thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Friday, February 16, 2007

ID standards war is over - but what now?

So the heated exchange of "mine is safer" arguments between Kim Cameron from Microsoft and Dick Hardt from Sxip was just the PR prelude to the great romantic ending in heightened public attention: Microsoft will be using OpenID and CardSpace together. It was announced like the next big thing at the RSA conference, and Verisign (the usual suspects for identity provision aka "I tell others about you, and they pay for it") as well as JanRain also signed the joint announcement. Everybody was keen to ensure that this is not some buy-out by Microsoft. Scott Kveton from JanRain announced:
"Microsoft did not cave in to the OpenID community and the OpenID community is giving nothing up to Microsoft."
Interestingly, just a day before that, some folks from Higgins, Bandit and Novell had demonstrated open source identity services that are interoperable with Microsoft's Windows CardSpace system and enable Liberty Alliance-based identity federation via Novell Access Manager. Microsoft CardSpace and Liberty specifications interoperating. Wow. But they were not Bill Gates, so it was not as widely reported. But the effect is that now, the three biggest players in the field cooperate (or "coopete", as some call it).

Today, AOL announced that they also will use OpenID for AIM. It looks like the standards wars are over. But what will follow from this?

The core problem with CardSpace will remain: It may help against phishing, but it can also be used for tracking your movements through the web via the identity provider. At least our governments won't have such difficulty anymore deciding which identity technology to use for your online "show your ID please" experience. I have not looked into OpenID enough to really see what the problems are, but my computer science friends tell me it's a big hole, and you can read about man-in-the-middle attacks as well as phishing possibilities. A recent white paper by Ping Identity therefore concludes:
"While not necessarily a concern for the use cases that initially motivated OpenID, such a privacy risk will limit OpenID’s success in more sensitive use cases (e.g. Internet banking, eCommerce, health care, etc)."
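To make the tracking concern concrete, here is an added illustration that is not part of the original post or of any of the projects it mentions. In OpenID the site you log in to (the relying party) redirects your browser to your identity provider with your claimed identifier and the URL it wants you sent back to, so the provider learns which site you are using every time. The log lines, the identifiers and the site names below are constructed for the example; only the parameter names (openid.mode, openid.identity, openid.return_to) are the real OpenID ones.

```python
"""Constructed example: what an OpenID identity provider (OP) can learn.

Every relying party redirects the user to the OP with a checkid request
that names the user (openid.identity) and the site to return to
(openid.return_to). Aggregating those requests gives the OP a per-user
timeline of the sites that user logs in to. All log lines below are
constructed, not captured from a real provider.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed OP access-log lines: timestamp, method and request path.
OP_LOG = [
    "2007-02-16T09:01:12Z GET /openid?openid.mode=checkid_setup"
    "&openid.identity=http%3A%2F%2Falice.example.net%2F"
    "&openid.return_to=https%3A%2F%2Fshop.example.com%2Flogin%2Fdone",
    "2007-02-16T09:03:40Z GET /xrds",  # discovery document, no login
    "2007-02-16T09:15:05Z GET /openid?openid.mode=checkid_immediate"
    "&openid.identity=http%3A%2F%2Fbob.example.net%2F"
    "&openid.return_to=https%3A%2F%2Fforum.example.org%2Fauth",
    "2007-02-16T09:15:06Z POST /openid?openid.mode=check_authentication",
    "2007-02-16T11:42:51Z GET /openid?openid.mode=checkid_setup"
    "&openid.identity=http%3A%2F%2Falice.example.net%2F"
    "&openid.return_to=https%3A%2F%2Fclinic.example.com%2Fpatient%2Flogin",
]

LOGIN_MODES = ("checkid_setup", "checkid_immediate")


def parse_log_line(line):
    """Return (timestamp, identity, relying-party host) for a login
    request, or None for any other request the OP served."""
    timestamp, _method, path = line.split(" ", 2)
    query = parse_qs(urlparse(path).query)
    if query.get("openid.mode", [""])[0] not in LOGIN_MODES:
        return None
    identity = query.get("openid.identity", [""])[0]
    return_to = query.get("openid.return_to", [""])[0]
    return timestamp, identity, urlparse(return_to).hostname


def build_profiles(lines):
    """Map each claimed identifier to the ordered list of
    (timestamp, site) pairs the OP observed for it."""
    profiles = defaultdict(list)
    for line in lines:
        record = parse_log_line(line)
        if record is not None:
            timestamp, identity, site = record
            profiles[identity].append((timestamp, site))
    return dict(profiles)


def sites_per_user(lines):
    """Distinct relying parties seen per identifier: the shape of the
    tracking profile an OP accumulates without any extra effort."""
    return {
        identity: sorted({site for _ts, site in visits})
        for identity, visits in build_profiles(lines).items()
    }


if __name__ == "__main__":
    for identity, visits in build_profiles(OP_LOG).items():
        print(identity)
        for timestamp, site in visits:
            print("   ", timestamp, site)
```

Running it prints one timeline per identifier; the point is that nothing in the protocol hides the return_to host from the provider, so the provider's ordinary access log already is the tracking record. Mitigations are outside the protocol itself: choosing a provider you trust with that log, running your own, or using a different identifier per site.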
Gerry Gebel from the Burton Group also has a very sober perspective on the convergence fuzz and the visions of an internet-wide identity system:
"In his keynote, Bill Gates described a world in which every device, person, and datum will have a unique identifier, the network address space will vastly expand, and policies will be much more granular and specific than they are today. The scale of the policy management problem in that world will be orders of magnitude larger than it is today; where are the models which will support a solution?"
One thing that gives me hope is this here: Credentica has just released its "U-Prove" ID management kit, which works with SAML, Liberty ID-WSF, and CardSpace while, according to the press release, massively enhancing the privacy of its users. Among other things, it allows for "sharing information without revealing source data". While I am not cryptographer enough to really understand zero-knowledge proofs and related fancy (and fuzzy) algorithms, Stefan Brands and his colleagues certainly know their stuff. Hopefully this or similar technology will also find widespread adoption.

