Join 3,425 readers in helping fund MetaFilter (Hide)


The Laws of Identity
April 22, 2006 11:57 PM   Subscribe

The Laws of Identity was a white paper written about a year ago by Kim Cameron, chief Identity and Access Architect for Microsoft. In it, he described a set of laws meant to govern the next generation of access control on the internet (also of note is his discussion about the failure of Passport). These ideas eventually evolved into Infocard, Microsoft's specific implementation of the laws, and a key software component of a larger identity metasystem that Microsoft proposes to introduce. The implications of this are very real, and quite sweeping in magnitude, as this infrastructure might one day be able to completely replace the current "login/password" type of access control system. [more inside]
posted by Drunken_munky (37 comments total) 2 users marked this as a favorite

 
Also, here's a video describing the nitty gritty of how the whole thing works, and a nice in depth interview with the man himself, wherein he talks about issues of vender neutrality, privacy, and how to get this whole darn thing to work. Highly recommended if you have the time.
posted by Drunken_munky at 11:57 PM on April 22, 2006


While I'm no expert on the topic, I don't think I agree with their basic premise of there being a need for a general "identity framework". What is the advantage to the user of this? Why would joe-consumer trust this meta-meta-keyholder system? Do we need central (realworld) key authorities, or meta-frameworks?
posted by signal at 12:30 AM on April 23, 2006


It's similar to the kind of certs that are assigned to web servers for https. Instead of 5 million different username/password/biometric/whatever, it is one single format for identification. From what I see, it's more of a format, than microsoft trying to become the Verisign of user identification. Although they'll probably provide that service.

Shame it's microsoft though. Their marketers will envariably make it proprietary in some form or fashion, and it will fail because it can be used on a mac, or with Solaris machines, and no one will want it.
posted by zabuni at 12:50 AM on April 23, 2006


can, or can't, zabuni?
posted by edgeways at 1:06 AM on April 23, 2006


errr can't. Shouldn't post at 1 AM.
posted by zabuni at 1:09 AM on April 23, 2006


Their marketers will envariably make it proprietary

Actually, it's interesting that you should mention that. One of the key points that Cameron makes in that interview I linked is that the system absolutely will not work if it's a Microsoft only technology. He says "Nothing that is proprietary is of any use in this world." So that's a fairly strong statement.

I would argue that recently (and only very recently) Microsoft has become a pretty hip company. I think that they recognize the importance of creating an open standard, and I think they especially recognize the importance of having that system be successful. It's technologies like that will really push Vista (heh, as if it required any pushing), because Infocard is a key component of both IE7 and WinFX. The platform is independent, though - Infocard is just the Microsoft specific implementation.

I had my doubts, too, when I first started to research this, but I really think they're on to something. Watch the technical video, it will really blow your mind. Well maybe not... but it'll at least gently nudge your mind in the other direction, anyway.
posted by Drunken_munky at 1:48 AM on April 23, 2006


It can't push Vista and be successful though, because if it doesn't work as well or doesn't have some features if it isn't in Vista, then that screws backwards compatibility and cross platformness. If the system is universal, it gives them no competitive advantage. Any competitive advantage will not make it universal. This is like TCP/IP or WiFi, too important to be left to the whims of one company.

Have they started a multi-organization group to talk about this? The guy's blog has a high level overview, but I would at least want to see a full level rfc like spec before I believed in full interoperability.
posted by zabuni at 3:08 AM on April 23, 2006


From What Infocard Is and Isn't:
The browser, which also has to be up-to-date, recognizes that this object has a “type” parameter that identifies it as an InfoCard request. It therefore triggers the InfoCard dynamic link library (DLL) module.
Subtext: hello proprietary Internet Explorer extensions!

It's a solution to a slightly different problem, but I'm going to sit here and whistle the OpenID song for a while.
posted by bwerdmuller at 3:33 AM on April 23, 2006


It's a solution to a slightly different problem, but I'm going to sit here and whistle the OpenID song for a while.

