Ending Microsoft's identity crisis

Identity expert Kim Cameron explains more about the InfoCards touted as the death knell for usernames and password.

Ina Fried Former Staff writer, CNET News
During her years at CNET News, Ina Fried changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley.
Ina Fried
5 min read
SAN JOSE, Calif.--If Microsoft needs a lesson on how to do identity management wrong, it needs only look at its past.

With Passport, Microsoft had exactly the wrong approach as the software maker needlessly stepped between businesses and their customers--so says Kim Cameron, the identity expert who leads Microsoft's current effort, known as InfoCard.

Microsoft Chairman Bill Gates on Tuesday touted InfoCards as one of the technologies that could finally help cement the death of the username and password as the means of verifying identity on the Internet.

But before InfoCard can supplant anything, Microsoft will have to line up Web sites to use it, banks and credit card companies to support it and then get consumers to buy in, too. Cameron sat down with CNET News.com this week to talk about InfoCard, how it works and what Microsoft needs to do to make sure it doesn't whiff again.

Q: What makes this attractive to others--to, say, Web site owners?
Cameron: When you first go to a Web site, their mantra, somebody told me, is "acquire, acquire, acquire." I didn't know what that meant. But what that means is: Get that customer relationship going. At that moment, a lot of people will want to accept any InfoCard they can, then later, they get pickier. For example, if you want to buy something they will probably want something from a credit card company or a bank.

It's a bit of a chicken and egg thing. How do you guys get enough of the right people on board, build enough of an ecosystem?
Cameron: One of the things is people don't have to throw out their current authentication mechanism for InfoCard. And you don't have to change much at your site. It's just one very small component of the site that changes. The rest of the site all just stays the same. So, the investment required is small. And it becomes easier to acquire (new customers).

What it is, is a visualization and a way of contacting the identity provider. You can't go and steal the InfoCard. I mean if you did, it wouldn't give you anything.

Now the question is: "Can we as Microsoft put together the right partnerships?" It?s hard. I've never worked on anything this hard, but the payoff is huge if it can be done. Then the question is: "Does the industry want to do it?" Microsoft can't do it by ourselves. Nobody can do it by themselves.

If I'm a user of Vista (the next version of Windows). How do I get an InfoCard. Is it something that is just there?
Cameron: A self-issued one you create yourself. If you get one, say from your bank, you go to your bank's Web site and you double click on it. It will give you your InfoCard--you might have to enter a one-time password or something that they have given you. It just appears in your InfoCard collection. You go through the verification process and it will appear in your InfoCard collection.

Is it limited to Internet Explorer. You have talked about it being implemented in the browser, but is it limited to that?
Cameron: It's not implemented to the browser. It?s integrated with the browser. The browser uses it, but it's an underlying platform service. Mozilla can use it just as well as IE (Internet Explorer). That's key. If that isn't the case, it just won't get the reach that we need.

It seems like the intent is for there to be multiple and compatible things there, a mechanism that keeps it so that when Apple does it, it's compatible with InfoCard?
Cameron: This is the nice thing. It's built on these standards that a lot of companies have adopted, Web services standards. It's really a precise collection of standards--WS-Trust, WS-Security, WS-Security Policy.

What about the whole Liberty Alliance specification?
Cameron: This is not positioned against Liberty. I am an admirer of Liberty. Liberty has done a lot of great things around policy, leadership on federation. This is something that a Liberty-enabled site can use for interacting with their customers.

Now, in terms of WS standards and Liberty, currently Liberty runs on the SAML (Security Assertion Markup Language) protocol, and WS standards are slightly different, although they share components. We're also working to try and align those things. But those things don't impact InfoCard.

Microsoft has said that InfoCard will be available for XP machines through IE7. How do XP users get access to the necessary code.
Cameron: In XP it comes in on WinFX.

So it's a client-side software download?
Cameron: Yes. Our hope is that will be really easy.

So, I can have my InfoCards on my work machine and on my home machine and they could be the same. Does that expose it to security risks? If you are able to transfer InfoCards then people can steal it?
Cameron: No, because the InfoCard doesn't actually contain the identity information.

What it is is a visualization and a way of contacting the identity provider. You can't go and steal the InfoCard. I mean if you did, it wouldn't give you anything.

What, if any, personal data lives on other people's servers?
Cameron: Let's take the case of a credit card company. Because I go to the credit card provider each time I want to use one, it can give me a one-time credit card number. It actually never has to release my real credit card number.

Obviously InfoCard comes with Vista, but what do you think is a realistic time frame for when this will be usable?
Cameron: I think people will be people offering InfoCard-enabled services by the time Vista ships. I'm at a disadvantage because I can't tell you who we are working with. What I can say is there are thought leaders around this in each industry. Those are the guys who we will be working with and who will have these applications that are InfoCard ready.

You can get not just identity but sort of very interesting semi-anonymous things that are very privacy-friendly. One of the things we have been doing with this project is to work with the privacy advocates and have them as colleagues in the design of the thing. This is not one of those things where a bunch of nerds get in to a garage and come up with something that is going to gross out the privacy advocates.

When do you anticipate talking about some of the partners?
Cameron: It will be as we get closer to (the launch date for) Vista.

News.com's Joris Evers contributed to this report.