Domain: identityblog.com
Stories and comments across the archive that link to identityblog.com.
Comments · 31
-
Re:Let me guess
It sounds familiar, it's almost based on Kim Cameron's seven laws of identity and claims based authentication.
His list was
- User Control and Consent - where the user can stop information flowing from the identity provider to the system asking for it.
- Minimal Disclosure for a Constrained Use - if a system needs to know if a user is over 21 then send true or false, not a date of birth
- Justifiable Parties
- Directed Identity
- Pluralism of Operators and Technologies - standardise it, and let everyone play
- Human Integration
- Consistent Experience Across Contexts - a client side app, no more changing login pages depending on where you are
It's interesting reading, but CardSpace, the sole implementation of this, isn't being pushed any more.
-
Re:This is bad news
The standard with the most momentum seems to be OpenID. I hope that a few years from now, I'll be using it for most of my web logins. This is solving a different problem, though - it's a lightweight SSO.
Microsoft are collaborating with OpenID on support for Information Cards (a.k.a. Cardspace). -
Re:Quick Question
I can't speak on the figure-out-who-you-are-by-your-browsing-habits bit, but Cardspace was specifically designed to *not* be Passport 2.0. Kim Cameron is one of the big names in the identity community, and his Laws of Identity are considered the standard by which identity solutions are judged. Microsoft bought the identity startup (Zoomit) where he was working and once they realized who they had on their hands, gave him the title Architect of Identity.
With Passport, users were expected to trust Microsoft with their personal information, including their credit card numbers. The data would be stored on Microsoft's servers, and customers weren't willing to trust Microsoft with that data given all the privacy & security problems going on with Hotmail at the time.
Cardspace stores your data on your machine, in a tightly-controlled section of Windows. The UI runs in a separate desktop overlaid on top of your current one, and there is a limited API for getting access to the data in the "vault". If you give one of your cards to a site, the UI tells you what information they're requesting and lets you decide which required and optional fields to send.
It's a major step forward in user-centric identity.
BTW, Kim Cameron has a blog at http://www.identityblog.com/ -
Re:Has she read Steve Jobs' essay on DRM?
Because if she has, she would know that Jobs himself opposes the DRM scheme.
Aaaah right, I've read Jobs' little blog - and it's entirely correct.
However. Why doesn't Jobs allow the artists who want to sell DRM free music on iTunes? There's DRM encumbered music on iTunes that's available elsewhere in DRM free formats.
I find the disconnect between Steve Jobs' essay & the reality of iTunes.... well, let's just say that perhaps interoperability pressure from the EU was a bigger motivation for Jobs to write that essay than a desire to help remove DRM from the marketplace.
I have no doubt that someone is going to reply to this post saying that consumer 'confusion' is what prevents Apple from having DRM on some music, but not on others. To those people, please read this link.
For the lazy, the link is about four Dylan songs (virtually indistinguishable via the ITMS interface to other songs). These songs have more restrictive DRM on them and cannot be burnt to CD at all. Apple didn't seem to mind confusing their customers in that case. -
Re:WTH?
Given that I've known about OpenID for over a year, and I've never heard of MS "CardSpace" until reading this, suggests that the blessing should be the other way around. That's 'cos it used to be called InfoCard. If you haven't heard of that, you aren't reading all the right blogs :-p. -
CardSpace anyone?
So far nobody has mentioned InfoCard/CardSpace. I think you will find that one of the major pushes for the new extended certificates is to improve the user experience with respect to security. Presently anyone can get an ordinary SSL certificate - a phishing site can easily obtain an existing SSL certificate that will allow them to fool more average joe users than no certificate at all. With an extended certificate a company's name, location and logo are also included as part of the certificate so it should be much easier for uneducated users to make the connection between the certificate and the organization whose site they are visiting and more difficult for the phishing sites to do so. So the new certificates provide a better way for websites to prove their identity to users and aim to provide a consistent way of presenting this information to users so that they can make a choice as to whether or not they trust a site.
