IBM and Higgins
Age, shoe size: IBM thinks you should only disclose as much of your identity as you want
Although IBM was one of the original backers when the Higgins identity project started up last year, the company is only now contributing its first code, something it’s been working on since early 2000.
The first technology is an ‘identity mixer’ that will let users pick and choose what information to disclose about themselves; next (in July) comes an identity selector for choosing the sources of information to use. The emphasis is not just on encrypting your information en route – which systems like Microsoft’s CardSpace already offer – but on allowing you to anonymise yourself and use pseudonyms.
“Today you go to a website and it asks for information and you don't know what it's for and you have to fill out all these forms,” says Anthony Nadalin, IBM's chief security architect. “The identity mixer is a means where we can actually have a policy on a site and you know why it's asking you for the particular set of information, somewhat like the way CardSpace works today.”
Instead of giving your date of birth to prove you’re over 18 – or between 10 and 15 for a site that wants to reach children and avoid stalkers – Nadalin says you will pick the credential you want to use to prove your age and the software confirms that you qualify: “Based on the user's selection, the identity mixer transforms the credential into an identity mixer credential that states the user’s age is between 10 and 15. We’re capitalising on the release of minimal information wherever possible; we think this is vital to user centric identity management.” You can choose information from multiple cards to send to a single site at once, rather than sending one card and then another. And instead of sending your actual credit card details, you’d send a cryptographic token from your credit card company; like a one-time card number without the hassle.
Blinding information like this doesn’t mean you can fake it, says Nadalin. “We create a new token and we can still maintain the original details of the identity provider that created it to begin with; the relying party gets the new token, gets the proof and can verify where that information came from.” It’s also more like the real world, he believes; if you show your driving licence to prove your age, the business you’re proving it to doesn’t usually phone up to check. As long as the cryptographic signature checks out, the identity provider doesn’t need to be online at the time.
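The disclose-only-a-range and verify-offline flow described above, as an added example that is not IBM's or Higgins code: it swaps the identity mixer's cryptography for salted hash commitments over issuer-derived range claims, signed with textbook RSA on constructed toy primes. All function names, claim names and sample values are assumptions.

```python
import hashlib, json, secrets

# Constructed toy RSA issuer key from two Mersenne primes; far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # public modulus, private exponent

def digest_int(obj):
    """SHA-256 of a JSON value, reduced mod N so the toy RSA key can sign it."""
    return int.from_bytes(hashlib.sha256(json.dumps(obj).encode()).digest(), "big") % N

def commit(salt, name, value):
    """Salted digest that hides a claim until its salt is disclosed."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(claims):
    """Identity provider: commit to each claim, then sign the digest list once."""
    salts = {k: secrets.token_hex(16) for k in claims}
    digests = sorted(commit(salts[k], k, v) for k, v in claims.items())
    return {"claims": claims, "salts": salts, "digests": digests,
            "sig": pow(digest_int(digests), D, N)}

def present(cred, names):
    """User: disclose only the chosen claims; the rest stay opaque digests."""
    shown = [[cred["salts"][n], n, cred["claims"][n]] for n in names]
    return {"disclosed": shown, "digests": cred["digests"], "sig": cred["sig"]}

def verify(token):
    """Relying party: uses only the public key (N, E), never contacts the issuer."""
    if pow(token["sig"], E, N) != digest_int(token["digests"]):
        return None  # digest list was not signed by this issuer
    claims = {}
    for salt, name, value in token["disclosed"]:
        if commit(salt, name, value) not in token["digests"]:
            return None  # disclosed claim was altered or never issued
        claims[name] = value
    return claims

if __name__ == "__main__":
    # Constructed sample credential; the issuer derives the range claims itself.
    cred = issue({"birth_date": "1995-03-02", "age_10_to_15": True, "age_over_18": False})
    print(verify(present(cred, ["age_10_to_15"])))  # only the range claim is revealed
    forged = present(cred, ["age_over_18"])
    forged["disclosed"][0][2] = True                # user tries to flip a claim
    print(verify(forged))
```

Unlike the identity mixer as described, the issuer has to precompute the range claim here, and the same signature value appears in every presentation.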
Accepting Identity Mixer credentials will improve security, he believes. “Today you buy online and you wind up giving the site your credit card number, the verification code, the expiry date and so on. Why does the storefront need this information? They actually don't. What they need is to put through a transaction. If this data is anonymised and only available to the credit card company, this reduces the amount of information the storefront has to keep lying around.” Although he won’t name names, Nadalin says financial institutions and healthcare providers are interested.
The code that can understand the policy, generate a token and consume a token will all be open source and available as libraries through the Higgins process once the IP review process is complete. The commercial side will come when IBM’s identity management products like Tivoli add support for creating and managing the X.509 certificates and tokens that provide identity mixer claims.
Initially IBM is providing a Java binding, and then there will be a WSDL abstract for using it with Web services, and then support for C, C++ and other languages because that’s what developers are asking for, Nadalin says: “So far people have clamoured for the abstract interfaces, followed by Java.” There are already plugins for Firefox and Internet Explorer and there will be a standalone version for Web sites that have their own client software. There’s an annotated series of screenshots from a demo RentaCar system [1.34 Mb download].
Using the identity mixer code is a similar process to working with OpenID or CardSpace but be prepared for some complexity. “I think the learning curve for developers may be a little bit harder because of the various claims. I don't think it's much more than what has to be done with CardSpace, though our claims are a little bit more complex. But the UI has to be a little more sophisticated than the CardSpace UI today; you have to have these policies be able to be expressed and be understood by a mere mortal.”
CardSpace will also be able to support blinded claims like an age range, according to Microsoft’s identity architect Kim Cameron, and a future version of Active Directory will add more options: “You can transfer claims indicating you are over some age or belong to some role or a member of some group as easily as you can transfer any other claim. Our ADFS managed card provider for AD is specifically designed to make it easy to define attributes indicating membership in a set, including over and under some age, or belonging to some ‘calculated role’.”
You can’t do it with self-issued information cards in Vista; not because it’s technically hard, but because Cameron thinks the industry needs to plan for the new kind of claims people are going to make. “In the attributes we support with the self-issued identity provider, the only one that could potentially be blinded is birth date. And in version 1.0 we weren't able to get that done in time for Vista. It would have been technically easy to calculate attributes such as ‘over 16’ and ‘under 16’. The problem was that there had been no discussion in the industry about how to express the claims (which URIs), and we wanted to have at least some discussion before ‘unleashing the new attributes’ on the world. After all, it will affect hundreds of millions of people.”
Anthony Nadalin agrees that moving away from creating endless usernames and passwords to more flexible and powerful online identities is going to take time. “That would be the major milestone of the decade, it would be a paradigm shift – but there's things to get changed. Just moving companies off of old operating systems takes years and years. But we definitely need this to happen - and I hope it will happen before the end of the decade.”
And although he believes that the identity mixer will do things CardSpace can’t, Nadalin insists this isn’t about IBM competing with Microsoft or open source competing with commercial approaches. “It's first getting the technology out to show people that it is real, it is usable, it is deployable and we're trying to put the rubber to the road here. Second is making sure it does integrate with CardSpace, with OpenID, that it's not just stuck to one identity system. That’s our whole basis in supporting Higgins. Imagine OpenID attributes can be carried as part of an authentication request and some of these attributes could be anonymised. We're not trying to create yet another identity silo. Each identity system has a reason why you'd try to use it over another system; so our goal is to get this anonymising technology to work with all identity technologies.”