IBM and Higgins

Age, shoe size: IBM thinks you should only disclose as much of your identity as you want


Although IBM was one of the original backers when the Higgins identity project started up last year, the company is only now contributing its first code, something it’s been working on since early 2000.

The first technology is an ‘identity mixer’ that will let users pick and choose what information to disclose about themselves and next (in July) an identity selector for choosing the sources of information to use. The emphasis is not just on encrypting your information en route – which systems like Microsoft’s CardSpace already offer – but on allowing you to anonymise yourself and use pseudonyms.

“Today you go to a website and it asks for information and you don't know what it's for and you have to fill out all these forms,” says Anthony Nadalin, IBM's chief security architect. “The identity mixer is a means where we can actually have a policy on a site and you know why it's asking you for the particular set of information, somewhat like the way CardSpace works today.”

Instead of giving your date of birth to prove you’re over 18 – or between 10 and 15 for a site that wants to reach children and avoid stalkers – Nadalin says you will pick the credential you want to use to prove your age and the software confirms that you qualify: “Based on the user's selection, the identity mixer transforms the credential into an identity mixer credential that states the user’s age is between 10 and 15. We’re capitalising on the release of minimal information wherever possible; we think this is vital to user centric identity management.” You can choose information from multiple cards to send to a single site at once, rather than sending one card and then another. And instead of sending your actual credit card details, you’d send a cryptographic token from your credit card company; like a one-time card number without the hassle.

Blinding information like this doesn’t mean you can fake it, says Nadalin. “We create a new token and we can still maintain the original details of the identity provider that created it to begin with; the relying party gets the new token, gets the proof and can verify where that information came from.” It’s also more like the real world, he believes; if you show your driving licence to prove your age, the business you’re proving it to doesn’t usually phone up to check. As long as the cryptographic signature checks out, the identity provider doesn’t need to be online at the time.

Accepting Identity Mixer credentials will improve security, he believes. “Today you buy online and you wind up giving the site your credit card number, the verification code, the expiry date and so on. Why does the storefront need this information? They actually don't. What they need is to put through a transaction. If this data is anonymised and only available to the credit card company, this reduces the amount of information the storefront has to keep lying around.” Although he won’t name names, Nadalin says financial institutions and healthcare providers are interested.

The code that can understand the policy, generate a token and consume a token will all be open source and available as libraries through the Higgins process once the IP review process is complete. The commercial side will come when IBM’s identity management products like Tivoli add support for creating and managing the x509 certificates and tokens that provide identity mixer claims.

Initially IBM is providing a Java binding, and then there will be a WSDL abstract for using it with Web services, and then support for C, C++ and other languages because that’s what developers are asking for. Nadalin says: “So far people have clamoured for the abstract interfaces, followed by Java.” There are already plugins for Firefox and Internet Explorer and there will be a standalone version for Web sites that have their own client software. There’s an annotated series of screenshots from a demo RentaCar system here [1.34 Mb download].

Using the identity mixer code is a similar process to working with OpenID or CardSpace, but be prepared for some complexity. “I think the learning curve for developers may be a little bit harder because of the various claims. I don't think it's much more than what has to be done with CardSpace, though our claims are a little bit more complex. But the UI has to be a little more sophisticated than the CardSpace UI today; you have to have these policies be able to be expressed and be understood by a mere mortal.”

CardSpace will also be able to support blinded claims like an age range, according to Microsoft’s identity architect Kim Cameron, and a future version of Active Directory will add more options: “You can transfer claims indicating you are over some age or belong to some role or a member of some group as easily as you can transfer any other claim. Our ADFS managed card provider for AD is specifically designed to make it easy to define attributes indicating membership in a set, including over and under some age, or belonging to some ‘calculated role’.”

You can’t do it with self-issued information cards in Vista; not because it’s technically hard, but because Cameron thinks the industry needs to plan for the new kind of claims people are going to make. “In the attributes we support with the self-issued identity provider, the only one that could potentially be blinded is birth date. And in version 1.0 we weren't able to get that done in time for Vista. It would have been technically easy to calculate attributes such as ‘over 16’ and ‘under 16’. The problem was that there had been no discussion in the industry about how to express the claims (which URI's), and we wanted to have at least some discussion before ‘unleashing the new attributes’ on the world. After all, it will affect hundreds of millions of people.”
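To make the minimal-disclosure idea concrete (the identity mixer credential that states only “age is between 10 and 15”, the relying party verifying the issuer’s signature without calling it, and Cameron’s issuer-calculated ‘over 16’ style claims), here is an added toy example that is not IBM’s or Microsoft’s code and does not implement the real Identity Mixer protocol. It assumes a hypothetical issuer, holder and relying party, salted hash commitments to attributes, and a stdlib Lamport one-time signature standing in for the issuer’s real signature scheme.

```python
import hashlib, secrets

# Added illustration, not IBM's Identity Mixer code. The issuer commits to each
# attribute with a salted hash and signs the commitment list (one Lamport key per
# credential, since Lamport keys are one-time); the holder opens only what the
# site's policy asks for; the relying party checks the issuer signature offline.
# Caveat: reusing the same commitments at several sites makes presentations
# linkable, which the real Identity Mixer zero-knowledge proofs avoid.

def _bits(msg):
    return [int(b) for b in "".join(f"{x:08b}" for x in hashlib.sha256(msg).digest())]

def lamport_keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[hashlib.sha256(s).digest() for s in pair] for pair in sk]

def lamport_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        hashlib.sha256(s).digest() == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def commit(name, value, salt):
    return hashlib.sha256(f"{name}={value}".encode() + salt).hexdigest()

def serialise(commitments):
    return "\n".join(f"{n}:{c}" for n, c in sorted(commitments.items())).encode()

def issue(sk, attributes):
    """Issuer: add calculated claims, commit to every attribute, sign the commitments."""
    attrs = dict(attributes, age_between_10_and_15=10 <= attributes["age"] <= 15,
                 over_18=attributes["age"] >= 18)
    salts = {n: secrets.token_bytes(16) for n in attrs}
    commitments = {n: commit(n, v, salts[n]) for n, v in attrs.items()}
    return {"attrs": attrs, "salts": salts, "commitments": commitments,
            "sig": lamport_sign(sk, serialise(commitments))}

def present(cred, disclose):
    """Holder: open only the requested attributes; name, age and the rest stay hidden."""
    return {"commitments": cred["commitments"], "sig": cred["sig"],
            "opened": {n: (cred["attrs"][n], cred["salts"][n]) for n in disclose}}

def verify(pk, pres, policy):
    """Relying party: issuer signature first, then each opened value against its commitment and the policy."""
    if not lamport_verify(pk, serialise(pres["commitments"]), pres["sig"]):
        return False
    for name, wanted in policy.items():
        if name not in pres["opened"]:
            return False
        value, salt = pres["opened"][name]
        if commit(name, value, salt) != pres["commitments"][name] or value != wanted:
            return False
    return True
```

A site whose policy only needs `age_between_10_and_15` learns that one bit and the issuer’s signature; it never sees the birth date, and an opened value that does not match its commitment is rejected.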

Anthony Nadalin agrees that moving away from creating endless usernames and passwords to more flexible and powerful online identities is going to take time. “That would be the major milestone of the decade, it would be a paradigm shift – but there's things to get changed. Just moving companies off of old operating systems takes years and years. But we definitely need this to happen - and I hope it will happen before the end of the decade.”

And although he believes that the identity mixer will do things CardSpace can’t, Nadalin insists this isn’t about IBM competing with Microsoft or open source competing with commercial approaches. “It's first getting the technology out to show people that it is real, it is usable, it is deployable and we're trying to put the rubber to the road here. Second is making sure it does integrate with CardSpace, with OpenID, that it's not just stuck to one identity system. That’s our whole basis in supporting Higgins. Imagine OpenID attributes can be carried as part of an authentication request and some of these attributes could be anonymised. We're not trying to create yet another identity silo. Each identity system has a reason why you'd try to use it over another system; so our goal is to get this anonymising technology to work with all identity technologies.” ®