For details see the section titled Improved User Confidence in the Identity of Web Applications in Introducing Windows CardSpace: http://msdn.microsoft.com/library/en-us/dnlong/html/introinfocard.asp/
CardSpace is a Good Thing. Check out Kim Cameron's blog http://www.identityblog.com/ for ongoing coverage. Microsoft is doing everyone a big favor in the identity space - they fully acknowledge their mistakes of the past (e.g. Passport) and are very open in terms of what they are doing and how they are doing it. Further, the specifications behind all of this are unencumbered (see http://www.identityblog.com/?p=574/).
-
Information Card
Information Cards / Windows CardSpace attempts to fix this problem:
http://msdn.microsoft.com/winfx/reference/infocard/default.aspx
It's the brainchild of Kim Cameron: http://www.identityblog.com/
Unlike Passport, Microsoft does not own your identity when you use Information Cards. -
Re:Reasons? How about:
Microsoft is working on this problem -- a way to computerize the release of authentication information but not identification information (and vice versa). See the "Laws of Identity" over at http://www.identityblog.com/.
In particular, they are discussing a way to build an 'identity wallet' into the OS that will allow you to choose what identifying or authenticating bits of information to give to whom. And the wallet will be kept in a hardened UI that only humans can access.
It's about damn time, too. The real world already works like this: for everyone you interact with, you dynamically choose what data to reveal, and you never reveal it all in the manner presently demanded by many websites.
-
Re: Wrong Tool
x.509 has a useful niche. PGP has a useful niche. I believe you are confusing tools.
I admin a PKI system inside the company I work for and it's the bees knees. I add public keys to the keychain. If you aren't on the keychain, then you won't have access to some things on the LAN. Simple, discreet control.
Let me be clear: There is a way around *every* security system. Running PGP/PKI systems meaningfully raises the bar.
Declaring x.509 "the winner" sounds like you have a very serious investment in its success as opposed to the more professional perspective, right tool for the job.
OT Info:
As a general warning to all: MS's efforts in x.509 are the usual Embrace, Extend, Extinguish thereby crippling interoperability. Note that they've got Red Hat publicly endorsing their efforts now. http://www.identityblog.com/
Whereas shibboleth http://shibboleth.internet2.edu/ is supposed to be the neutral party. -
Re:Too biased and anti-Microsoft... partial nonsen
Just as a point of clarification: Yes, "InfoCard" is a Microsoft proprietary implementation of the core user-agent of the Identity Metasystem. However, the Identity Metasystem is not Microsoft proprietary and is (definitely) not Passport v.next: In the Identity Metasystem, all communications are carried out using standard HTTP & WS-* protocols, "InfoCard" will communicate with Identity Providers running on any other platform that supports the same protocols. Further, we openly welcome other platform vendors to implement "InfoCard" like capabilities in their platforms and products. You get to store your own identity information (in the case of self-issued cards) or store cards containing metadata referencing information stored by trusted third parties (your bank, your airline frequent-flyer club, your insurance company, your whatever).
-
InfoCards explained
From the Seattle Post Intelligencer http://seattlepi.nwsource.com/business/259391_infocard14.html/
At the same time, the company [Microsoft] says it doesn't want InfoCard to be the only program of its kind. The program uses non-proprietary communications standards, and Microsoft says it would like to see the people and companies behind other operating systems, such as Linux and Apple's Mac OS X, create their own programs similar to InfoCard, to make the approach more common.
The approach "essentially adds an identity layer to the Internet," said Microsoft's Turner, calling such a layer sorely needed in today's online world.
The identityblog has lots of information about InfoCards, how they were conceived and how they will work. It would be good to start at this entry, The Design Decisions Behind InfoCards.
http://www.identityblog.com/?p=366/ -
InfoCard is open source
Not only is InfoCard open source and standards based, but you are invited to participate in the design process. Just go to Kim Cameron's blog, he is the chief architect of identity at Microsoft.
