
The Identity Metasystem. Caspar Bowden, Chief Privacy Advisor EMEA, EMEA Technology Office, on behalf of: Kim Cameron, Architect of Identity and Access, Microsoft.

Dec 21, 2015

Page 1

The Identity Metasystem
Caspar Bowden, Chief Privacy Advisor EMEA, EMEA Technology Office
on behalf of: Kim Cameron, Architect of Identity and Access, Microsoft Corporation

Page 2

Copyright 2005 Microsoft Corporation

Problem Statement

The Internet was built without a way to know who and what you are connecting to
- Everyone offering an internet service has had to come up with a workaround
- Patchwork of identity one-offs
- We have inadvertently taught people to be phished and pharmed
- No fair blaming the user – no framework, no cues, no control

We are “Missing the identity layer”
- Digital identity currently exists in a world without synergy because of identity silos

Page 3

Criminalization of the Internet

Greater use and greater value attract professionalized international criminal fringe
- Understand ad hoc nature of identity patchwork
- Phishing and Pharming (Phraud) at 1000% CAGR
- Combine with “stash attacks” reported as “identity losses”…

Unwinding of acceptance where we should be seeing progress.
- Opportunity of moving beyond “public-ation”
- Need to intervene so web services can get out of the starting gate

The ad hoc nature of internet identity cannot withstand the growing assault of professionalized attackers

We can predict a deepening public crisis

Page 4

What is a digital identity?

A set of claims someone makes about me
- Claims are packaged as security tokens
- Many identities for many uses
- Useful to distinguish from profiles

Page 5

Identity is Matched to Context

In Context
- Bank card at ATM
- Gov’t ID at border check
- Coffee card at coffee stand
- MSN Passport at HotMail

Out of Context
- Coffee card at border check

Maybe Out of Context?
- Gov’t ID at ATM
- SSN as Student ID
- MSN Passport at eBay

Page 6

The Laws of Identity: An Industry Dialog

1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts

Join the discussion at www.identityblog.com

Page 7

The role of “The Laws”…

We must be able to structure our understanding of digital identity
- We need a way to avoid returning to the Empty Page every time we talk about digital identity
- We need to inform people’s thinking by teasing apart the factors and dynamics explaining the successes and failures of identity systems since the 1970s
- We need to develop hypotheses – resulting from observation – that are testable and can be disproved
- The Laws of Identity offer a “good way” to express this thought
- Beyond mere conversation, the Blogosphere offers us a crucible. The concept has been to employ this crucible to harden and deepen the laws.

Page 8

1. User Control and Consent

Digital identity systems must only reveal information identifying a user with the user’s consent
- Relying parties can require authentication
- The user can choose to comply or “walk away”
- The system should appeal by means of convenience and simplicity and win the user’s trust
- Put the user in control of what identities are used and what information is released
- Protect against deception (destination and misuse)
- Inform user of auditing implications
- Retain paradigm of consent across all contexts

Page 9

2. Minimal Disclosure for Limited Use

The solution that discloses the least identifying information and best limits its use is the most stable long term solution
- Consider information breaches to be inevitable
- To mitigate risk, acquire and store information on a “need to know” and “need to retain” basis
- Less information implies less value implies less attraction implies less risk
- “Least identifying information” includes reduction of cross-context information (universal identifiers)
- Limiting information hoarding for unspecified futures

Page 10

3. Justifiable Parties

Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship
- Justification requirements apply both to the subject and to the relying party
- Example of Microsoft’s experience with Passport
- In what contexts will use of government identities succeed and fail?
- Parties to a disclosure must provide a statement about information use

Page 11

4. Directed Identity

A unifying identity metasystem must support both “omni-directional” identifiers for public entities and “unidirectional” identifiers for private entities
- Digital identity is always asserted with respect to some other identity or set of identities
- Public entities require well-known “beacons”
  - Examples: web sites or public devices
- Private entities (people) require the option to not be a beacon
  - Unidirectional identifiers used in combination with a single beacon: no correlation handles
- Example of Bluetooth and RFID – growing pushback
- Wireless was also mis-designed in light of this law
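The "no correlation handles" point on this slide is easiest to see in code. The example below is added here and is not code from the presentation or from any Microsoft product: a public relying party keeps one well-known beacon identifier, while the subject answers each beacon with a different but stable identifier derived from a per-card secret. The derivation (HMAC-SHA256 over the normalised beacon, keyed with the card secret) and the class and function names are assumptions chosen for illustration.

```python
"""Directed identity (Law 4), added example. A public entity keeps one
omni-directional "beacon"; a private subject shows every beacon a different,
stable, unlinkable handle, so two relying parties cannot join their records.
The HMAC-based derivation is an illustrative assumption, not any product's."""
import hashlib
import hmac
import secrets
from typing import Optional


class SelfIssuedCard:
    """A card carrying one long-lived random secret. The secret never leaves
    the subject's machine; only per-beacon identifiers derived from it do."""

    def __init__(self, master_secret: Optional[bytes] = None):
        self.master_secret = master_secret if master_secret is not None else secrets.token_bytes(32)

    def unidirectional_id(self, beacon: str) -> str:
        """Identifier shown to the relying party whose public identifier is
        `beacon` (for a web site: the origin bound to its certificate).
        Same beacon -> same value on every visit. Different beacon -> a value
        that is computationally unrelated, because the keyed hash hides the
        secret that links them."""
        beacon_bytes = beacon.strip().lower().encode("utf-8")
        return hmac.new(self.master_secret, beacon_bytes, hashlib.sha256).hexdigest()


def can_correlate(handle_at_a: str, handle_at_b: str) -> bool:
    """What two colluding relying parties learn by comparing the handles they
    each hold for a visitor: only whether the strings are equal. With a
    universal identifier (SSN, a fixed RFID or radio serial) this is always
    True; with unidirectional identifiers it is False."""
    return hmac.compare_digest(handle_at_a, handle_at_b)


if __name__ == "__main__":
    card = SelfIssuedCard()
    bank = card.unidirectional_id("https://bank.example")   # constructed beacons
    shop = card.unidirectional_id("https://shop.example")
    print("bank sees:", bank)
    print("shop sees:", shop)
    print("correlatable:", can_correlate(bank, shop))
```

The beacon is normalised before hashing so that trivial spelling differences do not split one relying party into several identities; what counts as the beacon in a real deployment (certificate, origin, device identifier) is a policy decision the slide leaves open.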

Page 12

5. Pluralism of Operators and Technologies

A unifying identity metasystem must channel and enable the inter-working of multiple identity technologies run by multiple identity providers
- Characteristics that make a system ideal in one context disqualify it in another
- Example of government versus employer versus individual as consumer and human being
- Craving for “segregation” of contexts
- Important new technologies currently emerging – must not glue in a single technology or require “fork-lift” upgrade
- Convergence can occur, but only when there is a platform (identity ecology) for that to happen in

Page 13

6. Human Integration

A unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications
- We’ve done a good job of securing the first 5,000 miles but allowed penetration of the last 2 feet
- The channel between the display and the brain is under attack
- Need to move from thinking about a protocol to thinking about a ceremony
- Example of Channel 9 on United Airlines
- How to achieve highest levels of reliability in communication between user and rest of system

Page 14

7. Consistent Experience Across Contexts

A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies
- Make identities “things” on the desktop so users can see them, inspect details, add and delete
- What type of digital identity is acceptable in given context?
  - Properties of potential candidates specified by the relying party
  - User selects one and understands information associated with it.
  - Single relying party may accept more than one type of identity
- Facilitate “Segregation Of Contexts”

Page 15

The Laws Define a Metasystem

(Diagram: the metasystem connects the following)
- Me
- Devices: PCs, Mobile, Phone
- Businesses
- Organizations
- Governments
- Applications: Existing & New
- Technologies: X.509, SAML, Kerberos
- Individuals: Work & Consumer

Page 16

Metasystem Players

- Relying Parties: require identities
- Subjects: individuals and other entities about whom claims are made
- Identity Providers: issue identities

Page 17

Identity Metasystem

- Consistent way to use multiple identity systems
- Remove friction without requiring everyone agree on one identity technology for everything
- Leverage current successes
- Enable us to move from past to future

Four key characteristics
- Negotiation
- Encapsulating protocol
- Claims transformation
- Consistent user experience

Page 18

Negotiation

Enable relying party, subject, and identity provider to negotiate
- Which claims are required
- Who can make them
- What type of technology is acceptable
- Under what conditions claims will be issued
- How parties prove who they are
- How information will be used
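The negotiation questions on this slide, the candidate-selection step of Law 7 (slide 14) and the minimal-disclosure rule of Law 2 (slide 9) fit together in one small model. The example below is added here and is not code from the presentation or from Microsoft's InfoCard implementation: the relying party publishes a policy (required claims, accepted issuers, accepted token technology, usage statement), the selector filters a card collection that stores claim names but no values, and once the user has chosen a card the provider releases exactly the required claims. Field names, issuer URLs, token-type labels and the two provider stores are constructed assumptions.

```python
"""Negotiation with minimal disclosure, added example (not the presentation's
or Microsoft's code). Policy fields, card fields, issuer URLs and the sample
provider stores are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Policy:
    """What a relying party announces before any identity is chosen."""
    required_claims: FrozenSet[str]
    accepted_token_types: FrozenSet[str]
    accepted_issuers: Optional[FrozenSet[str]] = None  # None: any issuer, self-issued included
    usage_statement: str = ""                            # how the information will be used


@dataclass(frozen=True)
class Card:
    """Card-collection entry: name, issuer, provider address and the names of
    the claims the provider can assert. No claim values are stored here."""
    name: str
    issuer: str
    provider_address: str
    claim_names: FrozenSet[str]
    token_types: FrozenSet[str]


# Constructed card collection on the subject's machine
CARDS: List[Card] = [
    Card("Alice (personal)", "self-issued", "local",
         frozenset({"name", "email", "age", "telephone"}), frozenset({"saml1.1"})),
    Card("Contoso employee", "https://sts.contoso.test", "https://sts.contoso.test/issue",
         frozenset({"name", "email", "employee_id", "department"}), frozenset({"saml1.1", "saml2.0"})),
]

# Constructed provider stores: claim values live with the provider, not in the card
PROVIDER_STORES: Dict[str, Dict[str, object]] = {
    "local": {"name": "Alice", "email": "alice@example.test", "age": 34, "telephone": "+1-555-0100"},
    "https://sts.contoso.test/issue": {"name": "Alice Example", "email": "alice@contoso.test",
                                       "employee_id": "E-1234", "department": "Finance"},
}


def candidate_cards(cards: List[Card], policy: Policy) -> List[Card]:
    """Cards the selector may offer: every required claim is available, the
    provider speaks an accepted token type, and the issuer is acceptable.
    An empty result is the "walk away" case of Law 1."""
    return [
        c for c in cards
        if policy.required_claims <= c.claim_names
        and c.token_types & policy.accepted_token_types
        and (policy.accepted_issuers is None or c.issuer in policy.accepted_issuers)
    ]


def issue_token(card: Card, policy: Policy) -> Dict[str, object]:
    """Called after the user picked `card` and consented to `policy`. Only the
    required claims are copied out of the provider store; everything else the
    provider knows (telephone, department, ...) stays where it is."""
    store = PROVIDER_STORES[card.provider_address]
    return {
        "issuer": card.issuer,
        "claims": {name: store[name] for name in sorted(policy.required_claims)},
    }


if __name__ == "__main__":
    bookshop = Policy(frozenset({"email", "age"}), frozenset({"saml1.1"}),
                      usage_statement="age check and order confirmation only")
    offered = candidate_cards(CARDS, bookshop)
    print("cards offered:", [c.name for c in offered])
    print("token released:", issue_token(offered[0], bookshop))
```

Because the card holds only claim names, the selector can decide which identities are acceptable in a given context without touching any personal data; the values are fetched from the provider only for the card the user actually chose, and only for the claims the policy named.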

Page 19

Encapsulating Protocol

- Technology-agnostic way to exchange policies and claims between Identity Provider and Relying Party
- Content and meaning of what is exchanged determined by participants, not metasystem

Page 20

Claims Transformation

Trusted way to change one set of claims into another
- Specialized server + policy and trust framework for translating foreign claims to locally relevant claims
- Bridge organizational and technical boundaries
- Transform semantics: “Microsoft Employee” -> “Book Purchase OK”
- Transform formats: X.509, SAML 1.0, SAML 2.0, SXIP, LID, etc.
- Provides interoperability needed today plus flexibility required for future evolution
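The two transformations named on this slide, format and semantics, and the trust framework that gates them can be shown in a small claims transformer. The example below is added here and is not the presentation's or Microsoft's code: a token from a foreign issuer is first checked against a local trust policy, then normalised from its native shape (an X.509 subject DN or a SAML-style attribute map) into canonical claims, then passed through semantic rules such as “Microsoft Employee” -> “Book Purchase OK”, and finally trimmed to the claims the relying party requested. The issuer names, the DN layout, the rule table, the token shapes and all function names are constructed assumptions.

```python
"""Claims transformation, added example (not the presentation's or Microsoft's
code). A small security token service: trust check, format transformation,
semantic transformation, then minimal disclosure. All names are constructed."""
from dataclasses import dataclass
from typing import Dict, Set


class UntrustedIssuer(Exception):
    """Raised when the trust framework does not accept this (issuer, format)."""


@dataclass(frozen=True)
class Token:
    issuer: str        # who signed the token; signature assumed verified upstream
    fmt: str           # "x509" or "saml"
    claims: Dict       # the token's payload in its native shape


# Trust framework (constructed): which issuers we accept, and in which format.
# An issuer is trusted only for the format it was provisioned for.
TRUST_POLICY = {
    "CN=Example Corporate CA": "x509",
    "https://sts.contoso.test": "saml",
}

# Semantic rules (constructed): canonical (claim, value) -> local (claim, value).
SEMANTIC_RULES = {
    ("role", "Microsoft Employee"): ("book_purchase", "OK"),
    ("role", "Contractor"): ("book_purchase", "manager approval required"),
}


def parse_dn(dn: str) -> Dict[str, str]:
    """Toy parser for a comma-separated DN ("CN=Alice,OU=Employees,O=Microsoft").
    Attribute types are upper-cased; escaped commas inside values are not handled."""
    parsed = {}
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if sep:
            parsed[attr.upper()] = value
    return parsed


def normalize(token: Token) -> Dict[str, str]:
    """Format transformation: turn each supported foreign format into the same
    canonical claim set, so the semantic rules need to exist only once."""
    if token.fmt == "x509":
        dn = parse_dn(token.claims["subject"])
        canon = {"name": dn.get("CN", "")}
        if dn.get("O") == "Microsoft" and dn.get("OU") == "Employees":
            canon["role"] = "Microsoft Employee"
        return canon
    if token.fmt == "saml":
        # SAML attribute statements are multi-valued; collapse single values
        return {k: v[0] if isinstance(v, list) and len(v) == 1 else v
                for k, v in token.claims.items()}
    raise ValueError(f"unsupported token format: {token.fmt}")


def transform(token: Token, requested: Set[str]) -> Dict[str, str]:
    """Issue the local token: trust check first, then format, then semantics,
    and finally minimal disclosure (only the requested claims leave)."""
    if TRUST_POLICY.get(token.issuer) != token.fmt:
        raise UntrustedIssuer(f"{token.issuer} is not trusted for {token.fmt} tokens")
    canon = normalize(token)
    derived = {}
    for (claim, value), (local_claim, local_value) in SEMANTIC_RULES.items():
        if canon.get(claim) == value:
            derived[local_claim] = local_value
    available = {**canon, **derived}
    return {name: available[name] for name in sorted(requested) if name in available}


if __name__ == "__main__":
    cert_token = Token("CN=Example Corporate CA", "x509",
                       {"subject": "CN=Alice,OU=Employees,O=Microsoft"})   # constructed
    print(transform(cert_token, {"book_purchase", "name"}))
```

The order matters: a token from an issuer the trust framework does not list is rejected before any of its claims are parsed, and an issuer trusted for one format cannot smuggle claims in through another.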

Page 21

Consistent User Experience

Single experience across multiple systems
- Two-way authentication
- Uniform logon and registration experience
- User consent to disclosure of claims
- Policies exposed and accessible to user
- Reduced cognitive load on user
- Make identity experience “real” and tangible instead of ad-hoc
- Predictable – better informed decision making

Page 22

What plugs in to the Identity Metasystem?

- Smartcards
- Self-issued identities
- Corporate identities
- Gov’t identities
- Passport identities
- Liberty identities
- Client applications
- Operating systems
- Governments
- Organizations
- Companies
- Individuals
- Mobile phones
- Computers
- Hard ID tokens
- Online services

Page 23

Benefits of Participating

- Bet on the “playing field”, not some particular solution
- Increased reach: claims transformer enables new relationships
- Increased flexibility: policy, claims transformation “knobs and levers” enable wide variety of relationships
- Easy to add support for new technology
- Simple, safe user experience

Page 24

An Identity Metasystem Architecture

Microsoft worked with industry to develop protocols that enable an identity metasystem: WS-* Web Services
- Encapsulating protocol and claims transformation: WS-Trust
- Negotiation: WS-MetadataExchange and WS-SecurityPolicy
- Only technology we know of specifically designed to satisfy requirements of an identity metasystem

Page 25

WS-* Metasystem Architecture

(Diagram. Labels: Subject; Identity Selector; ID Provider (two); SecurityTokenServer (two); WS-SecurityPolicy (two); Relying Party (two); token technologies Kerberos, SAML, X.509; protocols WS-Trust, WS-MetadataExchange.)

Page 26

Microsoft’s Implementation

“InfoCard” identity selector
- Component of WinFX, usable by any application
- Hardened against tampering, spoofing

“InfoCard” simple identity provider
- Self-issued identity for individuals running on PCs
- Uses strong public key-based authentication – user does not disclose passwords to relying parties

Active Directory managed identity provider
- Plug Active Directory users into the metasystem
- Full set of policy controls to manage use of simple identities and Active Directory identities

Windows Communications Foundation (“Indigo”) for building distributed applications and implementing relying party services

Page 27

Microsoft’s Implementation

Data stored for each card in card collection
- Name, logo, names of claims available (not values)
- Address of identity provider, required credential

Data stored in simple identity provider
- Name, address, email, telephone, age, gender
- User must opt-in

InfoCard data not visible to applications
- Stored in files encrypted under system key
- User interface runs on separate desktop

Managed identity provider may store information needed to generate claims

Page 28

Microsoft’s Implementation

Fully interoperable via published protocols
- With other identity selector implementations
- With other relying party implementations
- With other identity provider implementations

Detailed implementation guide available

Page 29

Summary

- Laws of Identity define an identity metasystem
- WS-* makes possible an identity metasystem using widely-accepted published protocols
- Microsoft implementing full support for an open identity metasystem in Windows
- Identity metasystem has potential to remove friction, accelerate growth of connectivity
- Let the identity big bang begin!

Page 30

For More Information

Two whitepapers on MSDN:
- Microsoft’s Vision for an Identity Metasystem
- The Laws of Identity

Links to both from: http://msdn.microsoft.com/webservices/understanding/advancedwebservices/

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
