Domain: identitycommons.net
Stories and comments across the archive that link to identitycommons.net.
Comments · 7
-
Passport's "death" and the "birth" of infoCards
I am not a proponent of this system, but I know a little bit about this stuff.
The Info-cards concept is mainly the brainchild of Kim Cameron, who was one of the architects for a directory server called, "ZoomIT", before it was bought by Microsoft. It is now the essential core of what we all know as Active Directory. So in that sense, the designer of the iCards is also a chief designer of AD. He described this whole solution to me several months ago, although the devs at MS were calling them "vCards" at the time. He claimed, "its like your email Vcard, but with X.509 tossed in," (digital signatures).
You can read his blog, where he postulates and proselytizes about identity, including setting forth a semi-formal set of "Laws of Identity"; essential criteria which any distributed identity system must satisfy. Like Passport (didn't). Like pingID. Like Sxip. Like i-Names. Etc., etc.
The MS guys actively follow identity trends on the Internet today. They didn't say this, but I am quite certain that they were not huge fans of Passport, knowing the technical and privacy risks associated with centrally stored identity data. Duh.
I'm sure they let Passport die. They knew it was not a workable solution. Fundamentally, the type of identity applications for which Passport was designed would never have worked if they had culminated in massive web services buy-in. How could it? Do you "sign in" to user forums (like this one) with huge requirements for security and privacy? So why would you use the same system for banking??? And that, literally, was the mission for Passport years ago! Single-signon for the web! w00t!
No. You probably don't sign in to discussion forums with the expectation of security that you would your email. Most forums and pages and all that fun stuff that we slashdotters built for fun in the late nineties is fair game for this. And who of us wanted to actually store a database of users and names and stuff for just a silly forum? And I think thats what infoCards is. It allows you to share info about yourself without an actual authentication (as we know it). Remember what Cameron said, he said it was "V-Cards with some X.509 tossed in". V-Cards are basically a set of data that you write, or even... data that is written about you and digitally signed. Name, gender, date of birth, etc. So whatever you wanna "tell" to your forum page about yourself when you sign in, you'll actually authenticate to that little local datastore they put into windows. Then this unlocks those little tidbits of info that you're sharing. You're not going to auth to the webpage (or maybe you will, but its again a super low assurance mechnism and no one expects it to be anything more than that).
So... you will authenticate locally. Want heftier security for that? Cool. Then buy our cool little one-time password token...
:-)So, once you've authenticated to your little datastore, you get to decide whom you're sending your data to. So there will be some mechanism by which you get to authenticate them. Kim said this had to be omnidirectional, right? So you're making sure that the World of Warcraft forums are indeed whom you're telling your gender to or favourite colour, etc. Then this stuff gets all packaged up and sent over the wire to wherever its supposed to go. Maybe its encrypted. Maybe its signed. Maybe its cleartext. Depends on the app. And the forum writer doesn't even have to be running Windows to accept that data.
So what is infoCards?
Low assurance localized authentication, user-controlled data exchange, nodal verification and built with personal or 3rd-party assertions about that information.
Its pretty smart, IMHO most of th
-
Re:nope
Windows Longhorn will have an identity system in it, currently code-named InfoCard. But from what I hear, they are actually looking for open standards on which to base their identity infrastructure, and this would make a *lot* of sense. If they promoted a system that was 100% decentralized (as opposed to the 100% centralized Passport), free and open source, and integrated it sweetly into their OS, they would have an identity system that would be peerless and increase their market share (or at the least, not drive people away so fast).
The only system I know of that fits the bill is the nascent Identity Commons system that is just starting to come online. (Disclaimer: I am 2idi's CTO) -
misconceptions: not centralized nor passport
One of the primary misconceptions about i-names is that they're centralized. They're not.
Another is that 2idi is just another passport controlling your information. It isn't.
It's clear that Identity Commons and 2idi have to work on their messaging... -
Identity Commons
The Identity Commons is also working on the same problem, but they have taken a more useful approach than the Liberty Alliance.
