New British report on identity card technologies

There is a new report by the British House of Commons Science and Technology Committee entitled, “Identity Card Technologies: Scientific Advice, Risk and Evidence”.

For those new to this blog, the ongoing discussion of a British Identity Card interests me not only because of what it means for Britain's future, but because it is a crucible in which to watch the Laws of Identity play themselves out. The initial proposal broke a number of them – with, so far, the predicted results.

Here is the summary from the multi-party Committee's report:

This Report is the final of three case studies considering the Government’s treatment of scientific advice, risk and evidence. It focuses upon the Home Office’s identity cards scheme, which uses various technologies including biometrics, information and communication technology (ICT) and smart cards. We considered this scheme in order to explore the ways in which scientific advice, risk and evidence could be managed in relation to technologies that are continually developing.

This inquiry has found several areas in which the Home Office’s treatment of scientific advice and evidence appears to be following good practice: the establishment of advisory committees, the use of Office of Government Commerce (OGC) Gateway Reviews and the development of risk management strategies are examples. We welcome the Home Office’s commitment to implementing the scheme gradually rather than using a “big bang” approach, which could jeopardise the success of the programme.

We have also identified weaknesses in the use of scientific advice and evidence. We are disappointed with the lack of transparency surrounding the incorporation of scientific advice, the procurement process and the ICT system.

Potential suppliers are confused about the extent to which the scheme will be prescriptive and when technical specifications will be released. Whilst the Home Office has attempted to consult the wider community, stakeholders have complained that consultations have been unduly limited in scope and their objectives have been unclear.

As a result, the wider community does not have the level of confidence in the scheme that could reasonably be expected at this stage. Whilst the Home Office has determined some aspects of the scheme such as the biometrics, it has left other aspects such as the structure of the database undetermined. Its decisions demonstrate an inconsistent approach to scientific evidence and we are concerned that choices regarding biometric technology have preceded trials. Given that extensive trialling is still to take place, we are sceptical about the validity of costs produced at this stage. We note the danger of cost ceilings driving the choice of technology and call for the Home Office to publish a breakdown of the technology costs following the procurement process.

The identity cards scheme has at least another two years before identity cards begin to be introduced and the scheme has not yet entered its procurement phase. There is still time for the Home Office to make alterations to its processes. We encourage the Home Office to seek advice on ICT from senior and experienced professionals and to establish an ICT assurance committee.

Whilst biometric technology is an important part of the scheme, it must not detract from other aspects of the programme, in particular ICT. It is crucial that the Home Office increases clarity and transparency across the programme, not only in problem areas. We also emphasise that if evidence emerges that contradicts existing assumptions, changes must be made to the programme even if the timescale or cost of the project is extended in consequence.

Peddalo sir? Of course, just leave me your ID card …

Being on vacation, surrounded by bizarre identity phenomena, I liked this post by Jerry Fishenden, Microsoft's National Technology Officer in Britain:

If anyone doubts the extent to which ID cards will be demanded for the most trivial of reasons, my recent experiences on holiday in the Ardennes amused me. On going to hire a peddalo on a lake for myself and my family to inflict some gratuitous self-humiliation on ourselves, I was asked for my ID card.

“I don't have an ID card”, I explained – at which point they asked for my passport. Which I was not carrying with me.

Oh uh – it was not looking good. Was I going to be prevented from some harmless family entertainment on the lake due to the lack of a proper identity document? I couldn't help but observe beside the cash till (in full public view and easy reach) a collection of ID cards and passports provided by other peddalo tourists.

However, it turned out that they wanted the ID card/passport from me purely as some sort of surety for the hire of the peddalo. I negotiated a cash deposit of 15 Euros instead.

But the episode did highlight to me the risks involved with any ID card that has physically printed on it a wide range of sensitive personal information – who knows what some unscrupulous peddalo hirer might do with that useful information whilst it is in their custody? Let alone someone with a more serious criminal intent.

Even odder, on returning the padlock key for the peddalo after completion of a few half-hearted circumnavigations of the lake, I was offered a choice of ID cards and/or passports to take from the pile beside the till. Until I reminded them that I only needed my 15 Euros returned – not someone else's identity document (kind as it was of them of course to offer me alternative identity documents – and free of charge at that).

The ease with which anyone with an ID card or passport meekly complied with the request and handed them over to a peddalo-hiring stranger also illustrates the extent to which people become complacent about where and who asks for such credentials. Of course, happily most of the time the people that ask us will have the best of intentions. But we still need to design our identity documents with the assumption they do not.

All the more important then that we have the time to ensure any ID card (and the personal information it provides access to) is designed to protect us against casual acquisition and misuse.

While you're pondering this one, take a look at Jerry's very thought-inducing piece, “biometrics: enabling guilty men to go free? Further adventures from the law of unintended consequences”.

He focusses on the fact that biometrics are progressively becoming public information, as are many other aspects of our identity.  Because they are being stored in an ever-widening circle of computer systems and without serious security precautions, they may in fact lose the power to convince and convict.  We need to understand these issues if we are to understand the role of biometrics in identity.

The law of unintended consequences seems to be making itself felt a lot these days.


Will industry rescue the identity card?

IT Week recently ran a story quoting Simon Davies, director of Privacy International, that has raised an eyebrow or two in the blogosphere.

Industry may need to lead the way if the UK is ever to get a national identity card scheme that can deliver significant security and efficiency benefits.

That is the view of Simon Davies, one of the academics behind the London School of Economics’ controversial report last year on the cost and viability of the government’s ID card scheme. Davies told IT Week that now leaked emails from Whitehall officials have revealed their doubts about the viability of the scheme, the private sector may have to step in to save the project.

“I’ve believed for some months that a ‘white knight’ consortium from industry is needed,” Davies said. “Companies that can see the benefits of the ID card idea should approach the government about effectively taking over the project.”

The Home Office has long argued that the introduction of ID cards will deliver many business benefits, such as more efficient identity verification processes, less fraud, and more secure e-business transactions, and has maintained that it has been working closely with business leaders about how the technology should be used.

Speaking in her office at the newly formed Identity and Passport Service (IPS) earlier this year, Katherine Courtney, director of business development for the government’s ID card scheme, argued that while much of the coverage of ID cards has focused on the ability to tackle fraud and terrorism, it will also deliver such significant business benefits that “we will all be asking ourselves in 10 years’ time how we ever got along without them”.

Courtney added, “Because of the mobility of society and the development of the digital economy, people are leading more complicated lives and want to be able to conduct their personal administration more easily and out of office hours. These changing social trends mean that the capability to prove your identity is vital and this scheme will deliver the enabling technology [to do that].”

The Home Office is talking to public-sector bodies, such as the police and the NHS, and private firms, including banks, retailers, e-businesses and other large employers, about how they could use ID cards. The theory is that if everyone has a national identity card that can be checked against a central register containing biometric and personal details, tapping in a personal PIN code or undergoing a biometric scan will quickly replace the need to photocopy utility bills or show a passport for tasks such as enrolling for a doctor or applying for a loan.

Perhaps unsurprisingly, firms have broadly welcomed plans that the Home Office estimates will save the private sector £425m a year through streamlined identity verification processes and reduced exposure to fraud. In fact, these benefits could prove so significant that organisations will offer incentives for customers to have cards, according to Ed Schaffner, director of enterprise security at IT supplier Unisys – one of the companies likely to bid for part of the Home Office contract…

“The cost of identity fraud is built into the cost of any service,” Schaffner said. “So businesses and banks can say that if you use this card to verify your ID you can have a discount.”

A spokesman for one bank also said identity cards could make it easier to serve disenfranchised sections of society, such as migratory workers and students, who are less likely to have currently accepted forms of identity proof such as utility bills and passports.

Another way the Home Office hopes the cards will deliver significant benefits for businesses and consumers is by enhancing the security of online transactions. The Home Office argues that asking customers for an ID card number and PIN code that can verify identity against a national register would give organisations a more secure means of identifying online users.

It is a technique already used in Belgium, where 2.5 million people currently hold electronic ID cards and government agencies and banks are using information on the cards to authorise online access to their services. Chatrooms have also started to use ID card checks to ensure age limits are enforced.

In future, attaching card readers and fingerprint scanners, such as those already found on some laptops, to PCs could further strengthen security. If the technology proves as secure as the Home Office promises, retailers and banks would be able to authorise far larger online transactions than at present.

Like many observers, Jeremy Beale, head of e-business at the CBI, has concerns about the technical challenges the scheme will face, but he also argues that a working system could bring huge benefits. “ID cards are not so much a disruptive technology as a stabilising one,” he said. “Firms have been saying for years that they want a single secure standard for online identity verification, and if the government manages to deliver it there could be huge benefits for online commerce.”

But Davies added that despite these potential benefits the government has not been doing enough to form a partnership with industry and technology suppliers to develop a workable ID card system, and it is therefore time for business leaders to take a more proactive role. He argued that management of the scheme should be taken from the Home Office and handed to the Treasury and the Department of Trade and Industry (DTI). “Industry has been left high and dry [by the government’s failure to make its plans clear], and the DTI should be able to rebuild trust with industry,” he said.

Alan Rodger of analyst firm Butler Group said there is a growing belief among some identity management experts that the government should leave the scheme to the private sector. “There is a feeling from some that we should let the market sort it out,” he said. “It would allow the problem [of securing individuals’ identities] to be tackled without the need for huge public investment.”

Separately, Davies argued that now some senior civil servants have expressed fears that the project is likely to fail, the government ought to publish all its reports on the feasibility of the scheme. “It is now all about trust,” Davies added. “The government has to restore some faith in the project.”

Simon, who has been a relentless and towering force in the privacy movement, responded to his critics as follows:

It’s important to recognise that context can be lost in any media report. In this case the quotes are accurate, though of course not complete. I’ve made similar remarks to conferences over the past six months, and for good reason. While it would have been nice to have seen the full conversation published, we all know that’s not the way media does its business.

I doubt that anyone who has followed the UK ID card debate, or indeed the debates in other countries, would have any doubt about where I stand on identity. My views are well known, mainly because government has made a point of repeatedly expressing them in public. I don’t resile from anything I’ve ever done or said on the subject.

As for these particular remarks, I will clarify the position.

1. You will know through the recent leaked emails that it is government, rather than Privacy International, that has lost the plot over the ID card. The Home Office is in disarray and Treasury wants it scrapped or severely limited;

2. You’ll also know from the leaked Market Soundings report that industry no longer supports the government’s scheme. I’ve known that for more than a year. Industry wants a manageable project that has a light structure and that carries public trust;

3. Into this context comes the idea that industry wanting to pursue the “right” approach (no compulsion, no central register etc) now has the opportunity to do so. Companies like EDS will always support the government line. Others are moving quickly to establish an alternative position.

4. The idea of the “White Knight Consortium” has been around since mid 2005, when it was first discussed at an industry-wide meeting of the Enterprise Privacy Group. I supported the idea then because it seemed the best way to derail the government approach.

I don’t see any need to defend myself, other than to observe how odd it feels to be hailed one day as the master strategist behind the ill-fortunes of the scheme, and the next to be condemned as a guy who lost the plot.

The “plot” is something I have well and truly in mind, and maybe you just need to reflect a little more on what I’m supporting and why I’m supporting it, rather than lashing out. Strategy and tactics on an issue like this are long term game-plans.

I've met Simon – in fact he's a privacy mentor for me.  It's true he's put a few noses out of joint over the last couple of decades.  No wonder – he was so far ahead of the rest of us in his thinking.  Talk to him for two minutes and you can see that he has worked with these issues for a long time, and understands them in a many-sided way.

Incredibly, in 1994, when people like me didn't yet have a clue we might encounter privacy issues with digital technology, he had already written Touching Big Brother – How biometric technology will fuse flesh and machine.   I don't throw out the word visionary lightly, but read this article and wonder.

Through his work at the London School of Economics he has spent a lot of time talking with cryptographers and computer scientists to understand what can actually be done to replace current systems with ones which really are privacy enhancing.  After all, does anyone think the current situation represents a Nirvana?  Not me – I've seen too many of the existing systems.

It's true that through unlikely initiatives such as the proposed UK Identity Card system, replete with panopticon observation post and massive centralized database, the handling of our personal information and threat to our privacy could actually get worse than it currently is.  But I don't think this type of initiative will succeed – it's like building a sixty-foot man.

So, surely, it is just as possible that we can take advantage of the increased awareness around these issues – and the amazing new technological possibilities that have emerged in the last few years – to allow government and business to become more secure and more privacy enhancing than they currently are.

Given the proper adult supervision by privacy advocates and policy experts, industry could, as Simon says, bring to life alternatives to the Dr. No blueprints that have emerged so far. 

It may still be hard to imagine a national (or international) conversation that includes notions like “directional identity”, but I think it will come.  Governments will inevitably see that the way to best strengthen their own security is to build strong social consensus by protecting the privacy of citizens at the same time they look after the interests of the state.

As always, the key here is “User Control and Consent”.  Citizens have to want to use the system.  Close behind are “Minimal Disclosure” and “Directed Identifiers” and all the other Laws of Identity.  Any successful ID card will have to be more attractive than the status quo – proving it is a step forward, not backward, and winning support.


Yeah, I'm a 27 year old single guy, but should I tell my wife?

Intel's Conor Cahill points out the problems with the “verification chains” being used by some of the emerging commercial identity verification services: 

In “How old are you, are you single?”, my friend, Kim Cameron, quotes an article in the post-gazette.com Business News talking about identity verification services. The article describes the process as:

The Verification Chain

How new identity-verification services work.

  • Users sign up for a new account on a classified, social-networking or dating site and are prompted to click through to the site of an identity verifier.
  • Verification service prompts users to create profiles with details such as their age, address, and occupation.
  • Verification services — or a separate company — electronically check data in public-record databases to verify assertions.

At first glance, this verification service looks like a good step forward. However, if you look closely, the process appears to mimic the same procedures that provide the foundation for much of the identity theft that exists to date — that being the fact that all I need to do to steal your identity is know a few key pieces of information (which will verify correctly).

I would hope that they start to add stronger verification that the person who “knows” this stuff is actually the person whose data is being verified. Things like what Paypal does for bank account verification (deposit two small sums in your account and require you to input the actual deposit values to prove you have access to the account).

We really need to move away from knowledge of basic facts as a verification of identity, especially when many of those facts are published in one form or another.

Paypal's approach is one of the best ways to prove that you have control of a particular bank account. 

But it doesn't say much about how old you are – or whether you are single.  So it's not a silver bullet in the wider scheme of things.
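Here is what that proof-of-control step looks like in code. This is an added example, not PayPal's implementation or anything from the post: the `MicroDepositVerifier` class, the server-side pepper and the attempt limit are my assumptions, and the bank transfer is simulated by simply returning the two amounts that would be sent. The point a practitioner should take from it is that two amounts of 1–99 cents are only about ten thousand combinations, so the attempt limit, not the secrecy of the amounts, is the real control.

```python
import hashlib
import hmac
import secrets

# Assumptions for this constructed example (not PayPal's code): a server-side pepper so a
# leaked table does not reveal the amounts, and a hard cap on guesses because the
# search space (two amounts of 1-99 cents) is tiny.
MAX_ATTEMPTS = 3
PEPPER = secrets.token_bytes(32)


def _digest(account_ref, amounts):
    # Order-independent: the user may read the two deposits off a statement in either order.
    canon = ",".join(str(a) for a in sorted(amounts))
    return hmac.new(PEPPER, f"{account_ref}|{canon}".encode(), hashlib.sha256).digest()


class MicroDepositVerifier:
    def __init__(self):
        self._pending = {}    # account_ref -> {"digest": bytes, "attempts": int}
        self._verified = set()

    def start(self, account_ref):
        """Pick two random deposit amounts in cents and hand them to the payment rail.

        Only a keyed digest is kept server-side; the user must prove access to the
        account by reading the amounts from a statement, not by knowing facts about
        the account holder.
        """
        amounts = (secrets.randbelow(99) + 1, secrets.randbelow(99) + 1)
        self._pending[account_ref] = {"digest": _digest(account_ref, amounts), "attempts": 0}
        return amounts    # simulated: a real system sends these via ACH and returns nothing

    def confirm(self, account_ref, claimed):
        """Return 'verified', 'retry', 'locked' or 'unknown' for the user's claimed amounts."""
        rec = self._pending.get(account_ref)
        if rec is None:
            return "unknown"          # no open challenge: never leaks whether one ever existed
        rec["attempts"] += 1
        if hmac.compare_digest(rec["digest"], _digest(account_ref, claimed)):
            del self._pending[account_ref]
            self._verified.add(account_ref)
            return "verified"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account_ref]   # burn the challenge; a restart re-randomises
            return "locked"
        return "retry"

    def is_verified(self, account_ref):
        return account_ref in self._verified


if __name__ == "__main__":
    v = MicroDepositVerifier()
    sent = v.start("acct-demo")
    print("deposits sent (simulated):", sent)
    print(v.confirm("acct-demo", (sent[1], sent[0])))   # order does not matter
```

Note that this proves control of an account and nothing else; it says nothing about the user's age or marital status, which is exactly the gap the paragraph above points out.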

Too bad, because I couldn't agree more that knowing things about me doesn't prove you are me.

Isn't it amazing how many times we are required to tell people far too much about ourselves? 

I've been asked so many times for the name of my first pet that I've had to make one up.  My first pet was a turtle, and as far as I can remember, his short life didn't involve a name – we were both too young.  Yet I have to use this silly name to avoid giving people my mother's date of birth.

Once you've revealed all, the party you've given it to can reveal all too.  If there's a one in one thousand chance that someone will sell or misuse that information, then by the time you have given it to one thousand people you should expect one of them to misuse it (the chance that at least one does is already about 63 percent, and it keeps climbing with every extra party).

Right now we give all our identifying information to every Tom, Dick and Harry, each of whom remember who we are by storing it – probably unsafely. 

What if we just gave it to Tom, or a couple of Toms, and the Toms then vouched for who we are?  We would “register” with the Toms, and the Toms would make claims about us.  Then the chances of having our identity stolen would drop, in the example above, from near-certainty to one or two in a thousand.  Not perfect, but hey, I'll take it.

If Tom stands behind our identity for a number of years, he can become progressively more certain about our behavior, if not our childhood.

So I'm hoping that in the description given above of how a verification service operates, once you have registered with a service, it stands behind assertions about you, so you no longer need to release identifying information.

Anyone understand the MySpace “salute”?

Following our recent conversation on finding the time to blog, Ted Howard pointed me to this fascinating page from MySpace.com:

In order to verify your identity, please send us a “salute”. This means we will need an image of yourself holding a handwritten sign with the word “MySpace.com” and your Friend ID (your Friend ID number appears immediately after “friendID=” in the web address/URL when viewing your profile). We can then remove the profile that uses your identity without your permission.

Please be sure to include the web address/URL to the profile in question when you send your salute.

If you do not have a profile on MySpace please write in the email address that you are emailing us from instead of your Friend ID.

If the profile is an extremely obvious attempt to be cruel/false, you may not need to send a salute. Sending a salute will definitely help expedite things, though! If you are a teacher/faculty member at a school, please click on this link.

That's so bizarre.  I'm missing something here.  I asked Ted if he had any idea how this works:

I think the MySpace “salute” is just a photo of yourself holding a piece of paper that has your login name on it. Apparently, they consider this to be physical proof of identity – they have physical proof that a given face is linked to a given login name. Now, I don’t understand how this helps anything, which is why I find it interesting.

What stops me from saying that your MySpace account that claims you are “Kim Cameron” is a fake and then sending a picture of me holding a piece of paper with my account name that claims I am “Kim Cameron”.

Crap! I’m on your technical advisory team I guess. Are the benefits good?

Welcome to the team, Ted.  Someone will get back to you on the benefits question.

The truth is that Ted is one of those very lucky guys who gets to program video games.  I sure would like to see him blogging about what that's like.


How old are you? Are you single?

From post-gazette.com Business News, here is a nice article by Jessica E. Vascellaro of The Wall Street Journal on identity-proofing.  It's amazing how well she understands the emerging options:

Rob Barbour has found a new way of enhancing his reputation online: showcasing his newly verified identity. When he put up an eBay Inc. listing a few weeks ago, the Ashburn, Va., technology consultant embedded a link to his new online profile on verification service Trufina Inc.

He soon will paste the link in his emails and on a Web site where he sells software and offers programming advice. “I needed a tool that will prove to somebody that this is who I am,” says Mr. Barbour, 39 years old.

Proving who you are is increasingly important on the Web, amid growing concern that pervasive Internet fraud is making it difficult to know whom to trust. In response, companies are developing a slew of new tools to help people confirm their identities. The new services allow consumers to create and share verified personal profiles with people they meet or do business with online.

In recent weeks, many of these services have announced new partnerships with popular social-networking, shopping and dating sites, which face particular pressure to keep out cyber crooks. Trufina, which has recently joined up with dating sites like HonestyFirst.com and Loveaccess.com, relaunched last week with a wider menu of verification tools. Opinity Inc., a new profile-sharing service that verifies a user's age, hometown and, in coming weeks, education and employment history, has recently announced partnerships with social-networking sites like GoingOn.com, classified site Edgeio.com and technology-news site CNET.com. IDology Inc., which performs age and identity checks on customers for high-end online merchants, will this week announce a deal with Zoey's Room, a networking site for girls, marking the first time its age and identity-verification technology will be part of a social-networking site.

Whether they're shopping, chatting, doing business or looking for dates, consumers are increasingly on edge about online safety. In 2005, 59 percent of Americans “completely or strongly” agreed that Internet-based financial transactions were secure, down from 70 percent in 2003 according to Informa Research Services. A recent report from the Pew Internet & American Life Project found that 66 percent of Internet users believe online dating is dangerous because it puts personal information online.

Concerns about the safety of minors, in particular, have exposed the need for more effective ways to confirm a person's identity than a user name and a password. Social-networking sites attempt to protect their members by imposing minimum age restrictions but can't easily enforce them. News Corp.’s MySpace.com, which requires members to be at least 14 years old, told Congress in June that it is looking at age-verification technology but hasn't yet found any effective options.

Proposed solutions for protecting children from online predators are controversial. Last week the House of Representatives passed a bill that bans social-networking sites and chat rooms from schools and libraries that receive certain federal funding. The bill, which has been criticized as too broad and blunt by some online-privacy groups, has been referred to a Senate committee.

A growing number of businesses, too, are using online verification services to check out their customers. Wine company Kendall-Jackson uses IDology's age-verification technology to confirm that new customers on two of its e-commerce sites are at least 21 years old, and it plans to implement more-comprehensive identity verification soon to help combat credit-card fraud. Ice.com, an online jeweler, uses IDology's tools to authenticate buyers whom it flags as high-risk, which include those with particularly high transaction volumes or mismatched addresses.

Microsoft Corp. is addressing online-safety concerns by constructing its own identity technology from scratch. The technology, called Windows CardSpace, is in a very early stage but will be built into its upcoming Windows Vista operating system. CardSpace allows users to log into Web sites by clicking on different digital credentials, or information cards. Users could create their own information cards or they could get the credentials issued to them by a trusted party, like a bank. (Microsoft doesn't host or store the identity information; it just provides the technology for its transfer.) CardSpace is meant to be more secure and useful than passwords because information cards can hold more information, like an address or a credit-card number, and can be backed by a third party.

International Business Machines Corp., Novell Inc. and various other academics and vendors are working together on a similar project. Their technology, dubbed “Project Higgins,” would be open-source.

But radically new tools like these won't be rolled out widely before next year. In the meantime, current services tend to focus on creating a trusted profile that can be used across sites or shared. The services, which collaborate with background-checking companies of the sort corporations use to research future hires, often check attributes like age, address, gender, education, employment and whether a person has a criminal record. Most services provide a basic verification of name, email, and sometimes address free of charge. Anything more can cost up to around $15 a year. The information is typically checked against credit-bureau records and other publicly available data, like property listings and databases of known criminals and sex offenders.

To sign up, users enter their personal data and are sometimes asked to answer a series of tricky multiple-choice questions no one else will likely be able to answer, such as the size of their last mortgage payment. Some details are confirmed automatically; others take time. On Trufina, a basic verification takes two to three minutes, with a background check usually taking less than 10 minutes, says Christian Madsen, chief executive of the College Park, Md., company.

Users can sign up through the services’ own home pages or through a partner site, where some of the costs are absorbed into other membership fees. Loveaccess.com, an online-dating site with two million members, charges customers $145 for a year of its premium service, which requires a Trufina background check.

Currently, the services aren't in widespread use. Indeed, some consumers complain that their verified profiles aren't yet particularly helpful. Max Markidan, a 26-year-old management consultant in Arlington, Va., says he doesn't find it useful for professional networking because few users beyond dating sites appear to have adopted it. “I am married, so I can't really use Trufina at this point,” he says.

The companies’ partnerships with popular sites will make or break their adoption, analysts say, by providing them with necessary revenue and more users.

While many of the services aim to assuage privacy concerns, they may run up against them, too. Briana Doyle, a 24-year-old from New Westminster, British Columbia, joined Opinity last month hoping it would help her aggregate personal information about herself she wished to share with other people online. But she stopped short at divulging details like her address, verifying instead her user names on other Web services like Yahoo's photo-sharing site Flickr, which the service also verifies. “I didn't see any reason to put my address front and center,” says the Web editor.

The companies stress that they don't store personal information about their users. But consumers may still shrink from a service they think knows too much about them. “The minute you aggregate identity information you aggregate risk,” says Jamie Lewis, the chief executive of the Burton Group, a Salt Lake City research firm. With hackers out looking for financial information, “you create a target,” he says.

The Verification Chain

How new identity-verification services work.

  • Users sign up for a new account on a classified, social-networking or dating site and are prompted to click through to the site of an identity verifier.
  • Verification service prompts users to create profiles with details such as their age, address, and occupation.
  • Verification services — or a separate company — electronically check data in public-record databases to verify assertions.

Once it supports Information Cards, a company like Opinity might offer a card that asserts an age or marital status while ensuring that no personally identifying information is communicated.  The most important aspect of this is that users won't need to reveal secret or identifying information to anyone but the Identity Provider (Opinity, for example); the relying party receives only the claim it actually needs.

Kim Cameron too prolific a blogger?

Ted Howard, who also works at Microsoft, wrote about me recently – I'm tucked in between posts on how much he hates Southwest Airlines, how much he hates Spokane, and how much he hates presidential signing statements.  I hope there's no pattern here.

Kim Cameron is way, way too prolific of a blogger. I don't see how he can possibly find the time to read all the blogs he reads, write all the posts he posts, and still do his job as an architect.

I wonder if he just has a technology assistance team like BillG that is posting to his blog. Maybe if I had confidence about the identity of the real-world entity publishing entries on his blog, then I would know.

If you want to be overloaded with highbrow thoughts and debates on identity, head over to Kim's blog.

That's pretty funny.  Truth is, I have a bunch of friends who send me links to posts I should read, and I make time to read them.  When I've finished, I have a pretty good handle on what's happening.   

So my “technology assistance team” comes from across the industry, which has really expanded my thinking. 

But I'd prefer to call them a blogging community.  And I try to channel this back to this community.

I'd put Ted's question about how I find time to blog and do my job as an architect somewhat differently than he does.  There are all kinds of architects, who contribute in all kinds of ways.  But to me the most important thing an architect can do is see very clearly what needs to be built.  It's not that hard to come up with an idea that could be built.  But I'm talking about something different:  what needs to be built depends on understanding the objective factors that allow you to tap into some kind of historical inevitability.  That's a high bar, but when you are talking about hundreds or thousands of person years, you need a high bar.

I don't think you reach this bar by cutting yourself off and meditating – as healthy as meditation may be.  Nor do I think you do it by working on technical minutiae from morning to night – even if I might find that more relaxing. 

You have to “get out” and see what's happening.  You have to put your ear to the ground.  You have to feel the pulse of the world. 

For me the blogosphere is “essence of pulse”.  It makes me question everything.  What I've done right;  what I've done wrong.  What I've just assumed was true, or assumed that others thought. 

If you look at Cardspace and Information Cards, my work on the laws of identity was effectively architectural work on the principles of the design, even though it was done in the blogosphere. 

Identity represents a central problem of computer science – a complex problem which doesn't have a simple “algorithmic” solution.  To understand it deeply, you need to understand every side of it.  You need to “integrate the tangents”.  What better way than to share your thinking widely and have others help you figure out what is wrong and missing – in both your theory and your presentation.

So there you go – more highbrow thoughts, I fear.  Of course, let me point out one more time that I'm happy for this blog to be “the hair on the end of the long tail”.  I couldn't help thinking it was a clerical error when CNET named it one of the top 100 technology blogs.  Identityblog is super specialized.  So one man's highbrow might be another's Iggy Pop.  To me they're the same thing, and furthermore, I don't really care.  I just do my thing.


Bob Blakley joins the Burton Group

News from Ceci n'est pas un Bob (Bob Blakley): 

As of today, I've moved from IBM to The Burton Group, where my job title will be Principal Analyst. I'll be working on Identity, Privacy, Security, and Risk Management. The views expressed here are still mine, and don't necessarily reflect the positions or opinions of either employer.

Bob was a great spokesperson for IBM, wasn't he?  He's such a thoughtful person. 

I wish him the best of luck in his new role.

Yes or No?

Ben Laurie of Google writes that something important was left unsaid in the recent discussion of federation and large Internet properties:

The end result of the blog deathmatch between me, Kim, Eric and Dick was a deathly silence on what I consider to be the core issue.

OK, it's nice that Microsoft are developing identity management software that might not suck (but remember, it still doesn’t satisfy my Laws of Identity) but the question that’s being posed about Google applies equally to Microsoft, and, indeed, anyone else with an identity silo.

So, here’s the question: is Microsoft going to accept third party authentication for access to Microsoft properties?

How about it, Kim?

OK.  The answer to your question is “yes”.  Windows Live ID is going to accept third party authentication for access to Microsoft properties.

Let me quote from the Windows Live ID Whitepaper.  It seems like I gave the wrong link before, so I've checked that this one works.  I've also copied the paper onto my blog as I always do so my links will be permanent.  The original appears here.  The quote below is one of several places where these issues are discussed in the paper, so it's probably worth checking out the whole paper (about 8 pages).

How Does Windows Live ID Participate in the Identity Metasystem and Work with “InfoCard”?

Microsoft is working with others in the industry to create an identity metasystem that brings existing and future identity providers into a connected identity ecosystem and empowers end users to control the use of their identities. The Windows Live ID service will participate in the identity metasystem as one identity provider among many, able to accept claims from other identity providers and transform them so they can be used within Microsoft online services. This participation will include acceptance of self-issued and managed “InfoCards.” It will thus provide full support for the “InfoCard” identity model.

Roles of the Windows Live ID Service in the Identity Metasystem

Microsoft has published its vision of a universal identity solution that is inclusive of a plurality of identity operators and technologies—the identity metasystem. In such a metasystem, identity providers, relying parties, and subjects can select, request, transfer, transform, and consume identities through a suite of well-defined and open Web Services (WS-*) protocols. Microsoft is working to implement components of the identity metasystem, as are many other companies in the industry. As a result, various building blocks for the metasystem are being developed. Some of these components will be delivered to end users in the form of software installed and running locally on their computers and devices, while others will be online services.

The design philosophy of the identity metasystem is not to replace the existing identity systems in use today, but instead to bring these existing systems together by enabling interoperation among subjects, relying parties, and identity providers through industry standard protocols. The Windows Live ID service will participate in the identity metasystem as a “managed” identity provider already at Internet scale. Windows Live ID will bring a large base of end users and relying parties to the metasystem, taking us one step closer to Internet-wide identity federation and doing our part to help the industry move beyond the “walled garden” paradigm.

The Windows Live ID service will play several essential roles that are strategic for Microsoft. The service:

  • Is an Internet-scale identity provider intended primarily for users of Microsoft online services, which are all relying parties of the Windows Live ID service.
  • Is open and issues claims in a form that can be consumed by any relying party, any device, and any other trusted identity authority.
  • Serves Microsoft online services as a “claims transformer,” allowing those services to accept identities issued by third parties. Third-party identity providers include other Internet service providers and managed-identity providers, such as the planned Active Directory Security Token Service (STS).
  • Will be the identity provider and federating authority for third-party services and software built on top of the Microsoft online services platform.

So now some other questions remain.  Who can federate with Windows Live ID and what are the conditions?  What will the business model be?  What services will people want to use that cause them to seek to federate? 

So don't take me as sounding glib.  There are lots of important issues that the Windows Live ID folks are still thinking about.

Meanwhile your comment that “its nice that Microsoft are developing identity management software that might not suck” is one of the nicest things anyone has ever said to me, and I'll treasure it.


Windows Live ID Whitepaper

Introduction

Since its inception, the Microsoft Passport service has existed in a digital world that is increasingly multi-centered and rich in contexts. This digital world requires the sharing and federation of identities and close attention to matters of user control. These requirements have led Microsoft to evolve the Passport service continuously. To emphasize this evolution, Microsoft is changing the name of the service to something more indicative of its specific contribution to the emerging “identity metasystem”: the Windows Live ID service.

Windows Live and Office Live are Internet-based software services designed to deliver rich, seamless experiences to individuals and small businesses. The offerings combine the power of software with online services to make compelling new tools that complement Microsoft Windows and Microsoft Office products.

Microsoft online services need to know who is interacting with them—just as users need to know that the services themselves are legitimate. This mutual need requires the use of digital identities. The Windows Live ID service is designed to manage identity and trust within the Windows Live ecosystem.

For end users, the Windows Live ID service provides roaming access to the broad array of Microsoft online services. For developers, it enables over 300 million potential online users to access their applications.

What Are Windows Live ID and the “Service”?

A digital ID is a set of claims made by one entity about another.

A Windows Live ID is a set of claims that the Windows Live ID service makes.

These claims can refer to individual users, organizations, devices, and services. Initially, most claims will be based on information stored in accounts the service maintains on behalf of its users, in much the same way that Passport has worked in the past. Moving forward, the service will also rely upon the claims issued by other federated identity providers, transforming them to make sense within the Windows Live ecosystem.

What kinds of claims can a Windows Live ID contain?

  • User's e-mail address
  • Type of entity (such as organization, group, or namespace)
  • Relationships among subjects, such as:
      • Parent-child relationship
      • Administrator status or ownership of an organization, group, or namespace
      • Membership in an organization, group, or namespace
  • Authorization for specific scenarios, such as enforcement of parental controls
  • User ownership of a public-and-private key pair, for use in peer-to-peer communications

Windows Live IDs that are based on Windows Live ID accounts (as opposed to federated IDs) can be authenticated using traditional user-name/password pairs, strong passwords and security PIN combinations, and smart cards. Windows Live ID will also support the use of self-issued “InfoCards.” For example, users will be able to employ “InfoCards” to access Windows Live Mail. For more information, see “InfoCard” Support later in this document.

The Windows Live ID service also maps federated IDs supplied by other identity providers into a form that works within Microsoft online services. This is done through protocols like WS-Trust, WS-Security, and WS-Federation—widely accepted, royalty-free industry protocols that can be (and have been) implemented on any platform. WS-Security is already an OASIS (Organization for the Advancement of Structured Information Standards) standard, while WS-Trust and other related protocols are in the standardization process now. Because “InfoCards” also implement WS-Trust, the Windows Live ID service's federation servers will be able to accept “managed InfoCards” too.
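The “claims transformer” role described here (and the minimal-disclosure point made about Opinity earlier on the page) is easier to see in code. The following is an added example, not code from the whitepaper or from Microsoft: a toy security token service that accepts a token from a registered third-party identity provider, verifies it, renames the claims into an internal vocabulary, derives an “over 18” claim instead of forwarding the birthdate, drops everything the relying party did not ask for, and re-issues the result under its own key. Every name, key and the compact token format are constructed for the example; HMAC stands in for the X.509/WS-Security signatures a real WS-Trust STS would check, and the claim-mapping table is hypothetical.

```python
import base64
import hashlib
import hmac
import json
from datetime import date, datetime, timezone

# Constructed sample trust registry. Keys are shared HMAC secrets so the example
# runs offline; a real STS would pin each provider's signing certificate instead.
TRUSTED_IDPS = {
    "https://idp.example.net": {
        "key": b"example-idp-signing-key",
        # external attribute name -> name used inside the relying ecosystem
        "claim_map": {"mail": "email", "birthdate": "dob", "memberOf": "group"},
    },
}
STS_ISSUER = "urn:example:wlid-sts"   # assumed name for the transformer itself
STS_KEY = b"sts-signing-key"          # constructed sample key
NOW_SAMPLE = 1_700_000_000            # fixed clock so results are reproducible
NEVER_FORWARD = {"dob"}               # attributes only ever used to derive claims


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, issuer, audience, claims, now, ttl=300):
    """Sign a claim set as base64(payload).base64(HMAC-SHA256(payload))."""
    payload = dict(claims, iss=issuer, aud=audience, iat=now, exp=now + ttl)
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def verify_token(token, key, audience, now):
    """Check signature, audience and expiry; return the claims or raise ValueError."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        raise ValueError("malformed token")
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims.get("aud") != audience:
        raise ValueError("token not addressed to this party")
    if now >= claims.get("exp", 0):          # missing exp fails closed
        raise ValueError("token expired")
    return claims


def _age(dob_iso, now):
    born = date.fromisoformat(dob_iso)
    today = datetime.fromtimestamp(now, tz=timezone.utc).date()
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def transform(external_token, relying_party, requested, now):
    """Claims transformer: accept a trusted third-party token, re-issue it for an RP."""
    try:   # unverified peek at the issuer to select the key; verified just below
        issuer = json.loads(_unb64(external_token.split(".")[0])).get("iss")
    except (ValueError, AttributeError):
        raise ValueError("malformed token")
    idp = TRUSTED_IDPS.get(issuer)
    if idp is None:
        raise ValueError(f"untrusted issuer {issuer!r}")
    claims = verify_token(external_token, idp["key"], STS_ISSUER, now)
    internal = {idp["claim_map"][k]: v for k, v in claims.items() if k in idp["claim_map"]}
    out = {}
    for name in requested:                   # forward only what the RP asked for
        if name == "age_over_18" and "dob" in internal:
            out[name] = _age(internal["dob"], now) >= 18   # derived; dob itself never leaves
        elif name in internal and name not in NEVER_FORWARD:
            out[name] = internal[name]       # unavailable claims are simply omitted
    return issue_token(STS_KEY, STS_ISSUER, relying_party, out, now)


def demo(now=NOW_SAMPLE):
    """Run the IdP -> STS -> RP exchange end to end, including the rejections."""
    idp, idp_key = "https://idp.example.net", TRUSTED_IDPS["https://idp.example.net"]["key"]
    rp = "https://mail.example.com"
    attrs = {"mail": "alice@example.net", "birthdate": "1990-05-14", "memberOf": "staff"}
    ext = issue_token(idp_key, idp, STS_ISSUER, attrs, now)           # IdP token for the STS
    wlid = transform(ext, rp, ["email", "age_over_18", "dob"], now)   # STS token for the RP
    results = {"rp_sees": verify_token(wlid, STS_KEY, rp, now)}

    def rejected(fn):
        try:
            fn()
            return False
        except ValueError:
            return True

    body, sig = ext.split(".")
    forged = _b64(_unb64(body).replace(b"alice", b"mallory")) + "." + sig
    rogue = issue_token(b"rogue-key", "https://rogue.example.org", STS_ISSUER, attrs, now)
    stale = issue_token(idp_key, idp, STS_ISSUER, attrs, now - 3600)
    results["forged_rejected"] = rejected(lambda: transform(forged, rp, ["email"], now))
    results["untrusted_rejected"] = rejected(lambda: transform(rogue, rp, ["email"], now))
    results["expired_rejected"] = rejected(lambda: transform(stale, rp, ["email"], now))
    results["wrong_audience_rejected"] = rejected(
        lambda: verify_token(wlid, STS_KEY, "https://other.example.com", now))
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints what the relying party ends up seeing: an email address and `age_over_18: true`, with no birthdate, group or original attribute names, even though the RP asked for `dob`. The four negative cases show the checks a transformer must not skip: a tampered payload, a token from an issuer outside the trust registry, an expired token, and a token presented to a party other than its intended audience are all refused. The unverified peek at the issuer exists only to choose which key to verify with; nothing from the token is trusted until the signature check passes.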

So that customers can access Microsoft online services by using any device, the Windows Live ID service also supports specialized mechanisms (like the RADIUS protocol) for authentication from cell phones, televisions, and Xbox 360. Through these devices, Windows Live ID also supports applications that range from dial-up service to peer-to-peer instant messaging.

For developers, Windows Live ID provides programmable interfaces that reduce development time on both the client and relying-party server sides, making it easier to develop new identity-aware services for the ecosystem and new client products to access them. The Windows Live ID services are also accessible through soon-to-be-published protocols.

High-Level Architecture

The following figure is a high-level illustration of the ecosystem in the Windows Live ID world.

[Figure: high-level architecture of the Windows Live ID ecosystem]

How Does Windows Live ID Relate to Passport?

The Windows Live ID service represents the evolution of Microsoft Passport into a world based on federation. Windows Live ID will be the authentication system for all existing and future Microsoft online services. Relying parties (Microsoft properties and those of close partners) who have implemented Passport will be compatible with the Windows Live ID service.

Another area of evolution is towards support for “rich clients” using Web services. By supporting WS-Trust and “InfoCard,” Windows Live ID will extend its single sign-in framework to the Windows Communication Foundation (WCF) employed in many emerging applications.

End users will be offered an automatic upgrade path for using their Passport accounts as Windows Live IDs. Similarly, the Windows Live ID service will be backward compatible with relying parties that have already integrated with the Microsoft Passport Network. However, to take advantage of the new features and scenarios provided by the new Windows Live ID service, relying parties may have to adopt new software development kit (SDK) components and protocols.

How Does Windows Live ID Participate in the Identity Metasystem and Work with “InfoCard”?

Microsoft is working with others in the industry to create an identity metasystem that brings existing and future identity providers into a connected identity ecosystem and empowers end users to control the use of their identities. The Windows Live ID service will participate in the identity metasystem as one identity provider among many, able to accept claims from other identity providers and transform them so they can be used within Microsoft online services. This participation will include acceptance of self-issued and managed “InfoCards.” It will thus provide full support for the “InfoCard” identity model.

Roles of the Windows Live ID Service in the Identity Metasystem

Microsoft has published its vision of a universal identity solution that is inclusive of a plurality of identity operators and technologies—the identity metasystem. In such a metasystem, identity providers, relying parties, and subjects can select, request, transfer, transform, and consume identities through a suite of well-defined and open Web Services (WS-*) protocols. Microsoft is working to implement components of the identity metasystem, as are many other companies in the industry. As a result, various building blocks for the metasystem are being developed. Some of these components will be delivered to end users in the form of software installed and running locally on their computers and devices, while others will be online services.

The design philosophy of the identity metasystem is not to replace the existing identity systems in use today, but instead to bring these existing systems together by enabling interoperation among subjects, relying parties, and identity providers through industry standard protocols. The Windows Live ID service will participate in the identity metasystem as a “managed” identity provider already at Internet scale. Windows Live ID will bring a large base of end users and relying parties to the metasystem, taking us one step closer to Internet-wide identity federation and doing our part to help the industry move beyond the “walled garden” paradigm.

The Windows Live ID service will play several essential roles that are strategic for Microsoft. The service:

  • Is an Internet-scale identity provider intended primarily for users of Microsoft online services, which are all relying parties of the Windows Live ID service.
  • Is open and issues claims in a form that can be consumed by any relying party, any device, and any other trusted identity authority.
  • Serves Microsoft online services as a “claims transformer,” allowing those services to accept identities issued by third parties. Third-party identity providers include other Internet service providers and managed-identity providers, such as the planned Active Directory Security Token Service (STS).
  • Will be the identity provider and federating authority for third-party services and software built on top of the Microsoft online services platform.

“InfoCard” Support

“InfoCard” is the code name for the Microsoft implementation of an identity selector for the identity metasystem. “InfoCard” provides a consistent experience for users to manage, control, and exchange their digital identities. It is an important step towards eliminating user names and passwords as the primary mechanism by which users identify themselves. “InfoCard” provides a safer way for users to manage and exchange their digital identity information, helping to protect them from various forms of identity fraud.

For more information, see the InfoCard site in the WinFX Developer Center.

Since Windows Live ID is designed to robustly manage user identities, it will support “InfoCard” when “InfoCard” is broadly available (expected in the fourth quarter of 2006 for Windows XP, Windows Server 2003, and Windows Vista).

The current plan is that Windows Live ID will support both self-issued and third-party managed cards as a mechanism to authenticate users when accessing Windows Live services. Subsequently, Windows Live ID will also issue managed cards to enable users to use their Windows Live ID with third parties.

Together, Windows Live ID and “InfoCard” will enable users to enjoy the rich array of Windows Live services more easily than ever before.

Programmability

The Microsoft online services are designed to become an Internet programming platform for developers to build desktop applications and online services. (For more information about this platform, see the Windows Live Developer Center.)

So Microsoft must make it easy to program for the Windows Live ID service.

To simplify integration on both the server side and the client side, the Windows Live ID service will release software development kits (SDKs) later this year. In addition, the Windows Live ID service uses industry standard protocols. For cloud server-to-server scenarios, the Windows Live ID service exposes programmatic interfaces by way of SOAP services.

The Relying Party Suite (RPS) SDK makes it easier and cheaper to develop a new Microsoft Live service by providing interfaces that prepare authentication requests, decrypt, parse, and validate security tokens, and manage authentication-state cache in a browser session.

But more importantly, RPS reduces operational cost by providing support for configuration refresh—critical for partners that host services from different global geographic locations, and for times when it is necessary to change cryptographic keys.

A second SDK—the Windows Live ID Client SDK—runs on end users’ computers. This SDK makes it easier to write new client applications that understand Windows Live IDs and supports the sharing of authentication state across multiple rich clients and browsers. It also manages short-lived certificates issued by the Windows Live ID Certificate Authority; these certificates can be used in security-sensitive applications such as peer-to-peer communication channels.

Like the Relying Party Suite, the Client SDK supports the automatic configuration and refresh mechanisms critical to accommodating the Windows Live ID service's “geo-hosting” plans.

Windows Live Messenger is an example of a client built on top of the Client SDK.

Advantages of the Windows Live ID Service

Through years of developing and operating one of the largest identity providers on the Internet, Microsoft has learned valuable lessons from customers, Internet security professionals, and developer communities worldwide.

Large Scale
The Windows Live ID service is the next-generation version of a system that does over 22 billion authentications per month and is used to access a large set of online services operated by Microsoft and its close partners.

Security
Security is a priority for the Windows Live ID service, which undergoes regular audits performed by independent auditors. Microsoft is committed to investing in security to help protect customers and relying parties against ever-evolving threats.

Quality of Service
The Windows Live ID service is built on top of a highly available infrastructure, including redundant networking elements, front-end and back-end servers, and fault-tolerant software components. The services are continuously monitored by multiple automated agents including internal tools and external monitoring services. Windows Live ID is built on components that have demonstrated a high quality of service.

APIs to Speed and Simplify Deployment

The Windows Live ID service is designed with development support in mind. All functionality is exposed through programmable SOAP interfaces that will be published soon. The Relying Party and Client SDKs ease development efforts for both relying-party services and rich-client applications, and help to deliver robust and efficient components to run on relying party servers or end-user computers. The SOAP interfaces are documented and will be available to all, enabling Windows Live ID services to be used in contexts not using the other SDKs.

Seamless User Experiences

The Windows Live ID service delivers a seamless user experience across client applications and Web browsers accessing relying-party services.