Monday 21 April 2008

Data, identity and Microsoft

Kim Cameron, Microsoft’s chief identity architect, was over in the UK last week, talking to government, analysts, internal folk … and me. Most of his time is currently spent on the massive CardSpace project, which Microsoft hopes will have the same effect as putting chip and PIN on the internet – basically it is being touted as the answer to our online identity verification woes.



Up until now, solutions to the problems of online fraud and even enterprise identity management have been less than perfect. One-time passcode generating tokens work OK, but there comes a point when your “fistful of dongles”, as Cameron calls them, becomes too unwieldy. Cameron’s answer revolves around the “Identity Metasystem” – his vision for the underlying architecture on which CardSpace is built. It is cross-technology and cross-provider, and as such probably stands the best chance of living up to its own hype.



It involves interaction between three different parties: identity providers, such as credit card companies, government, or even the individual consumer/web site visitor; the relying parties, which require said identities, such as a web site; and subjects, which could be any party about which claims are made.



It can get rather complicated from here, but basically the CardSpace software stores references to a user’s digital identities and then presents them as so-called Information Cards. When a user visits a site that supports InfoCards, they are presented with the CardSpace UI, from which they can select the appropriate card. Once a card is chosen, the CardSpace software contacts that identity’s issuer to obtain a signed token containing all the relevant information. It’s all about trying to borrow concepts of trust and verification from the physical world and make it all as user friendly as possible.



There are obviously serious data protection issues to be faced here too – as Cameron observed, in the past privacy has often had to be compromised to ensure security. It’s an issue they are well aware of: “If it’s a spy machine then [this project] goes nowhere,” observed Cameron. Well, thanks to some clever algorithms – isn’t it always about algorithms these days? – they’re able to ensure security without that compromise. Don’t ask me how, but it will be interesting to see if CardSpace succeeds where all other verification technologies have not.



IT services group Eduserv was represented at the meeting too, for the work the company is doing with CardSpace. It announced last week that ten local councils are trialling the software – given the number of data loss incidents in recent times, it’s reassuring that local councils are looking at innovative ways to tighten their security practices and ensure the secure sharing of and access to data. Practical, real-world applications like this of the still juvenile technology will be vital in the coming months and years to hone the technology and processes behind it and win over the sceptics.

