After months of hearing about Windows Vista eye candy (and hardly scraping the surface with anything of real substance with regards to the operating system platform), there seems to be a lot of talk about digital identity at Microsoft right now. A couple of weeks back I was at the Microsoft UK Security Summit, where I saw Kim Cameron (Microsoft’s Chief Architect for identity and access) give a presentation on CardSpace (formerly codenamed “InfoCard”) – a new identity metasystem contained within the Microsoft .NET Framework v3.0 (expected to be shipped with Windows Vista but also available for XP). Then, a couple of days ago, my copy of the July 2006 TechNet magazine arrived, themed around managing identity.

This is not the first time Microsoft has attempted to produce a digital identity management system. A few years back, Microsoft Passport was launched as a web service for identity management. But Passport didn’t work out (Kim Cameron refers to it as the world’s largest identity failure). The system works – 300 million people use it for accessing Microsoft services such as Hotmail and MSN Messenger, generating a billion logons each day – but people don’t want to have Microsoft controlling access to other Internet services (eBay used Passport for a while but dropped it in favour of their own access system).

Digital identity is, quite simply, a set of claims made about a subject (e.g. “My name is Mark Wilson”, “I work as a Senior Customer Solution Architect for Fujitsu Services”, “I live in the UK”, “my website is at http://www.markwilson.co.uk/”). Each of these claims may need to be verified before they are acted upon (e.g. a party to whom I am asserting my identity might like to check that I do indeed work where I say I do by contacting Fujitsu Services). We each have many identities for many uses that are required for transactions both in the real world and online. Indeed, all modern access technology is based on the concept of a digital identity (e.g. Kerberos and PKI both claim that the subject has a key showing their identity).

Microsoft’s latest identity metasystem learns from Passport – and interestingly, feedback gained via Kim Cameron’s identity weblog has been a major inspiration for CardSpace. Through the site, the identity community has established seven laws of identity:

1. User control and consent.
2. Minimal disclosure for a defined use.
3. Justifiable parties.
4. Directional identity.
5. Pluralism of operators and technologies.
6. Human integration.
7. Consistent experience across contexts.

Another area where CardSpace fundamentally differs from Passport is that Microsoft is not going it alone this time – CardSpace is based on WS-* web services and other operating system vendors (e.g. Apple and Red Hat) are also working on comparable (and compatible) solutions. Indeed, the open source identity selector (OSIS) consortium has been formed to address this technology and Microsoft provides technical assistance to OSIS.

The idea of an identity metasystem is to unify access and prevent applications from the complexities of managing identity, but in a manner which is loosely coupled (i.e. allowing for multiple operators, technologies and implementations). Many others have compared this to the way in which TCP/IP unified network access, which paved the way for the connected systems that we have today.

The key players in an identity metasystem are:

• Identity providers (who issue identities).
• Subjects (individuals and entities about which claims are made).
• Relying parties (require identities).

Each relying party will decide whether or not to act upon a claim, depending on information from an identity provider. In the real world scenario, that might be analogous to arriving at a client’s office and saying “Hello, I’m Mark Wilson from Fujitsu Services. I’m here to visit your IT Manager”. The security/reception staff may take my word for it (in which case this is self-issued identity and I am both the subject and the provider) or they may ask for further confirmation, such as my driving license, company identity card, or a letter/fax/e-mail inviting me to visit.

In a digital scenario the system works in a similar manner. When I log on to my PC, I enter my username to claim that I am Mark Wilson but the system will not allow access until I also supply a password that only Mark Wilson should know and my claims have been verified by a trusted identity provider (in this case the Active Directory domain controller, which confirms that the username and password combination matches the one it has stored for Mark Wilson). My workstation (the relying party) then allows me access to applications and data stored on the system.

In many ways a username and password combination is a bad identity analogy – we have trained users to trust websites that ask them to enter a password. Imagine what would happens if I was to set up a phishing site that asks for a password. Even if the correct password is entered then the site would claim that it was incorrect. A typical user (and I am probably one of those) will then try other passwords – the phishing site now has an extensive list of passwords available which can then be used to access other systems pretending to be the user whose identity has been stolen. A website may be protected by many thousands miles of secure communications but as Kim Cameron put it, the last one metre of the connection is from the computer to the user’s head (hence identity law number 6 – human integration) – identity systems need to be designed in a way that is easy for users to make sense of, whilst remaining secure.

CardSpace does this by presenting the user with a selection of digital identity cards (similar to the plastic cards in our wallets) and highlighting only those that are suitable for the site. Only publicly available information is stored with the card (so that should hold phishers at bay – the information to be gained is useless to them) and because each card is tagged with an image (and only appropriate cards are highlighted for use), I know that I have selected the correct identity (why would I send my Government Gateway identity to a site that claims to be my online bank?). Digital identities can also be combined with other access controls such as smartcards. The card itself is just a user-friendly selection mechanism – the actual data transmitted is XML-based.

CardSpace runs in a protected subsystem (similar to the Windows login screen) – so when active there is no possibility of another application (e.g. malware) gaining access to the system or of screenscraping taking place. In addition, user interaction is required before releasing the identity information.

Once selected, services that require identities can convert the supplied token between formats using the WS-Trust service for encapsulating protocol and claims transformation. For negotiations, WS-MetadataExchange and WS-SecurityPolicy are used. This makes the Microsoft implementation fully interoperable with other identity selector implementations, with other relying party implementations and with other identity provider implementations.

Microsoft is presently building a number of components to its identity metasystem:

• CardSpace identity selector (usable by any application, included within .NET Framework v3.0 and hardened against tampering and spoofing).
• CardSpace simple self-issued identity provider (makes use of strong PKI so that the user does not disclose passwords to relying parties).
• Active Directory managed identity provider (to plug corporate users in to the metasystem via a full set of policy controls to manage the use of simple identities and Active Directory identities).
• Windows Communication Foundation (for building distributed applications and implementing relying party services.

Post-Windows Vista, we can expect the Windows Login to be replaced with an CardSpace-based system. In the meantime, to find out more about Microsoft’s new identity metasystem, check out Kim Cameron’s identity blog, The Windows CardSpace pages and David Chappell’s Introducing InfoCard article on MSDN, and the July 2006 issue of TechNet magazine.