About Information Cards and Digital Identity
The Internet continues to be increasingly valuable, yet it also faces significant challenges. Online identity theft, fraud, and privacy concerns are rising. Users must track a growing number of accounts and passwords. This burden results in "password fatigue," which in turn leads to insecure practices such as reusing the same account names and passwords at many sites. Many of these issues are rooted in the lack of a widely adopted identity solution for the Internet.
CardSpace is Microsoft's implementation of an Identity Metasystem that enables users to choose from a portfolio of identities that belong to them and use them in contexts where they are accepted, independent of the underlying identity systems where the identities originate and are used. This topic explains the issue and the CardSpace solution in greater detail, and outlines how Windows Communication Foundation (WCF) users can use CardSpace.
Opportunities and Challenges
For users and businesses alike, the Internet continues to be increasingly valuable. More people are using the Web for everyday tasks, from shopping, banking, and paying bills to consuming media and entertainment. E-commerce is growing, with businesses delivering more services and content across the Internet, communicating and collaborating online, and inventing new ways to connect with each other.
But as the value of what people do online has increased, the Internet itself has become more complex and dangerous. Online identity theft, fraud, and privacy concerns are on the rise, and increasingly sophisticated attacks such as "phishing" continue to be invented. In response, a multitude of systems designed to protect identity have been devised. The diversity of these systems results in the aforementioned password fatigue and unsafe practices.
The root of these problems is that the Internet was designed without a system of digital identity in mind. In efforts to address this deficiency, numerous digital identity systems have been introduced, each with its own strengths and weaknesses. But no single system meets the requirements of every digital identity scenario. The reality is that many different identity systems are in use today, with still more being invented. The result is an inconsistent patchwork of improvised solutions at every Web site, rendering the system as a whole fragile, and constraining the fuller realization of the promise of e-commerce.
Open Identity Metasystem
Given that universal adoption of a single digital identity system or technology is unlikely ever to occur, a successful and widely employed identity solution for the Internet requires a different approach—one with the capability to connect existing and future identity systems into an identity metasystem (or "system of systems"). This metasystem leverages the strengths of its constituent identity systems, provides interoperability between them, and enables creation of a consistent and straightforward user interface to all. The resulting improvements in cyberspace benefit everyone, making the Internet a safer place with the potential to boost e-commerce, combat phishing, and solve other digital identity challenges.
Maintain the Diversity of Systems
In the offline world, people carry multiple forms of identification in their wallets, such as driver's licenses or other government-issued identity cards, credit cards, and cards such as frequent flyer cards. People control which card to use and how much information to reveal in any given situation.
Similarly, the identity metasystem makes it easier for users to stay safe and in control when accessing resources on the Internet. It lets users select an identity from among a portfolio of their digital identities and use it at Internet services of their choice where it is accepted. The metasystem enables identities provided by one identity system technology to be used within systems based on different technologies, provided an intermediary exists that understands both technologies and is willing and trusted to do the required translations.
It is important to note that the identity metasystem does not compete with or replace the identity systems it connects. Instead, the goals of the identity metasystem are to connect individual identity systems, allowing seamless interoperation between them, to provide applications with a technology-independent representation of identities, and to provide a better, more consistent user experience with all of them. The metasystem relies on the individual systems to do its work.
Identities in Context
The identities held by a person in the offline world can range from the significant, such as birth certificates, passports, and drivers' licenses, to the trivial, such as business cards or frequent coffee buyer's cards. People use their different forms of identification in different contexts where they are accepted.
Identities can be in or out of context. Identities used out of context generally do not bring the desired result. For example, trying to use a coffee card to cross a border is clearly out of context. On the other hand, using a bank card at an ATM, a government-issued ID at a border, a coffee card at a coffee stand, and a Passport Network (formerly .NET Passport) account at MSN Hotmail are all clearly in context.
