This is not a new thing:
W|I|R|E|D Issue 14.03 - March 2006
Can Microsoft Save the Net?
By Lawrence Lessig
Working late one night a few months back, I was just about to sign off when I decided to check my email. At the top of my inbox was a message from PayPal, "confirming" a change in my email address. But I hadn't changed the address. In an exhausted panic, I clicked the link to correct an obvious fraud. For a split second the browser opened not to PayPal but to an unrelated IP address. Then, almost instantaneously, the screen was replaced by what looked exactly like a PayPal window, requesting my password to sign in. This wasn't PayPal; it was a phishing bot. Had I been just a little drowsier, I might have been snagged by the fraud in the very act of trying to stop it.
We who celebrate the brilliance of the Internet - and in particular, its end-to-end open design - tend to ignore the maliciousness that increasingly infects it. The Net was built on trust, and it lacks an adequate mechanism to prevent fraud. Thus, it's no surprise that phishing expeditions nearly doubled last year - and phishing is just one of many evils proliferating online. It's only a matter of time until some virus takes out millions of computers or some senator's identity is stolen. When that happens, the liberties inherent in the Internet's early design will erode even faster than the liberties said to be protected by the Constitution.
Now, with the debut of the InfoCard identity management system, Microsoft is leading a network-wide effort to address the issue. To those of us long skeptical of the technology giant's intentions, the plan seems too good to be true. Yet the solution is not only right, it could be the most important contribution to Internet security since cryptography.
The InfoCard system will first be distributed with Vista, Microsoft's newest Windows OS, set for release this year. The system effectively adds an "identity layer" to the Internet, accomplishing what security companies have been promising for years: making it difficult to falsify an identity and easy to verify your own. Here's how it works: Users' computers (and potentially cell phones and other devices) will hold files called InfoCards that give encrypted sites access to authenticated information about the user. An American Express InfoCard, for example, might carry your name, address, and account number, all authenticated by American Express. When a Web site requests personal data, you choose whether to release that information, securely and with the verification of the card's issuer.
The resulting system is more precise and comprehensive than the hope-it-works hodgepodge of security measures we use now, argues Kim Cameron, Microsoft's chief architect of identity and access. "Auto-complete and cookies and passwords are part of a patchwork solution. With InfoCards, users will always know exactly what's happening and can always control it."
This might sound scary to friends of privacy. It shouldn't. The InfoCard system gives you more control over your data, not less. The protocol is built on a need-to-know principle: While an InfoCard might hold 30 facts about me, only the data I choose to reveal is shared. If I need to certify that I am a US citizen, then that fact is verified without also revealing my name, age, or place of birth. And when it comes to that fake PayPal site, the InfoCard system wouldn't recognize it - it wouldn't have the proper credentials.
Again, if this sounds scary to those suspicious of Microsoft, it shouldn't. It's a protocol - a set of rules for exchanging information - not a Microsoft product. Any company can provide certified protection for data using the protocol, and many will. So unlike Microsoft's Passport system, the dubious personal info repository that alarmed many people a few years ago, no central administrator decides how privacy is protected or trust secured. Instead, the protocol solves the problem of security the same way the Internet solved the problem of browsers - through competition on an open, neutral platform. This is infrastructure for a digital age. It's TCP/IP for privacy and security.
None of this means there isn't a role for (smart) government policy and laws against online fraud or theft. There plainly is. But if this identity layer sticks, then there is a wider range of solutions to the problem. In particular, there is one that seemed impossible to me just a year ago, one that's consistent with the decentralized design of the Internet. That's an extraordinary gift to the online world, from a giant that increasingly depends on the Net's extraordinary design.
Meet Microsoft's Info-card (30/3/2005)
http://arstechnica.com/news.ars/post/20050330-4752.html

InfoCard on the way from Microsoft (14/2/2006)
http://arstechnica.com/news.ars/post/20060214-6183.html

Microsoft info-cards to use blind signatures? (30/3/2005)
http://www.idcorner.org/?p=88

Microsoft Professional Developers Conference 2005
Los Angeles, California, September 13-16, 2005

Jim Allchin, Group Vice President, Platforms, Microsoft Corporation
"The Next Step for the Windows Platform" (September 13, 2005)
http://www.microsoft.com/presspass/exec/Jim/09-13PDC2005.mspx

Bob Muglia, Senior Vice President, Windows Server, Microsoft Corporation
Microsoft Windows Server Platform: The Next Three Years (September 15, 2005)
http://www.microsoft.com/presspass/exec/bobmuglia/09-15PDC2005.mspx

c|net news.com
Microsoft to flash Windows ID cards (May 18 2005)
http://news.com.com/Microsoft+to+flash+Windows+ID+cards/2100-1029_3-5711126.html

Identity 2.0
An open-source identity management system could change the way we share personal information over the Internet.
http://www.technologyreview.com/InfoTech/wtr_16509,258,p1.html
Apart from the fanfare, tracking down real information on this beastie is not trivial.
Microsoft's website yielded the following:

Q&A: Advancing Identity Security on the Internet with “InfoCard” Technology
Microsoft adds “InfoCard” support to the new Windows Internet Explorer 7 browser as part of its ongoing effort to protect users’ private information and deter online fraud.
http://www.microsoft.com/presspass/features/2006/feb06/02-14InfoCards.mspx
A Technical Reference for InfoCard v1.0 in Windows, August, 2005
http://download.microsoft.com/download/5/4/0/54091e0b-464c-4961-a934-d47f91b66228/Infocard-TechRef-Beta2-published.pdf
InfoCard
"InfoCard" is the code name for a WinFX component that provides the consistent user experience required by the identity metasystem. It is specifically hardened against tampering and spoofing to protect the end user's digital identities and maintain end-user control.
http://msdn.microsoft.com/winfx/reference/infocard/default.aspx
Kim Cameron's Identity Weblog (Microsoft's Chief Identity Architect)
http://www.identityblog.com/