{"id":934,"date":"2008-03-06T08:03:33","date_gmt":"2008-03-06T16:03:33","guid":{"rendered":"\/?p=934"},"modified":"2008-03-06T12:47:06","modified_gmt":"2008-03-06T20:47:06","slug":"microsoft-to-adopt-stefan-brands-technology","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=934","title":{"rendered":"Microsoft to adopt Stefan Brands&#8217; Technology"},"content":{"rendered":"<p>The Internet may sometimes randomly &#8220;forget&#8221;.\u00a0 But in general it doesn&#39;t.\u00a0<\/p>\n<p>Once digital information is released to a\u00a0few parties, it really <em>is<\/em> &#8220;out there&#8221;.\u00a0 Cory Doctorow <a href=\"http:\/\/www.guardian.co.uk\/technology\/2008\/jan\/15\/data.security\">wrote\u00a0recently\u00a0<\/a>about what he called\u00a0<a href=\"\/?p=921\">the half-life<\/a>\u00a0of personal information, pointing out\u00a0that personal information doesn&#39;t just &#8220;dissipate&#8221; after use.\u00a0 It hangs around like radioactive waste.\u00a0 You can&#39;t just push a button and get rid of it.<\/p>\n<p>I personally think we are just beginning to understand what it would mean if everything we do is both remembered and automatically related to everything else we do.\u00a0 No evil &#8220;Dr. 
No&#8221; is necessary to bring this about, although evil actors might accelerate and take advantage of the outcome.\u00a0\u00a0Linkage is just a natural tendency of\u00a0digital reality, similar to entropy in the physical world.\u00a0 When designing physical systems\u00a0a big part of our job is countering entropy.\u00a0 And in the digital sphere,\u00a0our designs need to counter linkage.\u00a0<\/p>\n<p>This has led me to the idea of the &#8220;Need-to-Know Internet&#8221;.<\/p>\n<p><strong>The Need-to-Know Internet<\/strong><\/p>\n<p>&#8220;Need to Know&#8221; thinking\u00a0comes from the military.\u00a0 The precept is that if\u00a0people in dangerous situations\u00a0don&#39;t know\u00a0things <strong><em>they don&#39;t need to know<\/em><\/strong>, that information can&#39;t leak or be used in ways\u00a0that increase danger.\u00a0 Taken as a starting point, it leads to a safer environment.<\/p>\n<p>As Craig Burton pointed out many years ago, one key defining aspect of the Internet is that everything is equidistant from everything else.\u00a0<\/p>\n<p>That means we\u00a0can get easily to the most obscure possible resources, which makes\u00a0the Internet\u00a0fantastic.\u00a0 But\u00a0it also means\u00a0unknown\u00a0&#8220;enemies&#8221; are as &#8220;close&#8221; to us as our &#8220;friends&#8221; &#8211; just a packet away.\u00a0 If something is just a packet away, you can&#39;t see it coming, or prepare for it.\u00a0 This aspect of digital\u00a0&#8220;physics&#8221;\u00a0is one of the main reasons the Internet can be a dangerous place.<\/p>\n<p>That danger can be addressed by adopting a need-to-know approach to the Internet.\u00a0 As little personal information as possible should be released, and to the smallest possible number of parties.\u00a0 Architecturally, our infrastructure should lead naturally to this outcome.<!--more--><\/p>\n<p><strong>Need-to-Know and Minimal Disclosure<\/strong><\/p>\n<p>CardSpace is an important\u00a0step in this direction &#8211; 
offering much less visibility of identity providers onto users&#8217; activities than &#8220;redirection protocols&#8221; like SAML, WS-Federation and OpenID, which reveal the DNS names of all the sites you employ,\u00a0continuously, in real time.\u00a0 On the contrary, when using self-issued cards,\u00a0CardSpace transmits no\u00a0linking artifacts that allow one party to collude with another about your identity.<img border=\"0\" vspace=\"30\" align=\"right\" src=\"\/wp-content\/images\/2008\/03\/linkage-4.jpg\" hspace=\"10\" \/><\/p>\n<p>However, with managed cards carrying claims asserted by a third party authority, it\u00a0has\u00a0so far been\u00a0impossible, even for CardSpace, to completely avoid artifacts that allow linkage. (I&#39;ve treated\u00a0these issues in depth\u00a0in\u00a0my\u00a0<a href=\"https:\/\/www.identityblog.com\/?cat=47\">Series on Linkage<\/a>.)\u00a0 Though relying parties are not able to collude with\u00a0one another, if they collude with the identity provider, a set of claims can be linked to a given user even if they contain no obvious\u00a0linking information.<\/p>\n<p>The\u00a0reason is that to\u00a0prevent a\u00a0set of claims from being\u00a0shared and replayed,\u00a0we need an identifier and\/or\u00a0&#8220;proof key&#8221; in it.\u00a0 The authority then needs to <em>sign the identifier and key<\/em> as well as the claims.\u00a0<\/p>\n<p>With conventional (e.g. 
