Stephen Mcgibbon, senior director of Microsoft's European technology office, is in the midst of a lively identity discussion on the Danish blog Overskudsdanmark. In a posting called, “What CardSpace enables, Vista prevents…“, Stephen quotes Stephan Engberg – who is on the international advisory board of Privacy International and other important organizations – as saying,
“I can easily see that Cardspace in itself COULD be a step in the positive direction, but MS is sending mixed signals by pushing the aggressive Live Id and “trusted” computing simultaneously with Cardspace.
“That might be ok if someone else had access to make usable solutions, but it is not my understanding that VISTA and Cardspace provide that access. What Cardspace enables, VISTA prevents.”
I guess there are several issues here. I'll defer the discussion of how CardSpace provides openness until Stephan has had a chance to look around this blog – the “HelloWorld Card” series would probably help get a technology orientation. Or just poke through the articles, or look at comments like this recent one from Dale Olds at Novell. While that's happening, I'll try to get more up to speed on his criticisms of Live ID and Vista.
Perhaps I can move the discussion forward by sharing some high level information about the current Windows Live ID service.
It's quite a bit different, conceptually, than Passport was – even though it is a technical evolution of that system. At core, Live ID sees itself as part of a very distributed and multi-centered world, whereas Passport was centralized and technologically monolithic.
You can get a sense for this by looking at the most recent Windows Live ID Whitepaper. Let me pass on a few quotes which I hope will entice you to read more of the paper:
How Does Windows Live ID Participate in the Identity Metasystem and Work with “InfoCard�
Microsoft is working with others in the industry to create an identity metasystem that brings existing and future identity providers into a connected identity ecosystem and empowers end users to control the use of their identities. The Windows Live ID service will participate in the identity metasystem as one identity provider among many, able to accept claims from other identity providers and transform them so they can be used within Microsoft online services. This participation will include acceptance of self-issued and managed “InfoCards.†It will thus provide full support for the “InfoCard†identity model.
Roles of the Windows Live ID Service in the Identity Metasystem
Microsoft has published its vision of a universal identity solution that is inclusive of a plurality of identity operators and technologies—the identity metasystem. In such a metasystem, identity providers, relying parties, and subjects can select, request, transfer, transform, and consume identities through a suite of well-defined and open Web Services (WS-*) protocols. Microsoft is working to implement components of the identity metasystem, as are many other companies in the industry. As a result, various building blocks for the metasystem are being developed. Some of these components will be delivered to end users in the form of software installed and running locally on their computers and devices, while others will be online services.
The design philosophy of the identity metasystem is not to replace the existing identity systems in use today, but instead to bring these existing systems together by enabling interoperation among subjects, relying parties, and identity providers through industry standard protocols. The Windows Live ID service will participate in the identity metasystem as a “managed†identity provider already at Internet scale. Windows Live ID will bring a large base of end users and relying parties to the metasystem, taking us one step closer to Internet-wide identity federation and doing our part to help the industry move beyond the “walled garden†paradigm.
The Windows Live ID service will play several essential roles that are strategic for Microsoft. The service:
- Is an Internet-scale identity provider intended primarily for users of Microsoft online services, which are all relying parties of the Windows Live ID service.
- Is open and issues claims in a form that can be consumed by any relying party, any device, and any other trusted identity authority.
- Serves Microsoft online services as a “claims transformer,†allowing those services to accept identities issued by third-parties. Third-party identity providers include other Internet service providers and managed-identity providers, such as the planned Active Directory Security Token Service (STS).
- Will be the identity provider and federating authority for third party services and software built on top of the Microsoft online services platform
In short, I see Windows Live ID as the identity component for the MSN properties, which speaks standard protocols, and is trying to be open and do business with the other parties who want to engage. This is all a new model – not only for Microsoft, but for the industry as a whole. There are many business details to be worked out, as there are elsewhere in the industry. But I see a progressively deeper committment to putting privacy first, and think my Live ID colleagues deserve a lot of credit for that. In fact, we have invited Stephan's Privacy International colleague Simon Davies to review and criticize our structures and initiatives, and have tried to act on his recommendations just as we would act on the recommendations of world-renouned security experts or other leading thinkers.
So I'm interested in the disconnect Stephan and I have in our perceptions. Is it because Microsoft hasn't communicated broadly enough? Or is there something substantive here? I would really like to understand.
In terms of Stephan's comments about Vista being controlling in some way, I just don't understand at all. It's the opposite of what we were trying to do.
Not everything about Vista is perfect, but we have been very hard core about putting our customers totally in control. User-centriic is a big deal for me, and for everyone I know. So are open interfaces and protocols. I don't understand his objection to our “trusted computing” effort.
So Stephan, let me know what you're thinking, and let's try to figure this out.