-
It Should Happen...
Think about this for a minute.
Everyone of you that live in fear of a national ID might tell me that whatever agency gets to build the thing will share with any agency that comes calling? Simple human nature tells me this won't happen. No sharing of information, no real substantial coordination between agencies. Nothing.
I am concerned that centralizing law enforcement authority will be a more desirable outcome of the legislation, with no intention of ever actually issuing an ID card.
There are quite a number of commercial information agencies many of which have gov't contracts for your personal data. Let's not forget the latest revelation regarding GWB's authorizing domestic surveillance without any oversight.
Your detailed personal activity is already being collected. Many of you are up in arms because they want to issue a national ID????! It's water under the bridge. Done.
This guy http://www.identityblog.com/ (warning microsoftie) has the same hue and cry about privacy and yet the guy is advocating a system to collect far more detailed activity in a more revocable/authenticatable manner (whatever that means) than what's available now. I asked him to clarify his stance in comments to his blog. Surprise! Neither was the comment posted nor a response given.
A national ID card won't change a thing. -
The Laws of Identity
I thought this article written by Kim Cameron addresses some of the issues mentioned here:
http://www.identityblog.com/stories/2004/12/09/thelaws.html -
Re:Passport?
Didn't Passport get cancelled? Are they building new systems based on a deprecated system?
It's being replaced in the upcoming Windows Communication Foundation (a.k.a. Indigo) with a more paranoid-friendly digital identity system. You can get your hands on a beta already. I expect that'll be a drop-in replacement and they need something to work with.
(In fact, MS Identity guy Kim Cameron's latest blog entry is called InfoCard Not Son Of Passport.) -
Re:Heh.. very aptly named
Seems to be true sometimes. So I've got a link that works and won't change now: http://www.identityblog.com/stories/2005/07/25/thelaws.html -
Microsoft *could* do the right thing; will they?
As an interested party in the online identity world and very aware of Microsoft's role in it, I have met with Kim Cameron several times with respect to his Seven Laws and Microsoft's imminent InfoCard identity system that he is shepherding. Kim is a great guy - very sincere - but is but one tornado in a company of a thousand tornados. So I wrote an addendum, Four More "Laws of Identity" that addresses some of my concerns. (Kim said he enjoyed reading them and would comment after Digital ID World, but as yet I suppose he hasn't found the time.)
Some of my concerns stem from a basic distrust of Microsoft as well as the fact that some of the InfoCard technology - though supposed to be open standards - is still based on WS-Trust, which itself is based on the WS-Security Suite, which as yet is RAND but not RANDz.
I also feel a bit of personal responsibility, as Passport came from Firefly which is partially descended from my 1980 MIT (Media Lab) thesis on a personalized newspaper - NewsPeek - so named as while it provided a "peek at the news", it was also clear even then that centralization of such resources could lead to a Big Brother state (and New Speak). Now Microsoft's InfoCard is not an identity system - it is a trust system - and actually a very noble and good goal. I just worry - as with many Microsoft systems - about how they may seek to "embrace and extend" in the trust arena, perhaps with disastrous consequences. On the other hand, if they manage to free all the necessary standards and really push an open standards/source identity/trust "metasystem", I think it could be excellent not only for Microsoft (sporting an extremely well-integrated UI) but also for the wider community - including all us F/OSS friendlies.
I'll end with two plugs: one for a host of free identity systems that exist (such as the one I worked on for the last couple years until we ran out of angel funding, 2idi); and one for a promising "open standard" InfoCard-like system that could easily be built as a Firefox plugin (alas, in PDF form) that could help in the battle against phishing. -
Re:The Rules According to Kim
Sorry for the above crappy formatting.
For those having a hard time getting to the PDF, here are the 7 Rules of Identity according to Kim. I've removed the text for brevity.
1. User Control and Consent: Technical identity systems must only reveal information identifying a user with the user's consent.
