Wednesday, February 15

Universal Identity Metasystem

The recently announced Infocard project from Microsoft aims to provide “a uniform way for people to log on to Web sites, conduct transactions and prove their identities online” and will be incorporated into Vista. According to Kim Cameron and Microsoft, Infocard points the way to a Universal Identity Metasystem.

Kim Cameron’s website, http://www.identityblog.com/, gives a good insight into the thinking that went into the project. It begins with the Laws of Identity, which define the architecture:

Law 1: User information should be revealed only with the user's consent, and the user controls how and when that information is released
Law 2: Minimize the information revealed
Law 3: Information should be released only to the entities participating in the relationship
Law 4: The universal identity metasystem should support “omnidirectional” identifiers (for public entities) and “unidirectional” identifiers for use by private entities
Law 5: The universal identity metasystem should channel and enable the interworking of multiple identity technologies run by multiple identity providers
Law 6: The system should extend to and integrate the human user in a manner that is meaningful to him/her
Law 7: The system should provide a consistent experience across contexts

The components that implement the above architecture are:

1. A way to represent identities using claims
2. A means for identity providers, relying parties, and subjects to negotiate
3. An encapsulating protocol to obtain claims and requirements
4. A means to bridge technology and organizational boundaries using claims transformation
5. A consistent user experience across multiple contexts, technologies, and operators

The Identity Metasystem is built on interoperable Web Services (WS-*) protocols, i.e. WS-Trust, WS-MetadataExchange and WS-SecurityPolicy, and is secured using WS-Security.
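To make the components above concrete, here is an added example (not Infocard code, and not how the WS-* stack encodes anything) of one claims exchange between an identity provider and a relying party. The relying party publishes a policy naming the claims it needs; the identity provider releases only those claims, only with the user's consent (Laws 1 and 2), addresses the token to that one party (Law 3), derives a per-relying-party “unidirectional” identifier so two sites cannot correlate the same user (Law 4), and transforms a raw birthdate into an “over 18” claim rather than revealing it (component 4). Everything here is an assumption for illustration: an HMAC over a JSON body stands in for the WS-Security signature on a real token, the identifier derivation is one way to get directed identity and not the metasystem's actual algorithm, and all keys, names and URLs are made up.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from datetime import date

# Constructed sample data for this example (hypothetical names, not real parties).
IDP_ISSUER = "https://idp.example"
IDP_SIGNING_KEY = b"idp-signing-key-demo"   # assumption: shared with relying parties
IDP_PPID_SECRET = b"idp-ppid-secret-demo"   # never leaves the identity provider
TODAY = date(2006, 2, 15)                  # fixed date so the age claim is stable

SUBJECT = {                                # full record held by the identity provider
    "subject_id": "alice@idp.example",
    "name": "Alice Example",
    "email": "alice@mail.example",
    "birthdate": "1980-05-01",
}
SHOP_POLICY = {"rp_id": "https://shop.example", "required_claims": ["email", "over18"]}
FORUM_POLICY = {"rp_id": "https://forum.example", "required_claims": ["email"]}


def derive_ppid(subject_id: str, rp_id: str) -> str:
    """Law 4 (directed identity): an identifier that is stable for one
    (subject, relying party) pair but cannot be correlated across relying parties."""
    msg = f"{subject_id}|{rp_id}".encode()
    return hmac.new(IDP_PPID_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def transform_claims(record: dict, wanted: list[str]) -> dict:
    """Component 4 (claims transformation): derive what the relying party asked for
    instead of handing over the underlying record. 'over18' is computed from the
    birthdate, and the birthdate itself is never released."""
    out = {}
    for claim in wanted:
        if claim == "over18":
            born = date.fromisoformat(record["birthdate"])
            age = TODAY.year - born.year - ((TODAY.month, TODAY.day) < (born.month, born.day))
            out[claim] = age >= 18
        elif claim in record and claim not in ("subject_id", "birthdate"):
            out[claim] = record[claim]
        else:
            raise KeyError(f"identity provider cannot assert claim {claim!r}")
    return out


def issue_token(record: dict, policy: dict, consented: set[str]) -> str:
    """Identity-provider side. The token carries only the claims in the relying
    party's policy (Law 2), only if the user consented to each (Law 1), and is
    addressed to that one relying party (Law 3)."""
    wanted = policy["required_claims"]
    missing = [c for c in wanted if c not in consented]
    if missing:
        raise PermissionError(f"user declined to release {missing}")
    body = {
        "issuer": IDP_ISSUER,
        "audience": policy["rp_id"],
        "ppid": derive_ppid(record["subject_id"], policy["rp_id"]),
        "claims": transform_claims(record, wanted),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()  # stand-in for the WS-Security signature
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token: str, rp_id: str, required: list[str]) -> dict:
    """Relying-party side: check the signature before trusting anything, then the
    issuer and audience, then that every claim the policy requires is present."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        raise ValueError("malformed token") from None
    expected = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    body = json.loads(payload)
    if body.get("issuer") != IDP_ISSUER or body.get("audience") != rp_id:
        raise ValueError("token not issued by the expected provider to this relying party")
    claims = body["claims"]
    if any(c not in claims for c in required):
        raise ValueError("required claim missing")
    return {"ppid": body["ppid"], **claims}


if __name__ == "__main__":
    tok = issue_token(SUBJECT, SHOP_POLICY, consented={"email", "over18"})
    print(verify_token(tok, SHOP_POLICY["rp_id"], SHOP_POLICY["required_claims"]))
```

The relying party never sees the name or birthdate, and the identifier it receives for Alice differs from the one the forum receives, which is the point of Law 4. Swapping the shared HMAC key for the provider's public-key signature, and the JSON body for a SAML assertion, is what the WS-Security layer mentioned above does in the real protocol stack.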

The first law, concerning user consent and control, has generated some controversy. What extent of control should a user expect over the records of transactions he or she conducts with service providers? What about reputation information such as credit scores and eBay ratings? What happens when regulations demand that users reveal their identities? Does a user's control over his or her identity information conflict with someone else's freedom of speech? Check out http://identity20.com/ for an in-depth exploration of these issues.

Within large enterprises too, identity management aims to go beyond access control, SSO and directory integration, and to provide scalability and business agility in a way that was not possible with earlier technologies. Whether strong, centralized IT departments yet see the need to re-engineer their legacy identity management systems is still unclear. But as the SOA paradigm gains momentum, federated digital identity cannot be far behind.

Security, trust, authentication, privacy and identity management are all interlinked and are among the biggest challenges facing Internet-based applications and services, yet the solution has to be “simple, and open”, and Infocard from MS looks like a great start.

Other candidates include sxip.com.