RSA) technology, any set of claims presented to a site will have the signature\u00a0present, and so can potentially be traced back to a given authentication and token issuance.\u00a0If\u00a0a relying party is willing to take\u00a0its claimset\u00a0to the identity provider, and the identity provider is willing to investigate, the colluding duo can figure out which user presented which set of claims.<\/p>\n<p><strong>Magic Signatures?<\/strong><\/p>\n<p>But there is good news.\u00a0 Minimal disclosure technology allows the identity provider to sign the token and proof key in such a way that the user can prove the claims come legitimately from the identity provider\u00a0without revealing the signature applied by the identity provider.\u00a0<\/p>\n<p>I&#39;ve tried to represent that in the diagram where the set of claims &#8216;C&#8217; has a &#8220;green signature&#8221; applied by the issuer, but what is conveyed to the relying party is a proof (&#8220;blue signature&#8221;) that doesn&#39;t reveal the green signature.\u00a0<\/p>\n<p>If the\u00a0relying party takes the &#8220;proof&#8221; back to the issuer, the issuer won&#39;t recognize it, because all it knows about is the &#8220;green signature&#8221;.\u00a0 So it can&#39;t be linked to a specific user unless\u00a0the claims themselves\u00a0contain overt identifying information.\u00a0 In other words, <em>no linking artifacts<\/em>.<\/p>\n<p><strong>The RSA of Privacy<\/strong><\/p>\n<p><a href=\"http:\/\/www.idcorner.org\/\" class=\"broken_link\">Stefan Brands<\/a> has been working on\u00a0this minimal disclosure technology since the early 1990&#8217;s.\u00a0 As I&#39;ve said on many occasions, his system is incredibly well thought through and elegant.\u00a0\u00a0The explanation I&#39;ve just given touches on only one aspect of a really impressive technology grounded in innovative cryptography (more information on the <a href=\"http:\/\/www.credentica.com\">Credentica<\/a> web site).<\/p>\n<p>In my view, 
Stefan&#39;s technology, called &#8220;U-Prove&#8221;, is the equivalent in the privacy world of RSA in the security space.\u00a0 It does things we wouldn&#39;t have otherwise thought possible.\u00a0 At one time &#8220;public key&#8221; was\u00a0considered an oxymoron &#8211; but the properties of RSA were so compelling they completely changed our thinking about keys.\u00a0<\/p>\n<p>The same, I think, is true of the zero knowledge proofs and &#8220;blinded signatures&#8221; Stefan has perfected.\u00a0 When you first hear about their capabilities, you say, &#8220;Well, that&#39;s impossible&#8221;.\u00a0 But if you look into the math, it&#39;s not.\u00a0 It actually works.<\/p>\n<p>Funny.\u00a0\u00a0A few weeks ago, <a href=\"http:\/\/www.schneier.com\/blog\/archives\/2008\/02\/credentica.html\">Bruce Schneier wrote a brief blog post <\/a>saying:<\/p>\n<blockquote><p>&#8220;Cryptographer Stefan Brands has a new company, <a href=\"http:\/\/www.credentica.com\/\">Credentica<\/a>, that <a href=\"http:\/\/www.wired.com\/politics\/security\/news\/2008\/02\/credentica\" class=\"broken_link\">allows people<\/a> to disclose personal information while maintaining privacy and minimizing the threat of identity theft.<\/p>\n<p>&#8220;I know Stefan; he&#39;s good. The cryptography behind this system is almost certainly impeccable. I like systems like this, and I want them to succeed. 