2. Minimal Disclosure for a Constrained Use: The solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution.
3. Justifiable Parties: Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
4. Directed Identity: A universal identity system must support both "omni-directional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
5. Pluralism of Operators and Technologies: A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
6. Human Integration: The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
7. Consistent Experience Across Contexts: The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
--------
I'm really shocked that someone who works at Microsoft came up with this. This is a constructive, interesting set of ideas. The PDF link is: http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf -
The Rules According to Kim
For those having a hard time getting to the PDF, here are the 7 Rules of Identity according to Kim. I've removed the text for brevity. 1. User Control and Consent: Technical identity systems must only reveal information identifying a user with the user's consent. 2. Minimal Disclosure for a Constrained Use: The solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution. 3. Justifiable Parties: Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship. 4. Directed Identity: A universal identity system must support both "omni-directional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles. 5. Pluralism of Operators and Technologies: A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers. 6. Human Integration: The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks. 7. Consistent Experience Across Contexts: The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies. -------- I'm really shocked that someone who works at Microsoft came up with this. This is a constructive, interesting set of ideas. The PDF link is: http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf -
One more thing
This was my original post. Zonk changed it to make it more anti-Microsoft:
"Something strange is a brewin' at Microsoft these days. To see what I mean, check out this video interview with Kim Cameron, Microsoft's Architect of Identity, about Kim's now famous Laws of Identity. Personally, I was so shocked to see Microsoft come down this hard on the side of open standards and corporate responsibility that I almost choked on my tinfoil hat. Is this the beginning of a new Microsoft? But more importantly, now is the time to start an open and ongoing discussion about the future of digital identity. Is Kim's vision something the Slashdot community could get behind?"
-
Re:say what
Indeed. Passport should be proof enough that most Internet users are not interested in an identity layer.
On the other hand, the Internet is sorely lacking in appropriate identity verification measures for the sorts of e-commerce being done by people who don't grasp the concept of spyware (despite it having a firm grasp on them).
The problem in this case is, who gets to implement such a standard? The list of laws sounds good on paper, but once corporations or governments start trying to implement it, any concept of user privacy goes out the window. And as commercialized as the Internet has become, it's becoming incredibly difficult for benevolent users to set these standards and have them perpetuated without abuse or wanton modification.
-
Heh.. very aptly named
Go to the Laws of Identity link, select browser version of the document...
Not Found
Very appropriate..... heheheheh
-
Re:So Pen&Paper's the new replacement for Pass
Funny ;-)
Seriously, MS replacement for Passport seems to be InfoCard. Now I know this is MS, but this does actually look like a cool concept (we'll have to wait and see about the implementation).
Kim Cameron (the lead guy on this) is actually pretty adamant that this needs to be an "Open" system that others can implement. We'll see if that ends up meaning "open source", but interesting nonetheless. -
Re:I thought Passport was dead
It is exactly *not* like passport. In fact, the whole passport disaster is often referred to as a lesson learned.
Here is the latest philosophical trend in Identity, and the founding principles for the SSO and IdM movement of the moment:
The Laws of Identity
If you read this, you will see that certain of the digerati are working very hard, even within Microsoft itself, to ensure that future identity systems are exactly the opposite of 'distrusted and irrelevant'....
Pixie -
Get with it!
Everybody is focusing on those two guys smiling together, instead of looking at why they called the press release together, and why what they announced is considered important enough to warrant a Ballmer/McNealy co-presentation!
The reason why this is news, is that both companies, along with a ton of other groups of all sorts of sizes and purposes, have been working on creation of standards that will allow web authentication on the internet to cross boundaries of OS platform, browser platform, and development platform. The Metadata Exchange and Interop protocols are just two of a whole HOST of protocols that are going to link everything up.
Some of you will say - who cares? But the technology they are working on now will be used in the future by most people, on most platforms, to access protected web content.
