SAN FRANCISCO — May 12, 2005 — The Digital ID World Conference is the technology industry’s leading conference on digital identity, where thought leaders, business executives, security architects, IT managers and others gather each year to discuss digital-identity technologies and solutions. This was the fourth meeting of the conference, held in San Francisco. At the event, Kim Cameron, Microsoft’s chief architect of identity and access, was one of the recipients of the 2005 Digital ID World Industry Awards for Balancing Innovation and Reality. The award was given in recognition of Cameron’s outstanding contributions to the digital identity industry.
The conference provided a forum for an important industry discussion to continue around making the Internet safer, with the potential to boost e-commerce, spark a software renaissance and combat phishing and the security problem known as “password fatigue.”
PressPass spoke with Cameron to learn more about his contributions to digital identity technology, what he calls his “Laws of Identity” and the blog he uses to exchange ideas with a wide range of industry experts on what a successful digital identity system for the Internet should look like.
PressPass: Please talk about your contributions to the digital identity industry that led to being one of the recipients of this year’s Digital ID World Industry Awards for Balancing Innovation and Reality?
Cameron: I’ve been working on digital identity since the early ’80s. I started out doing directories for e-mail systems, and later started working on ways to exchange information between multiple, competing directories. I invented a technology called metadirectory that would accept the fact that there were multiple centers of information and allow you to administer them in a unified way, and connect them up so that the information would flow from one to the other. That was a product that had a big impact on the industry, with many large players now having metadirectories. Microsoft acquired the metadirectory I developed, then I came to Microsoft to develop it further.
PressPass: What are the main problems with digital identity on the Internet today?
Cameron: The Internet was designed without a system of digital identity, so people have had to make up a patchwork of ad-hoc digital-identity solutions that are different at every Web site a user goes to, and that makes the system as a whole fragile.
As the value of what we do on the Internet has increased, so have criminal activities. We have international groups of highly educated and capable people attacking this patchwork through such practices as phishing. Compounding this is “password fatigue” — stemming from people’s need to keep track of an increasing number of passwords in order to access resources on the Internet. Microsoft and all the other parties who believe in the future of applications and business in cyberspace are being held back by this patchwork, and we predict that the situation will become a lot worse unless industry-wide action is taken.
PressPass: Why aren’t existing efforts good enough?
Cameron: A lot of good work has been done to handle specific scenarios. For example, there are standards that focus on the scenario of going to visit one company and being connected to the partners of that company. But again, these are part of a patchwork unless we can put them in the context of a unifying fabric. To date, there is no set of standards that has been proposed that would specifically enable that fabric. We need a system for digital identity that assumes people will have several digital identities based on multiple underlying identity technologies, implementations and providers — one that ultimately helps users and organizations better safeguard their digital identities and privacy.
Microsoft Passport is one of the things that started my research into what I call the “Laws of Identity.” Passport, on one hand, has been phenomenally successful, with 1 billion authentications per day and 250 million people using it to log in to MSN Hotmail and other Microsoft properties. Microsoft continues to invest in Passport for the purpose of providing the logon services for MSN, Hotmail and other Microsoft properties. On the other hand, we have learned from Passport and other approaches in the industry that a single provider or a single technology can’t meet the needs of all customers.
PressPass: How are you working with the community on your vision for digital identity on the Internet?
Cameron: To really drive a widely accepted solution for digital identity, we need more than a few big companies getting together and saying this is how it’s going to be. Achieving an interoperable and safe solution for digital identity requires collaboration among several parties, such as Web sites, vendors, government people, thinkers, legal minds and so on. The approach I have taken is one that is both born out of, and the foundation for, the grass-roots nature of the Internet community.
Most recently, I became interested in the problem of how users can learn to understand and control their digital identities, and we put together a group to completely rethink that. I also set up a blog to present this thinking to other thinkers at Microsoft, and to share it and interact with other thinkers across the industry. It’s been a very exciting experience, and one result of this process was defining the Laws of Identity. These are a set of seven hypotheses that we’ve worked on and refined that really define what a successful and broadly adopted identity system looks like for the Internet. They are:
The Law of User Control and Consent: Digital identity systems must only reveal information identifying a user with the user’s consent.
The Law of Minimal Disclosure for Limited Use: The solution which discloses the least identifying information possible is the most stable, long-term solution.
The Law of Justifiable Parties: Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
The Law of Directed Identity: A universal identity metasystem must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
The Law of Pluralism of Operators and Technologies: A universal identity metasystem must channel and enable the interworking of multiple identity technologies run by multiple identity providers.
The Law of Human Integration: A universal identity metasystem must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communications mechanisms offering protection against identity attacks.
The Law of Contexts: A universal identity metasystem must define the human user to be a component integrated through protected and unambiguous human-machine communications.
Others can join the discussion of the Laws of Identity, at www.identityblog.com.
PressPass: What is the identity metasystem that you talk about on your blog?
Cameron: These seven laws lead to the conclusion that a successful and broadly adopted identity system on the Internet needs to be a “system of systems” with a single and consistent user experience. You want that unified experience, but you want that openness underneath. An identity metasystem for the Internet would integrate all the different identity technologies into it — X.509, which is used in SmartCards; Kerberos, which is used in Active Directory and some UNIX environments; and SAML (Security Assertions Markup Language), which is used increasingly in federation across the Web. It could live on Windows platforms, Linux, UNIX, mainframes, devices and others. To develop this metasystem, we need four things:
Policy Negotiation. This enables the underlying hardware and software to figure out common formats needed for two parties to interoperate within the metasystem. Policies include type of technology being used (Kerberos or X.509, for example) and type of information to be provided.
Encapsulating Protocol. This is a technology-neutral way to exchange policies and “claims” — keys, secrets or pieces of information that a user “claims” to be true — between parties within the metasystem.
Claims Transformers. These bridge organizational and technology boundaries by translating a claim written to one system so it can be understood by the other system.
Consistent User Experience. This provides a single, predictable experience across multiple systems, enabling the user to make better-informed decisions.
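The following is an added illustration, not code from the original interview and not Microsoft’s InfoCard or Active Directory implementation. It sketches a claims transformer of the kind described above, applied together with two of the laws listed earlier: minimal disclosure (the relying party receives only the claims its policy asked for, and a derived claim such as “over 18” rather than the birth date it came from) and directed identity (the user’s subject identifier is replaced by a unidirectional, per-relying-party value keyed by the site’s public name, so two sites cannot correlate the user through it). The sample user claims, the relying-party names, the transformation rules and the identity provider’s pairwise secret are all constructed for the example; the HMAC-based derivation is one common way to build a pairwise identifier, not the technique the page attributes to any product.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample: claims an identity provider (IdP) holds about one user.
# Illustrative values only; not data from the original page.
IDP_CLAIMS = {
    "subject": "user-83641",
    "email": "alice@example.com",
    "given_name": "Alice",
    "birth_date": "1980-06-15",
    "postal_address": "1 Main St, Springfield",
}

# Hypothetical long-lived secret kept by the IdP. It is what prevents relying
# parties from recomputing or joining the pairwise identifiers below.
IDP_PAIRWISE_SECRET = b"example-idp-pairwise-secret"


def unidirectional_id(subject: str, relying_party: str,
                      secret: bytes = IDP_PAIRWISE_SECRET) -> str:
    """Unidirectional identifier for one (user, relying party) pair.

    HMAC-SHA256 over the subject and the relying party's public,
    omnidirectional identifier (here, its DNS name). Deterministic, so the
    same user is recognised on return visits to the same site, but two
    sites cannot join their records on it without the IdP's secret.
    """
    message = subject.encode() + b"\x00" + relying_party.encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def _age_on(birth_date: str, today: str) -> int:
    """Whole years between two ISO dates, adjusting for a birthday not yet reached."""
    born, now = date.fromisoformat(birth_date), date.fromisoformat(today)
    return now.year - born.year - ((now.month, now.day) < (born.month, born.day))


# Hypothetical transformation rules: relying-party claim name -> a function of
# the IdP's claims. Each rule releases only the derived value. Claims with no
# rule (e.g. postal_address) are never released, even if requested.
CLAIM_RULES = {
    "email": lambda c, today: c["email"],
    "given_name": lambda c, today: c["given_name"],
    "over_18": lambda c, today: _age_on(c["birth_date"], today) >= 18,
}


def transform_claims(idp_claims: dict, relying_party: str, requested: list,
                     today: str = "2005-05-12") -> dict:
    """Claims transformer for one relying party.

    Returns only the requested claims the IdP's rules permit (minimal
    disclosure) and swaps the real subject for a pairwise identifier
    (directed identity). `today` is fixed so the example is reproducible.
    """
    out = {
        "audience": relying_party,  # omnidirectional: the site's public name
        "subject": unidirectional_id(idp_claims["subject"], relying_party),
    }
    for name in requested:
        rule = CLAIM_RULES.get(name)
        if rule is not None and name != "subject":
            out[name] = rule(idp_claims, today)
    return out


def demo():
    """The same user presented to two relying parties with different policies."""
    shop = transform_claims(IDP_CLAIMS, "shop.example", ["email", "over_18"])
    forum = transform_claims(IDP_CLAIMS, "forum.example",
                             ["given_name", "postal_address"])
    return shop, forum


if __name__ == "__main__":
    for token in demo():
        print(json.dumps(token, indent=2))
```

Running the block shows the shop receiving an age-over-18 boolean but never the birth date, the forum receiving a given name but not the address it asked for, and each site receiving a different 64-character subject value for the same user. A real identity provider would additionally gate each release on the user’s consent and would sign the resulting claim set for the relying party; both are left out here to keep the transformation step visible.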
PressPass: How will the identity metasystem get built?
Cameron: We have a unique opportunity that doesn’t come around too often in our industry. Web Services really represents an opportunity for us to define an architecture for connecting systems that run on different platforms in ways we have only dreamed of previously — or spent millions to achieve. The interoperable architecture for Web Services that Microsoft and others in the industry are driving toward provides the underlying protocols for building the identity metasystem. WS-* Web Services Architecture, as it has been named in the industry, provides a set of open, royalty-free protocols that enable existing, emerging and new identity technologies and standards to be used and to interoperate.
PressPass: What are the main benefits of an identity metasystem?
Cameron: It will help prevent the industry from moving into an Internet Dark Age, where we have no safety on the Internet. Secondly, once we have a way of understanding our identities and using them consistently, we can do things like let our friends and family access digital resources we have — photo albums or home movies online, for example — without opening them up to everyone in the world. Right now, our only manageable alternative is to keep everything completely to ourselves or share it with everybody.
My view is that all software will change as this becomes possible. Our e-mail experience will be a lot different if we have a good identity infrastructure, as will our interaction with PCs, mobile phones and media devices in the home, and our ability to represent people in documents. For instance, a blog reference to another party could be a doorway into a part of that party’s identity that they want to share publicly.
PressPass: Who are the key participants with the identity metasystem?
Cameron: There are many categories of players, including identity providers, relying parties, software innovators and end users. Identity providers, which issue identities, could include community organizations that would offer an identity for community interaction, governments that want to make credentials available for use on government Web sites that protect citizens’ privacy between the different government departments, or large Web sites that want to offer identities to their hundreds of thousands, or millions of subscribers.
Relying parties include anyone running a Web site that could consume the identities offered by other parties. They present integration opportunities for software producers and platform producers. Software innovators might want to rethink their software in light of interpersonal computers, or so-called social computing, rather than just individual computers.
And then there are the end users, many of whom would love to eliminate the annoyance of the current patchwork system to get this metasystem so they can be safe and do things more easily, using secure tokens as the means to authenticate and verify identity information, instead of multiple usernames and passwords.
PressPass: How does the identity metasystem fit in with Microsoft’s vision and product strategy for digital identity?
Cameron: Web services — one of Microsoft’s most important strategies for building interoperable or connected systems — cannot reach its potential if we don’t have an identity system in place. Our goal is to help the emergence of an identity system that results in great interoperable Web services software where identity is forethought and not something that gets bolted on afterwards. As I said earlier, this is important in beginning to move from a patchwork system to one that is more fully integrated and simpler and easier to apply.
Regarding product strategy, Microsoft is working on a Web services-based implementation, code-named “InfoCard,” to make the end-user experience around using digital identity simpler and safer. In the coming weeks, we will ship a technical preview targeted at the developer community. For the enterprise, Active Directory will plug into the identity metasystem. Active Directory Federation Services, a new Active Directory feature coming with Windows Server 2003 R2 later this year, is the first step to integrating identities in Active Directory with the identity metasystem.