Jamie Lewis on Open Specification Promise

The Burton Group's CEO, Jamie Lewis, discusses the OSP and what it means for the identity community: 

As has been widely reported, Microsoft announced its Open Specification Promise last week. A lot of folks have already posted about it (see here, here, and here ). But, given the overall importance of the announcement to the identity community, I wanted to make our thoughts on the subject known, and to give credit where it’s due. (Note: This entry is cross posted at both my blog and our new Identity and Privacy Strategies blog.)
In summary, Microsoft has decided to offer the Open Specification Promise (OSP) for the Web services protocols that support CardSpace in particular, and the InfoCards architecture in general. The OSP provides an alternative to Microsoft’s “reasonable and non discriminatory/royalty free” (RAND/RF) licensing agreement, which most open source developers didn’t like. As I understand it, the OSP essentially provides an assurance that Microsoft won’t sue anyone implementing the specifications covered by the document. So developers don’t even have to agree to a license; they can implement the covered specifications without fear of being sued. (With certain, mostly comprehensible exceptions.)

Before I comment on the OSP, however, let me first provide the disclaimer almost every technologist I talk with about licensing issues gives me: I’m not a lawyer, and so my comments should in no way be construed as having legal weight. (If you’d like to see an analysis of the OSP document from a legal perspective, see Andy Updegrove’s excellent post from last week.) But Microsoft’s announcement has more than legal ramifications. Microsoft’s move could have a significant impact on the market, and that’s where we come in.

In short, the OSP is a significant, positive step forward for both Microsoft and the community working to create a better identity infrastructure for the Internet. The people who have been tirelessly advocating the move within Microsoft deserve an enormous amount of credit for making it happen. (Kim Cameron deserves some special recognition at this point in what has been a long process.) At this point, one of the most significant obstacles to widespread development around the InfoCard architecture has been removed, and that’s good news for everyone involved.

Some Background

I’ve been following the InfoCard effort for a long time with a great deal of interest, primarily because I’ve always thought it was a great idea. But I also had some concerns about how it would be received in the market, at least early on. Circa 2002, it was fair to say that, given Microsoft’s history, any idea the company put forward for addressing the identity problem—regardless of its merit—would likely meet large amounts of skepticism and, at least in some cases, outright resistance from many market players.

From the first time he ever spoke with me about the functionality we now know as CardSpace, for example, Kim has been consistently insistent about the need for and importance of cross-platform support. I certainly agree that a consistent user experience—regardless of the operating system and device a person chooses to use—is profoundly important to addressing the identity problem. But I’ll have to admit that I wondered many times if Microsoft would really let Kim do what he thought needed to be done. And as I talked with other folks about InfoCard as the concept began to take shape, I heard more than a few people express varying degrees of skepticism about Microsoft’s true intentions or Kim’s ability to convince the powers that be to move in a more open direction.

But by decidedly atypical and relentless means, Microsoft has done a great deal of what seemed nearly impossible only a few years ago, overcoming the skepticism and building good will. Consequently, there is a palpable and sincere desire on the part of a lot of people to implement the InfoCard technologies. And three or four years ago, many of these people wouldn’t have even considered working with Microsoft on a beer run, much less an identity system.

Still, licensing was a huge obstacle to seeing that good will and intention translated into demonstrable action and working code. With only a few exceptions, everyone I talked to over the last six months or so—from open source developers to commercial software companies—indicated that until the licensing issue had been put to bed, they really couldn’t (or wouldn’t) build anything. And they had a point. Were I in their shoes, I would insist on clear licensing terms as well.

Enter the OSP

With the OSP, then, Microsoft has taken what is for it a bold step, removing one of the most significant obstacles to widespread InfoCard development. The OSP makes it clear that Microsoft isn’t laying some elaborate and sinister trap for everyone, that it truly is offering something of significant value to the industry and a huge opportunity to developers looking to build better identity management systems.

Yes, there are still some details to work out (I’ll get to those in a moment). And yes, neither CardSpace nor InfoCard’s supporting system are slam dunks in today’s transitional market place. But the OSP is concrete evidence that even those with valid reasons to doubt Microsoft’s sincerity are running out of excuses for ignoring InfoCard. Without it, the overall InfoCard effort was stymied. With it, the InfoCard effort can move forward in the way Kim has always intended. And for that both Kim and Microsoft deserve recognition and gratitude.

About Those Remaining Issues

Several folks have commented that it’s not just the specifications that matter, but the implementation details. And they’re right. (While I’ve heard similar things from a few people, most of these issues are summarized in the Higgins project’s draft response to the OSP.)

Microsoft has published an implementation guide for CardSpace, but the details it includes on how to implement the specifications covered by the OSP aren’t covered by the OSP. (You can find the guide, as well as other details on implementation, on MSDN.) In particular, there are schema and meta-data models that are crucial to getting what Paul Trevithick calls “functional equivalence” with CardSpace on other platforms. The CardSpace user interface is an equally important issue. While efforts like the Higgins Trust Framework may not copy the CardSpace UI down to every pixel, interoperable implementations must emulate the basic sequence of events in the CardSpace interface (what Kim Cameron has called “ceremony”) if we’re to get the common user experience to which Kim aspires. These implementation details must be covered by the same kind of promise.

But if Microsoft can accomplish what’s embodied in the OSP as it now stands, then it seems reasonable to assume that what remains is haggling over details, that the licensing issue is finally on a downhill path. In other words, the fat lady has sung, and we’re just waiting for the coda. And now the onus has shifted to those who have professed a willingness to implement InfoCard technologies and interoperate with Microsoft if the licensing details could be favorably resolved. Microsoft is living up to its end of the bargain, and now it’s your turn. Those who’ve already started development, without waiting on the licensing issues, have some advantage. My advice to those who have been waiting? Get busy.

Could the world be upside down?

In my last post I shared Jon Udell's conversation about “translucent databases” as a way to protect us from identity catastrophes.  He mentions a lender (e.g. Prosper) who needs information from a credit bureau (e.g. Equifax) about a borrower's reputation.

I'll start by saying that I see the credit bureau as an identity provider that issues claims about a subject's financial reputation.  The lender is a relying party that depends on these claims.

The paradigm currently used is one where the borrower reveals his SSN (and other identifying information) to the lender, who then sends it on to the credit bureau, where it is used as a key to obtain further reputation and personal information.  In other words, the subject deals with the lender, and the lender deals with the credit bureau, which returns information about the subject.

There are big potential problems with this approach.  The lender initially knows nothing about the subject, so it is quite possible for the borrower to pose as someone else.  Further, the borrower releases someone's SSN to the lender – as each of us has given ours away in thousands of similar contexts – so if the SSN might once have been considered secret, it becomes progressively better known with every passing day.

What's next?  The lender uses this non-secret to obtain further private information from the identity provider – and since the user is not involved, there is no way he or she can verify that the lender has any legitimate reason to ask for that information.  Thus a financial institution can ask for credit information prior to spamming me with a credit card I have not applied for and do not want.  Worse still, as happened in the case of Choicepoint, an important opportunity to determine that criminals are phishing for information is lost when the subject is not involved.

Jon proposed ways of changing the paradigm a bit.  He would obfuscate the SSN such that a service operated by the user could later fill it in on its way from the lender to the credit bureau.  But he actually ends up with a more complex message flow.  To me it looks like the proposal has a lot of moving parts, and makes us wonder how the service operating on behalf of the user would know which lenders were authorized.  Finally, it doesn't answer Prosper's claim that it needs the SSN anyway to submit tax information.

Another simpler paradigm

I hate to be a single trick pony, but “click, clack, neigh, neigh”.  What if we tried a user-centric model?  Here's a starting point for discussion:

The borrower asks the lender for a loan, and the lender tells him which credit bureaus it will accept a reputation from. 

The borrower then authenticates to one of those credit bureaus.  Since the bureaus know a lot more about him than the lender does, they do a much better job of identifying and authenticating him than the lender can.  In fact, this is one reason why the lender is interested in the credit bureau in the first place.

The credit bureau could even facilitate future interactions by giving the subject an InfoCard usable for subsequent credit checks and so on.  (Judging by the email I constantly get from Equifax, it looks like they really want to be in the business of having a relationship with me, so I don't think this is too far-fetched as a starting point).

After charging the borrower a fee, the credit bureau would give out a reputation coupon encrypted to the lender's key.

The coupon would include the borrower's SSN encrypted for the Tax Department (but not visible to the lender).  The coupon might or might not be accompanied by a token visible to the borrower;  the borrower could be charged extra to see this information (let's give the credit bureaus some incentive for changing their paradigm!)

When the lender gets the coupon, it decrypts it and gains access to the borrower's reputation.  It stores the encrypted version of the borrower's SSN in its database (thus Jon's goal of translucency is achieved).  At the end of the year it sends this encrypted SSN to the tax department, which decrypts it and uses it as before.  The lender never needs to see it.

All of this can be done very simply with Information Card technology.  The borrower's experience would be that Prosper's web site would ask for an Equifax infocard.  If he didn't have one, he could get one from Equifax or choose to use the old-world, privacy-unfriendly mechanisms of today.

Once he had an InfoCard, he would use it to authenticate to Equifax and obtain the token encrypted for Prosper.  One of the claims generated when using the Equifax card would be the SSN encrypted for the Tax Department. 

When you use an Information Card, the identity selector contacts the identity provider to ask for the token.  This is how the credit bureau can return the up-to-date status of the borrower.  This is also how it knows how to charge the borrower, and possibly, the lender.
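The coupon flow sketched above, with the SSN sealed for the tax department inside a reputation token sealed for the lender, as an added Go example that is not code from the original post or from any CardSpace or Information Card implementation; it also realizes the translucent storage Jon asks for in the post quoted further down this page. It uses RSA-OAEP plus AES-GCM as a stand-in for whatever token encryption a real security token service would negotiate, and every party name, score and SSN value is a constructed placeholder.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"io"
)

// Envelope is a hybrid ciphertext: an AES-256-GCM body whose one-time key is
// wrapped with RSA-OAEP to one recipient's public key. Others can only store it.
type Envelope struct {
	WrappedKey []byte `json:"wrapped_key"`
	Nonce      []byte `json:"nonce"`
	Body       []byte `json:"body"`
}

// newParty makes a key pair for one of the parties (lender, tax department).
func newParty() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealTo encrypts plaintext so that only the owner of pub can read it.
func sealTo(pub *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit AES key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return Envelope{}, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := aead(key)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Body: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// openWith decrypts with a private key; the wrong key yields an error, never a plaintext.
func openWith(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Body, nil)
}

// Coupon is the bureau's reputation token. Subject and Score are the lender's
// claims; SealedSSN is addressed to the tax department and relayed by the lender unread.
type Coupon struct {
	Subject   string   `json:"subject"` // bureau's handle for the borrower, not the SSN
	Score     int      `json:"score"`
	SealedSSN Envelope `json:"sealed_ssn"`
}

// issueCoupon is the bureau's step after it has authenticated the borrower:
// seal the SSN for the tax department, then seal the whole coupon for the lender.
func issueCoupon(lenderPub, taxPub *rsa.PublicKey, subject string, score int, ssn string) (Envelope, error) {
	inner, err := sealTo(taxPub, []byte(ssn))
	if err != nil {
		return Envelope{}, err
	}
	plain, err := json.Marshal(Coupon{Subject: subject, Score: score, SealedSSN: inner})
	if err != nil {
		return Envelope{}, err
	}
	return sealTo(lenderPub, plain)
}

// lenderAccept is the relying party's step: open the outer envelope and keep the
// coupon, SSN still sealed, as its translucent database record. At year end the
// lender forwards c.SealedSSN unchanged, and only the tax department can open it.
func lenderAccept(lenderPriv *rsa.PrivateKey, env Envelope) (Coupon, error) {
	plain, err := openWith(lenderPriv, env)
	if err != nil {
		return Coupon{}, err
	}
	var c Coupon
	err = json.Unmarshal(plain, &c)
	return c, err
}
```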

InfoCard protocol flow

In my view, the problem Jon has raised for discussion is one of a great many that have surfaced because institutions “elided” users from business interactions.  One of the main reasons for this is that institutions had computers long before it could be assumed that individuals did. 

It will take a while for our society to rebalance – and even invert some paradigms – given the fact that we as individuals are now computerized too.

Jon Udell and InfoCards…

Good news and a good question from Jon Udell.

Last night I logged into your identity blog using Chuck Mortimore's Firefox extension — very cool!

It's great to see Jon excited about Information Cards.

Now on to that really good question…

It reminded me to ask you something I've been wondering about. How might following scenario map onto this technology:

  1. I join a site (A) that wants to communicate a doc containing my SSN to another site (B)
  2. Instead of allowing A to hold my SSN, I require A to flow SSN-bearing documents through me enroute to B.
  3. When the doc arrives, I tack on the SSN. If A must see the doc again before handing off to B, I encrypt the SSN for B's eyes only.
  4. Along with the SSN I attach a use-once-only-and-then-discard request directed at B.

(In the example I've been exploring on my blog, and in a podcast with Phil Windley, A is Prosper.com and B is Experian or Equifax.)

It would be interesting to know whether (and if so, how) the Cardspace tech could apply here. Some questions I've thought of:

At step 2, do we construe me as the identity provider asserting the claim that is my SSN?

Since I am not always online — and assuming the protocol tolerates asynch delay — would we model this as my use of a self-asserted SSN-bearing InfoCard in a B context that was set up by A?

I was a bit confused without referring back to Jon's blog, so here's the piece with which he began the discussion:

Back in 2003 I was trying to drum up interest in Peter Wayner’s book, Translucent Databases, which shows how to build and operate databases whose contents are opaque to their operators. Three years later, there’s still no serious discussion of why translucency should be a key architectural principle, or how it might be applied.

A couple of recent examples show why it’s an issue that belongs on IT’s agenda. The first involves Prosper, a service whose tagline is “people-to-people lending.” Using a social network to broker connections between groups of borrowers and groups of lenders, Prosper aims to do for loans what eBay has done for auctionable goods. I wanted to invest a small amount as a lender in order to find out more about how the system works, so I began the sign-up process. To enable a credit check, Prosper asked for my Social Security number. That seems like an obvious requirement but, when you stop and think, why should it be? Prosper doesn’t actually need to receive and store that number. It only needs to relay it to Equifax, Experian, and TransUnion.

If Prosper ran its database translucently, I would be able to encrypt the number so that nobody inside Prosper, legitimate or otherwise, could read it. Equifax and others would ask me to unlock it. Ideally they’d promise to use it once and then discard it.

At this point, of course, it becomes clear that Prosper shouldn’t need to store my encrypted number in its database. It should only need to sign a request to the bureaus for a credit check. The request should then bounce to me, acquire my encrypted Social Security number along with permission for one-time use, and hop along to the bureaus. This protocol won’t work synchronously, but it doesn’t have to. If asynchronous message flow gives me the control I want, that’ll be just fine.

Translucency shouldn’t apply to only databases; it should govern service networks too. Unfortunately, with the lone exception of SSL, every effort to make cryptographic protocols useful to ordinary folks has gone down in flames. How will that ever change?

Quixotic jousts with the likes of Prosper over individual Social Security numbers won’t move the needle. But AOL’s recent data spill, or another such Exxon Valdez-like disaster, just might. “My goodness,” said Thelma Arnold, AOL’s user #4417749, when her search history was linked to her identity and revealed to her. “It’s my whole personal life.”

It’s time for a public conversation about the uses and limits of translucency. Is it really necessary to retain my Social Security number, or my search history, in order to provide a service? If not, what does it cost the provider of a service — and cost the user, for that matter — to achieve the benefit of translucency? Is this kind of opt-out a right that users of services should expect to enjoy for free, or is it a new kind of value-added service that provider can sell?

Realistically, given the very real technical challenges, I think it would have to be a service. Until recently, that hadn’t been a service that many folks would have considered paying for. But Thelma Arnold and 658,000 other AOL customers probably see things differently now. If you’d rather not be liable for storing more of your customers’ data than is strictly necessary, that’s a step in the right direction.

This is one of several related items, all of which are interesting.  I'll let you rest your eyes, and respond in my next post.

Identityblog and your identity information

Matt, a reader who downloaded Ian Brown's early version of Information Cards for Safari, wrote to me with the following question:

I just signed up to your identity blog using the Safari CardSpace selector you mentioned on your blog.

I'm interested to know whether the (genuine) identity data in my CardSpace selector (populated out of my Address Book entry I think) is transmitted to you, if it is where it is stored, and what is done with it and to protect it.

Matt is unclear about what information he has sent to Identityblog because the Safari and Firefox user interfaces don't yet deal with displaying what subset of the information in a card is being asked for by the site he is visiting. 

That's because the current versions are very much prototypes and works in progress.  As Ian says on his blog:

This is currently still at the proof of concept stage, and is lacking most of the features found in the official CardSpace selector from Microsoft.

This being said, I have verified that the demo Firefox selector only releases required claims, and I'm pretty sure the Safari selector follows suit. 

The current Cardspace interface design was refined through ongoing “usability work” in which we encountered this kind of confusion and explored (and measured the efficacy of) different alternatives for avoiding it.

As a result, when you release any new information to a site within Cardspace you see a screen like this one:

It doesn't matter whether a user has filled out other fields in their chosen Information Card.  Only the fields asked for by the site will be presented for approval.  Then the user can decide whether to proceed or not.

On subsequent visits to a site, the information release screen is not shown by default.  The thinking is that once information has been released once, it forms part of the “contract” between the user and the site.  If we were to ask the user to “approve” the release time after time, the release page would become nothing more than a “click through page” – meaning the user wouldn't even “see” it.

As for what I store, my approach is to ask for as little information as I can. 

I request an email address so I can verify that you are not a spammer, and so you can change your infocard by using the email address as an “alternate authentication channel” (more on this in a future post).  I'm working with some friends on a version where we won't store the actual email address – we will use a hash of it instead so we can recognize you but not expose your address to possible breaches.

I also store what you've given me as a first and last name because WordPress uses that to show who has written posts and comments.  I will eventually change this so I only store your names once you have written a post or comment (i.e. done something ‘public’).

Identityblog effect

It seems like I ended up sending too many people to Chuck Mortimore's server at once. At 11:40 am he wrote:

Looks like Kim's two new posts have melted my server. He's the slashdot of the Identity world.

Sorry – the crack sys-admin team has been deployed. Hopefully we're back up soon!

By 1:00 pm he added:

Thanks to Ian, Ebe, and a new router, xmldap.org is back online.

Kim – you owe us $65.00 🙂

One of the mysterious things about RSS is the “publication effect”. 

Mortimore publishes code for managed information cards

Amazing news from Chuck Mortimore at xmldap.org – source for java-based managed cards:

I've just checked in code that can create Managed Cards that import into CardSpace RC1.

To allow people to play around, I've also added a quick little web app, which creates cards for you. You can try this out at:

https://xmldap.org/sts/cardmanager

If you'd like to try it out, you can download the source from http://xmldap.org

InfoCards for Firefox users

From Chuck Mortimore at xmldap.org

It sounds like Craig Burton has been having trouble with the demo Cardspace Selector I put together for Firefox. I'm not sure what trouble he's been having, but I thought I'd toss up some quick instructions, and a screen cast.

Step 1) Make sure you're on Firefox 1.5 or greater.

Step 2) Make sure you've got J2SE 1.4x installed on your machine. The xmldap selector doesn't use any .net or Microsoft code…it's a cross-platform implementation written from scratch in Java. You can hit http://java.sun.com if you need to download a JDK

Step 3) Go to http://xmldap.org and download the Firefox extension. You may need to allow the popup blocker to trust my site. Restart firefox.

Step 4) Go to a Cardspace enabled site like xmldap, identityblog, or ping

Step 5) Click to login, create a card, and submit.

Note that you'll still get a warning saying: “Additional plugins are required to display all the media on this page” Ignore it…I haven't figured out how to make it go away yet. Please email me or comment if you know!

Craig and others – email me at cmort at xmldap.org if you have questions or issues!

When I tried it I was using an earlier version of Firefox and had no luck – so make sure you get onto Firefox 1.5 or later.

By the way, this is a must-see demo not only for its general coolness, but for the special coolness of its sound track.  It's really a wonderful, no-nonsense piece of work.

Pretexting and Privacy

I've never seen Craig Burton write about privacy before.  Clearly he's had enough of the recent goings-on: 

  1. I was listening to Talk of the Nation on National Public Radio this afternoon. There was a good discussion going on sparked by the fiasco that happened at HP the last few weeks. Since I cover lexicon, identity, and security, I thought it would be a good idea to cover some of the conversation.
  2. What has emerged new to the general conversation is the term “pretexting”. This is the practice that investigators–both private and internal–use to pretend that they are someone else to obtain personal information from service companies. This includes the phone company, cell phone companies, banks, utilities, county ownership records, and other private and public agencies.
  3. This is not a new term, but one that is getting public recognition as a result of the HP fiasco.
  4. According to the conversation that I heard, there is a synonymous term in the hacker community for pretexting called “social engineering.” There are some states that have made pretexting and social engineering illegal. California, Tennessee and Florida are exceptions maybe. This is a gray area and is only coming to light after these events.
  5. The previous hacker turned consultant in the conversation is the author of the book The Art of Deception.
  6. Here is my take on this. The government and agencies are not going to be able to cope with this problem. This means that it is your responsibility to protect yourself. There are a few major areas that you can focus on that will help you.
  7. Use InfoCards for login when you can. I admit this is new stuff, but it is fundamental in protecting your information from phishing and hijacking. InfoCard technology will change the future of hackers and thieves. You can support this by understanding it and using it.
  8. Stop using common methods of identification. Your social security number, your mother's maiden name and your birth place are readily accessible to social engineering agents.
  9. Use encryption for your data and emails. There are several technologies that will help you with this. You can do it at work and for your personal emails where needed. Without encryption, you have to assume that your emails are totally accessible to anyone who wants them. The current email technology is hackable and in clear text that is readable by anyone.
  10. You have to assume that at work, there are people keeping track of what you do with your computer. This is an issue, but you can also understand that your employer probably doesn't have the resources to look that closely at what you do.
  11. However, they also had a guy on the program that was being offered a job–a high profile and high paying job–that was revoked after the person had some email conversations about the terms of employment with his attorney. The company actually monitored his email conversations and gave him the choice of resigning or being fired as a result of the interchange. Scary.

Ms. Dunn at HP has struck a deal with the HP board to resign as a result of the press and fiasco. Did she know what the legal dept. was doing? Probably not. My opinion is that she should have found out on an issue of this importance and that she should probably step down now and not later.

I appreciate his comment about the role of Cardspace. 

And while we're talking about Craig, has everyone seen his recent Poser sculpture entitled “If I just give this Web 2.0 bubble a flick, nobody will get hurt, right?”:

A take on Microsoft, OSP and Open Source

Here is how Martin LaMonica from CNET interprets the Open Specification Promise:

The software giant on Tuesday published the Microsoft Open Specification Promise, a document that says that Microsoft will not sue anyone who creates software based on Web services technology, a set of standardized communication protocols designed by Microsoft and other vendors.

What's new…
Microsoft has promised not to sue anyone who creates software based on Web services technology covered by patents it owns.

Bottom Line
The move reflects how Microsoft has had to come to terms with open-source products and development models.

Reaction to the surprise news was favorable, even from some of Microsoft's rivals.

“The best thing about this is the fundamental mind shift at Microsoft. A couple of years ago, this would have been unthinkable. Now it is real. This is really a major change in the way Microsoft deals with the open-source community,” said Gerald Beuchelt, a Web services architect working in the Business Alliances Group in Sun Microsystems’ chief technologist's office.

Microsoft has never sued anyone for patent infringement related to Web services. But its pledge not to assert the patents alleviates lingering concerns among developers who feared potential legal action if they incorporate Web services into their code, said analysts and software company executives.

Open-source developers, for example, should have fewer worries about writing open-source Web services products. Also, other software companies could create non-Windows products that interoperate with Microsoft code via Web services.

The move reflects how Microsoft has had to come to terms with open-source products and development models.

When Linux began to take hold in the late 1990s, company executives seemed shaken by the shared code foundations of the open-source model. CEO Steve Ballmer famously called Linux a “cancer,” while founder Bill Gates derided the “Pacman-like” nature of open-source licensing models.

Other Microsoft executives, such as Windows development leader Jim Allchin, have in years past painted open source as “an intellectual property destroyer.”

But in the past two years, Microsoft has stepped up its Shared Source program, in which it gives free access to source code under terms similar to those in popular open-source licenses. It has also said it will make Windows-based products work better with those from other vendors, including Linux and other open-source software.

Standards in play
To be sure, Microsoft, which spends more than $6 billion a year on research and development, remains committed to generating proprietary intellectual property. In some cases, that means commercial licensing, rather than opening up access to others.

“In the future, I am sure we will take positions on IP (intellectual property) that will not be so agreeable to various constituencies,” wrote Jason Matusow, Microsoft's director of standards affairs, in his blog.

In the case of Web services, having a pledge not to assert patents around these protocols–which are the communications foundation of Vista, the next version of Windows due early next year–helps drive adoption of those standards in the marketplace, said analysts and software company executives.

Open-source projects, in particular, have become powerful forces within the industry for establishing standards, both de facto and those sanctioned by standards bodies.

“I expect that more and more vendors will realize that a software standard cannot be successful if the relevant patents are incompatible with open-source licenses and principles,” said Cliff Schmidt, vice president of legal affairs at the Apache Software Foundation, which hosts several open-source projects.

Patent pledges of various forms have become more common, he noted. Sun recently said that it would not assert patents relating to the SAML (Security Assertion Markup Language) standard and the OpenDocument Format. IBM gave open-source communities access to 500 patents last year.

More to come?
Microsoft's Matusow said that the Open Specification Promise is part of the company's efforts to “think creatively about intellectual property.”

For the Open Specification Promise, the company sought input from open-source legal experts, including Red Hat's deputy general counsel Mark Webbink and Lawrence Rosen, an open-source software lawyer at Rosenlaw & Einschlag in Northern California.

Matusow said Microsoft is still a big believer in intellectual property but added that the company has chosen a “spectrum approach” to it, which ranges from traditional IP licensing to more permissive usage terms that mimic open-source practices.

“That is the point of a spectrum approach. Any–and I do mean any–commercial organization today needs to have a sophisticated understanding of intellectual property and the strategies you may employ with it to achieve your business goals,” he said.

The current Open Specification Promise does not specifically cover CardSpace, formerly called InfoCard. But the promise not to assert patents could be extended from current Web services standards, said Michael Jones, Microsoft's director of distributed systems customer strategy and evangelism.

“Licensing additional specifications under these same terms should be much easier to do at this point, but I obviously can't make public commitments yet beyond those we already have buy-off on,” Jones said on a discussion group at OSIS, the open-source identity selector project.

Old concerns
Web services standards are authored by several vendors, often including Microsoft and IBM, and are built into products from many vendors.

IBM lauded the move in a statement on Wednesday. “We've provided open-source friendly licenses for Web services specifications and have made non-assert commitments for a broad set of open-source projects including Linux,” said Karla Norsworthy, vice president for software standards at IBM.

Web services specifications are standardized in the World Wide Web Consortium and in the Organization for the Advancement of Structured Information Standards. Both bodies allow people to license standards either royalty-free or on so-called RAND terms (reasonable and non-discriminatory terms).

But Microsoft's Open Specification Promise goes a bit further. It means that developers at Apache projects, for example, no longer have to worry about Microsoft asserting Web services patents down the road, said Apache's Schmidt.

Similarly, Rosen said that the “OSP is compatible with free and open-source licenses.”

That clarity is a far cry from the early days of Web services, which took shape around 2000, when Microsoft and IBM teamed with others to improve system interoperability using XML-based protocols.

Lingering concerns remained among outside developers and were points of dispute in some Web services standardization efforts.

In 2000, Anne Thomas Manes was the chief technology officer of a Web services start-up called Systinet. The venture capitalist backers of the company were nervous that implementing these newly published specifications, created by other companies, could lead to lawsuits down the road, she said.

Until now, there was still a “niggling concern” that Microsoft would sue people. Back in 2000, Systinet decided to accept the risk of creating software based on specifications created by others, even though they did not have a license, she said.

“We went ahead and did it anyway despite the risk, because we were of the impression that Microsoft and IBM really wanted people to implement it,” she said.

To me it isn't really very surprising that Microsoft is doing everything it can to co-operate with everyone else in the industry on fundamental infrastructure like identity and web service protocols. It suddenly seems like this is being made into a bigger deal than it really is. That said, I'm really glad that lingering doubts about our intentions are dissipating.

Cardspace in the enterprise – part .001

Joris Evers at CNET wrote a piece that captures my presentation to the recent Digital Identity World. 

In a session called “Understanding Cardspace in the Enterprise”, Patrick Harding from Ping Identity went through a series of use cases and scenarios at a very practical and convincing level, and then Ashish Jain gave an amusing and clear demo of how Active and Passive technologies could be used together to solve the Enterprise's identity problems. I'll try to get links to those presentations for the blog.

To build on this at a more theoretical level, I talked about where all of this is going within a longer term perspective, and in terms of fundamental dynamics. 

The main idea I tried to convey was that if we made access control natural and easy enough that everyone could control it – and understand it – we wouldn't need to delegate nearly as much to layers of professional configuration experts as we do today. 

That isn't to say there shouldn't be corporate oversight or purely automated systems, but if the technology works well enough, oversight can be done as it is in other fields – by setting behavioral procedures and auditing them.

One thing that Joris didn't pick up on – it seems I wasn't clear enough about it – is that I'm not saying we solve all these problems in Vista.  

We make big strides with information cards, but need to get the access control side of things up to the same standard in terms of visualization and natural interface.  So I hope everyone understands I was expressing a vision that we could begin discussing, not doing a sales pitch for a specific product.

By using technology known as Windows CardSpace, formerly code-named InfoCard, individuals in an organization could grant access to outsiders without having to involve the IT department, Kim Cameron, identity and access architect at Microsoft, said in a presentation Wednesday at the Digital ID World Conference here.

“The main role of information cards in the enterprise is to devolve access control to the resource owners,” Cameron said. “Setting access control policies becomes a naturalistic and intuitive and visual process.”

With today's systems, granting a third party access to a corporate resource has become fraught with red tape, stifling business, Cameron argued. With CardSpace, owners of certain information resources at an organization can easily unlock those to specific outsiders by making their own risk assessment, he said.

“My belief is that trust is local,” Cameron said. “Make the granting of access easy enough so that users can do it, albeit under adult supervision.”

Layers of bureaucracy have arisen from the lack of efficiencies in today's identity management technologies, Cameron said. Typically, any kind of access control is handled by a specific department in an enterprise because the technology is very complex, he said.

“Business people can't actually do directly the kinds of things that they want because it is too hard,” Cameron said. “If we continue to organize this by doing it all in a centralized, bureaucratic way, then you end up with solutions that are increasingly complex.”

CardSpace is a component of the Microsoft .NET Framework version 3.0, which was formerly called WinFX. Microsoft has been promoting the technology as a way to make using digital identities easier and safer and replace username and password as the means of verifying identity on the Internet.

Microsoft envisions the use of CardSpace and granting access in Windows Vista to be as simple as using a Word processor. Vista, the successor to Windows XP, is due to be broadly available in January.  (Kim's note:  this is where I want to make it clear that making access control as simple as we've made identity assertion still requires a lot more research.)

“Nowadays nobody has to go and learn how to do word processing; everybody knows how to do it. That is the kind of approach that will allow us to really have secure controlled access that works for business purposes,” Cameron said.