That's pretty big. This little niche of the industry is set to explode into mainstream consciousness, just wait and see...
If you want to be ahead of the curve:
Check out the Fact Sheet from the MS-Sun announcement.
Check out the WS-* White Paper
Check out Microsoft's Vision For an Identity Metasystem
Check out the Liberty Alliance Technology Review
And if you prefer blogs to White Papers, check out Kim Cameron's Blog. That's really the happening place in Identity Management right now...
Pixie -
Passport's "death" and the "birth" of infoCards
I am not a proponent of this system, but I know a little bit about this stuff.
The Info-cards concept is mainly the brainchild of Kim Cameron, who was one of the architects for a directory server called, "ZoomIT", before it was bought by Microsoft. It is now the essential core of what we all know as Active Directory. So in that sense, the designer of the iCards is also a chief designer of AD. He described this whole solution to me several months ago, although the devs at MS were calling them "vCards" at the time. He claimed, "it's like your email Vcard, but with X.509 tossed in," (digital signatures).
You can read his blog, where he postulates and proselytizes about identity, including setting forth a semi-formal set of "Laws of Identity"; essential criteria which any distributed identity system must satisfy. Like Passport (didn't). Like pingID. Like Sxip. Like i-Names. Etc., etc.
The MS guys actively follow identity trends on the Internet today. They didn't say this, but I am quite certain that they were not huge fans of Passport, knowing the technical and privacy risks associated with centrally stored identity data. Duh.
I'm sure they let Passport die. They knew it was not a workable solution. Fundamentally, the type of identity applications for which Passport was designed would never have worked if they had culminated in massive web services buy-in. How could it? Do you "sign in" to user forums (like this one) with huge requirements for security and privacy? So why would you use the same system for banking??? And that, literally, was the mission for Passport years ago! Single-signon for the web! w00t!
No. You probably don't sign in to discussion forums with the expectation of security that you would your email. Most forums and pages and all that fun stuff that we slashdotters built for fun in the late nineties is fair game for this. And who of us wanted to actually store a database of users and names and stuff for just a silly forum? And I think that's what infoCards is. It allows you to share info about yourself without an actual authentication (as we know it). Remember what Cameron said, he said it was "V-Cards with some X.509 tossed in". V-Cards are basically a set of data that you write, or even... data that is written about you and digitally signed. Name, gender, date of birth, etc. So whatever you wanna "tell" to your forum page about yourself when you sign in, you'll actually authenticate to that little local datastore they put into windows. Then this unlocks those little tidbits of info that you're sharing. You're not going to auth to the webpage (or maybe you will, but it's again a super low assurance mechanism and no one expects it to be anything more than that).
So... you will authenticate locally. Want heftier security for that? Cool. Then buy our cool little one-time password token... :-)
So, once you've authenticated to your little datastore, you get to decide whom you're sending your data to. So there will be some mechanism by which you get to authenticate them. Kim said this had to be omnidirectional, right? So you're making sure that the World of Warcraft forums are indeed whom you're telling your gender to or favourite colour, etc. Then this stuff gets all packaged up and sent over the wire to wherever it's supposed to go. Maybe it's encrypted. Maybe it's signed. Maybe it's cleartext. Depends on the app. And the forum writer doesn't even have to be running Windows to accept that data.
So what is infoCards?
Low assurance localized authentication, user-controlled data exchange, nodal verification and built with personal or 3rd-party assertions about that information.
It's pretty smart, IMHO most of th
-
Re:A few years down the line ...
There are many different voices coming out of Microsoft. One of the most interesting opinions is that of Kim Cameron, Microsoft's architect for identity. He publishes an Identity Weblog. Kim's "laws of identity" are all about privacy and minimal disclosure.
Kim pushes an Infocard Project that would enable any variation of identity management, from centralised servers to federation of entreprise servers or peer-to-peer systems. Whether such grand vision will make it into future Microsoft products is indeed anyone's guess...