Seattle WA – September 27, 2010 – Last month, at the Privacy Identity Innovation 2010 conference in Seattle, Microsoft Senior Program Manager Christian Paquin hosted a session on the U-Prove minimal disclosure technology. ICF Executive Director Drummond Reed interviewed Christian for the following in-depth Q&A about U-Prove.
Q: First, can you tell me what U-Prove is?
A: U-Prove is an innovative privacy-enhancing security technology that can help people protect their identity-related information. U-Prove combines the security of PKI (public key infrastructure) with the flexibility of federation technologies that allow people to link identities across domains. And it does all this while providing privacy-by-design. That makes the U-Prove technology ideally suited to protect claims (attributes) in user-centric identity systems.
Q: Microsoft made a major announcement about U-Prove at RSA in March. What was the essence of that announcement?
A: The initial release of the U-Prove technology we announced at RSA consisted of two parts. First, we released the U-Prove specifications, published under the Open Specification Promise (OSP), so anyone can implement and use them freely and for any purpose. The first specification describes the core cryptographic protocols, and the second is a WS-Trust / OASIS IMI profile (the protocol used for Information Cards). We also released two open-source Software Development Kits (SDK) – one in C#, one in Java – implementing the core cryptographic specification.
Munich, Germany -- Information Cards and ICF members were very active in the European Identity Conference (EIC) in Munich this past week. To begin with, ICF board member Kim Cameron accepted the European Identity Award for “Best Innovation” on behalf of Microsoft for its U-Prove minimal disclosure technology. The award was shared with IBM for its similar Idemix technology. Both solutions were lauded by EIC host Kuppinger Cole as pioneering efforts in enhancing online privacy and security.
Mr. Cameron also gave a keynote address, “Federated Directory meets Minimal Disclosure: Mortal Enemies or Soul Mates?” in which he showed how cloud computing, social networks, and enterprise collaboration demand federation of directory information across trust boundaries to create a distributed information fabric. Mr. Cameron then asserted that, by using technologies like U-Prove, these federations can be built to be consistent with the requirements of minimal disclosure.
Avoco Secure today announced it will launch the first "universal identity broker", a new product called Open2Connect that will make it much easier and more seamless for users to access online resources such as websites, documents, etc. using any identification/authentication method, including username/password, Information Cards, OpenID®, X.509 digital certificates, Windows Live® ID, SAML, etc.
The Open2Connect UIB system ensures that a user can utilise any preferred login method, as long as that method contains the information required by the site to allow access (called a "claim"). Examples of claims include names, email addresses, or account numbers. The UIB can also go a step further by controlling access to the web resource through associating levels of assurance with the login, for example specifying that the claim must originate from a specified source.
The whole login process is handled by the UIB: the user simply clicks on the login button as usual -- vital in retaining usability of websites. The UIB will then present the user with choices of login method from their preferred list -- showing only those that the website will accept (because they contain the correct claim). The communication between the login method, the identity provisioning site (as appropriate) and the website is all handled by the UIB.
ICF Steering Member Equifax Inc. announced this week that it has chosen Anakam, Inc. to provide the electronic authenticator for the Equifax I-Card. Anakam will implement its Anakam.TFA® Two Factor Authentication service, making the Equifax I-Card the first to have the maximum ease of use as well as the highest level of authentication security (Level 3) in the marketplace.
According to ICF board member Ron Carpinella, Equifax's Vice President of Identity Management, "This speaks to our efforts to provide strong authentication for the U.S. federal government via i-cards and the ICAM trust framework." The Information Card Foundation, together with the OpenID Foundation, has been instrumental in working with the U.S. GSA Identity, Credential, and Access Management (ICAM) Subcommittee to create a trust framework that enables U.S. citizens to use open identity credentials to access U.S. government websites.
The Anakam platform will be incorporated into the Equifax I-Card offering to provide on-going two-factor authentication without the need to distribute smart cards and hard tokens to end users, while still complying with the standards established around these devices. With Level 3 authentication, there is high confidence in the validity of the user's asserted identity as determined by U.S. Office of Management and Budget (OMB) guidelines and the technical recommendations of the National Institute of Standards and Technology (NIST).
On the ICF mailing list earlier this week, ICF member Markus Sabadello, a leader of several Information Card-related open source projects, announced the availability of CardGears, a hosted service for web sites wishing to issue Managed Information Cards.
As Mr. Sabadello points out, Managed Information Cards can be issued by any website, whether just to provide a simpler and more secure sign-in mechanism, or to extend its brand by becoming part of the user experience every time a card is used. The website issuing a managed card is authoritative for the data on it. Technically, this requires two components:
- A card issuing component. This produces and sends to the user a card file (in the .crd format) each time a new card is issued.
- A Security Token Service (STS). This is the component that provides the claim values (identity information) on a card, such as first name, last name, e-mail address, etc. The STS is invoked every time a user uses or previews their card.
Mr. Sabadello explains, “CardGears makes it as simple as possible to operate both of the above components. First, you can design, issue and modify cards by using the intuitive web interface, without any programming at all. Second, you can use various APIs to integrate the CardGears service with your own applications. And you can mix and match each of these two approaches as needed for your site.”