I like your song (OpenID is very cool), but I don't agree that they're the same. OpenID is based around using a single ID for many different sites, and authenticating on the user side (sort of).

This identity metasystem is a whole different beast. It's made to have multiple ID's for multiple sites, both self assigned and vender assigned. Authentication occurs via a third party (I think, I'm not sure I really understand that part yet). So it's not really a single unified login, so much as a standardized credential distribution and management system. I think. Complicated, yeah?

But, definitely can't argue about possible proprietary IE extensions! Hopefully DVD John will build us something nice for Firefox on Windows if we need it.
posted by Drunken_munky at 4:10 AM on April 23, 2006


It can or can't be a third party. It decouples the authentication from the application. The authentication server can be owned by the company, or they can use a third party.

The "cards" are files with the metadata that describes where to authenticate. You authenticate, get a token, pass the token to the web server. Token is signed, web server checks signature, gives ok.

Ah, this link makes me feel a little bit better. It goes down futher into the nitty gritty of how to create the Security Token Server.
posted by zabuni at 5:04 AM on April 23, 2006


Err....the Security Token Server Signs the token. "signed" in this case is an adjective.
posted by zabuni at 5:22 AM on April 23, 2006


Any effort that aims to reduce the number of useless username/password registration forms I have to fill in on the hundreds of websites I visit I consider a good thing.
posted by moonbiter at 5:25 AM on April 23, 2006


I would argue that recently (and only very recently) Microsoft has become a pretty hip company.

Not to derail, but: Really? I fail to recognized the hipness of prorietary closed source implementations full of security holes that require 2006 or better hardware to run.

M$ is lagging behind badly, they're being eaten alive and they don't even realize it. Just like when they shrugged off TCP/IP 10+ years ago and the Internet a little more recently.

This is a company that is making the same mistake not twice but three times -- a real sign of dumbness. Hadn't the marked been handed over to them on a platter when they started, they wouldn't exist nowadays.


This marvel of an open standard is described in a video encoded in a proprietary manner -- that's all microsoft right there: sometimes the best intentions in the world but always the clumsier way to make a buck.

I'll watch this thing die, just like most of M$ standardizations initiative that they unravelled in the past, oh, 20 years or so.
posted by NewBornHippy at 6:14 AM on April 23, 2006


When I read "The ideas presented here were extensively refined through the Blogosphere in a wide-ranging conversation documented at www.identityblog.com that crossed many of the conventional fault lines of the computer industry"..., I knew this was going to be a steaming pile of ill considered dreck, and I wasn't disappointed. The linked article starts with a number of unsupported sweeping generalizations about the Internet's "design" and best uses, and sinks rapidly into a morass of puerile self-justification.

Woe is us if this passes for security thinking, in any circle that doesn't jerk.

"Problem Statement

The Internet was built without a way to know who and what you are connecting to. "


Only a very small number of possible uses for a worldwide network of networks would see authentication as either useful or desirable, and as it has turned out, only those "uses" and "users" have been asked to pay for the costs of running security/identity authentication systems. The rest of us find unsecured email, Usenet, IRC, and Web not only useful, but highly desireable, and would appreciate greatly not being inconvenienced further by idiots such as Kim Cameron. There is no problem, Mr. Cameron, as you've defined it. Please STFU.
posted by paulsc at 6:24 AM on April 23, 2006


InfoCard runs on WindowsXP with WinFX and the IE7 beta, and Cameron says they have a better version of it ready to roll out for WinXP once Vista ships, so you're not going to have to upgrade to get on board once this stuff rolls out.
posted by tiamat at 6:44 AM on April 23, 2006


paulsc, do you really believe that?
posted by sfts2 at 6:51 AM on April 23, 2006


vender neutrality

vendor.
posted by quonsar at 6:57 AM on April 23, 2006


"paulsc, do you really believe that?
posted by sfts2 at 9:51 AM EST on April 23 [!]"


Indeed, I do, for several reasons:

1) Only a limited range of commercial and information uses of a common information network, such as the Internet, depend upon, or are enhanced by, authentication.

2) Nothing prevents people and organizations with a great interest or need for highly reliable identification and authentication mechanisms from building a network, or networks, of their own that incorporate(s) features that satisfy their needs, and I, for one, encourage them to do so immediately, so that I may never subscribe to them. No need to muck up the existing Internet, except for the self-seeking desire of those wanting such systems to piggyback their efforts upon the existing insecure but broadly built infrastructure.

3) No general system of pervasive ID is likely to be secure enough for the most secure needs, or the most sensitive uses. There is no universal circle of trust. There is no system of identification worth using that doesn't, sooner or later, depend upon some trust relationship. Thus, a "universal" system of authentication and identification management is a chimera.

4) Authentication systems which are broadly deployed want to become codified in law and commercial practice, in order to justify their costs of development, deployment, and on-going support. I don't want lawmakers telling me what I can and cannot do, insofar as authentication and identity management is concerned, as such centralized control is inimical to common law respect for anonymity, and the protections of disclosure of identity I now enjoy, and expect to continue to do so.
posted by paulsc at 7:14 AM on April 23, 2006


vender neutrality

vendor.


venda.
posted by 517 at 7:16 AM on April 23, 2006


paulsc is pretty much dead-on in his analysis here. There's really not much more to say.
posted by Ryvar at 7:33 AM on April 23, 2006


How do I know you're not paulsc's sockpuppet?
posted by srboisvert at 8:18 AM on April 23, 2006


How do I know you're not paulsc's sockpuppet?

Oh, I get it. This is supposed to show why we all need to identify ourselves online? The funny thing is, my first reaction was that you should be trusting or distrusting ideas, not usernames, which I'm guessing is not the point you intended to make.
posted by scottreynen at 8:32 AM on April 23, 2006


All I'll say is that at after reading your post, is that I hope you are not involved in a meaningful way in the development, maintenance or support of any systems that I use on the Internet that do require security.

Actually, I'll say this as well, with all due respect and I am sure that you are well-meaning, but I do not think you could be more wrong.
posted by sfts2 at 8:39 AM on April 23, 2006


I would also argue that Microsoft is becoming more open. They're not there yet, but seem to be making steps in that direction. I think they've started to realize that the market won't accept them doing their own thing. They're coming onboard with standards in Ie7, publishing open standards for C#, implementing OpenDocument formats in Office12, removing InternetExplorer from the core of the OS, and so on. Of course they're no linux, and probably never will be, but they're going in the right direction, at last.
posted by blue_beetle at 8:45 AM on April 23, 2006


Oh, I get it. This is supposed to show why we all need to identify ourselves online? The funny thing is, my first reaction was that you should be trusting or distrusting ideas, not usernames, which I'm guessing is not the point you intended to make.

No you don't get the point I was making at all and I don't think you really tried. You are ignoring the real problems of identity. Trusting ideas is a fine idea if we were all 100% objective robots operating with perfect logic. Creating an illusion of general consensus or of a small group of dissenters is psychologically powerful attitude manipulation. People do it because it works.

Ever since it became clear that there was quite a bit of sockpuppetry going on here the sense of community has suffered (at least it has for me). Dismissals of the importance of identity for all but high security or commercials applications doesn't fly for me because of communities. I like this place because of the people here. Their identities are key. Do I need to know where they live? No. Do I need to know their real name? No. Do I need to know that when someone posts the username they use is their username and that the people in the discussion are all individuals? Yes.
posted by srboisvert at 9:01 AM on April 23, 2006


Thanks paulsc, well said.

srboisvert, paulsc may have overstated the case with "[o]nly a limited range of commercial and information uses ... depend upon, or are enhanced by, authentication" - but not by much. If message boards - really just a subset of them - are added to the list I think that probably captures it (tho there may be some other example I can't think of right now). Think what a small proportion the set of "better off with authentication" sites and services bears to the whole range of sites, channels, etc. that an internet user may interact with.
posted by jam_pony at 9:42 AM on April 23, 2006


"... People do it because it works. ..."
posted by srboisvert at 12:01 PM EST on April 23 [!]"


Let me go out here on an old, well trodden limb from Usenet days...

Once upon a time, there was hope by many that this network of networks would, finally, be the mechanism by which a true global meritocracy of the intellect would become manifest in the world. Until about 1993, while the emergent DARPAnet transitioned through the Merit/ NSFNET management phase, such ambitions were even, perhaps by happenstance, prominent in the names of backbone organizations. The concept of a meritocracy of ideas is a powerful one in this medium, because, by means only of this medium in all of human history, can one individual really have a soapbox of his own, from which the whole world can, if it wants, hear him. But for many reasons, any real assurance that this medium can ever really function as a true meritocracy, requires that it protect, to a practical degree, real anonymity.

Why? Because in a marketplace of ideas, arguments which succeed on the strength of logos are best. Once personalities come into an argument, we have rhetorical jujitsu involving mythos and other methods which have no known reductions regarding truth, decideability, or error. Where we can, then, we try to stay away from these, in writing, since once we cross beyond the realm of logos, we are in political territory, and there be monsters lacking all reason there.

Not to say that it isn't fun to go play with the monsters at times. Capable men need not live in a meritocracy all their lives, or even, entirely, any day of their lives. But to be civilized, we have learned we must have some place to which we can always retreat, where respect for reason is inviolate, and the power and truth of an idea is independent entirely of the reputation of the person who utters it.

So, yeah, anonymity is vital to reasonable discourse. Along with anonymity come sock puppets and madmen, and it is only by the strength of the logos that you can live in a real meritocracy. Surprisingly, so far, it works...
posted by paulsc at 9:57 AM on April 23, 2006


paulsc is right that users don't need this. 99% of user needs can be taken care of with a technology like the Mac's keychain or Firefox's stored passwords -- you store your credentials in a central location encrypted with a master password. Syncing these among multiple computers is sort of a pain, but this could be solved without introducing a whole identity infrastructure. The company I used to work for, OneName, had a consumer identity technology as far back as last century, but they gave up on trying to get consumers interested in it. People who are willing to give up their personal information for a free candy bar, as most of us will, do not care much about a technology that promises to protect it. There were people who cared, but not enough to make a market selling identity solutions to companies who wanted to cater to them. We actually let you download a program that let you host your identity on your own computer, so you had complete control of privacy and so forth, and there was just no interest. Of course one reason for the lack of interest was the fact that no Web sites supported XNS, our protocol, but the reason that no Web sites supported it was that none of their customers were demanding it.

Identity is much more interesting to governments and enterprises as a means of system integration and decentralized access control. The US government has an initiative for an information-sharing environment that is essentially an identity application, for example (Google "Markle report" for details on their needs). The company I work for now is doing some work with some Middle Eastern countries for immigration and customs integration. Our newest product is intended to address these needs. It's odd to see government taking the lead on adopting a new technology, but the government needs are real and urgent, while business needs are mostly externally imposed on them by government (HIPAA, GLBA, etc.) that can be addressed in a kludgey but less expensive way.

I'm kind of surprised to see Microsoft chasing the consumer market. If anyone can force consumers to adopt identity technology, Microsoft can, but it's not where the easy money is by any means.
posted by kindall at 10:05 AM on April 23, 2006


It seems to me that mutual authentication with certainty is impossible in principle. (Maybe this is already a well known truism in CS but it seems obvious enough for some of us self-taught types to notice it too.)

