Seattle WA – September 27, 2010 – Last month, at the Privacy Identity Innovation 2010 conference in Seattle, Microsoft Senior Program Manager Christian Paquin hosted a session on the U-Prove minimal disclosure technology. ICF Executive Director Drummond Reed interviewed Christian for the following in-depth Q&A about U-Prove.
Q: First, can you tell me what U-Prove is?
A: U-Prove is an innovative privacy-enhancing security technology that can help people protect their identity-related information. U-Prove combines the security of PKI (public key infrastructure) with the flexibility of federation technologies that allow people to link identities across domains. And it does all this while providing privacy-by-design. That makes the U-Prove technology ideally suited to protect claims (attributes) in user-centric identity systems.
Q: Microsoft made a major announcement about U-Prove at RSA in March. What was the essence of that announcement?
A: The initial release of the U-Prove technology we announced at RSA consisted of two parts. First, we released the U-Prove specifications, published under the Open Specification Promise (OSP), so anyone can implement and use them freely and for any purpose. The first specification describes the core cryptographic protocols, and the second is a WS-Trust / OASIS IMI profile (the protocol used for Information Cards). We also released two open-source Software Development Kits (SDKs) – one in C#, one in Java – implementing the core cryptographic specification.
Avoco Secure today announced it will launch the first "universal identity broker", a new product called Open2Connect, which will make it much easier and more seamless for users to access online resources such as websites and documents using any identification/authentication method, including username/password, Information Cards, OpenID®, X.509 digital certificates, Windows Live® ID, SAML, etc.
The Open2Connect UIB system ensures that a user can utilise any preferred login method, as long as that method supplies the piece of identity information the site requires in order to grant access (called a "claim"). Examples of claims include names, email addresses, or account numbers. The UIB can also go a step further by controlling access to the web resource through levels of assurance associated with the login, for example requiring that the claim originate from a specified source.
The whole login process is handled by the UIB: the user simply clicks on the login button as usual -- vital in retaining usability of websites. The UIB will then present the user with choices of login method from their preferred list -- showing only those that the website will accept (because they contain the correct claim). The communication between the login method, the identity provisioning site (as appropriate) and the website is all handled by the UIB.
On the ICF mailing list earlier this week, ICF member Markus Sabadello, a leader of several Information Card-related open source projects, announced the availability of CardGears, a hosted service for web sites wishing to issue Managed Information Cards.
As Mr. Sabadello points out, Managed Information Cards can be issued by any website, whether simply to provide a simpler and more secure sign-in mechanism, or to extend its brand by becoming part of the user experience every time the card is used. The website issuing a managed card is authoritative for the data on it. Technically, this requires two components:
- A card issuing component. This produces and sends to the user a card file (in the .crd format) each time a new card is issued.
- A Security Token Service (STS). This is the component that provides the claim values (identity information) on a card, such as first name, last name, e-mail address, etc. The STS is invoked every time a user uses or previews their card.
Mr. Sabadello explains, “CardGears makes it as simple as possible to operate both of the above components. First, you can design, issue and modify cards by using the intuitive web interface, without any programming at all. Second, you can use various APIs to integrate the CardGears service with your own applications. And you can mix and match each of these two approaches as needed for your site.”
There are currently four demo sites illustrating various aspects of Information Cards and CardGears:
Information Card Foundation member Acxiom® Corporation (NASDAQ: ACXM), a global leader in interactive marketing and risk mitigation services, announced a beta program for the Acxiom Identity Card. This program uses Information Card technology to enable retail merchants, corporations, financial institutions and other organizations to offer a privately branded identity card to their customers.
"Businesses should benefit with a decrease in internal consumer authentication and fraud detection costs if they encourage their customers to adopt a digital identity card," says Tim Christin, senior vice president of Acxiom's risk mitigation division. "And in turn, their customers should benefit by the streamlined online experience with a single sign-on system, the elimination of user names and passwords, and the reduced risk of identity fraud."
A digital identity card allows consumers to establish new online accounts and log in to existing accounts with a unique, encrypted identity that is stored on the consumer's personal computer. This is the digital equivalent of a privately branded identity card that is typically carried in a person's wallet.
For the past few years, analysts such as Bob Blakley and Jamie Lewis have predicted that someday, with the right identity technology, a 'digital oracle' could issue abstract but trusted declarations such as "a specific person is above or below a specific age" without needing to reveal the actual birthdate.
In mid-October a story published on theonion.com shouted to the world that, for the first time in history, someone pressed the "I'm under 18" button on a pornographic site, denying themselves a treasure trove of "adult content." This story highlights a glaring defect with Internet identity: after more than 20 years of evolution, there is still no way to prove how old we are (let alone whether we are a dog or not).
Last week that finally changed. Equifax introduced the first digital Information Card that allows anyone with a credit record to make verified claims -- specifically, an "I'm over 18" claim. This new age verification service was introduced by Equifax in conjunction with Azigo, makers of the Azigo Information Card selector. Equifax acts as the identity provider for the Equifax Over 18 I-Card. This card is produced by the Azigo CardPress service, and works with any Information Card selector.
With Information Card technology, Equifax can attest online whether a person is older than a specific age without needing to divulge actual identifying information such as the real birthdate. A website that accepts the Equifax Over 18 I-Card doesn't have to trust the user asserting this information; it can trust Equifax.
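To make the pattern concrete, both for the STS described in the CardGears item (the issuer-side component that supplies a claim value each time a card is used) and for the Equifax age claim above, here is an added worked example. It is not code from the ICF, and not Equifax's, Azigo's or Microsoft's implementation or token format. The issuer holds a birthdate in its records, derives a single "over 18" boolean, and signs a token carrying only that claim; the relying site checks the issuer's signature, the audience and the validity window, and never sees the birthdate. The issuer identifier, site URIs and claim names are assumptions, and the RSA routines are a stdlib-only stand-in for the issuer's real signing key (demo-size key, simple hash-to-modulus padding) so that the example runs offline.

```python
"""Minimal-disclosure age claim: the issuer signs only a derived 'over18' bit.
Added example, not code from the ICF article, Equifax, Azigo or Microsoft. ISSUER,
the site URIs and the claim names are assumptions; the RSA routines are a stdlib-only
stand-in for the issuer's real signing key (demo-size key, simple hash padding)."""
import hashlib, json, secrets
from datetime import date, datetime, timedelta, timezone

ISSUER = "urn:example:over18-issuer"  # assumed identifier, not a real issuer URI
DEMO_NOW = datetime(2010, 10, 1, tzinfo=timezone.utc)  # fixed clock for a reproducible demo
ADULT_BORN, MINOR_BORN, LEAP_BORN = date(1990, 6, 15), date(1995, 12, 1), date(1992, 2, 29)
SMALL_PRIMES = [p for p in range(3, 1000) if all(p % d for d in range(2, int(p ** 0.5) + 1))]

def is_probable_prime(n, rounds=32):
    """Miller-Rabin after a trial-division prefilter."""
    if n < 3 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=1024):  # 1024 bits is a demo size, not a production one
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (n, e), (n, pow(e, -1, phi))

def _encode(msg, n):
    """Full-domain-hash style: stretch SHA-256 over the message to the modulus size."""
    nbytes = (n.bit_length() + 7) // 8
    stream = b"".join(hashlib.sha256(msg + i.to_bytes(4, "big")).digest() for i in range(nbytes // 32 + 1))
    return int.from_bytes(stream[:nbytes], "big") % n

def rsa_sign(priv, msg):
    n, d = priv
    return pow(_encode(msg, n), d, n)

def rsa_verify(pub, msg, sig):
    n, e = pub
    return 0 <= sig < n and pow(sig, e, n) == _encode(msg, n)

def eighteenth_birthday(born):
    """Someone born on 29 February turns 18 on 1 March of a non-leap year."""
    try:
        return born.replace(year=born.year + 18)
    except ValueError:
        return date(born.year + 18, 3, 1)

def issue_over18_token(priv, record_birthdate, audience, now, ttl=timedelta(minutes=5)):
    """Issuer (STS) side: the birthdate stays here; only the derived bit is signed."""
    claims = {"iss": ISSUER, "aud": audience,  # audience binds the token to one site
              "iat": int(now.timestamp()), "exp": int((now + ttl).timestamp()),
              "over18": now.date() >= eighteenth_birthday(record_birthdate)}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return payload, rsa_sign(priv, payload)

def relying_party_check(pub, token, my_site, now):
    """Site side: trust the issuer's signature, not the user. Returns (over18, reason)."""
    payload, sig = token
    if not rsa_verify(pub, payload, sig):
        return False, "signature invalid: tampered, or not signed by the issuer"
    claims = json.loads(payload)
    if claims.get("iss") != ISSUER:
        return False, "unexpected issuer"
    if claims.get("aud") != my_site:
        return False, "token issued for a different site"
    ts = int(now.timestamp())
    if not claims.get("iat", ts + 1) <= ts <= claims.get("exp", ts - 1):
        return False, "token outside its validity window"
    if set(claims) - {"iss", "aud", "iat", "exp", "over18"}:
        return False, "issuer disclosed more than the requested claim"
    return claims.get("over18") is True, "ok"

if __name__ == "__main__":
    pub, priv = rsa_keygen()
    token = issue_over18_token(priv, ADULT_BORN, "https://shop.example", DEMO_NOW)
    print(token[0].decode(), relying_party_check(pub, token, "https://shop.example", DEMO_NOW))
```

Running the module prints the signed payload (issuer, audience, timestamps and the single boolean) followed by the site's verdict. Flipping `over18` in the payload without the issuer's key fails signature verification, and a token minted for one site is rejected by another because of the audience check. Note that this plain signed-token approach gives minimal disclosure but not unlinkability: the issuer sees and signs every token, which is the property U-Prove's cryptography is designed to add.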