February 27, 2006

Identity on the move III - some ramblings on "we'll get it right this time, honest injun!"

Kim Cameron - who writes for Microsoft over on his Identity blog - published an interview where Bill Gates says:

This is very simple. There are statements like, “I, the employer of this person, have given them a secret” – either a password or even better a big number, a key. So I, Intel, say if they present this secret back to me, I, Intel vouch that they are an employee. Then we at Microsoft collaborate with Intel, and we decide do we accept statements of that type to decide who can get into various collaborative websites for joint projects.

The statement! That is something that has been lacking from just about all of the popular designs, and is at the root of the harm of identity theft on the net. If Microsoft are heading in this direction, this is an encouraging development. However, when we take it a bit further:

That’s called federation, where we take their trust statement and we accept it, within a certain scope. So they don’t have to get another user account password. There’s no central node in this thing at all, there never can be. Banks are a key part of it, governments can be part of it. The US, probably not as much.

That's scary. If the point of system is to allow corporates to exchange statements about you, do we really believe that just because they say they are limited statements that users' privacy isn't being shredded? James also questions Federated Identity, the sum of which seems too many people with too many acronyms and too much reliance on adoption and users' blind religious trust.

In contrast there is this tantalising snippet in another interview that suggests that the system might be sort of maybe usable for nyms:

Cameron: I think people will be people offering InfoCard-enabled services by the time Vista ships. I’m at a disadvantage because I can’t tell you who we are working with. What I can say is there are thought leaders around this in each industry. Those are the guys who we will be working with and who will have these applications that are InfoCard ready.

You can get not just identity but sort of very interesting semi-anonymous things that are very privacy-friendly. One of the things we have been doing with this project is to work with the privacy advocates and have them as colleagues in the design of the thing. This is not one of those things where a bunch of nerds get in to a garage and come up with something that is going to gross out the privacy advocates.

Who are these shy thought leaders, and what do they mean by semi-anonymous?

If you read the (first) entire interview with Bill Gates, you like I might get the impression that Bill Gates remains a wolf in sheep's clothing. Kim Cameron says "A number of people have confided that they worry the committment to privacy and openness I make in my work can’t “possibly” reflect the ideas of the “official Microsoft juggernaut”' but is he trying on the same suit? Some of these comments read pretty thin, when we factor in Microsoft's history (which, again, shouldn't be taken to mean that any other company is any more concerned about privacy). Even their recent history isn't encouraging:

BG: No, no, it’s not even worth going back to that. We partly didn’t know what it was, and certainly what the press said it was wasn’t what we thought it was, but even what we thought it was we didn’t end up doing all of that. That’s old history.

Only the blindly religious would see Bill Gates' dismissal of past errors as anything but a warning sign. So, now we are here in not-old-history. What is it that is being said that gives us confidence that old istory isn't just around the corner, yet again? Not only does he decline to simply say "Passport was wrong," he's inviting everyone to trust him, this time. In Passport V3, we'll get it right, honest injun! Being blind and religious might help, but even that has limits.

The curious thing about this is that regardless of how Microsoft is going to get parts of this wrong, we now have a re-emerging competition in security. These ideas will be put into play in the Microsoft suite of software, and the few that work will be copied. Yes, some of them are going to work. The ones that won't work will end up in the dust heap (but not before being re-named mid-programme).

Is that the best we can do? To paraphrase Churchill, competition is a terrible way to do security, but it's better than all the other ways. So maybe we no longer care what Microsoft says, only what they succeed at.

Posted by iang at February 27, 2006 02:09 PM | TrackBack

IBM leads challenge to Infocard / By Brier Dudley / Seattle Times technology reporter

An IBM-led coalition is announcing an open-source project today that will challenge Microsoft's new Infocard online identity-management system. IBM and Microsoft worked closely to develop industry standards for establishing online identity, a cornerstone of the new services they and other companies hope to deliver via the Internet in coming years.

Microsoft used those standards to build Infocard, which will be part of the Windows Vista operating system coming out later this year. Infocard will replace Microsoft's Passport identity system, giving users what's designed as an improved and more secure way to register and log into multiple Web sites.

Infocard is geared largely toward consumers. The IBM-backed Higgins system is primarily aimed at corporate technology users, where it could manage and process a variety of identity systems.

But because Higgins will be freely shared with anyone, a company such as Google could use it to develop a consumer-identity system that directly competes with Infocard, said Tony Nadalin, IBM's chief security architect. "I could see Google offering something, I could see Yahoo! offering something, what I would call these content-information providers," he said.

Higgins was conceived by Harvard Law School's Berkman Center for Internet & Society and a company called Parity Communications. They offered it to the open-source community for collaborative development, but it was unlikely to take off until IBM came looking for an alternative to Infocard, said Mike Neuenschwander, research director at the Burton Group consulting firm in Salt Lake City.

"IBM is coming to it and saying we need to develop something similar to Infocard. What Microsoft is producing, they can't get the source code to, and it's Microsoft-centric and where do we do that?" he said. "They've chosen Higgins, to go and expand it."

Novell, another Microsoft rival, is backing the project and participating in today's announcement, along with the Berkman Center and Parity Communications. Nadalin asked Microsoft to participate in the Higgins project, but he has not heard back. He said he discussed it earlier this month at the RSA security conference in San Jose, Calif., with Kim Cameron, Microsoft's chief identity architect. Cameron did not return a call for comment Friday.

IBM started working on Higgins after it learned of Microsoft's plans for a new authentication system to replace its controversial Passport system. Although Passport is widely used by Microsoft sites such as Hotmail, it was mostly rejected by other companies wary of Microsoft becoming a central repository for online identity credentials.

In 2001, Sun Microsystems organized a coalition of big companies to develop an alternative, decentralized approach. After that feedback, Microsoft developed Infocard as a more transparent successor to Passport that would be less centralized and more palatable to the industry.

Although Infocard is a more open system, Nadalin said, Microsoft has not yet shared all the details of how it will work. In particular, he's concerned the system will require Web sites to use Microsoft's Active Directory technology in their infrastructure.

As IBM envisions it, companies could use Higgins to process Infocards and the dozens of other authentication products being used online. It will begin adding Higgins technology to server products it plans to sell starting in 2007.

Neuenschwander said users will likely end up with different ways to manage their digital identities, but Microsoft's Infocard could be widely used if the company does a good job with the technology and developers appreciate it's widely available via Windows.

Brier Dudley: 206-515-5687 or bdudley@seattletimes.com

Posted by: Semi-anon at February 27, 2006 12:40 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.