As paulsc observed,
"There is no system of identification worth using that doesn't, sooner or later, depend upon some trust relationship."
This is the fundamental, irreducible problem. Supose A and B are interacting remotely, and there's some device or system that gives A a certainty equal in some sense to the strength of modern cryptography that the other party really is B. Then that device or system must be sealed off from B such that it cannot be considered trustworthy from B's point of view.

So from a CS point of view, you can have certainty one way but not both ways.

What you can have with equal certainty and trust on both sides is something less than authentication - each runs his/her own identity server; then at best you can verify that the party purporting to be A on one occasion has the same private key as the party purporting to be A on another occasion.

So I suspect that what we're looking at here is a scheme that's intended to get into wide use by making nice noises about "privacy" and "control" and so forth and glossing over the one-way nature of the trust involved; and then once accepted is intended to be used as a much more effective way for businesses and government to track users from site to site, match up emails with senders, etc. - basically to abolish anonymity.
posted by jam_pony at 10:06 AM on April 23, 2006


Those defending this plan; I want to know: Where are you finding yourself in a position where you say "Gee, I wish all of my internet-related authentications were controlled by a single entity, that way it wouldn't be any easier for me than it already is, but the chances of the system failing would be exponentially greater."

Because that's what this is. Centralization is contrary to the very framework of the internet. When you have one authority, and that authority goes down for 20 minutes, all hell breaks loose. When you have multiple authorities, and one goes down for 20 minutes, a significantly smaller portion of hell breaks loose.
posted by odinsdream at 10:17 AM on April 23, 2006


odinsdream, MS is promoting infocard precisely on the basis that it's decentralized. They admit that MS Passport failed to spread beyond MS services because other organizations didn't want MS involved. This is more like a protocol that MS is offering a spec for, and which anyone can implement (so they say).

BTW, technical specifications can be copyrighted or patented and royalties charged for use, even if all the underlying tech is open. Maybe that's another Microsoft angle here.
posted by jam_pony at 10:23 AM on April 23, 2006


How about they close up the top forty or fifty security holes in the latest version of Windows, and get back to me about securing the all of the Internets for everybody after they have their own product secure?

**Grumble**Kalifornia busybodies**Hey! You Kids Get Off My Damn OS!**Grumblemutter**
posted by Ken McE at 10:39 AM on April 23, 2006


Mmmmmm! Sounds like Unicard has arrived!

(Walker is wetting himself with bitter amusement, I'm sure.)
posted by adamgreenfield at 11:05 AM on April 23, 2006


The concept of identity ought to be replaced by the concept of reputation.

For example, rather then having a Equifax type credit rating tied to your identity, you would provide a prospective creditor with a list of references. The referents would then contact you to validate the request, and pass along whatever praises they have to sing of you. If a creditor has a negative experience with you, they can pass that information back to the original referent who might then reconsider sending positive information about you again in the future.

All of this would be done automatically using computer systems.

Many federal and state laws are predicated on the concept of identity, but those could be rewritten if we were really serious. On the other hand removing identity from the commercial sphere would be much simpler, although regulation would probably be required to push it forward.
posted by delmoi at 3:19 PM on April 23, 2006


srboisvert: my point exactly
posted by Ryvar at 9:50 AM on April 24, 2006


Holy derails batman!

Ok, I actually do this stuff for a living. Google SAML and read up on it's profile definitions. It's not centralized at all, and it doesn't require an encrypted password store on the client either.

It's actually quite simple and transparent to the user, and depends on trust relationships between enterprises. I'd love it if mefi trusted delicious, and once i was logged into one i was logged into the other.
posted by butterstick at 10:18 AM on April 24, 2006


Just wanted to say very nice comments all. I'm learning all kinds of things
posted by Smedleyman at 11:16 AM on April 24, 2006


« Older Ripples of Genocide....  |  Legio Patria Nostra... Newer »


This thread has been archived and is closed to new comments