I just don&#39;t see a viable business model.<\/p>\n<p>&#8220;I&#39;d like to be proven wrong.&#8221;<\/p><\/blockquote>\n<p>I\u00a0think\u00a0Microsoft&#39;s acquisition of Stefan&#39;s technology and patents\u00a0does prove him wrong &#8211; and that he&#39;ll be\u00a0happy about this.<\/p>\n<p>Our goal is that Minimal Disclosure Tokens\u00a0will become base features of identity platforms and products, leading to the safest possible Internet.\u00a0\u00a0I don&#39;t think the point here is\u00a0ultimately\u00a0to make a dollar.\u00a0 It&#39;s about building a system of identity that can withstand the ravages that the Internet will unleash. That will be worth billions.<\/p>\n<p>My interest is in\u00a0building the very best identity system we can build, and making\u00a0it a simple option for people to deploy, so that\u00a0the binary opposition of &#8220;privacy&#8221; and &#8220;security&#8221; is replaced by a deep understanding that &#8220;need-to-know&#8221; and minimal disclosure produce both the most secure and the most privacy friendly Internet.<\/p>\n<p><strong>Products and Roadmaps<\/strong><\/p>\n<p>\u00a0It is\u00a0really early in the cycle for us to have worked out a roadmap.\u00a0 Getting the right user experience to accompany capabilities like this is not trivial.\u00a0 But our plan is to integrate U-Prove into both the Windows Communication Foundation (WCF)\u00a0and CardSpace.\u00a0\u00a0When that happens, all products built on the WCF Framework will easily support U-Prove.\u00a0 That would include our own servers as well as those by third parties.<\/p>\n<p>As always, adopting U-Prove doesn&#39;t mean we reject other identity technologies.\u00a0 No one is going to take away your RSA keys!\u00a0 It means there is a new option available in building the identity metasystem, an option that is ideal for Government and\u00a0medical applications,\u00a0child protection, military systems,\u00a0and\u00a0identity outsourcing\u00a0to\u00a0name just a few.\u00a0\u00a0 
The idea is that we need a spectrum of solutions, reaching all the way from systems for public and social networking\u00a0identity to those for sensitive information where need-to-know is\u00a0the key factor.<\/p>\n<p><em>You can probably tell how excited I am about this.<\/em>\u00a0 I want to thank the people within Microsoft who made this possible by agreeing to take\u00a0the\u00a0plunge that will\u00a0bring\u00a0ground-breaking privacy\u00a0technology to the market.<\/p>\n<p>Best of all, I look forward to the great things the collaboration with Stefan, Christian and Greg can bring, and the fun we will have building the\u00a0most secure identity system possible while at the same time taking privacy protection to whole new levels.<\/p>\n<p>For more information, check out <a href=\"http:\/\/www.idcorner.org\/\" class=\"broken_link\">Stefan&#39;s blog<\/a>.\u00a0 You should also\u00a0look at \u00a0<a href=\"https:\/\/blogs.technet.com\/privacyimperative\">PrivacyImperative<\/a>\u00a0to\u00a0see the perspective of my colleagues from the Microsoft Privacy Team.\u00a0 Adam Shostack, who worked closely with Stefan at Zero Knowledge in Montreal, comments <a href=\"http:\/\/www.emergentchaos.com\/archives\/2008\/03\/microsoft_acquires_creden.html\" class=\"broken_link\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Stefan and his colleagues Christian Paquin and Greg Thompson have joined the Identity and Access Group at 
Microsoft<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[49,16,37,2,8,7,47,40,11],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/934"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=934"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/934\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=934"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=934"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=934"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}