The Identity Metasystem. Caspar Bowden, Chief Privacy Advisor EMEA, EMEA Technology Office, on behalf of Kim Cameron, Architect of Identity and Access, Microsoft Corporation.

Copyright 2005 Microsoft Corporation

Slide 2: Problem Statement
- The Internet was built without a way to know who and what you are connecting to.
- Everyone offering an Internet service has had to come up with a workaround: a patchwork of identity one-offs.
- We have inadvertently taught people to be phished and pharmed. No fair blaming the user: no framework, no cues, no control.
- We are "missing the identity layer".
- Digital identity currently exists in a world without synergy because of identity silos.

Slide 3: Criminalization of the Internet
- Greater use and greater value attract a professionalized international criminal fringe, one that understands the ad hoc nature of the identity patchwork.
- Phishing and pharming ("phraud") growing at a 1000% CAGR, combined with "stash attacks" reported as "identity losses".
- Unwinding of acceptance where we should be seeing progress; the opportunity of moving beyond "public-ation" is at risk.
- Need to intervene so web services can get out of the starting gate.
- The ad hoc nature of Internet identity cannot withstand the growing assault of professionalized attackers. We can predict a deepening public crisis.

Slide 4: What is a digital identity?
- A set of claims someone makes about me.
- Claims are packaged as security tokens.
- Many identities for many uses.
- Useful to distinguish identities from profiles.

Slide 5: Identity is Matched to Context
- In context: bank card at an ATM; government ID at a border check; coffee card at the coffee stand; MSN Passport at HotMail.
- Out of context: coffee card at a border check.
- Maybe out of context? Government ID at an ATM; SSN as a student ID; MSN Passport at eBay.

Slide 6: The Laws of Identity: An Industry Dialog
1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directed identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts
Join the discussion at [URL not preserved in the transcript].

Slide 7: The role of "The Laws"
- We must be able to structure our understanding of digital identity.
- We need a way to avoid returning to the empty page every time we talk about digital identity.
- We need to inform people's thinking by teasing apart the factors and dynamics that explain the successes and failures of identity systems since the 1970s.
- We need to develop hypotheses, resulting from observation, that are testable and can be disproved.
- The Laws of Identity offer a good way to express this thought.
- Beyond mere conversation, the blogosphere offers us a crucible. The concept has been to employ this crucible to harden and deepen the laws.

Slide 8: 1. User Control and Consent
- Digital identity systems must only reveal information identifying a user with the user's consent.
- Relying parties can require authentication; the user can choose to comply or "walk away".
- The system should appeal by means of convenience and simplicity and win the user's trust.
- Put the user in control of which identities are used and what information is released.
- Protect against deception (of destination and of misuse).
- Inform the user of auditing implications.
- Retain the paradigm of consent across all contexts.

Slide 9: 2. Minimal Disclosure for Limited Use
- The solution that discloses the least identifying information and best limits its use is the most stable long-term solution.
- Consider information breaches to be inevitable.
- To mitigate risk, acquire and store information on a "need to know" and "need to retain" basis.
- Less information implies less value, which implies less attraction, which implies less risk.
- "Least identifying information" includes reduction of cross-context information (universal identifiers).
- Limit information hoarding for unspecified future uses.

Slide 10: 3. Justifiable Parties
- Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.
- Justification requirements apply both to the subject and to the relying party.
- Example: Microsoft's experience with Passport.
- In what contexts will use of government identities succeed and fail?
- Parties to a disclosure must provide a statement about information use.

Slide 11: 4. Directed Identity
- A unifying identity metasystem must support both "omni-directional" identifiers for public entities and "unidirectional" identifiers for private entities.
- Digital identity is always asserted with respect to some other identity or set of identities.
- Public entities require well-known "beacons". Examples: web sites or public devices.
- Private entities (people) require the option to not be a beacon.
- Unidirectional identifiers used in combination with a single beacon: no correlation handles.
- Example: Bluetooth and RFID, where pushback is growing. Wireless networking was also mis-designed in light of this law.
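As an added illustration of the two identifier kinds (this code is not part of the deck and does not reproduce InfoCard's own derivation): a public entity's beacon is something anyone can compute and compare, while a card holds a random secret and presents to each relying party an HMAC over that party's beacon. The same card is therefore stable at one site, yet two sites cannot link their identifiers without the secret. The names shop.example and bank.example are made up.

```python
import hashlib
import hmac
import secrets


def beacon_identifier(rp_certificate_der: bytes) -> str:
    """Omni-directional identifier for a public entity such as a web site.

    Anyone may compute it from public material (here, a certificate) and compare
    it with what others computed; being correlated is the point of a beacon.
    """
    return hashlib.sha256(rp_certificate_der).hexdigest()


def new_card_secret() -> bytes:
    # Assumption: each self-issued card carries a 256-bit random secret that never
    # leaves the identity selector. InfoCard's real construction is not on this page.
    return secrets.token_bytes(32)


def pairwise_identifier(card_secret: bytes, relying_party: str) -> str:
    """Unidirectional identifier for one relying party.

    The relying party is named by its beacon (simplified here to a hostname;
    binding to its certificate would stop a site from renaming itself to get a
    fresh identifier). HMAC keeps the value stable for that party and, without
    the card secret, unlinkable across parties.
    """
    beacon = relying_party.strip().lower().encode("utf-8")
    return hmac.new(card_secret, beacon, hashlib.sha256).hexdigest()


def can_correlate(identifier_at_a: str, identifier_at_b: str) -> bool:
    """What two colluding relying parties can do: compare what each received."""
    return hmac.compare_digest(identifier_at_a, identifier_at_b)


def demo() -> dict:
    card = new_card_secret()
    at_shop = pairwise_identifier(card, "shop.example")
    at_bank = pairwise_identifier(card, "bank.example")
    return {
        "stable_at_shop": at_shop == pairwise_identifier(card, "SHOP.example "),
        "linkable_by_collusion": can_correlate(at_shop, at_bank),
    }


if __name__ == "__main__":
    print(demo())
```

The collusion check is the failure mode the law is about: with a universal identifier, `can_correlate` would return True for every pair of sites the user visits; with per-party derivation it returns False unless the card secret itself leaks.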

Slide 12: 5. Pluralism of Operators and Technologies
- A unifying identity metasystem must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
- Characteristics that make a system ideal in one context disqualify it in another. Example: government versus employer versus the individual as consumer and human being.
- There is a craving for "segregation" of contexts.
- Important new technologies are currently emerging; we must not glue in a single technology or require a "fork-lift" upgrade.
- Convergence can occur, but only when there is a platform (an identity ecology) for it to happen in.

Slide 13: 6. Human Integration
- A unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications.
- We have done a good job of securing the first 5,000 miles but allowed penetration of the last 2 feet.
- The channel between the display and the brain is under attack.
- We need to move from thinking about a protocol to thinking about a ceremony. Example: Channel 9 on United Airlines.
- How do we achieve the highest levels of reliability in communication between the user and the rest of the system?

Slide 14: 7. Consistent Experience Across Contexts
- A unifying identity metasystem must provide a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
- Make identities "things" on the desktop so users can see them, inspect details, add and delete them.
- What type of digital identity is acceptable in a given context? The properties of potential candidates are specified by the relying party.
- The user selects one and understands the information associated with it.
- A single relying party may accept more than one type of identity.
- Facilitate "segregation of contexts".

Slide 15: The Laws Define a Metasystem
(Diagram; labels recovered from the transcript.) At the centre: Me. Around it: Devices (PCs, mobile, phone); Businesses, Organizations, Governments; Applications (existing and new); Technologies (X.509, SAML, Kerberos); Individuals (work and consumer).

Slide 16: Metasystem Players
- Relying parties: require identities.
- Subjects: individuals and other entities about whom claims are made.
- Identity providers: issue identities.

Slide 17: Identity Metasystem
- A consistent way to use multiple identity systems.
- Remove friction without requiring everyone to agree on one identity technology for everything.
- Leverage current successes; enable us to move from past to future.
- Four key characteristics: negotiation, encapsulating protocol, claims transformation, consistent user experience.

Slide 18: Negotiation
Enable the relying party, subject, and identity provider to negotiate:
- which claims are required;
- who can make them;
- what type of technology is acceptable;
- under what conditions claims will be issued;
- how the parties prove who they are;
- how the information will be used.
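The negotiation can be shown as plain data and a matching step. The following is an added example, not code from the deck or from Microsoft's implementation: the policy record stands in for what a relying party would publish via WS-SecurityPolicy, the card records hold only claim names (never values), and the card names, issuers and claim names are invented. The example also shows the minimal-disclosure side of the negotiation, releasing required claims plus only the optional ones the user ticked.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    """What the identity selector stores about one identity: claim names, not values."""
    name: str
    issuer: str                 # "self" for a self-issued card
    token_types: frozenset      # token formats this issuer can produce
    claims: frozenset           # claim names this issuer can supply


@dataclass(frozen=True)
class RelyingPartyPolicy:
    """Stand-in for the requirements a relying party publishes (WS-SecurityPolicy in the deck)."""
    required_claims: frozenset
    optional_claims: frozenset
    accepted_token_types: frozenset
    accepted_issuers: frozenset   # empty means any issuer, self-issued included
    privacy_statement: str        # how the released information will be used


# Constructed sample data; all names are hypothetical.
CARDS = (
    Card("Personal", "self", frozenset({"saml1.1"}),
         frozenset({"givenname", "surname", "email", "ppid"})),
    Card("Employer", "sts.corp.example", frozenset({"saml1.1", "saml2.0"}),
         frozenset({"givenname", "surname", "email", "employer"})),
    Card("National ID", "id.gov.example", frozenset({"x509"}),
         frozenset({"givenname", "surname", "age_over_18"})),
)
BOOKSHOP = RelyingPartyPolicy(
    required_claims=frozenset({"email"}), optional_claims=frozenset({"givenname"}),
    accepted_token_types=frozenset({"saml1.1"}), accepted_issuers=frozenset(),
    privacy_statement="Email used for order receipts only; not shared.")
WINE_SHOP = RelyingPartyPolicy(
    required_claims=frozenset({"age_over_18"}), optional_claims=frozenset(),
    accepted_token_types=frozenset({"x509", "saml1.1"}),
    accepted_issuers=frozenset({"id.gov.example"}),
    privacy_statement="Age claim checked at checkout and discarded.")


def matching_cards(policy, cards):
    """Cards the selector may offer: acceptable issuer, a shared token format, all required claims."""
    return [c for c in cards
            if (not policy.accepted_issuers or c.issuer in policy.accepted_issuers)
            and (c.token_types & policy.accepted_token_types)
            and policy.required_claims <= c.claims]


def claims_to_release(policy, card, user_opt_in=()):
    """Minimal disclosure: the required claims plus only optional ones the user agreed to."""
    extra = {c for c in user_opt_in if c in policy.optional_claims and c in card.claims}
    return policy.required_claims | extra


def negotiate(policy, cards, chosen, user_opt_in=()):
    """Outcome for the card the user picked, or an error if that card cannot satisfy the policy."""
    matches = {c.name: c for c in matching_cards(policy, cards)}
    if chosen not in matches:
        raise ValueError(f"card {chosen!r} does not satisfy the relying party's policy")
    card = matches[chosen]
    token_type = sorted(card.token_types & policy.accepted_token_types)[0]
    return {"card": card.name, "issuer": card.issuer, "token_type": token_type,
            "claims": sorted(claims_to_release(policy, card, user_opt_in)),
            "use": policy.privacy_statement}


if __name__ == "__main__":
    print(negotiate(BOOKSHOP, CARDS, "Personal", ["givenname"]))
```

Note what the matching step refuses to do: it never offers the "Personal" card to the wine shop, whose policy names a government issuer, and it never releases a claim the policy did not ask for even if the card could supply it. The privacy statement travels with the outcome so the user sees the intended use before consenting.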

Slide 19: Encapsulating Protocol
- A technology-agnostic way to exchange policies and claims between identity provider and relying party.
- The content and meaning of what is exchanged are determined by the participants, not by the metasystem.

Slide 20: Claims Transformation
- A trusted way to change one set of claims into another.
- A specialized server plus a policy and trust framework for translating foreign claims into locally relevant claims.
- Bridges organizational and technical boundaries.
- Transforms semantics: "Microsoft Employee" becomes "Book Purchase OK".
- Transforms formats: X.509, SAML 1.0, SAML 2.0, SXIP, LID, etc.
- Provides the interoperability needed today plus the flexibility required for future evolution.
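An added example of a claims transformer, written for this page rather than taken from Microsoft's security token server: a token signed by an issuer in the trust framework is verified, its claims are mapped through local rules (an "employer = Microsoft" claim becomes "book_purchase_ok"), and a fresh token is issued under the transformer's own key. Foreign claims that no rule mentions are dropped rather than passed through. The token format (a JSON body plus an HMAC-SHA256 tag) and the issuer names and keys are constructed stand-ins for SAML or X.509 tokens and for real trust relationships.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_token(issuer_key: bytes, claims: dict) -> str:
    """Constructed token format: base64url(JSON body) '.' base64url(HMAC tag)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(issuer_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(issuer_key: bytes, token: str) -> dict:
    body_b64, tag_b64 = token.split(".", 1)
    body = _unb64(body_b64)
    expected = hmac.new(issuer_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag_b64)):
        raise ValueError("signature check failed")
    return json.loads(body)


class ClaimsTransformer:
    """A minimal security token server that re-issues foreign claims as local ones."""

    def __init__(self, name, signing_key, trusted_issuers, rules, lifetime=300, now=time.time):
        self.name = name
        self.signing_key = signing_key
        self.trusted_issuers = trusted_issuers   # issuer name -> verification key (trust framework)
        self.rules = rules                       # (issuer, claim, value) -> (local claim, value)
        self.lifetime = lifetime
        self.now = now

    def transform(self, token: str, audience: str) -> str:
        # The unverified body is read only to pick the verification key; nothing
        # in it is trusted until verify_token succeeds.
        issuer = json.loads(_unb64(token.split(".", 1)[0])).get("iss")
        key = self.trusted_issuers.get(issuer)
        if key is None:
            raise ValueError(f"issuer {issuer!r} is not in the trust framework")
        claims = verify_token(key, token)
        if claims.get("aud") != self.name:
            raise ValueError("token was not issued to this transformer")
        if claims.get("exp", 0) <= self.now():
            raise ValueError("token has expired")
        local = {}
        for name, value in claims.items():
            if isinstance(value, (str, int, float, bool)):
                mapped = self.rules.get((issuer, name, value))
                if mapped:
                    local[mapped[0]] = mapped[1]
        if not local:
            raise ValueError("no rule produced a locally relevant claim")
        out = {"iss": self.name, "aud": audience, "exp": self.now() + self.lifetime, **local}
        return issue_token(self.signing_key, out)


# Constructed keys and names for the worked run.
CORP_KEY = b"constructed-corp-sts-key"
XFORM_KEY = b"constructed-transformer-key"
RULES = {("sts.corp.example", "employer", "Microsoft"): ("book_purchase_ok", True)}


def demo() -> dict:
    bookshop_sts = ClaimsTransformer("sts.bookshop.example", XFORM_KEY,
                                     {"sts.corp.example": CORP_KEY}, RULES)
    corp_token = issue_token(CORP_KEY, {
        "iss": "sts.corp.example", "aud": "sts.bookshop.example", "exp": time.time() + 60,
        "employer": "Microsoft", "email": "alice@corp.example"})
    local_token = bookshop_sts.transform(corp_token, audience="shop.bookshop.example")
    return verify_token(XFORM_KEY, local_token)   # what the relying party sees


if __name__ == "__main__":
    print(demo())
```

The relying party only ever verifies tokens from its own transformer, so adding a new partner issuer or a new token format is a change to the transformer's trust list and rules, not to every relying party. The audience and expiry checks are what keep a token issued for one transformer from being replayed at another.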

Slide 21: Consistent User Experience
- A single experience across multiple systems.
- Two-way authentication.
- Uniform logon and registration experience.
- User consent to disclosure of claims; policies exposed and accessible to the user.
- Reduced cognitive load on the user.
- Make the identity experience "real" and tangible instead of ad hoc.
- Predictable, hence better-informed decision making.

Slide 22: What plugs in to the Identity Metasystem?
- Identities: smartcards, self-issued identities, corporate identities, government identities, Passport identities, Liberty identities.
- Software: client applications, operating systems, online services.
- Parties: governments, organizations, companies, individuals.
- Devices: mobile phones, computers, hard ID tokens.

Slide 23: Benefits of Participating
- Bet on the "playing field", not on some particular solution.
- Increased reach: the claims transformer enables new relationships.
- Increased flexibility: policy and claims-transformation "knobs and levers" enable a wide variety of relationships.
- Easy to add support for new technology.
- Simple, safe user experience.

Slide 24: An Identity Metasystem Architecture
- Microsoft worked with industry to develop protocols that enable an identity metasystem: the WS-* web services protocols.
- Encapsulating protocol and claims transformation: WS-Trust.
- Negotiation: WS-MetadataExchange and WS-SecurityPolicy.
- The only technology we know of specifically designed to satisfy the requirements of an identity metasystem.

Slide 25: WS-* Metasystem Architecture
(Diagram; labels recovered from the transcript.) The Subject, through an Identity Selector, talks to the Relying Party and to one or more Identity Providers (Kerberos, SAML, X.509, ...). Each identity provider fronts a Security Token Server. The Relying Party and each Security Token Server publish WS-SecurityPolicy; the exchanges between the parties run over WS-Trust and WS-MetadataExchange.

Slide 26: Microsoft's Implementation
- "InfoCard" identity selector: a component of WinFX, usable by any application; hardened against tampering and spoofing.
- "InfoCard" simple identity provider: self-issued identity for individuals, running on their PCs; uses strong public-key-based authentication, so the user does not disclose passwords to relying parties.
- Active Directory managed identity provider: plugs Active Directory users into the metasystem, with a full set of policy controls to manage use of simple identities and Active Directory identities.
- Windows Communication Foundation ("Indigo") for building distributed applications and implementing relying-party services.

Slide 27: Microsoft's Implementation
- Data stored for each card in the card collection: name, logo, names of the claims available (not their values), address of the identity provider, required credential.
- Data stored in the simple identity provider: name, address, telephone, age, gender. The user must opt in.
- InfoCard data is not visible to applications; it is stored in files encrypted under a system key, and the user interface runs on a separate desktop.
- A managed identity provider may store the information needed to generate claims.

Slide 28: Microsoft's Implementation
- Fully interoperable via published protocols: with other identity selector implementations, other relying party implementations, and other identity provider implementations.
- A detailed implementation guide is available.

Slide 29: Summary
- The Laws of Identity define an identity metasystem.
- WS-* makes an identity metasystem possible using widely accepted published protocols.
- Microsoft is implementing full support for an open identity metasystem in Windows.
- The identity metasystem has the potential to remove friction and accelerate the growth of connectivity.
- Let the identity big bang begin!

Slide 30: For More Information
Two whitepapers on MSDN: "Microsoft's Vision for an Identity Metasystem" and "The Laws of Identity". Links to both from: standing/advancedwebservices/
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
