{"id":675,"date":"2006-07-17T09:06:00","date_gmt":"2006-07-17T09:06:00","guid":{"rendered":"http:\/\/markwilson.me.uk\/blog\/2006\/07\/microsofts-digital-identity-metasystem.htm"},"modified":"2007-03-09T11:56:23","modified_gmt":"2007-03-09T11:56:23","slug":"microsofts-digital-identity-metasystem","status":"publish","type":"post","link":"https:\/\/www.markwilson.co.uk\/blog\/2006\/07\/microsofts-digital-identity-metasystem.htm","title":{"rendered":"Microsoft’s digital identity metasystem"},"content":{"rendered":"

After months of hearing about Windows Vista eye candy (and hardly scraping the surface with anything of real substance with regards to the operating system platform), there seems to be a lot of talk about digital identity at Microsoft right now. A couple of weeks back I was at the Microsoft UK Security Summit, where I saw Kim Cameron (Microsoft’s Chief Architect for identity and access) give a presentation on CardSpace (formerly codenamed “InfoCard”) – a new identity metasystem contained within the Microsoft .NET Framework<\/a> v3.0 (expected to be shipped with Windows Vista but also available for XP). Then, a couple of days ago, my copy of the July 2006 TechNet magazine<\/a> arrived, themed around managing identity.<\/p>\n

This is not the first time Microsoft has attempted to produce a digital identity management system. A few years back, Microsoft Passport<\/a> was launched as a web service for identity management. But Passport didn’t work out (Kim Cameron refers to it as the world’s largest identity failure). The system works – 300 million people use it for accessing Microsoft services such as Hotmail and MSN Messenger, generating a billion logons each day – but people don’t want to have Microsoft controlling access to other Internet services (eBay<\/a> used Passport for a while but dropped it in favour of their own access system).<\/p>\n

Digital identity is, quite simply, a set of claims made about a subject (e.g. “My name is Mark Wilson”, “I work as a Senior Customer Solution Architect for Fujitsu Services”, “I live in the UK”, “my website is at http:\/\/www.markwilson.co.uk\/”). Each of these claims may need to be verified before they are acted upon (e.g. a party to whom I am asserting my identity might like to check that I do indeed work where I say I do by contacting Fujitsu Services). We each have many identities for many uses that are required for transactions both in the real world and online. Indeed, all modern access technology is based on the concept of a digital identity (e.g. Kerberos and PKI both claim that the subject has a key showing their identity).<\/p>\n

Microsoft’s latest identity metasystem learns from Passport – and interestingly, feedback gained via Kim Cameron’s identity weblog<\/a> has been a major inspiration for CardSpace. Through the site, the identity community has established seven laws of identity<\/a>:<\/p>\n

    \n
  1. User control and consent.<\/li>\n
  2. Minimal disclosure for a defined use.<\/li>\n
  3. Justifiable parties.<\/li>\n
  4. Directional identity.<\/li>\n
  5. Pluralism of operators and technologies.<\/li>\n
  6. Human integration.<\/li>\n
  7. Consistent experience across contexts.<\/li>\n<\/ol>\n

    Another area where CardSpace fundamentally differs from Passport is that Microsoft is not going it alone this time – CardSpace is based on WS-* web services<\/a> and other operating system vendors (e.g. Apple and Red Hat) are also working on comparable (and compatible) solutions. Indeed, the open source identity selector<\/a> (OSIS) consortium has been formed to address this technology and Microsoft provides technical assistance to OSIS.<\/p>\n

    The idea of an identity metasystem is to unify access and prevent applications from the complexities of managing identity, but in a manner which is loosely coupled (i.e. allowing for multiple operators, technologies and implementations). Many others have compared this to the way in which TCP\/IP unified network access, which paved the way for the connected systems that we have today.<\/p>\n

    The key players in an identity metasystem are:<\/p>\n