eID Summer Summit, 28 June 2005
EAP's Sponsored and in Partnership with
7 Laws of Identity
Kim Cameron, Chief Architect of Identity and Access, MS Corp, Redmond
Microsoft and e-ID

Dec 15, 2015

Transcript
Page 1:

eID Summer Summit

28 June 2005

EAP's Sponsored and in Partnership with

7 Laws of Identity

Kim Cameron
Chief Architect of Identity and Access
MS Corp, Redmond

Microsoft and e-ID

Page 2:

Microsoft Confidential

The Laws of Identity

http://www.identityblog.com
Kim Cameron
Architect of Identity and Access
Microsoft Corporation

Page 3:

Problem Statement

- The Internet was built without a way to know who and what you are connecting to
- Everyone offering an internet service has had to come up with a workaround
  - Patchwork of identity one-offs
  - We have inadvertently taught people to be phished and pharmed
  - No fair blaming the user: no framework, no cues, no control
- We are "missing the identity layer"
  - Digital identity currently exists in a world without synergy because of identity silos

Page 4:

Criminalization of the Internet

- Greater use and greater value attract a professionalized international criminal fringe
- Understand the ad hoc nature of the identity patchwork
  - Phishing and Pharming ("Phraud") at 1000% CAGR
  - Combine with "stash attacks" reported as "identity losses"...
- Unwinding of acceptance where we should be seeing progress
- Opportunity of moving beyond "public-ation"
  - Need to intervene so web services can get out of the starting gate
- The ad hoc nature of internet identity cannot withstand the growing assault of professionalized attackers
- We can predict a deepening public crisis

Page 5:

An Identity Metasystem

- Diverse needs of players mean integrating multiple constituent technologies
- Not the first time we've seen this in computing
  - Think back to things as basic as abstract display services made possible through device drivers
  - Or the emergence of sockets and TCP/IP: unified Ethernet, Token Ring, Frame Relay, X.25 and even the uninvented wireless protocols
- We need a "unifying identity metasystem"
  - Protect applications from the complexities of systems
  - Allow digital identity to be loosely coupled
  - Avoid the need to agree on dominant technologies a priori; they will emerge from the ecosystem

Page 6:

The role of "The Laws"...

- We must be able to structure our understanding of digital identity
- We need a way to avoid returning to the Empty Page every time we talk about digital identity
- We need to inform people's thinking by teasing apart the factors and dynamics explaining the successes and failures of identity systems since the 1970s
- We need to develop hypotheses, resulting from observation, that are testable and can be disproved
- The Laws of Identity offer a "good way" to express this thought
- Beyond mere conversation, the Blogosphere offers us a crucible. The concept has been to employ this crucible to harden and deepen the laws.

Page 7:

1. User Control and Consent

Digital identity systems must only reveal information identifying a user with the user's consent.

- Relying parties can require authentication
  - The user can choose to comply or "walk away"
- The system should appeal by means of convenience and simplicity and win the user's trust
  - Put the user in control of what identities are used and what information is released
  - Protect against deception (destination and misuse)
  - Inform the user of auditing implications
  - Retain the paradigm of consent across all contexts

Page 8:

2. Minimal Disclosure for Limited Use

The solution that discloses the least identifying information and best limits its use is the most stable long-term solution.

- Consider information breaches to be inevitable
- To mitigate risk, acquire and store information on a "need to know" and "need to retain" basis
- Less information implies less value implies less attraction implies less risk
- "Least identifying information" includes reduction of cross-context information (universal identifiers)
- Limit information hoarding for unspecified futures
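As an added example, not code from the slides or from any product the talk describes, here is the "need to know" rule of this law as an identity provider would enforce it when answering a relying party's request. The relying party names the claims it needs; the provider answers a predicate such as age_over_18 with a boolean derived from the birth date rather than releasing the date itself, includes nothing that was not asked for, and refuses cross-context identifiers (the national_id field here) no matter who asks. The subject record, the claim names and the shape of the request are constructed assumptions for this illustration.

```python
# Added example, not from the original slides: an identity provider that
# answers a relying party's claim request with the least identifying
# information that satisfies it. The subject record is constructed sample
# data; the claim names and request shape are assumptions for illustration.
from datetime import date

# Constructed sample record held by the identity provider.
SUBJECT = {
    "given_name": "Ann",
    "family_name": "Example",
    "birth_date": date(1980, 6, 15),
    "street_address": "12 Sample Street",
    "postal_code": "1000",
    "country": "BE",
    "national_id": "80061512345",  # cross-context identifier: never released
}

# Attributes the provider will return verbatim if, and only if, asked for by name.
DIRECT_CLAIMS = {"given_name", "family_name", "birth_date",
                 "street_address", "postal_code", "country"}

# Cross-context identifiers are refused regardless of who asks (law 2:
# reduce universal identifiers).
NEVER_RELEASED = {"national_id"}


def age_on(birth_date, today):
    """Whole years between birth_date and today."""
    years = today.year - birth_date.year
    if (today.month, today.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def derive_claim(subject, claim, today):
    """Resolve one requested claim to the least identifying value that answers it.

    A predicate such as 'age_over_18' is answered with a boolean computed from
    the birth date; the birth date itself leaves the provider only when it is
    requested by name. Unknown claims raise KeyError.
    """
    if claim.startswith("age_over_"):
        threshold = int(claim[len("age_over_"):])
        return age_on(subject["birth_date"], today) >= threshold
    if claim in DIRECT_CLAIMS:
        return subject[claim]
    raise KeyError(claim)


def release_claims(subject, requested, today=None):
    """Return (claims, refused).

    'claims' contains exactly the requested claims the provider is willing to
    assert; 'refused' lists the requested names it will not or cannot supply.
    Nothing unrequested is ever included, so a later breach at the relying
    party exposes only what that party needed. 'today' may be a date or an
    ISO-8601 string (the evaluation date for age predicates).
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    claims, refused = {}, []
    for name in requested:
        if name in NEVER_RELEASED:
            refused.append(name)
            continue
        try:
            claims[name] = derive_claim(subject, name, today)
        except (KeyError, ValueError):
            refused.append(name)
    return claims, refused


if __name__ == "__main__":
    # A relying party that only needs to know the subject is an adult in Belgium.
    print(release_claims(SUBJECT, ["age_over_18", "country"], "2005-06-28"))
```

The refused list is returned rather than silently dropped so the relying party learns that its request was over-broad; in a real deployment that is also where the "statement about information use" of law 3 would be checked before anything is released.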

Page 9:

3. Justifiable Parties

Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.

- Justification requirements apply both to the subject and to the relying party
- Example of Microsoft's experience with Passport
- In what contexts will use of government identities succeed and fail?
- Parties to a disclosure must provide a statement about information use

Page 10:

4. Directed Identity

A unifying identity metasystem must support both "omni-directional" identifiers for public entities and "unidirectional" identifiers for private entities.

- Digital identity is always asserted with respect to some other identity or set of identities
- Public entities require well-known "beacons"
  - Examples: web sites or public devices
- Private entities (people) require the option to not be a beacon
  - Unidirectional identifiers used in combination with a single beacon: no correlation handles
- Example of Bluetooth and RFID: growing pushback
  - Wireless was also mis-designed in light of this law
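As an added example, not code from the slides or from any product the talk describes, here is one way to realise "unidirectional identifiers used in combination with a single beacon". The relying party's beacon is public and the same for everyone; the person's identifier at that party is derived from a per-user secret and that beacon, so it is stable at one site but gives two sites no common handle to join their records on. The beacon format (hostname bound to a certificate fingerprint), the HMAC-SHA256 derivation and the sample parties are assumptions constructed for this illustration; they are not a description of any specific scheme.

```python
# Added example, not from the original slides: a "unidirectional" identifier
# for a person, derived separately for each relying party from that party's
# "omni-directional" beacon, so that two relying parties hold no common
# handle to correlate on. The beacon format (hostname bound to a certificate
# fingerprint) and the HMAC derivation are assumptions for this illustration,
# not a description of any particular product's scheme.
import hashlib
import hmac
import secrets


def beacon(hostname, cert_der):
    """The relying party's public identifier: the same for every visitor.

    Binding the name to the SHA-256 fingerprint of the site's certificate
    means a look-alike host with a different certificate is a different beacon.
    """
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    return f"{hostname.lower()}|{fingerprint}"


def pairwise_identifier(user_secret, rp_beacon):
    """A unidirectional identifier for (this user, this relying party).

    HMAC-SHA256 under a per-user secret is stable for one beacon and, without
    the secret, gives no way to compute or recognise the value the same user
    presents at any other beacon.
    """
    return hmac.new(user_secret, rp_beacon.encode(), hashlib.sha256).hexdigest()


def universal_identifier(user_secret):
    """For contrast: one value presented everywhere, i.e. the user as a beacon."""
    return hashlib.sha256(user_secret).hexdigest()


def can_correlate(id_at_a, id_at_b):
    """All two colluding relying parties can do is compare what each holds."""
    return hmac.compare_digest(id_at_a, id_at_b)


def demo():
    # Constructed sample data: a fresh user secret, two relying parties, and a
    # look-alike of the shop with its own (placeholder) certificate bytes.
    user_secret = secrets.token_bytes(32)
    shop = beacon("shop.example", b"constructed certificate bytes for shop")
    bank = beacon("bank.example", b"constructed certificate bytes for bank")
    phish = beacon("shop.example", b"constructed certificate bytes for phish")

    id_at_shop = pairwise_identifier(user_secret, shop)
    id_at_bank = pairwise_identifier(user_secret, bank)
    id_at_phish = pairwise_identifier(user_secret, phish)
    uid = universal_identifier(user_secret)

    return {
        # Same user, same beacon, same identifier: the shop recognises a returning customer.
        "stable": id_at_shop == pairwise_identifier(user_secret, shop),
        # Shop and bank cannot join their records on the identifier.
        "pairwise_correlatable": can_correlate(id_at_shop, id_at_bank),
        # A look-alike site does not even learn the identifier used at the real shop.
        "phish_gets_shop_id": can_correlate(id_at_shop, id_at_phish),
        # A universal identifier is a correlation handle by construction.
        "universal_correlatable": can_correlate(uid, uid),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same reasoning is what the slide's Bluetooth and RFID remark points at: a device that transmits one fixed address to every listener is a beacon whether or not its owner wants to be one, and the fix is the same per-peer derivation rather than a single world-readable identifier.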

Page 11:

5. Pluralism of Operators and Technologies

A unifying identity metasystem must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.

- Characteristics that make a system ideal in one context disqualify it in another
  - Example of government versus employer versus individual as consumer and human being
  - Craving for "segregation" of contexts
- Important new technologies are currently emerging: must not glue in a single technology or require a "fork-lift" upgrade
- Convergence can occur, but only when there is a platform (identity ecology) for that to happen in

Page 12:

6. Human Integration

A unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications.

- We've done a good job of securing the first 5,000 miles but allowed penetration of the last 2 feet
- The channel between the display and the brain is under attack
- Need to move from thinking about a protocol to thinking about a ceremony
- Example of Channel 9 on United Airlines
- How to achieve the highest levels of reliability in communication between the user and the rest of the system

Page 13:

7. Consistent Experience Across Contexts

A unifying identity metasystem must provide a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

- Make identities "things" on the desktop so users can see them, inspect details, add and delete
- What type of digital identity is acceptable in a given context?
  - Properties of potential candidates specified by the relying party
  - User selects one and understands the information associated with it
- A single relying party may accept more than one type of identity
- Facilitate "Segregation of Contexts"
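As an added example, not code from the slides or from any product the talk describes, here is the selection step this slide outlines: the relying party states the properties of identities it will accept, the selector offers only the user's identities that qualify (possibly of several types from several issuers), shows exactly what each would release, and lets the user pick one or walk away. The Policy and Card shapes and the sample wallet are assumptions constructed for this illustration.

```python
# Added example, not from the original slides: the selection step this slide
# describes, in which the relying party states the properties of identities it
# will accept and the user picks one of those that qualify, seeing what it
# would release. The Policy and Card shapes are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """What the relying party will accept: claims it needs, claims it would
    like, and the issuers it trusts (empty means any issuer, including the
    user's own self-issued identities)."""
    required_claims: frozenset
    optional_claims: frozenset = frozenset()
    issuers: frozenset = frozenset()


@dataclass(frozen=True)
class Card:
    """One identity the user holds, as a visible 'thing' in the selector."""
    name: str
    issuer: str
    claims: frozenset


def candidates(cards, policy):
    """Cards the selector should offer for this policy, in a stable order.

    A card qualifies only if its issuer is acceptable and it can assert every
    required claim. Missing optional claims never disqualify a card, and one
    policy may admit identities of different types from different issuers.
    """
    offered = [
        card for card in cards
        if (not policy.issuers or card.issuer in policy.issuers)
        and policy.required_claims <= card.claims
    ]
    return sorted(offered, key=lambda card: card.name)


def disclosure_preview(card, policy):
    """Exactly what picking this card would release: the intersection of what
    was asked for and what the card can assert. Claims the card holds but the
    policy did not request stay with the user."""
    return sorted((policy.required_claims | policy.optional_claims) & card.claims)


def select(cards, policy, choice):
    """The user's decision.

    'choice' is the name of an offered card, or None to walk away. Returns
    (card, released_claims), or None when the user declines. Choosing a card
    the relying party would not accept is an error, not a silent downgrade.
    """
    if choice is None:
        return None
    for card in candidates(cards, policy):
        if card.name == choice:
            return card, disclosure_preview(card, policy)
    raise ValueError(f"{choice!r} is not acceptable to this relying party")


# Constructed sample wallet.
WALLET = [
    Card("Self-issued", "self", frozenset({"given_name", "email"})),
    Card("Employer badge", "employer.example",
         frozenset({"given_name", "family_name", "employee_id", "email"})),
    Card("Government eID", "gov.example",
         frozenset({"given_name", "family_name", "birth_date", "national_id"})),
]

if __name__ == "__main__":
    policy = Policy(required_claims=frozenset({"given_name"}),
                    optional_claims=frozenset({"email"}),
                    issuers=frozenset({"employer.example", "gov.example"}))
    for card in candidates(WALLET, policy):
        print(card.name, "would release", disclosure_preview(card, policy))
```

Keeping the issuer filter and the claim filter in one place is what makes the "segregation of contexts" visible to the user: a site that trusts only the employer and the government never sees the self-issued card, and the employer card releases its email and given name but never its employee_id, because that claim was not in the policy.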

Page 14:

Identity Metasystem

- An identity metasystem is a framework that unifies the world of
  - multiple identity technologies
  - multiple operators
  - and multiple implementations
- An identity metasystem enables users to manage identity in a heterogeneous world

Page 15:

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Page 16:

Joeri Van Herreweghe

- 15 year old eID Wizard
- First encounter: eID InfoSessions Erpe-Mere
- Selected as a finalist in Microsoft's World-Wide You Can Make a Difference scholarship program
- eID Project for Simon & Odil


Page 18:

Joeri Van Herreweghe

"We received many qualified applications from all over the world, and the judging panel was particularly impressed with your technology proposal. We at Microsoft look forward to working with you to turn your project proposal into a reality."

Mario Jobbe
Technical Product Manager
Academic & Developer Community Group
Servers & Tools Business
Microsoft Corporation, Redmond

Page 19:

Joeri Van Herreweghe

- Small Ceremony
- Get in contact with Kim Cameron
- Some travel equipment as present
- Please give a strong applause for Joeri!
