Recently announced Infocard project from Microsoft aims to provide “a uniform way for people to log on to Web sites, conduct transactions and prove their identities online” and will be incorporated into
Kim Cameron’s website http://www.identityblog.com/, gives a good insight into the thinking that went behind the project. It begins with laws of identity that defines the architecture:
Law 1. User Information should be revealed only with consent & user has control of how and when this information is released
Law 2: Minimize the information revealed
Law 3: Information should be released to only participating entities in the relationships
Law 4: The universal identity metasystem should support “omnidirectional” identifiers (for public entities) and “unidirectional” identifiers for use by private entities
Law 5: The Universal Identity Metasystem should channel and enable interworking of multipleidentity technologies run by multiple identity providers
Law 6: The system should extend to and integrate the human user in a manner that is meaningful to him/her
Law 7: The system should provide a consistent experience across contexts,
The components that implement the above architecture are
1. A way to represent identities using claims
2. A means for identity providers, relying parties, and subjects to negotiate
3. An encapsulating protocol to obtain claims and requirements
4. A means to bridge technology and organizational boundaries using claims transformation
5. A consistent user experience across multiple contexts, technologies, and operators
The Identity Metasystem is built on interoperable Web Services (WS-*) protocols, i.e WS-Trust, WS-Metadataexchange, WS-Security Policy and secured using WS-Security
The first law concerning user consent and control has generated some controversy. What extent of control should user expect over the records of transactions he/she conducts with service providers? What about reputation information like credit score, ebay ratings etc.? What happens when regulations demand users reveal their identification? Does users control over their identity information conflict with someone else’ freedom of speech? Check out http://identity20.com/ for in depth exploration of these issues.
Within large enterprises too identity management aims to go beyond access control, SSO, directory integration and provides scalability and business agility in a way the was not possible with earlier technologies. Whether strong centralized IT departments see the need to re-engineer their legacy identity management systems yet is still unclear. But as SOA paradigm gains momentum federated digital identity cannot be far behind.
Security, trust, authentication, privacy, identity management are all interlinked and among the biggest challenges facing Internet based applications/services, yet the solution has to be “simple, and open” and Infocard from MS looks like a great start.
Other candidates include sxip.com