Sunday, May 15, 2005

fyi Microsoft sells ID mgmt. plan


Pointer to article:

Kobielus kommentary:
Every few years Microsoft issues another new grand unified plan for identity management (IdM). Well, they’ve gone and done it again.

Microsoft is nothing if not relentless in the IdM arena. At the turn of the millennium, Microsoft launched Passport, an initiative under which the vendor sought to become the world’s pre-eminent identity aggregator and authentication service. That was followed a few years later by a comprehensive Web services security roadmap that included the WS-Federation protocol, and which marginalized Passport’s role in the grand scheme of IdM. Now we have a new Microsoft strategy—“Identity Metasystem”—that largely turns away from WS-Federation in favor of an architecture that grants WS-Federation and such rivals as the Security Assertion Markup Language (SAML) more or less equal footing. In fact, WS-Federation is mentioned nowhere in Microsoft’s Identity Metasystem vision paper, whereas SAML is mentioned several times.

Why is Microsoft distancing itself from its previous IdM strategies? The reason is simple. Its previous approaches ran into stonewalls of industry opposition and apathy. Neither Passport nor WS-Federation has gained much industry support beyond a hard core of Microsoft’s closest business partners. At the same time, the rest of the industry has flocked to SAML as the principal unifying framework for federated IdM. If Microsoft had participated more fully in OASIS’ ongoing federated IdM discussions, the new SAML 2.0 standard might have incorporated more features from WS-Federation, rather than from the rival Liberty Alliance Identity Federation Framework (ID-FF) specification.

Microsoft’s new party line for IdM stresses the need for a universal identity environment that supports interoperation of multiple identity technologies run by multiple identity providers (IdPs). This represents a 180-degree turn away from both WS-Federation and Passport. The former was intended to serve as the single universal federated IdM protocol while the latter was positioned as an uber-IdP for all of cyberspace.

What new twist, if any, does Microsoft’s new strategy add to the vendor’s IdM roadmap? To a great extent, the Identity Metasystem strategy simply repackages the core WS-* specifications that Microsoft has championed over the past three years, including WS-Security, WS-Trust, WS-Policy, and WS-Metadata Exchange. Microsoft hasn’t totally abandoned WS-Federation, but now positions it as the federated IdM plumbing within the Active Directory Federation Services feature of Windows Server 2003 and Windows “Longhorn.”

The only truly new component of Microsoft’s IdM strategy is “InfoCard,” which will be implemented in “Longhorn.” At heart, InfoCard is a privacy-protection feature within the “Longhorn” client. It will provide a secure client-side store of identity information for authenticating to various relying services. Users will also be able to selectively withhold privacy-sensitive InfoCard identity attributes from relying services, and to define and enforce policies regarding which relying services may access which client-store attributes.

Indeed, privacy protection is the principal theme of Microsoft’s new IdM strategy. This fact comes through loud and clear in the “identity laws” promulgated by Microsoft’s identity guru, Kim Cameron, who was the mastermind behind the new strategy. According to Microsoft/Cameron, IdM systems must gain user consent prior to revealing information identifying the user; disclose the minimum amount of identifying information necessary; limit that disclosure to parties with a need to know; provision public and private identifiers for pointing to users’ identity data; and provide user interfaces that help people avoid revealing personal information to phishing and pharming scams.

These are all worthy concerns, but Microsoft seems to be inflating privacy protection all out of proportion as an organizing principle for IdM. Totally missing from Cameron’s “laws” is any mention of trust management, strong assurance, multifactor authentication, single sign-on, role-based access control, confidentiality, integrity, nonrepudiation, audit, compliance, and governance.

In his blog, Cameron asserts that his "laws" are explanations of why previous identity systems have “failed where they failed and succeeded where they succeeded.” If that's so, can he be more specific? Which previous identity systems? How is he defining the success or failure of such systems? How have privacy and identity-theft concerns--the primary focus of his "laws"--stymied acceptance of these identity systems? Did Passport fail because non-Microsoft people didn’t trust Microsoft as an identity aggregator? Or because Microsoft pursued a stovepipe proprietary approach in a world rapidly moving to SAML as the convergence IdM federation framework?

It’s good to see that Microsoft recognizes where it went astray in its previous IdM visions. But its new IdM strategy is too narrowly focused to serve as the basis for a truly universal, general-purpose, federated IdM environment. And its InfoCard mechanism does little to address the threat of identity thefts on server-based IdPs throughout the federated world.

Microsoft needs to think through these issues more comprehensively before issuing grandiose new vision statements.