[IP] Microsoft calls for online identity overhaul (long)
Begin forwarded message:
From: "Bennison, Mark M" <mark.m.bennison@xxxxxxxxxx>
Date: May 12, 2005 2:49:28 AM EDT
To: "'dave@xxxxxxxxxx'" <dave@xxxxxxxxxx>
Subject: Microsoft calls for online identity overhaul (long)
For IP if you wish...
"Microsoft calls for online identity overhaul" (http://www.vnunet.com/news/1162956)
Tom Sanders at Digital ID World in San Francisco, vnunet.com, 11 May 2005
The IT industry needs to adopt an identity meta system to overcome
existing issues with online identities, Kim Cameron, Microsoft's
architect of identity, told delegates at the Digital ID World
conference in San Francisco.
In designing such a meta system, Microsoft will unveil an identity
service to replace the failed Passport system in a keynote at the
conference on 12 May.
The meta system is required because the industry, including Microsoft
itself, has failed to create a secure and fail-safe solution for
online authentication.
Authentication suffers from an abundance of standards which are not
aligned and confuse users. This has created an opportunity for
hackers and computer criminals to launch phishing attacks and commit
identity theft.
"The ad hoc nature of the internet identity patchwork cannot
withstand the ongoing assault of professional attackers," said Cameron.
"What we have done is teach the world to indiscriminately put their
credentials and personal identifying information into almost any form
that appears on the screen. And then we make fun of them for being
subject to phishing [attacks]."
Existing standards like Secure Sockets Layer encrypted pages, the
Kerberos authentication protocol or the Liberty Alliance for digital
identities are all part of this patchwork.
But the problem, according to Cameron, is that there is no agreement
between these standards on the nature of a digital identity, and
which scientific laws play a part in digital identity.
"When we do start talking about identity, we always have to go back
to this tabula rasa," he said. "I've had people come in with all
these proposals about what we need to do with identity, and every
time it's back to square one again."
Although the problem may seem daunting, it has been solved before.
Cameron pointed to device drivers that have created an abstraction
layer between software and the display, so that software developers
were not required to know on what display their software would be
deployed.
Similarly the rise of TCP/IP allowed programmers to stop worrying
about whether they develop software for a computer that used
Ethernet, Token Ring or some other networking standard.
Cameron came up with seven laws during an online discussion which
dictate whether an online identity technology will succeed or fail.
The laws include users having the right of veto over what
technologies they do and do not use, as well as the requirement that
a party governing an identity is "justifiable".
The latter caused Microsoft's Passport service to fail as a general
online authentication service, but made it successful as a log-in
service for Hotmail and MSN Messenger, according to Cameron.
"[Users] want to have a relationship with Microsoft within a context
that makes sense to them," he explained. "[Passport] is fine within
their relationship with Microsoft, but it's not fine in their
relationship with Amazon or eBay."
Cameron also claimed that the Bluetooth wireless technology is
wrongly designed because it constantly transmits a signal, turning
the owner of a Bluetooth device into a beacon. Radio Frequency ID
suffers from the same problems.
An RFID tag in a passport, for instance, could be used by terrorists
to identify an American citizen.
"RFID is fine for a can of beans, but it's not suitable to be
impregnated into our children," he said. "We have designed all this
technology in a very naive way."
Cameron promised to publish an overview of his seven laws on his
Identity Weblog, although the list had not been posted at the time of
going to press.
John Shewchuk, chief technology officer for distributed systems at
Microsoft, will unveil the company's plans for the next generation of
digital identity in a keynote presentation on 12 May.
Part of the proposal is a structure where individuals can use
multiple identity sets, each containing different information and
having different privacy risks and characteristics. It will be up to
the user to decide which set he chooses to hand out.
Microsoft declined to provide any additional details about its plans
prior to Thursday's keynote.
Note: although the article states that the "seven laws" weren't posted
at the time of the article, they appear to be now, and I reproduce
them below (from http://www.identityblog.com/stories/2004/12/09/thelaws.html)
The Laws of Identity
People who work on or with identity systems need to obey the Laws of
Identity. When we don't, we leave behind us a wake of reinforcing
side-effects that eventually undermine all resulting technology. The
result is similar to what would happen if civil engineers were to
flaunt the law of gravity.
The Laws of Identity are not about the "philosophy of identity" -
which is a compelling but entirely orthogonal pursuit.
Instead, they define the set of "objective" dynamics that constrain
the definition of an identity system capable of being widely enough
accepted that it can serve as a backplane for distributed computing on a
universal scale. Our goal is to change the identity conversation
enough that its laws are no longer argued as "moral imperatives", but
rather as explanations of dynamics which must be mastered to craft
such a universal system.
Our intentions are pragmatic. For example, when we articulate the
Law of Control (stated below), we do so because a system which does
not put users in control of their own identity will - on day one or
over time - be rejected by enough users that it cannot become and
remain a unifying technology. The accordance of this law with our
own sense of values is essentially irrelevant. Instead, the law
represents a contour limiting what a unifying identity system must
look like - and must not look like - given the many social formations
and cultures in which it must be able to operate. And so on for the
other laws.
These laws are objective because they pre-exist our consciousness of
them. For example, the Law of Fewest Parties explains the successes
and failures of widely promoted real life systems in spite of the
fact that those who built the systems were totally unaware of them.
The Laws of Identity, taken together, establish significant
constraints on what a unifying identity system can be. The emergent
system must conform to all of the laws. Understanding this can help
us eliminate a lot of doomed proposals before we waste too much time
on them.
The first big breakthrough is to understand that "some set" of laws
exist. The second breakthrough comes from wrestling with what they
are. In doing this we need to invent a vocabulary allowing us to
communicate precisely about them.
We've now come to the end of the Seventh Law. I am working on a
paper that integrates all the thinking we have done together since
this discussion began. But for now, it's best (and often amusing) to
follow the actual blog conversation, which has really been helpful to
me in clarifying these ideas.
1. The Law of Control:
Technical identity systems MUST only reveal information identifying a
user with the user's consent.
2. The Law of Minimal Disclosure:
The solution which discloses the least identifying information is the
most stable, long-term solution.
3. The Law of Fewest Parties:
Technical identity systems MUST be designed so the disclosure of
identifying information is limited to parties having a necessary and
justifiable place in a given identity relationship.
4. The Law of Directed Identity:
A universal identity system MUST support both "omnidirectional"
identifiers for use by public entities and "unidirectional"
identifiers for use by private entities, thus facilitating discovery
while preventing unnecessary release of correlation handles.
5. The Law of Pluralism:
A universal identity system MUST channel and enable the interworking
of multiple identity technologies run by multiple identity
providers.
6. The Law of Human Integration:
The universal identity system MUST define the human user to be a
component of the distributed system, integrated through unambiguous
human-machine communications mechanisms offering protection against
identity attacks.
7. The Law of Contexts:
The unifying identity metasystem MUST facilitate negotiation between
a relying party and user of a specific identity - presenting a
harmonious human and technical interface while permitting the
autonomy of identity in different contexts.
© Copyright 2005 Kim Cameron.
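As an added illustration of the second and fourth laws above (it is not code from Cameron's blog or from any Microsoft product), the following Python sketch shows one way an identity provider could issue a "unidirectional" identifier that is stable for a given relying party but cannot be correlated across relying parties, while releasing only the claims a relying party asked for. All names (USER_RECORD, IDP_SECRET, the relying-party URLs) and the HMAC-based derivation are assumptions made for the example, not anything the article describes.

```python
import hmac
import hashlib
from datetime import date

# Constructed sample data: a hypothetical identity provider's record for one user.
USER_RECORD = {
    "user_id": "u-1001",
    "name": "Alice Example",
    "email": "alice@example.invalid",
    "birth_date": date(1980, 6, 15),
}

# Hypothetical long-term secret known only to the identity provider.
# Without it, nobody can recompute or link the pairwise identifiers below.
IDP_SECRET = b"constructed-idp-secret-for-this-example-only"


def pairwise_identifier(secret: bytes, user_id: str, relying_party: str) -> str:
    """Unidirectional identifier (Law 4): stable for one (user, relying party)
    pair, but different for every relying party, so two sites comparing their
    records gain no shared correlation handle for the same person."""
    message = f"{relying_party}\x00{user_id}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def omnidirectional_identifier(public_entity: str) -> str:
    """Omnidirectional identifier (Law 4): a public entity wants to be
    discovered and recognised, so its identifier is a well-known stable name."""
    return public_entity


def release_claims(record: dict, requested: list, today: date = date(2005, 5, 12)) -> dict:
    """Minimal disclosure (Law 2): return only the requested claims, never the
    provider's internal user_id, and answer an age question with a yes/no
    predicate rather than the raw birth date."""
    released = {}
    for claim in requested:
        if claim == "over_18":
            born = record["birth_date"]
            years = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
            released["over_18"] = years >= 18
        elif claim in record and claim not in ("user_id", "birth_date"):
            released[claim] = record[claim]
    return released


def issue_token(record: dict, relying_party: str, requested: list) -> dict:
    """Assemble what the relying party receives: a pairwise subject identifier,
    the audience it is bound to, and the minimal claim set."""
    token = {
        "sub": pairwise_identifier(IDP_SECRET, record["user_id"], relying_party),
        "aud": omnidirectional_identifier(relying_party),
    }
    token.update(release_claims(record, requested))
    return token


if __name__ == "__main__":
    shop = issue_token(USER_RECORD, "https://shop.example.invalid", ["over_18"])
    bank = issue_token(USER_RECORD, "https://bank.example.invalid", ["name", "over_18"])
    print("shop sees:", shop)
    print("bank sees:", bank)
    print("same person correlatable by sub?", shop["sub"] == bank["sub"])
```

Running the script shows the two relying parties receiving different `sub` values for the same user, and the shop receiving only a boolean `over_18` rather than a birth date. The design choice worth noting is that the unlinkability rests entirely on the provider keeping IDP_SECRET private; the identifiers themselves carry nothing a relying party could reverse.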
Cheers,
Mark.