-
Re:who cares?Yes, Liberty has done some great thinking about privacy and security, but it's still a hub-and-spoke system in which they (the 150 rich and powerful members) own your identity and (in their parlance) "provide" you with access to it through an "Identity-Provider".
Still, it's a lot better than Microsoft, where the only good thing to say about Passport is you know that the database won't get bought by Microsoft.
There are other personal identity platforms coming in the open source/grassroots arena. One promising entry is being put forward by the Identity Commons [disclaimer: I'm the CTO
;-)] where each person owns and controls their own identity. We're launching a fund raiser in a few weeks in which people will be able to buy a 50 year duration i-name for somewhere under $50 U.S. There's a bit more on i-names on our technology page, but we're still working hard on the code (and the site!).Bottom line: don't put all your eggs (or identity) in one basket - unless you own and control that basket!
-
Re:who cares?Yes, Liberty has done some great thinking about privacy and security, but it's still a hub-and-spoke system in which they (the 150 rich and powerful members) own your identity and (in their parlance) "provide" you with access to it through an "Identity-Provider".
Still, it's a lot better than Microsoft, where the only good thing to say about Passport is you know that the database won't get bought by Microsoft.
There are other personal identity platforms coming in the open source/grassroots arena. One promising entry is being put forward by the Identity Commons [disclaimer: I'm the CTO
;-)] where each person owns and controls their own identity. We're launching a fund raiser in a few weeks in which people will be able to buy a 50 year duration i-name for somewhere under $50 U.S. There's a bit more on i-names on our technology page, but we're still working hard on the code (and the site!).Bottom line: don't put all your eggs (or identity) in one basket - unless you own and control that basket!
-
The Identity Commons
As you suggest, a distributed, global (federated) identity would make this all a lot easier and work a lot better. Persistent profile information is powerful and offers many advantages to citizens, corporations and all those middlemen, but can lead to serious privacy abuses if the information is not securely - and absolutely - controlled by the profile owner.
The fact that global identity is so valuable has not escaped the eye of marketing departments everywhere, and there are several projects aimed at establishing global identities for consumers. (Note that I say "consumers" here rather than "citizens" as the systems being designed generally only see you as a consumer and nothing more. Therefore, since there's nothing to buy on Slashdot or Poliglut, you probably wouldn't exist on those systems.)
There are two main problems with the currently proposed systems: Passport, designed by Microsoft, is a wholly centralized system. (The only thing good about this is that your profile data in Passport is not in danger of being bought by Microsoft!) The other system is Project Liberty, a system being put together by a scary consortium of BigCos. EPIC has a good, short paper on the privacy considerations of Liberty here.
There's a new group in this area working...
I'm a member of the tech group and suffice to say we're looking at a very hard problem. One of the key insights into this work is that we don't need to build a global namespace. Not only is that hard (viz PKI) but it's not even what people really want. Rather, people belong to groups and have local names for people within their groups. As people from other groups get introduced into one's local group, they either get local names or become known as "xyz from 123 group". While global URIs may exist to uniquely point to every object in the universe, they are generally difficult to manage and use. ...to create the world's premier electronic system for individuals and organizations to interact commercially, socially and personally, while providing every entity with control of its information, identity, and relationships consistent with healthy communities.So where does one go? First, of course it has to be open source. PGP's web of trust, Ron Rivest's and Carl Ellison's SPKI/SDSI, and Matt Blaze's Keynote all offer secure local name spaces and even integrated trust management systems. (Thought I had forgotten about your original point, didn't you?) We're nearing completion of a requirements specification and hope to have an initial implementation by years end. And this is being done mostly by volunteers, as there's no money (yet).
BTW, one of the most difficult problems facing federated identity systems such as Liberty is how to get all these BigCos to work together. We're following Chaordic approach that, like the Visa payment system, melds simple but powerful global unilateral agreements (Principles) with local control of agreements that control inter-group relationships.