I’ve briefly mentioned Microsoft’s InfoCards, and chances are you may have heard snippets of it elsewhere. InfoCards is the company’s planned implementation of a digital identity infrastructure it terms “Identity Metasystem”.
Johannes Ernst of LID fame provides a good, plain language description and scenario for the concept. Though much of the details are still unknown, we do know that it’s possibly dependent on certain desktop and browser objects, is dependent on SOAP and what is known as the “Web Services Stack”, including WS-trust, WS-Security, WS-Policy, WS-Addressing, and several other services.
Reading all of this, Julian Bond responded with:
– User end requires Longhorn or an XP upgrade
– Depends on SOAP and the WS protocol stack
– Uses HTML OBJECT tag wth DLL support
– Multiple commercial licensing but with probably no open, free, license.
What’s sad about this is that Microsoft cannot separate the standards process from it’s commercial business. It’s completely unable to take a view that a larger market raises all boats. So I’m not at all surprised at the approach and I also predict loads of noise and very little implementation leading to another failure. I think the rest of us can safely ignore what they’re doing. While at the same time borrowing from all the excellent work that people like Kim Cameron are doing on the fundamental analysis of Identity.
And in a later post, he continues:
I’ve written here and on Kim Cameron’s and Marc Canter’s blogs that InfoCards is doomed because MS cannot implement a standard that is genuinely open. They’re completely stuck in architecting something that relies on ActiveX, Internet Explorer and the WS-Stack of SOAP protocols. It’s completely understandable why they do this. But it’s also just about guaranteed to fail. The reliance on ActiveX and IE rejects macs, linux and firefox on the desktop. The reliance on the WS-Stack rejects PHP/PERL/Python on the server and it probably rejects Java as well because interop with plain old SOAP is patchy let alone the full stack. Basically, if you don’t use an MS development environment you can pretty much guess it won’t work. And compatibility or at least the ability to interop with things like SAML, PingID and Liberty is a noble goal, but I wouldn’t bet money on it unless I could afford large numbers of Accenture contractors.
Kim Cameron, the Microsoft architect behind the concept of ‘meta-identities’ responds, refuting some of the technical concerns that Julian expressed:
InfoCard does depend on SOAP and WS. But creating an interoperating stack is not difficult. People on non-windows clients will have open source implementations available to them. Such implementations are being built today (some exist).
As regards the license:
Again I will say that the IP will be available in a royalty-free license. We are working on using an existing license that is well accepted by the vast majority of people building software today.
However, much of Kim’s response seems to focus more on the fact that Julian has challenged InfoCards, rather than on specific issues. He writes:
I just don’t get Julian’s vibrations. We thought long and hard about how to make the client tremendously open to a plurality of identity technologies and operators. We’ve put it out there. It doesn’t require anyone to lay down their existing protocols – use whatever works for interacting with conventional clients. But let’s give the end user a better, safer and more comprehensible mechanism for taking control of her identity.
In this, Julian, why not work with us? The laws are not abstract things. This is the time when we need to change the Internet so it comes into accord with them. Not every aspect of these proposals may be exactly as you would wish. But please consider the great complexity of “weaving” a solution here, garnering support across all the consitutencies, and consider again why you would walk away from this opportunity.
(Personally, I’ve always thought that challenges are best when made before the champagne is popped, rather than after, but that’s me.)
Regardless, like Julian I’m hesitant about buying into a universal digital identity system of which key components of said system are held by a single non-public entity. This is my concern about using LID, as lightweight and open as this system is; this remains an even stronger concern with InfoCards.
It’s not that I believe that Microsoft is inherently evil. How can I? I spent a great deal of my professional life working on Microsoft-related technologies. In fact, much of my livelihood in the past was due, directly or indirectly, to Microsoft. If I call Microsoft ‘evil’ than I must take responsibility for having spread evil, and the use of evil.
No, I don’t think Microsoft is evil, but I do think the company is arrogant–an arrogance reflected in the company decisions. We have only to look at how long Internet Explorer lived in the crippled 6.x version after Microsoft achieved success over Netscape, to realize that though the company is inspired–brilliantly at times– by competition, it becomes complacent, even lazy, when said competition is routed.
Now Microsoft is asking that we buy into a proprietary architecture governing a technology as sensitive as digital identities, with only a given assurance that the company will act benevolently. More, the company is asking that we believe it will act consistently. Though it may apply a liberal software license that allows others to implement the architecture, there’s nothing in a royalty free license to prevent Microsoft from implementing a sudden and not necessarily backwards compatible change in direction–as was demonstrated when the company rolled out .NET.
Joining the dialog, Doc Searls wrote a post titled Some Questions of the Identity Metasystem. Specifically, he addressed the issue of separation of specification and implementation:
I think what we have here (looking at Johannes’ and Julian’s posts, which are representative of questions I hear quite often elsewhere) is an insufficient distinction between an open environment (Identity Metasystem) and one vendor’s implementation inside that environnmemt (InfoCard). Because both come from Microsoft, it’s easy to conflate the two.
From the beginning of these conversations, Kim has made it clear to me that he (and Microsoft) want to see other implementations on other platforms, to demonstrate the open and inclusive nature of the metasystem, and to invite more implementations into the marketplace.
I have no doubts that Microsoft wants acceptance and adoption of this system within the open source and other environments. There would have to be implementations in other platforms for some major players in the commerce market to buy into the infrastructure. Though I don’t care for SOAP, and am disconcerted by the heavy metal of web services necessary for the implementation of this Identity Metasystem, I do understand the concerns that have been expressed with alternatives, such as HTTP and SSL. Given time I do think we can overcome the current technical obstacles integrating the Web Services into open and lightweight environments such as the ones running this weblog.
The issue, though, isn’t the technology; it’s not even the license. It’s the surprising fact that in all of this discussion, there seems to be an assumption that the average person is willing to input sensitive information, such as the following, into a digital identity–a digital identity which will then be stored on in their internet-enabled personal computer, bits of which to be passed around from site to site:
Home and Work address
Family member information
Credit and Debit cards
Driver’s license and passport
Date and location of birth
Access names and passwords, as well as other digital security data
History of activity, including:
Purchases at all online stores
Membership in various organizations, online or off
Trip and traveling information
Political and social activities
Friends and associates
Microsoft’s old foray into digital security, Passport, was rejected because the data was centralized and outside individual control. Now the data is distributed, tucked away into individual machines and under the control of you and me. Being distributed, though, does you no good when your computer is wired to the world and the back door is open.
When Longhorn is released with InfoCard as part of it, it will effectively be the target of every hacker–benevolent or not–in the free and not so free world. Microsoft is banking the success of InfoCards on a corporate belief that its engineers can create what is, in effect, a crack proof system. It, and those others who implement the “non-Windows” components of this new Identity Metasystem, are also banking on the fact that we agree.