There are currently four demo sites illustrating various aspects of Information Cards and CardGears:
Bethesda, MD, USA – The first iTrust Forum, held today at the National Institutes of Health (NIH) headquarters in Bethesda, MD, featured a four-part session about the U.S. government’s Open Identity for Open Government Initiative. NIH is leading government adoption of this initiative through the NIH Federated Identity Service. NIH demonstrated the first production use of open identity technologies at the iTrust Forum by showing how the Federated Identity Service now accepts logins from several of the ten OpenID and Information Card identity providers that have announced participation in the initiative.
In a separate demonstration, Don Schmidt of Microsoft showed a prototype “multi-protocol selector” – software that will enable users to do both OpenID and Information Card registration/login to websites through one simple, safe, visual interface. This will make authentication at many different websites dramatically simpler for users while at the same time providing strong protection against the main source of phishing attacks.
ICF Executive Director Drummond Reed and OpenID Foundation Executive Director Don Thibeau presented the Open Identity Framework (OIF), a new open trust framework model being developed jointly by the ICF and OIDF to solve the problem of how third-party portable identity credentials such as OpenID and Information Cards can be trusted in very large deployments, such as across the entire U.S. population and all U.S. government websites.
Mountain View, CA – November 2, 2009 – Avoco Secure, a leading security, digital identity, and digital signature vendor based in the U.K., announced at the OpenID Summit today that it is releasing the first commercially available Information Card selector software that operates completely “in the cloud”. Called CloudCard, it is a standard Information Card selector implementation that requires no installation and works from any conventional browser on a desktop, laptop, or mobile device.
Susan Morrow, Product Manager for CloudCard, demonstrated today how it eliminates the need for local client software, which is one of the barriers to widespread adoption of the Information Card digital identity standard. CloudCard uses the standard IMI 1.0 Information Card format and protocol so it works immediately with any Information Card issuer. Websites that wish to accept Information Cards from CloudCard currently need to add some simple custom HTML code to their web page, but according to Ms. Morrow this step is easy compared to the hurdle of requiring users to install a desktop selector, and Avoco plans to standardize this special code so it can be used with any cloud selector.
Avoco will demonstrate CloudCard again tomorrow at the Internet Identity Workshop in Mountain View.
ICF Executive Director Drummond Reed just returned from a two-week trip to the EU. He shares the following observations:
My first stop was giving a keynote at the NordSec conference in Oslo, wonderfully organized by Dr. Audun Jøsang of the University of Oslo. The agenda was one of the richest of any conference in my recent memory; I found myself taking notes constantly on talks covering STORK, ID management based on mobile SIM cards, and privacy risks in Web 2.0, among other topics.
The day ended with a panel on “Global identity management – a threat or an opportunity for privacy?” I spoke strongly in favor of the opportunity Information Card technology offers for privacy protection, and how the U.S. government’s open identity solutions initiative is taking advantage of this. That initiative and the ICF/OIDF open trust frameworks project drew a great deal of interest among the largely EU-based audience; its potential for helping “raise the bar” on Internet privacy was one of the main themes of the panel.
Although a formal announcement from OASIS is not expected until next week, the Identity Metasystem Interoperability Version 1.0 specification was approved as an OASIS standard today by a unanimous vote of the OASIS members participating in the vote. According to IMI Technical Committee editor Mike Jones of Microsoft, "This is a wonderful endorsement of the work of the IMC TC. The standard benefitted substantially from the input received during the process. Numerous clarifications were incorporated as a result, while still maintaining compatibility with the earlier Identity Selector Interoperability Profile V1.5 (ISIP 1.5) specification."
Mr. Jones acknowledged this was a broad community effort, spanning many individuals and organizations. Many Information Card Foundation members were involved, and others are currently implementing products and services based on the specification. Said ICF Chairman Paul Trevithick of Azigo, "Reaching the level of an OASIS Standard is a major milestone for the Information Card community. It attests to the maturity of the IMI 1.0 specification. Now ICF can place more emphasis on the other elements necessary for widespread adoption, including reference implementations, best practices, trust frameworks, and market education."
The European e-Identity Management Association (EEMA) held its annual conference in London last week, and Information Cards were a major topic. At the opening session on Thursday, 25 June, Kim Cameron of Microsoft gave an overview of claims-based identity and the role of Information Cards in a claims-based identity metasystem. He also mentioned his new white paper, Proposal for a Common Identity Framework: A User-Centric Identity Metasystem, co-authored with Reinhard Posch (federal CIO for the Austrian government since 2001) and Kai Rannenberg (the T-Mobile Chair for Mobile Business and Multilateral Security at Goethe University Frankfurt).
The second day of the conference featured an Identity Metasystems Roundtable, moderated by John Bradley, ICF Fellow and OASIS IDtrust Steering Committee Member, Tony Nadalin of Microsoft, and Drummond Reed, ICF Executive Director. It was an in-depth discussion covering many current topics in the Information Card and IMI ecosystem, including: