Introducing the “Longhorn” Identity System (presentation transcript, PDC session ARC343)
1 Introducing the “Longhorn” Identity System
Stuart Kwan, Product Unit Manager, Microsoft Corporation
Session Code: ARC343

2 “Longhorn” platform architecture (diagram)
[Slide 2 is an architecture diagram. Recoverable labels: the three pillars Presentation (“Avalon”), Data (“WinFS”) and Communication (“Indigo”) sit on Base Operating System Services (CLR hosting layer, transactions, storage, protocols, network services and kernel-mode components). The Identity & Security System spans the stack, with People and Group as its top-level types.]

3 Agenda
- A taxonomy of digital interactions
- The “Longhorn” Identity System
- “Information Cards”
- Usage scenarios
- Summary and call to action

4 How People Interact Digitally
1. Person to Person
2. Within Home
3. Person to Organization
4. Organization to Organization
5. Department to Department
6. Within Organization

5 Common Challenges
- Name resolution
  - Addresses are dynamic
  - The DNS namespace is global but not universally updateable, and sometimes disjoint
- Intentional connectivity barriers
  - Organizations behind firewalls
  - Home networks behind NATs and firewalls
- Recognizing identities outside your system
  - To enable secure communication
  - To grant access to your stuff

6 The Identity System
- Ubiquitous store and development platform for applications that consume identity
  - Built on the “WinFS” storage subsystem (see CLI201)
  - Schema for a unified representation of identity
  - API with specialized types and methods for principals
- Provides recognition between principals
  - Bootstraps and manages recognition between people, computers, groups and organizations
  - Extends Windows security services; can be used by existing applications
- Principals can be serialized and exchanged using a document we call an “Information Card”

7 What Is an Information Card?
An exchangeable identity statement whose signature can be verified. It contains:
- Display name
- Identity claims: unique identifier(s)
  - For a person: e-mail address
  - For an organization: web site
- Disclosed information: data I choose to disclose
  - Home address
  - Phone number
- Certificate: public key certificate
  - Local account: self-signed
  - Domain account: signed by a CA in Active Directory
- Use policy

8 How Are Information Cards Used?
- Information Cards are used to manage secure digital relationships with people and organizations
- When an Information Card is imported, it becomes a contact in the contact explorer
  - The contact can be recognized using Windows security services (SSPI)
  - The contact can be granted access to shared spaces
- We will seek broad adoption of Information Cards and encourage others to implement them

10 Person to Person Scenario
Chris Macaulay, Program Manager, Directory and Identity Services

11 Person to Person
- Bob’s computer can look up the address of Alice’s computer using information from her contact
- Name resolution chain: public key -> PNRP name -> IPv6 address
- Bob’s computer traverses the NAT using IPv6
- For more information: ARC382
(Diagram labels: Share; Internet)

12 Identity-Based Host Firewall
- Only people you recognize, and to whom you have granted access, can make inbound connections to your computer
- Other callers see the IPsec negotiation port and nothing else; that negotiation port is the only surface left reachable by unrecognized hosts
- Greatly reduces the exposed attack surface of a Windows computer on a network

13 Authentication Versus Authorization
- Accepting an Information Card does not grant the contact access to the computer
  - Recognition only: a clear separation of authentication from authorization
  - A contact must have no implicit access
- To revoke someone’s access to the computer:
  - Remove them from the access policies on resources
  - Optionally, delete the contact object, so that person is no longer recognized
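The separation this slide describes, as an added example that is not code from the deck or from Microsoft: a small Go model in which importing a card only creates a contact, every grant is an explicit policy entry, and the two revocation steps are distinct operations. All type and field names here (Contact, IdentityStore, KeyID, the resource path) are assumptions made for the example, not the Longhorn API.

```go
package main

import (
	"errors"
	"fmt"
)

// Contact is what importing an Information Card creates: a recognized
// principal, keyed by the fingerprint of the key on the card. The type and
// field names are assumptions for this example, not the Longhorn API.
type Contact struct {
	DisplayName string
	KeyID       string
}

var (
	ErrNotRecognized = errors.New("caller is not a known contact")   // authentication failed
	ErrAccessDenied  = errors.New("contact has no grant on resource") // authorization failed
)

// IdentityStore keeps recognition (contacts) and access policy (acls) apart;
// ImportCard never touches acls, so a new contact has no implicit access.
type IdentityStore struct {
	contacts map[string]Contact             // keyID -> contact
	acls     map[string]map[string]struct{} // resource -> set of keyIDs
}

func NewIdentityStore() *IdentityStore {
	return &IdentityStore{contacts: map[string]Contact{}, acls: map[string]map[string]struct{}{}}
}

// ImportCard is recognition only.
func (s *IdentityStore) ImportCard(name, keyID string) {
	s.contacts[keyID] = Contact{DisplayName: name, KeyID: keyID}
}

// Grant adds an explicit entry to a resource's access policy. Refusing
// unknown keyIDs keeps the policy free of entries for principals that were
// never recognized.
func (s *IdentityStore) Grant(resource, keyID string) error {
	if _, ok := s.contacts[keyID]; !ok {
		return ErrNotRecognized
	}
	if s.acls[resource] == nil {
		s.acls[resource] = map[string]struct{}{}
	}
	s.acls[resource][keyID] = struct{}{}
	return nil
}

// Authorize runs the two checks in order and reports which one failed.
func (s *IdentityStore) Authorize(keyID, resource string) error {
	if _, ok := s.contacts[keyID]; !ok {
		return ErrNotRecognized
	}
	if _, ok := s.acls[resource][keyID]; !ok { // reading a nil inner map is safe in Go
		return ErrAccessDenied
	}
	return nil
}

// RevokeAccess is the first revocation step on slide 13: strip the contact
// from every resource policy but keep recognizing it.
func (s *IdentityStore) RevokeAccess(keyID string) {
	for _, set := range s.acls {
		delete(set, keyID)
	}
}

// ForgetContact is the optional second step. It revokes first so no stale
// policy entry survives that a later re-import of the same card would revive.
func (s *IdentityStore) ForgetContact(keyID string) {
	s.RevokeAccess(keyID)
	delete(s.contacts, keyID)
}

func main() {
	s := NewIdentityStore()
	s.ImportCard("Alice", "key-alice") // constructed key ID
	fmt.Println("after import:", s.Authorize("key-alice", `\\Bob\Photos`))
	_ = s.Grant(`\\Bob\Photos`, "key-alice")
	fmt.Println("after grant:", s.Authorize("key-alice", `\\Bob\Photos`))
	s.ForgetContact("key-alice")
	fmt.Println("after forget:", s.Authorize("key-alice", `\\Bob\Photos`))
}
```

Authorize checks recognition before policy so a caller learns which gate failed, and ForgetContact revokes before deleting the contact: a policy entry that outlives its contact would silently come back to life if the same card were imported again.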

14 Within Home
- Bob and Sally purchase a second computer
- The computer is joined to a server-less domain for the home/office (codename “Castle”)
- Identity system data, including principals, replicates to the new computer via “WinFS” sync
- Bob and Sally can log in and access resources (local or remote) from either computer

15 Within Home Scenario
Chris Macaulay, Program Manager, Directory and Identity Services

16 Person to Organization
- Sally submits her Information Card to the site
  - Sally controls what information is disclosed
  - No need to retype her address and phone number
- The site recognizes Sally on her next visit
  - Automatic sign-on using the key from the Information Card

17 Person to Organization
- The site sends the organization’s Information Card to Sally
- Sally can find invoices, e-mail and other objects associated with the organization
- Sally can recognize the organization: secure e-mail, even grant it access to her desktop

18 Organization to Organization
- Org 1 sends its Information Card to Org 2
- Org 2 verifies the integrity of the Information Card and adds it to its extranet Active Directory
- Org 1 is represented as an “Organization object” with a mapped certificate
(Diagram labels: Extranet; Intranet)

19 Organization to Organization
- Active Directory issues an Information Card to Bob’s domain account
- Bob visits the site and is recognized as being from Org 1
- “Trustbridge”: the key from the organization’s Information Card is used to verify the signature on Bob’s token
(Diagram labels: Extranet; Intranet)
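Slides 7, 18 and 19 together describe one chain: a card carries a public key and a signature; an organization's self-signed card is imported into the relying side's directory only after its signature is checked; and a member's card issued by that organization is later verified with the key from the imported card. The Go program below is an added example, not code from the deck or from Microsoft. It uses raw Ed25519 keys in place of X.509 certificates and Active Directory, and the struct fields, the JSON encoding, and names such as org1.example and bob@org1.example are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// InformationCard carries the fields slide 7 lists. Field names and the JSON encoding
// are assumptions for this example; raw Ed25519 keys stand in for X.509 certificates.
type InformationCard struct {
	DisplayName string            `json:"display_name"`
	Identifier  string            `json:"identifier"` // e-mail address (person) or web site (organization)
	Disclosed   map[string]string `json:"disclosed"`  // data the owner chose to disclose
	PublicKey   []byte            `json:"public_key"` // the subject's own key
	Issuer      string            `json:"issuer"`     // "" when self-signed (local account)
	Signature   []byte            `json:"-"`          // over the JSON of the fields above
}

func (c *InformationCard) signedBytes() []byte { // canonical body: map keys are sorted, Signature is excluded by its "-" tag
	b, _ := json.Marshal(c)
	return b
}

// NewSelfSignedCard is the local-account case: the subject signs its own card.
func NewSelfSignedCard(name, id string, disclosed map[string]string) (*InformationCard, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := &InformationCard{DisplayName: name, Identifier: id, Disclosed: disclosed, PublicKey: pub}
	c.Signature = ed25519.Sign(priv, c.signedBytes())
	return c, priv
}

type Organization struct { // stands in for an Active Directory domain holding a CA key
	Card *InformationCard // the org's own self-signed card, what Org 1 sends to Org 2 on slide 18
	priv ed25519.PrivateKey
}

func NewOrganization(name, site string) *Organization {
	card, priv := NewSelfSignedCard(name, site, nil)
	return &Organization{Card: card, priv: priv}
}

// IssueCard is the domain-account case (slide 19): the CA signs a member's card; the member's private key stays with the member.
func (o *Organization) IssueCard(name, id string, disclosed map[string]string) *InformationCard {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	c := &InformationCard{DisplayName: name, Identifier: id, Disclosed: disclosed, PublicKey: pub, Issuer: o.Card.Identifier}
	c.Signature = ed25519.Sign(o.priv, c.signedBytes())
	return c
}

// TrustStore is the relying side: Org 2's extranet directory of "Organization objects" with mapped keys.
type TrustStore struct {
	orgs map[string]ed25519.PublicKey // organization identifier -> its key
}

func NewTrustStore() *TrustStore { return &TrustStore{orgs: map[string]ed25519.PublicKey{}} }

func checkSignature(key []byte, c *InformationCard) error {
	if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, c.signedBytes(), c.Signature) {
		return errors.New("card signature does not verify") // length is checked first: ed25519.Verify panics on a malformed key
	}
	return nil
}

// ImportOrganization verifies the org card's self-signature before mapping its key.
func (t *TrustStore) ImportOrganization(card *InformationCard) error {
	if card.Issuer != "" {
		return errors.New("organization card must be self-signed")
	}
	if err := checkSignature(card.PublicKey, card); err != nil {
		return err
	}
	t.orgs[card.Identifier] = ed25519.PublicKey(card.PublicKey)
	return nil
}

// Verify is the "Trustbridge" step: self-signed cards are checked with their own key, issued cards with the issuer's mapped key.
func (t *TrustStore) Verify(card *InformationCard) error {
	if card.Issuer == "" {
		return checkSignature(card.PublicKey, card)
	}
	key, ok := t.orgs[card.Issuer]
	if !ok {
		return fmt.Errorf("issuer %q is not a recognized organization", card.Issuer)
	}
	return checkSignature(key, card)
}

func main() {
	org1 := NewOrganization("Org 1", "https://org1.example") // constructed names
	org2 := NewTrustStore()
	fmt.Println("import Org 1:", org2.ImportOrganization(org1.Card))
	bob := org1.IssueCard("Bob", "bob@org1.example", map[string]string{"phone": "555-0100"})
	fmt.Println("Bob's card:", org2.Verify(bob))
	bob.Disclosed["phone"] = "555-0199"
	fmt.Println("tampered card:", org2.Verify(bob))
}
```

Two details matter in practice. The key length is checked before ed25519.Verify because the library panics on a malformed key, so an attacker-supplied card must never reach it unchecked. And a self-signed card verifying against its own key proves only that the card is intact and that the sender holds that key; who the key belongs to is established by how the card was received, which is why the deck keeps recognition separate from access.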

20 Department to Department
- Bob submits his Information Card to an extranet site owned by a department in Org 2
- Similar to person to organization
(Diagram labels: Extranet; Intranet)

21 Department to Department
- The site recognizes Bob; Bob can secure the connection by various means
- The department does not burden Org 2’s IT with identity and credential management
(Diagram labels: Extranet; Intranet)

22 Department to Department
Possible configuration: SOAP-filtering application proxy
(Diagram labels: SOAP-filtering proxy; Intranet)

23 Department to Department
Possible configuration: “departmental extranet”
- The firewall allows IPsec traffic from “any” to the servers in the “Castle”
(Diagram labels: “Quarantined Castle”; Intranet)

24 Tracking Disclosed Information
- The identity system tracks Information Card disclosure
  - To whom Information Cards were sent
  - What information was sent
- If information changes, updates can be sent selectively or automatically
  - Updates are signed, so they are known to be from you and can be processed automatically at the destination
  - For example: your mailing address changes, and your magazine subscriptions are updated automatically

25 Roaming
- Within the home: the “Castle” replicates the data
- Within an organization
  - Credentials and data are stored in Active Directory
  - Downloaded to the Identity System on clients
- To arbitrary other computers
  - Identity system data can be backed up, encrypted, and stored in a vault in the “cloud”
  - A combination smartcard/storage “dongle” can also be used for any of the above

26 Identity Loss and Recovery
- What happens if your computer dies?
  - If it is part of a “Castle”, the data is on the other computer(s)
  - Or restore from a system backup
- The mechanisms used for roaming also apply to recovery
  - Upload from the smart dongle
  - Download from the vault in the cloud or from Active Directory

27 Identity Theft
- What if the computer or smart dongle is stolen?
  - Send a signed revocation message to the people you have sent an Information Card
  - If there is a backup in the cloud vault, the service could send the revocation for you, like canceling a credit card
  - Bootstrap a replacement identity using the disclosure information from the backup
- How do you know your identity has been stolen?
  - How is this discovered today? For example, by checking a credit card statement
  - Similar mechanisms may be needed online
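Slides 24 and 27 both rest on the recipient holding the key from the original card: with it, a signed field update or a signed revocation can be checked and applied with nobody in the loop. The Go program below is an added example, not code from the deck or from Microsoft. The Update structure, the sequence-number replay check, and the recipient names (magazine.example and so on) are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

type Update struct { // signed change notice (slide 24) or revocation (slide 27); names and JSON encoding are assumptions
	Seq     uint64            `json:"seq"`     // strictly increasing, so recipients can drop replays
	Changes map[string]string `json:"changes"` // field -> new value
	Revoke  bool              `json:"revoke"`
	Sig     []byte            `json:"-"` // Ed25519 over the JSON of the fields above
}

var ErrBadSignature = errors.New("update not signed by the key on the stored card")
var ErrReplay = errors.New("update sequence not newer than the last one applied")
var ErrRevoked = errors.New("card has been revoked")

// Owner is the sending side: a key pair plus the disclosure log (recipient -> fields given).
type Owner struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	seq  uint64
	log  map[string][]string
}

func NewOwner() *Owner {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Owner{pub: pub, priv: priv, log: map[string][]string{}}
}

func (o *Owner) RecordDisclosure(recipient string, fields ...string) { // a card with these fields went out
	o.log[recipient] = append(o.log[recipient], fields...)
}

func (o *Owner) sign(u *Update) *Update {
	o.seq++
	u.Seq = o.seq
	body, _ := json.Marshal(u) // Sig is tagged "-", so it is not part of the signed body
	u.Sig = ed25519.Sign(o.priv, body)
	return u
}

// UpdateField signs one update per recipient that was given field; the others learn nothing.
func (o *Owner) UpdateField(field, value string) map[string]*Update {
	out := map[string]*Update{}
	for rcpt, fields := range o.log {
		for _, f := range fields {
			if f == field {
				out[rcpt] = o.sign(&Update{Changes: map[string]string{field: value}})
				break
			}
		}
	}
	return out
}

func (o *Owner) Revoke() map[string]*Update { // one signed revocation per recipient in the log
	out := map[string]*Update{}
	for rcpt := range o.log {
		out[rcpt] = o.sign(&Update{Revoke: true})
	}
	return out
}

// ContactRecord is the receiving side; Key was learned from the owner's original card.
type ContactRecord struct {
	Key     ed25519.PublicKey
	Fields  map[string]string
	LastSeq uint64
	Revoked bool
}

func (r *ContactRecord) Apply(u *Update) error { // verify, check freshness, then apply
	body, _ := json.Marshal(u)
	switch {
	case r.Revoked:
		return ErrRevoked
	case len(r.Key) != ed25519.PublicKeySize || !ed25519.Verify(r.Key, body, u.Sig):
		return ErrBadSignature
	case u.Seq <= r.LastSeq:
		return ErrReplay
	}
	r.LastSeq, r.Revoked = u.Seq, u.Revoke
	for k, v := range u.Changes {
		r.Fields[k] = v
	}
	return nil
}

func main() {
	sally := NewOwner() // constructed scenario: Sally's card, carrying her address, went to a magazine
	sally.RecordDisclosure("magazine.example", "address")
	magazine := &ContactRecord{Key: sally.pub, Fields: map[string]string{"address": "1 Old St"}}
	fmt.Println(magazine.Apply(sally.UpdateField("address", "2 New Ave")["magazine.example"]), magazine.Fields)
}
```

The sequence number is the part the slides do not spell out: without it, an old signed update (the previous mailing address, say) could be replayed after a newer one. Note also what a revocation signed with the card's own key can and cannot do. If the key travelled with the stolen dongle, the thief can sign one too, so a recipient can only treat it as "stop trusting this key", which is the safe reaction either way; re-establishing who the owner now is has to come from something the thief does not hold, which is the role the slide gives to the cloud vault service and the backup.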

28 Programming Model
- Contacts and principals are an integral part of the WinFS API, allowing reuse of skills
- Fully integrated with system controls
  - Identity is a first-class concept in “Longhorn”
  - Check out CLI310 “People and Group Controls” (repeats Wednesday morning)
- Supports secure communication in “Indigo”
  - Check out ARC241 on federated web services and “Trustbridge”

29 Call to Action
- Think about how new digital interaction scenarios will impact your applications
- Simulate and experiment using Active Directory
- Build applications that use Windows integrated authentication (SSPI, Negotiate/NEGO)
- Check out the walkthroughs and code samples in the “Longhorn” PDC build

30 Summary
- Consolidated store and platform for applications that consume identity
- Exchange identity with Information Cards, control disclosure, and create secure relationships
- The concepts span the continuum from person-to-person to organization-to-organization
- Longhorn provides solutions to all three common challenges of digital interaction
  - Name resolution
  - Connectivity barriers
  - Recognizing identities from outside your system

31 Community Resources
- See the Identity System team at the Pavilion
- Ask The Experts tonight, 7-9pm, Hall G,H
- Attend the Collaboration panel (PNL11)
- PDC Weblogs:
- Newsgroup: microsoft.private.identitysystem (username=identity, password=identity)

32 © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.