B.C. to test virtual digital ID card

Here's a story by the Canadian Broadcasting Corporation (CBC) on the British Columbia government's IDM project.  Dick Hardt of Sxip played the key, even charismatic, role in developing a catalytic relationship between industry and government.

British Columbia will test a virtual ID “card” that enables citizens to connect with the government's online services more safely and easily, a top technology official said.

The government plans to begin tests on an “information card” early in the new year, said Ian Bailey, director of application architecture for the province's Office of the Chief Information Officer.

The cards are in the early stages, and “there's going to be some challenges,” Bailey said.

An information card is not a card at all: it's more like a document delivered to users’ computers which they can then use to access government websites.

It's meant to replace the current method of access, which involves logging on to a site with a name and password, and has a digital signature that can't be changed or reproduced, Bailey said.

“It will give us better privacy protection for individuals,” he said.

Among other attributes, Bailey said using an information card means:

  • The government won't know which sites the user visits.
  • The user is in control of shared information.
  • The cards won't have to reveal users’ birthdates or addresses, or a student's school. Instead, it could simply confirm the user is over 19, a B.C. resident or a student.

He compared using the card to using a driver's licence for identification since, in both cases, the government does not know what the citizen is doing.

MyOpenID.com supports Information Cards

If you use OpenID, you are probably running software developed by the gang of “Internet ninjas” at JanRain (yes, I've been there, and they actually do all wear black silk kung “foo” robes).  Besides writing software, JanRain runs one of the largest independent OpenID services: MyOpenID.com.  Today JanRain's Kevin Fox announced they had reached a major milestone:

The JanRain OpenID team is pleased to announce Information Card support has been added to MyOpenID.com

What is an Information Card?

What can I do with it?

With a self-issued Information Card you can sign in to MyOpenID, as well as sign up and recover your account, without ever having to enter your password. Anywhere on MyOpenID that you can enter a password will now allow you to use an Information Card instead. With the addition of Information Card support, MyOpenID is able to offer another solid option for people wanting to protect their OpenID account from phishing attacks and remember fewer passwords.

We were able to work with Microsoft’s Mike Jones and Kim Cameron who have both been long time proponents of OpenID  + Information Card support.

As noted by Kim Cameron, “CardSpace is used at the identity provider to keep credentials from being stolen. So the best aspects of OpenID are retained.” Meanwhile, one of the less desirable aspects (a confusing user experience) has been improved for someone using an Information Card to log in to their OpenID provider.

Support for Information Cards has been growing as more software projects implement the technology. It is important to note that this technology is being supported by many other organizations besides Microsoft. Information Card support is available for Windows platforms (Vista / XP) as well as Mac OS X and Linux.

Mike Jones beat me to the punch in heaping well-deserved praise on the JanRain group:

The JanRain team has done a fantastic job integrating account sign-up, sign-in, and recovery via Information Cards into their OpenID provider. I’m really impressed by how well this fits into the rest of their high-quality offering.

There’s another kind of integration they also did that makes this even more impressive in my mind: connecting their new Information Card support with their existing support for the draft OpenID phishing-resistant authentication specification. This is another significant step in fulfilling the promise of the JanRain/Microsoft/Sxip Identity/VeriSign OpenID/Windows CardSpace collaboration announcement introduced by Bill Gates and Craig Mundie at the RSA Security Conference this year. Because of this work, this sequence is now possible:

  1. A person goes to an OpenID relying party and uses an OpenID from MyOpenID.com.
  2. The OpenID relying party requests that MyOpenID.com use a phishing-resistant authentication method to sign the user in.
  3. The person signs into his MyOpenID.com OpenID with an Information Card.
  4. MyOpenID.com informs the relying party that the user utilized a phishing-resistant authentication method.

This means that MyOpenID users will be able to get both the convenience and anti-phishing benefits of Information Cards at OpenID-enabled sites they visit and those sites can have higher confidence that the user is in control of the OpenID used at the site. That’s truly useful identity convergence if you ask me!

Congratulations to all.
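The four-step sequence above, worked through as an added example (not JanRain's or Microsoft's code). It assumes the parameter names of the OpenID Provider Authentication Policy Extension (PAPE) draft, which is the phishing-resistant specification the post refers to; the relying-party URLs and OpenID are constructed.

```python
from typing import Dict

# URIs assumed from the PAPE draft (the post names the spec, not these identifiers).
OPENID_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"


def build_rp_request(claimed_id: str, return_to: str, realm: str) -> Dict[str, str]:
    """Steps 1-2: the relying party redirects the user to the OP and asks,
    via PAPE, that a phishing-resistant method be used for this sign-in."""
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": PHISHING_RESISTANT,
    }


def op_response(request: Dict[str, str], login_method: str) -> Dict[str, str]:
    """Steps 3-4: the OP (MyOpenID in the post) signs the user in and reports
    which requested policies it actually met. Only an Information Card login,
    where no password is typed, satisfies the phishing-resistant policy."""
    met = [PHISHING_RESISTANT] if login_method == "information_card" else []
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.claimed_id": request["openid.claimed_id"],
        "openid.return_to": request["openid.return_to"],
        "openid.ns.pape": PAPE_NS,
        # PAPE: space-separated list of satisfied policies, or "none" if none were.
        "openid.pape.auth_policies": " ".join(met) if met else "none",
        # PAPE fields must be covered by the assertion signature to be trusted.
        "openid.signed": "claimed_id,return_to,ns.pape,pape.auth_policies",
    }


def rp_accepts(response: Dict[str, str], required_policy: str) -> bool:
    """Relying-party decision: accept only if the OP asserts the required policy
    in a signed field. (Checking the signature itself needs the OP association
    and is outside this example.)"""
    if response.get("openid.mode") != "id_res":
        return False
    if response.get("openid.ns.pape") != PAPE_NS:
        return False  # no PAPE namespace: the OP made no policy statement
    if "pape.auth_policies" not in response.get("openid.signed", "").split(","):
        return False  # an unsigned policy claim could be injected by an attacker
    policies = response.get("openid.pape.auth_policies", "none").split()
    return required_policy in policies
```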

Business, Model, Scenario and Technology

Reading more of the discussion about Identity Oracles, I've come to agree with the importance of having separate names for the business model and the underlying technology that would be used to deliver services.  So I buy Dave Kearns's advice:

Drop it while you can, Kim. Bob's right on this one. The “Identity Oracle” is a business model, not a technology feature.

Why was I conflating things?

Well, when we were devising the technology for claims transformers, we were specifically trying to enable the scenario of providing answers to questions without releasing the information on which the answers are based (in other words, support derived claims).  We intended the claims transformer to be the technology component that could supply such answers. 

I saw the name “Identity Oracle” as describing the scenario.

Now I see the advantages of having very precise naming for a number of interrelated things.  It can leave us with this taxonomy: 

Reading Dave Kearns's post on how a service like HealthVault might evolve in the direction of an Identity Oracle, I couldn't help wondering about the problems of liability implied by some of these behaviors.

For example, consider a health-related Identity Oracle that could answer the question “Can Kim take drug X without fear of drug interactions?”  The resultant “yes” or “no” would be a lot more privacy friendly than releasing all of Kim's drug prescriptions and the medical information necessary to adequately answer the question.

However, the Identity Oracle presumably assumes more liability by “selling” its “yes” or “no” conclusion than it would by releasing simple facts (assuming the right permissions and use restrictions were in place). 

In other words, success of this model will involve a transfer of liability from the party currently making a decision to the oracle.  This liability has to be factored into the cost structure of the identity oracle business model, and the resultant pricing must make sense to the requesting party.
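The derived-claims idea behind both the B.C. card (confirm “over 19”, “B.C. resident” or “student” without revealing birthdate, address or school) and the claims transformer described above, as an added example that is not code from any of the projects mentioned. The attribute values, the signing key and the token format are constructed for illustration; the token carries only the yes/no answers plus an HMAC tag, so the relying party can check integrity without ever seeing the underlying facts.

```python
import hashlib
import hmac
import json
from datetime import date
from typing import Dict, Optional

# Constructed sample of what the identity provider holds. Only derived
# yes/no claims leave the transformer; none of these values do.
FULL_ATTRIBUTES = {
    "name": "Example Citizen",
    "birthdate": "1988-11-05",
    "address": "123 Example Street, Victoria",
    "province": "BC",
    "school": "Example University",
}
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def age_on(birthdate: date, today: date) -> int:
    """Whole years between birthdate and today. A 29 February birthday is
    counted from 1 March in non-leap years, so nobody is aged a day early."""
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def derive_claims(attrs: Dict[str, str], today: date) -> Dict[str, bool]:
    """Claims transformer: answer the questions without releasing the facts."""
    birthdate = date.fromisoformat(attrs["birthdate"])
    return {
        "over_19": age_on(birthdate, today) >= 19,
        "bc_resident": attrs.get("province") == "BC",
        "student": bool(attrs.get("school")),
    }


def issue_token(claims: Dict[str, bool], key: bytes) -> str:
    """Minimal-disclosure token: canonical JSON of the derived claims plus an
    HMAC-SHA256 tag keyed by the issuer (a stand-in for a real signature)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, key: bytes) -> Optional[Dict[str, bool]]:
    """Relying-party side: return the claims, or None if the tag does not match
    (a tampered answer, e.g. 'false' edited to 'true', fails here)."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)
```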

Zend PHP Information Cards

Dr. Dobb's Journal is dear to my heart.  My wife Adele Freedman, an architecture critic, always used to point to the copies I left lying around and tell our friends, “Check it out.  It's amazing to watch him read it.  No two words fit together.”

But to me it was like candy.  So it was exciting to read the following article today on Dobb's Portal:

Microsoft and Zend Technologies have announced a collaboration to enable support for information cards by PHP developers through a component built for Zend Framework. Using this as a stand-alone component or as part of the Framework, PHP developers will be able to specify a Web site's security policy and accept information cards from trusted third parties.

“Microsoft and Zend are making a commitment to deliver information card support to PHP developers, which will reduce development costs and help make the Web safer and more secure for people,” said Vijay Rajagopalan, principal architect for Platform & Interoperability Strategy at Microsoft.

The cooperative work on information cards extends Microsoft's previous interoperability efforts in this area. Microsoft, in collaboration with Fraunhofer Institute FOKUS and ThoughtWorks, has developed open source interoperability projects on information cards for systems based on Java and Ruby.

“Web sites developed on ASP.NET can already accept information cards,” Rajagopalan explained. “With this work, a Java-based Web site, for example, built on the Sun Java System Web Server, Apache Tomcat or IBM WebSphere Application Server can now accept a digital information card for security-enhanced identity. A Web site built on Ruby on Rails can accept an information card. There is also an open source information card library project implemented in C, developed by Ping Identity Corp.”

Information about Microsoft open source interoperability identity card projects can be found at:

When support for information cards within the Zend Framework (an open source PHP application framework for developing Web applications and Web services) is enabled, users who access PHP-enabled Web sites will receive consistent user control of their digital identities and improved confidence in the authentication process for remote applications, all with greater security than password-based Web logins offer. Zend Technologies’ implementation of information cards lets users provide their digital identities in a familiar, security-enhanced way. They are analogous to business cards, credit cards or membership cards that people use every day.

I guess everyone familiar with this blog knows I've developed a deep affection for PHP myself, so I'm very happy to see this.

Bob Blakley on the Identity Oracle

As you can read here, Bob Blakley thrashes me for my characterization of an Identity Oracle as “his sexy name for the claims transformer generating ‘minimal disclosure tokens’.”   He thinks I'm being geeky, and I probably am, but hey, geeks are people too.

He puts it this way:

 This statement is utterly and completely wrong.  An Identity Oracle is NOT a “claims transformer generating minimal disclosure tokens”.  It’s not even a claims transformer.  It’s not even a server.  It’s not even technology.

“It's not even technology.”  I guess it “just happens”.  Reminds me of how Bentley Motorcars describe what others would call a factory:

This isn’t a factory visit. It’s the Bentley Experience.

But let's not turn our backs on Bob's pain:

I’ve said twenty times from various stages and in writing on my personal blog and here that as long as we continue to try to solve privacy problems using technology, we are going to continue to fail, and the Internet will continue to lack an identity layer, and it will continue to be a privacy hazard.  Identity and privacy are not technology problems – they’re social, legal, and economic problems – and no technology can solve these problems.

Of course I agree that technology can't solve problems, only its design and usage can.  Although identity and privacy are social, legal and economic problems, they are technical ones too.

It's paradoxical that I have to be the person to suggest that The Burton Group take in a bit of lawyer Lawrence Lessig's thinking about these matters, nicely summarized here:

Lessig… addresses the two forms of code that dominate the Internet: legal code (law) and machine code (the technology supporting the Internet).  As Lessig points out, the influence of both must be understood, as both will determine the shape of the future.

That has become a bit of a mantra for me, and one of the reasons why, when I see interesting policy ideas, I try to understand how they relate to “code”.

Anyway, let's get to all the good points Bob makes.  Here's the basic dialog a service has with the Identity Oracle:

Burton Group goes to Mainstreet

In this cogent article, the New York Times’ Denise Caruso distinguishes herself with a compelling treatment of complex identity and privacy issues.  For instance, her characterization of Mint.com is enough to turn the Flying Nun into a paranoid: 

“In exchange for customers uploading their account information and allowing sponsors to offer them specialized services, Mint will connect nightly to their credit-card providers, banks and credit unions. Then it automatically updates transactions and accounts, balances their checkbooks, categorizes their transactions, compares cash with debt and, based on their personal spending habits, shops for better rates on new accounts and credit cards.”

I sure would like to know more about how mint.com protects itself, who oversees it, how it protects me, and most important, what it does and doesn't and will never do with the massively detailed personal information it collects.  Today, not even my accountant or my wife scrutinizes my credit card spending.

To the rescue

Just as the reader is losing all hope, in rides – are you ready? – Mike Neuenschwander from the Burton Group.   He puts forward the ideas all of us in the community are working on, but with a twist that is very novel – and perhaps even “American”:

“We’re in a situation where business holds all the cards…  “Businesses put the deal in front of the consumer, they control the playing field and the consumer doesn’t have any say in how the deal plays out.”

ONE way to change this, he said, is to make people more like organizations.

To this end, Mr. Neuenschwander and his colleagues have floated the intriguing concept of the L.L.P.: the Limited Liability Persona. This persona would be a legally recognized virtual person in which users could “invest” the financial or identity resources of their choosing.

Once their individual personas are created, consumers would be able to use them as their legal “alter ego,” even in financial transactions. “My L.L.P. would have its own mailing address, its own tax ID number, and that’s the information I’d give when I’m online,” Mr. Neuenschwander said. Other benefits include the ability for “personas” to limit their financial exposure in ways that individuals cannot.

Information Card Thermometer

I’ve started publishing a “sockets gauge” on my homepage – a thermometer that represents my best estimate of the percentage of desktops running Information Card bits (and thus capable of using Information Cards).  As of October 2007, this is just over 10.2%.

I’ll try to update this estimate monthly, working with others so our estimates are across Windows, Macs and Linux Desktops. 

It will be interesting to watch developments as this percentage moves up to 30% and then to 60% and then to 90%, each with potentially greater network effects.

Today we are in the “Sockets and Ecology” phase where we can see:

  • CardSpace and DigitalMe and other Card Selector sockets growing towards a tipping point
  • software for building relying parties becoming widely available and understood on all platforms and in all languages
  • the early versions of the software put out by Microsoft and others being refined and perfected through community feedback and experience
  • leading applications raising the competitive bar by adopting the technology

Our view is that as these phenomena accelerate, CardSpace and its sister implementations will be increasingly used across many different contexts and their ability to support minimal disclosure and prevent the use of universal identifiers will become increasingly valued and apparent.

Success brings complexities too

Pamela Dingle is the awesome, programming, geek, girl Canadian who runs The Pamela Project.   She produced the WordPress InfoCard plugin that I use on my blog.  In this piece, she has a different take on Information Card adoption:

“It has been a while since I’ve meandered through my thoughts on where the world of the Identity Metasystem is going these days.

“A few entries in the blogosphere have examined what this system is not – which is in common use. I can’t deny the truth of such statements. However, what I do see, is a growing number of people who are contacting me, because they are working hard to change this fact.

“I can honestly say that I don’t worry about whether Information Cards will succeed. What I worry about, is what happens when it does. To me, this is why it is critical to run interops via OSIS, and not only that, but to create a body of work that anyone can use to understand, test, and create correctly operating components. We are in the lull before the storm.

“Have you ever heard the term ‘victims of our own success’? This is what we will be, if the wave of mass adoption comes, and we haven’t made it easy to be a GOOD member of the Identity Metasystem. If we don’t set community consensus on edge cases, abuse cases, some common standards for basic user interface, and other such things now, if we all don’t get busy implementing and learning from our mistakes and fixing them while it is still easy to do so, it is going to be chaos when suddenly the big thing is for every site out there to accept Information Cards.

“My view is that user-centric technology in general is a massive tsunami moving towards the coast. It doesn’t look like much now because the wavelength is long — but once we get close to shore… If I’m right, there will be a sudden, immediate, and critical demand for architects, sys-admins, and developers with experience in this space. The more mistakes we make now and learn from, the fewer mistakes these future techies will have to make en masse.

“… and if I’m wrong about the tsunami — well I guess we’ll all have stories to tell around the campfire…. :)


EPIC opposes Google / Doubleclick merger

Last week the Electronic Privacy Information Center (EPIC) made an agenda-setting intervention on the newest dangers in digital privacy.  EPIC is perhaps the world’s most influential privacy advocacy group, and presented its brief to a US Senate hearing looking into Google’s proposed acquisition of DoubleClick.

According to USA Today,

“The Federal Trade Commission is already reviewing whether the Google-DoubleClick combination would violate antitrust law.  Consumer groups are pressing the agency to also scrutinize Google's privacy practices.  Marc Rotenberg, executive director of the Electronic Privacy Information Center, told the Senate committee that Google should be required to strengthen its privacy practices as a condition of the acquisition.”


What if we fail?

As innovators we need to think about what happens if our systems fail.  I've argued, for example, that the starting point for designing a secure system is to recognize it will be breached.

So I took Ben Laurie's recent piece on CardSpace as an invitation to review one more time what can go wrong with Information Cards and CardSpace. 

For those who don't know him, Ben has been a leading innovator in terms of open source SSL, and currently works at Google.  In his piece he writes that OpenID isn't gaining much traction.  Then he turns to CardSpace, which he says “appears to be supported only by Microsoft products.”

A number of people gagged on this, including Dale Olds of Novell (who nonetheless retained his unflappable charm).  Dale had just released his new DigitalMe product providing Information Card support for Mac and Linux.  In fact, at Digital ID World, the open source Bandit Project had launched a “Control Your Identity” campaign to promote awareness and use of Information Card technology.  Hmmm.  I wonder if Linux is a Microsoft product?