular email. The i-names are working fine, but my corporate spam filter likes some messages and doesn't like others – for reasons that are completely beyond me. Here's an example:

Hi Kim,

We have never met, I hope you don't mind the intrusion.

I am fascinated with the InfoCard concept, the Laws of Identity, and the simplicity and similarity the InfoCard solution has with today's plastic card solutions.

(These I keep in my wallet, which I guard with my life. And like most of us, I am totally paranoid that I might somehow lose my wallet and be forever lost.)

I believe everyone will be able to easily and quickly adopt this solution for the future virtual interactions in cyberspace.

In many discussions with others promoting the InfoCard way, one question keeps coming up that I haven't been able to easily answer.

“Where should I keep my InfoCards.” USB drive, not a good idea. My laptop, but what if I'm at my desk? How about a smartcard I keep in my wallet, to add to the paranoia. Or maybe it's time to have that chip installed in my forehead.:)

If you would be so kind to share your thoughts, or simply direct me to an article discussing this question.

Regardless, I am very excited about the InfoCard future, and continue to follow your progress.

Thank you.


Mark Munro

What in this email looks like spam? The use of the word “wallet”?

I don't know what to say. First, I apologize to everyone who has written to me and seen their mail go into the void. I will go through all these messages – but it may take me a while! And I'll start reading my spam folder, I promise…

Now, to answer Mark's question. InfoCards don't actually contain any personal information. They are just pointers to the place where that information is held. In this sense, they are quite different from a wallet. That's one of the reasons I don't think “digital wallet” is necessarily the right word for this.

Suppose you had an InfoCard issued by a credit card company – let's use the example of Visa. Visa (or some clearing house) would operate a service on the Internet, and your InfoCard would contain a description of what the Visa card looks like, how to connect to Visa's internet service, which bank puts out the credit card, and so on.

When you decide to submit the Visa card, what really happens is that your InfoCard Selector goes out to Visa's internet service and gets a “software token” (meaning a set of claims about you – in this case perhaps a one-time credit card number) and sends it to the company you want to purchase from. The set of claims is typically encrypted, so nothing running on your PC can get at the secrets it contains. In this example, the credit card number is never exposed on your PC.

The question now becomes one of how your system proves who you are to Visa's internet service.

This could be done by using a cryptographic key stored on your machine and unlocked with a PIN. Or it could prompt you to put a USB device into the PC (which would keep your cryptographic keys isolated from the PC). And there are a number of other methods that could be used. One vendor has even shown use of a fingerprint to release the secret.
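The flow described above, as an added sketch (not code from InfoCard or from any project mentioned on this page): the card holds only a pointer, the selector proves possession of the user's key to the provider, and what it relays to the merchant is a sealed token it cannot read. All names, the placeholder URL, the key shared between provider and relying party, and the toy HMAC-based cipher are assumptions chosen so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class InfoCard:
    """What the selector stores: a pointer to the provider, no claim values."""
    card_id: str
    issuer: str
    sts_endpoint: str    # constructed placeholder URL
    claim_types: tuple   # names of the claims the provider can assert

def subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy cipher: HMAC-SHA256 in counter mode. An assumed stand-in for real
    # token encryption so the example needs only the standard library.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then MAC, so only the holder of `key` can read or alter it."""
    nonce = secrets.token_bytes(16)
    stream = keystream(subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("token rejected: integrity check failed")
    stream = keystream(subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class IdentityProvider:
    """Holds the real claim values and issues tokens to authenticated users."""
    def __init__(self, name):
        self.name, self.accounts, self.rp_keys, self.pending = name, {}, {}, {}

    def register_relying_party(self, rp_name):
        self.rp_keys[rp_name] = secrets.token_bytes(32)
        return self.rp_keys[rp_name]

    def enroll(self, card_id, user_key, claims):
        self.accounts[card_id] = (user_key, claims)

    def challenge(self, card_id):
        self.pending[card_id] = secrets.token_bytes(16)   # single use
        return self.pending[card_id]

    def issue_token(self, card_id, proof, rp_name, wanted):
        user_key, claims = self.accounts[card_id]
        nonce = self.pending.pop(card_id, b"")
        good = hmac.new(user_key, nonce + rp_name.encode(), hashlib.sha256).digest()
        if not nonce or not hmac.compare_digest(proof, good):
            raise PermissionError("user authentication failed")
        body = {name: claims[name] for name in wanted}
        body.update(iss=self.name, aud=rp_name,
                    one_time_card_number=f"{secrets.randbelow(10**16):016d}")
        return seal(self.rp_keys[rp_name], json.dumps(body).encode())

class Selector:
    """Runs on the PC: holds cards and the user's key, relays opaque tokens."""
    def __init__(self, user_key):
        self.user_key = user_key

    def submit(self, card, idp, rp_name, wanted):
        nonce = idp.challenge(card.card_id)
        proof = hmac.new(self.user_key, nonce + rp_name.encode(), hashlib.sha256).digest()
        return idp.issue_token(card.card_id, proof, rp_name, wanted)

class RelyingParty:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, token):
        claims = json.loads(unseal(self.key, token))
        if claims["aud"] != self.name:
            raise ValueError("token was issued for a different party")
        return claims

def demo():
    idp = IdentityProvider("ExampleCardIssuer")
    shop = RelyingParty("shop.example", idp.register_relying_party("shop.example"))
    user_key = secrets.token_bytes(32)   # the key a PIN or USB device would release
    idp.enroll("card-001", user_key, {"cardholder": "Alice Example"})
    card = InfoCard("card-001", idp.name, "https://sts.issuer.example/token",
                    ("cardholder", "one_time_card_number"))
    token = Selector(user_key).submit(card, idp, shop.name, ["cardholder"])
    return card, token, shop.accept(token), idp

if __name__ == "__main__":
    print(demo()[:3])   # the card, the opaque token, the claims the shop sees
```
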

One of the advantages of InfoCards is that you get to choose from this rich palette of methods – and identity providers can make this palette as extensive as they want. Axalto, GemPlus and other innovators have even demonstrated complete security token services that run on “smart dongles”… And we can imagine having the whole infocard selection itself stored on such a next-generation smart device – a dongle, phone or mp3 player.

In the first release of Microsoft's version of the Identity Selector, you can export your cards – in protected form – and move them from PC to PC by “sneaker net” – namely on a USB drive, a floppy, or even in an email. This makes it easy to take your cards from home to work or vice versa.

The first release also supports use of dongles and smart cards when people and identity providers choose to use them. We will work to evolve this to allow storage and roaming of your entire InfoCard collection on such devices as well.

Gosh. I just took another look at the junk mail folder and I see a note from Johannes Ernst. Hope this hasn't ruined a beautiful friendship…

I'm afraid to look further down in the list of unopened items. But I will.


I've just come across “Adventures of an Eternal Optimist”, a new (for me) blog by Pamela Dingle. She is a systems integrator in the field of Identity Management who works for a company called Nulli Secundus. Many in the identity community will know her from the excellent and sometimes artfully rhetorical questions she comes up with at the conferences.

She's reviewing the InfoCard bits and posting good stuff. She liked the Identity MetaSystem Design Rationale Paper:

There is a lot of info packed into these 11 pages – it is densely formatted, and there are no flowery sentiments. Terse is good. I like terse.

She also posted a balanced critique of the current version of the InfoCard bits…

As most of you know, I’m pretty excited about InfoCard. I’ve been playing with it for a while now, and I think I need to mention a few of the things I’ve noticed. I’m very aware that I’m working with a CTP – and I understand that there is a finite group of people that can only do a finite amount of work before Vista goes live. I hope I’m mentioning things you already know about and are planning for, Stuart! I don’t believe that these points can be considered nitpicking – they are pretty important, in my opinion.

I expect to be posting more of these entries as I get time, so stay tuned.

1. Export Prevention

As of the Jan 2006 CTP, there is no way to prevent a person with access to your account from exporting your InfoCards. If I walked into an office where the person had not logged off or locked their screen, I could have their entire card set saved to a file on the network or to a USB key in under 60 seconds, without ever being challenged. In fact, instead of being challenged for a password, the attacker is asked to set one! This password is needed in order for the infocards to be imported elsewhere, but it doesn’t protect the user from an attacker who sets it in the first place.

One more scenario to drive the importance of this issue home – there is nothing a parent can do to prevent their child from listening to the instructions of the nice man in the chat room, who tells them how to export infocards belonging to the whole family, and email them off (this of course assumes that the family shares an account – if the child has their own account, then the question of how to control what cards are placed in that account arises). If the cards are pin-locked, they are tougher to get into – however, the attacker can take as long as they want to try and crack the pin.

Keep in mind – I can only assert this regarding self-issued infocards. I don’t have a managed infocard to test with, but my understanding is that a lot of the built-in security that Infocard developers have spent a ton of time on kicks in when you start dealing with managed infocards. With a managed card the data is no longer part of the export, and a new trust relationship has to be established between the Identity Selector and the Identity Provider in order to view managed infocard attributes. This gives you the time to cancel your card, and it gives the Identity Provider the chance to notice that all of a sudden your infocard is being viewed/used from an unknown IP address. Still, if the Identity Provider is not sophisticated enough to notice, you might be up the creek — infocard exports are not even logged under Site Usage, so if somebody does export your cards and walk away, you won’t even know it.

2. Deletion Prevention

Along the same vein – a user cannot guard against accidental or malicious deletion of infocards. In the case of self-issued cards, it isn’t tough to re-create – after all, there are no more than 14 fields to type in. Deletion of managed infocards could be much more of a pain, depending on the process involved for re-provisioning. As well, upon deletion all of the usage records are lost, and Deletion events are also not logged as part of site usage.

From a sys-admin point of view, the obvious eventual goal would be to be able to set group policy around infocards. Until then, if a network login was forced at the time the export/deletion took place, it would at least prevent malicious attacks on unattended workstations. In the case of a shared family account, I have fewer ideas.

This all boils down to control. Visibility and control are keystones of Infocard – and as such, I think that the user or sysadmin has to (a) be able to see events such as exports in the log files, and (b) be able to place X credentials and ONLY X credentials on a managed desktop or account, and to prevent those credentials from being removed or copied. I do realize that you could call that second point a loss of control from the point-of-view of the user with the managed desktop — but the truth is, such relationships exist, and for good reason. The tool has to handle such demands.

So? Am I crazy? Is this not really such a big deal after all? Let me know what y’all think…

Certainly, in the home, people should be using different accounts for different family members. With “fast user switching” this actually works very well. I'm looking for stats on how much progress we've made in getting people to do this.

While it is true that people who get physical access to your machine can delete your infocards, they can also delete your whole filesystem. Presumably if you have such people around you should at least employ an automatic screensaver with password protection, and do backups from time to time.

The deletion problem is a “denial of service” and these are mostly impossible to prevent if people have physical access. For example, the opponent could take a very large hammer to the PC and you wouldn't be able to use your InfoCards no matter what we do.

Pam's critique of the way card export works strikes me as something we must address. I'll get back to you after discussing this with the team. At the RSA convention I promised Pam that if she found something that could help in our threat analysis I would buy her dinner for two and a visit to a spa. So I fear I'm in trouble here.


A number of people have confided that they worry the commitment to privacy and openness I make in my work can't “possibly” reflect the ideas of the “official Microsoft juggernaut”. So I hope this interview by Financial Times writer Richard Waters will help people see the Bill Gates I know, and how deeply he understands the need for privacy and the possibilities inherent in the virtual world. You'll also see he fully supports an identity metasystem which is open and reaches across platforms.

FT: You have talked about building a “trust ecosystem” on the internet in which users’ identity information can be shared between websites. Would this be a closed system, or an open one?

BG: It’s totally standards-based and totally open. It runs on all platforms. It’s a series of standards that we’ve worked on – in fact, IBM has been one of the key participants in these standards. It’s got to work across all systems or it’s not worthwhile. It’s a great industry standard, just like we’ve helped to extend HTML for everybody to use, and TCP-IP for everybody to use.

We have an implementation of it that will compete on the implementation. But the whole notion of the protocols, how it’s done, that’s all in these WS-Trust standards. Believe me, we know a lot about this. When we did Hailstorm, four or five years ago – it wasn’t a plot to be the central root of trust or anything like that, but it was perceived as such. Our guys who work in this area have made it so clear that this is open, that everybody connects up to this. We are so clear on this.

FT: Is this the Hailstorm vision under a different name?

BG: No, no, it’s not even worth going back to that. We partly didn’t know what it was, and certainly what the press said it was wasn’t what we thought it was, but even what we thought it was we didn’t end up doing all of that. That’s old history.

This is very simple. There are statements like, “I, the employer of this person, have given them a secret” – either a password or even better a big number, a key. So I, Intel, say if they present this secret back to me, I, Intel vouch that they are an employee. Then we at Microsoft collaborate with Intel, and we decide do we accept statements of that type to decide who can get into various collaborative websites for joint projects.

That’s called federation, where we take their trust statement and we accept it, within a certain scope. So they don’t have to get another user account password. There’s no central node in this thing at all, there never can be. Banks are a key part of it, governments can be part of it. The US, probably not as much.

In a lot of countries, statements like “this person is over 18”, “this person is a citizen”, the governments will sign those statements. When you go into a chat room, for example, in Belgium, they’ll insist that you present not necessarily the thing that says who you are, but the thing that says the government says I’m over 18. This trust ecosystem has so much good designed for privacy. This thing is amazing, where you can prove who you are to a third party and then, in the actual usage, they don’t know who you are. A lot of the previous designs had the idea that if you authenticated, then you gave up privacy. There are lots of cases where you want to be authentic but not give up your privacy – or not give up your privacy except in extreme cases.

So all these things that exist in the real world about trust have to be mirrored in these digital systems – and the real world is very complex in these respects. When you hear somebody on the phone, that’s enough evidence that you’re willing to tell them some things. The basic architectural framework lets us mirror a lot of these real world things. But these real world things, they take no set-up time.

Your brain is just so good at recognizing somebody’s voice, or somebody’s face, or somebody’s handwriting. It’s all just so implicit. When you leave your office, it would be strange for somebody nobody knows to come into your office and sit there at your computer – you didn’t write a memo to everybody nearby, it’s so implicit: give me a break, you guys just let that guy walk in there and walk away with my computer! In the digital world, there’s far less that’s implicit like this.

Describing these things is hard. Now in some ways, the digital world is superior. The ability to have anonymity is actually better when you want it. There’s no such thing as going to a soapbox and saying the government’s corrupt and not having the intelligence service see your face. In the digital world, that can be done.


I've assembled a list of some of the articles that appeared this week after Bill Gates’ keynote at the RSA security conference in San Jose.

Verisign's announcement of support also played a big role in driving home the message that InfoCards are part of an open identity metasystem reaching across platforms. As more people announce support, this part of the message will be strengthened.

The collection I have put together is far from complete, and not edited for content except to cut out all the articles which can only be read by entering a password (I just can't bear them). The idea is to show the kind of dynamic we can get going if all of us work together.

I really believe we have a unique opportunity at a precious moment in time. I hope all of us, throughout the industry, can benefit from and help create a tantalizing technology wave where privacy-based applications aware of identity open a million new possibilities for innovation and great new experiences.

The momentum which we are gaining can be extended and transformed, becoming a glow that radiates from every company in the industry.

Let's work together on giving digital identity a real architecture that will light the fire of web services.

Microsoft pushes InfoCard for secure online ID – Todd Bishop, 02-14-2006
Seattle Post-Intelligencer, Sci-Tech Today, MSNBC News Services, Top Tech News

Gates sees end to passwords in sight – Joris Evers and Ina Fried, 02-14-2006
CNET News.com, The New York Times, ZDNet, ZDNet Australia

Microsoft unfolds next generation authentication – Tom Sanders, 02-14-2006
vnunet.com, Computer Active Online, Computing UK, What PC UK, Computeractive

Gates calls for better computer security – Timothy Roberts, 02-14-2006
San Jose Business Journal, Silicon Valley/San Jose Business Journal, East Bay Business Times, San Francisco Business Times, Puget Sound Business Journal, Daily News and Analysis

Gates Outlines Computer Security Efforts – Matthew Fordahl, 02-14-2006
Associated Press, The Monterey County Herald, Inland Valley Daily Bulletin, Bradenton Herald, The Macon Telegraph, Belleville News-Democrat, Journal Gazette, Durant Daily Democrat, Press-Enterprise, The Tribune-Democrat, Centre Daily Times, Ottawa Sun, Grand Forks Herald, Pittsburgh Post-Gazette, The Washington Post, Boston Herald, Houston Chronicle, The Charlotte Observer, The State, Fort Worth Star-Telegram, San Jose Mercury News, St. Paul Pioneer Press, Sacramento Bee, The News & Observer, Columbus Ledger-Enquirer, Casper Star-Tribune, North County Times, The Globe and Mail, Contra Costa Times, The Ledger, The Herald, KCCI-TV, KETV-TV, Forbes.com, BusinessWeek Online, MSN Money, detnews.com, timesunion.com, Kansas.com, Kentucky.com, phillyburbs.com, The Norman Transcript, cbs5.com, click2houston.com, kesq.com, kgw.com, kcra.com, nbc11.com, king5.com, wesh.com, newsnet5.com, ktvu.com, local6.com, wral.com, nbc4.com, koin.com, komotv.com, MSNBC.com, NewsFactor.com, Canada.com, New Mexico, Gameday, Daily Journal, CIO Today, SiliconValley.com, Los Angeles Times, Montreal Gazette, Pioneer Press, wjactv.com, wtov9.com, kfoxtv.com, foxreno.com, nbc13.com, The Canadian Press, Journal Gazette Company(The), Biloxi Sun Herald, San Luis Obispo Tribune, Myrtle Beach Sun News, Duluth News Tribune, Milwaukee Channel.com, Hawaii Channel.com, INDYchannel.com, Boston Channel.com, Click10.com, Lakeland Ledger, News Factor Network, ChamplainChannel, San Diego Union Tribune, Worcester Telegram, Record-Searchlight, ABC Newspapers, WPBF-TV, Inside Bay Area, Malaysia Star, NW Indiana Times, Cnews, Jackson Channel, WBAL Channel, IT News Online, Herald News Daily, Leading the Charge, Playfuls.com, Top Tech News, Mainichi Daily News, Pierceland Herald, New Mexico Channel, Mumbai Mirror

Gates Issues Call to Action for Security – Nathan Mook, 02-14-2006

Gates Says Security Is Job One For Vista – Aaron Ricadela, 02-14-2006

Microsoft promises Passport redux with ‘InfoCards’ – Ashlee Vance, 02-14-2006
The Register, Computer Crime Research Center

InfoCard on the way from Microsoft – Nate Anderson, 02-14-2006
Ars Technica

Reporter's notes from the RSA conference – Jaikumar Vijayan, 02-14-2006

Gates’ latest vision brings controversy – Richard Waters, 02-14-2006 (subscribers only)
Financial Times

RSA: Gates outlines ID management for Vista, XP – Elizabeth (Liz) Montalbano, 02-14-2006
IDG News Service, CRN, Network World, InfoWorld, PCWorld.com, ITworld.com, Techworld, PC Advisor (Online), ARNnet.com

Microsoft, RSA, Sun And Encryption – Erin Joyce, 02-14-2006
internetnews.com, DevX.com, Inc.

Gates calls for the end of passwords – Bill Brenner, 02-14-2006
TechTarget, searchCIO.com

Gates discusses security protections at S.J. conference – Jessie Seyfer, 02-14-2006
San Jose Mercury News, Bradenton Herald, The Kansas City Star, The Charlotte Observer, Kentucky.com, Ledger-Enquirer.com, GrandForksHerald.com, SiliconValley.com, Pioneer Press, Biloxi Sun Herald, San Luis Obispo Tribune, Duluth News Tribune, Express India

Gates says security boils down to four focus areas – John Fontana, 02-14-2006
Network World, Computerworld

Gates Pushes Maximum Security – Katie Dean, 02-14-2006

Gates Outlines Microsoft's Security Vision – Luc Hatlestad, 02-14-2006
VARBusiness, CRN

Beyond Microsoft Passport Is InfoCard – Staff Writer, 02-14-2006
NewsFactor.com, CIO Today

Microsoft Wants Zero Passwords – Staff Writer, 02-14-2006
Red Herring

Gates Outlines Vista Security Features – Staff Writer, 02-14-2006
Top Tech News, CIO Today, News Factor Network

Microsoft plans virtual information wallet: Gates – Staff Writer, 02-14-2006
Reuters, The Washington Post, Boston Globe, The New York Times, The Australian IT, CNN International, TVNZ, News24, Reuters UK, CIOL IT, IT News Australia, Reuters India, Reuters Canada, CRN Australia, Herald News Daily, DNA India

Microsoft Updates Active Directory Roadmap – Stuart Johnston, 02-14-2006
Redmond, ENT

McNealy and Gates as hunting partners? – Todd Bishop, 02-14-2006
Seattle Post-Intelligencer

Microsoft talks security, InfoCard – William Harris, 02-15-2006
Bit Tech.net

Gates: Security is #1 Vista Priority – Albert Sacco, 02-15-2006

Microsoft introduces Infocard for improved security – Staff Writer, 02-15-2006

Bill Gates Plans On Replacing Passwords With ‘InfoCard’ – Staff Writer, 02-15-2006
All Headline News

Gates unveils ID security tool ‘Infocard’ – Abdul Salaam Masheer, 02-15-2006

Microsoft Finds Unlikely InfoCard Ally – Ryan Naraine, 02-15-2006
eWeek, The Channel Insider, Neowin.net

Microsoft specs out InfoCard security credentials – Staff Writer, 02-15-2006

Security Isn't "One Size Fits All" – Larry Greenemeier, 02-15-2006
InformationWeek, CRN, Security Pipeline

The oldest question in IT – Tom Sullivan, 02-15-2006

Sparks of Life (and Green) in Smart Cards – Erin Joyce, 02-15-2006

Keynoters push for ID federation, harsher laws – Annet Saita, 02-15-2006

Windows will feature better locks – Bob Keefe, 02-15-2006
The News Tribune, Atlanta Journal-Constitution, Austin American-Statesman, Hispanic Business.com

Gates calls for better PC security – Dan Fost, 02-15-2006
San Francisco Chronicle

Microsoft pushes standardized SSO at RSA – George Ou, 02-15-2006

Gates Outlines Microsoft Security Strategy – Jay Wrolstad, 02-15-2006
NewsFactor.com, CIO Today, Sci-Tech Today, Top Tech News

Gates unveils new kind of PC security – Jessie Seyfer, 02-15-2006
San Jose Mercury News

Taking the pain out of passwords – Louisa Hearn, 02-15-2006
The Age, Sydney Morning Herald Business

Microsoft Developing Virtual Wallet – Nathan Weinberg, 02-15-2006

Bill Gates: RSA Keynote 2006 – Paul Krevs, 02-15-2006

Gates Pushes Smart Cards To Replace Passwords – Ryan Naraine, 02-15-2006
PC Magazine

Microsoft and Sun show commitment to online security – Phil Muncaster, 02-15-2006
IT Week

Microsoft Finds Unlikely InfoCard Ally – Ryan Naraine, 02-15-2006
The Channel Insider

Gates Outlines Microsoft Security Efforts – Staff Writer, 02-15-2006
NewsFactor.com, Sci-Tech Today

Passwords a thing of the past – Staff Writer, 02-15-2006
Monsters and Critics

Bill Gates presents a new software security program – Staff Writer, 02-15-2006

Gates tries to win over skeptics on security – Todd Bishop, 02-15-2006
Seattle Post-Intelligencer

Microsoft InfoCard's first backer: VeriSign – Todd Bishop, 02-15-2006
Seattle Post-Intelligencer

Active Directory, identity management get tighter – Matt Mondok, 02-16-2006
Ars Technica

Newsmaker: Ending Microsoft's identity crisis – Ina Fried, 02-16-2006
CNET News.com, ZDNet, ZDNet India

VeriSign SSL Business Could Get Vista Boost – Kevin Murphy, 02-16-2006
Computer Business Review, CommentWire

Microsoft plans virtual information wallet to manage your online IDs – Staff Writer, 02-16-2006
DNA India

VeriSign and Microsoft tie-up to tackle phishing crimes – Staff Writer, 02-16-2006

Calling Cryptographers – Kate Greene, 02-16-2006
MIT Technology Review Germany

Microsoft continues push for ‘InfoCards’ – ScuttleMonkey, 02-16-2006

Bill Gates Talks about Infocard at RSA – Staff Writer, 02-16-2006
Spotlighting News

Infocard Spells End of Passwords – Staff Writer, 02-16-2006

Gates security program would end passwords – Staff Writer, 02-16-2006
Knight Ridder Newspapers, The Charlotte Observer

Gates outlines vision for new secure Internet Explorer – Steve Malone, 02-16-2006
PC Pro Online

Microsoft security InfoCard wins key supporter – Todd Bishop, 02-16-2006
Seattle Post-Intelligencer

McNealy on the ‘hairball,’ and other tales from RSA – Todd Bishop, 02-16-2006
Seattle Post-Intelligencer

demos virtual wallet – Derek Sooman, 02-16-2006

Bill Gates’ RSA Keynote Address – Alex Muradin, 02-16-2006
SoftPedia News

Are Passwords Passé? – Paul Roberts, 02-17-2006

Gates: Passwords Aren't Enough – Paula Rooney, 02-17-2006


Ina Fried interviewed me for CNET News a few days ago. She took the picture with a preposterously small James Bond type camera that doubled as a voice recorder. You can see she asked a lot of interesting questions.

SAN JOSE, Calif.–If Microsoft needs a lesson on how to do identity management wrong, it needs only look at its past.

With Passport, Microsoft had exactly the wrong approach as the software maker needlessly stepped between businesses and their customers–so says Kim Cameron, the identity expert who leads Microsoft's current effort, known as InfoCard.

Microsoft Chairman Bill Gates on Tuesday touted InfoCards as one of the technologies that could finally help cement the death of the username and password as the means of verifying identity on the Internet.

But before InfoCard can supplant anything, Microsoft will have to line up Web sites to use it, banks and credit card companies to support it and then get consumers to buy in, too. Cameron sat down with CNET News.com this week to talk about InfoCard, how it works and what Microsoft needs to do to make sure it doesn't whiff again.

What makes this attractive to others–to, say, Web site owners?
Cameron: When you first go to a Web site, their mantra, somebody told me, is “acquire, acquire, acquire.” I didn't know what that meant. But what that means is: Get that customer relationship going. At that moment, a lot of people will want to accept any InfoCard they can, then later, they get pickier. For example, if you want to buy something they will probably want something from a credit card company or a bank.

It's a bit of a chicken and egg thing. How do you guys get enough of the right people on board, build enough of an ecosystem?
Cameron: One of the things is people don't have to throw out their current authentication mechanism for InfoCard. And you don't have to change much at your site. It's just one very small component of the site that changes. The rest of the site all just stays the same. So, the investment required is small. And it becomes easier to acquire (new customers).

Now the question is: “Can we as Microsoft put together the right partnerships?” It’s hard. I've never worked on anything this hard, but the payoff is huge if it can be done. Then the question is: “Does the industry want to do it?” Microsoft can't do it by ourselves. Nobody can do it by themselves.

If I'm a user of Vista (the next version of Windows), how do I get an InfoCard? Is it something that is just there?
Cameron: A self-issued one you create yourself. If you get one, say from your bank, you go to your bank's Web site and you double click on it. It will give you your InfoCard–you might have to enter a one-time password or something that they have given you. It just appears in your InfoCard collection. You go through the verification process and it will appear in your InfoCard collection.

Is it limited to Internet Explorer? You have talked about it being implemented in the browser, but is it limited to that?
Cameron: It's not implemented in the browser. It’s integrated with the browser. The browser uses it, but it's an underlying platform service. Mozilla can use it just as well as IE (Internet Explorer). That's key. If that isn't the case, it just won't get the reach that we need.

It seems like the intent is for there to be multiple and compatible things there, a mechanism that keeps it so that when Apple does it, it's compatible with InfoCard?
Cameron: This is the nice thing. It's built on these standards that a lot of companies have adopted, Web services standards. It's really a precise collection of standards–WS-Trust, WS-Security, WS-Security Policy.

What about the whole Liberty Alliance specification?
Cameron: This is not positioned against Liberty. I am an admirer of Liberty. Liberty has done a lot of great things around policy, leadership on federation. This is something that a Liberty-enabled site can use for interacting with their customers.

Now, in terms of WS standards and Liberty, currently Liberty runs on the SAML (Security Assertion Markup Language) protocol, and WS standards are slightly different, although they share components. We're also working to try and align those things. But those things don't impact InfoCard.

Microsoft has said that InfoCard will be available for XP machines through IE7. How do XP users get access to the necessary code?
Cameron: In XP it comes in on WinFX.

So it's a client-side software download?
Cameron: Yes. Our hope is that will be really easy.

So, I can have my InfoCards on my work machine and on my home machine and they could be the same. Does that expose it to security risks? If you are able to transfer InfoCards then people can steal it?
Cameron: No, because the InfoCard doesn't actually contain the identity information. What it is is a visualization and a way of contacting the identity provider. You can't go and steal the InfoCard. I mean if you did, it wouldn't give you anything.

What, if any, personal data lives on other people's servers?
Cameron: Let's take the case of a credit card company. Because I go to the credit card provider each time I want to use one, it can give me a one-time credit card number. It actually never has to release my real credit card number.

Obviously InfoCard comes with Vista, but what do you think is a realistic time frame for when this will be usable?
Cameron: I think people will be offering InfoCard-enabled services by the time Vista ships. I'm at a disadvantage because I can't tell you who we are working with. What I can say is there are thought leaders around this in each industry. Those are the guys who we will be working with and who will have these applications that are InfoCard ready.

You can get not just identity but sort of very interesting semi-anonymous things that are very privacy-friendly. One of the things we have been doing with this project is to work with the privacy advocates and have them as colleagues in the design of the thing. This is not one of those things where a bunch of nerds get into a garage and come up with something that is going to gross out the privacy advocates.

When do you anticipate talking about some of the partners?
Cameron: It will be as we get closer to (the launch date for) Vista.

News.com's Joris Evers contributed to this report.