In some cases, the distinction is less clear. You can use a government-issued ID at your ATM instead of a bank-issued card, but if this resulted in the government having knowledge of each financial transaction, some people would be uncomfortable. You can use a Social Security Number as a student ID number, but that facilitates identity theft. And you can use Passport accounts at some non-Microsoft sites, but few sites chose to enable this; even where it was enabled, few users did so because they felt that Microsoft's participation in these interactions was out of context.
Microsoft's study of the Passport experience and other digital identity initiatives throughout the industry led it to work with a wide range of industry experts to derive a set of principles that are fundamental to a successful, broadly adopted, and enduring digital identity system on the Internet. The following section describes these principles.
Principles ("Laws of Identity")
The open identity metasystem is designed to follow a set of principles (also called "The Laws of Identity") that have been developed with ongoing feedback and input from a broad community of people active in the digital identity community.
An identity system should follow these principles:
- User Control and Consent: Identity systems reveal information that identifies a user only with the user's consent.
- Minimal Disclosure for a Constrained Use: The solution that discloses the least amount of identifying information, and best limits its use, is the most stable, long-term solution.
- Justifiable Parties: Identity systems disclose identifying information only to parties who have a necessary and justifiable place in a given identity relationship.
- Directed Identity: Identity systems support both "omnidirectional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
- Pluralism of Operators and Technologies: Identity systems channel and enable the inner workings of multiple identity technologies run by multiple identity providers.
- Human Integration: Identity systems define the human user to be a component of the distributed system, integrated through unambiguous human-machine communications mechanisms that offer protection against identity attacks.
- Consistent Experience Across Contexts: Identity systems facilitate negotiation between a relying party and the user of a specific identity, presenting a harmonious human and technical interface while permitting the autonomy of identity in different contexts.
Open Identity Metasystem Architecture
This section covers the general architecture of an open identity metasystem.
Different parties participate in the metasystem in different ways, in the following roles:
- Identity Providers issue identities. For example, credit-card providers might issue identities that enable payment, businesses might issue identities to their customers, governments might issue identities to citizens, and individuals might use self-issued identities in contexts like signing on to Web sites.
- Relying Parties require identities. For example, a Web site or online service that uses identities offered by other parties.
- Subjects are the individuals and other entities about whom claims are made. Examples include end users, companies, and organizations.
A person or entity that participates in an identity metasystem can play more than one role at a time, and often plays all three roles simultaneously.
The metasystem is made up of five key components:
- A way to represent identities using claims.
- A means for identity providers, relying parties, and subjects to negotiate.
- An encapsulating protocol to obtain claims and requirements.
- A means to bridge technology and organizational boundaries using claims transformation.
- A consistent user experience across multiple contexts, technologies, and operators.
Identities consist of sets of claims that are asserted about the subject of the identity. For example, the claims on a driver’s license might include the issuing state, the driver’s license number, a name, address, gender, birth date, the kinds of vehicles the licensee is eligible to drive, and so on. The issuing state asserts that these claims are valid.
The claims on a credit card might include the card issuer’s identity, the card-holder’s name, the account number, the expiration date, the validation code, and the card-holder’s signature. The card issuer asserts that these claims are valid.
The claims on a self-issued identity (such as a business card) might include your name, address, and telephone number. For self-issued identities, you assert that these claims are valid yourself.
Negotiation enables participants in the metasystem to make agreements required for them to connect with one another within the metasystem. Negotiation is used to determine mutually acceptable technologies, claims, and requirements. For instance, if one party understands SAML and X.509 claims, and another understands Kerberos and X.509 claims, the parties negotiate and decide to use X.509 claims with one another. Another type of negotiation determines whether the claims required by a relying party can be supplied by a particular identity. Both kinds of negotiation are simple matching exercises; they compare what one party can provide with what the other one requires to determine whether there is a fit.
The encapsulating protocol provides a technology-neutral way to exchange claims and requirements between subjects, identity providers, and relying parties. The participants determine the content and meaning of what is exchanged, not the metasystem. For example, the encapsulating protocol would allow an application to retrieve SAML-encoded claims without having to understand or implement the SAML protocol.
Claims transformers bridge organizational and technical boundaries by translating claims understood in one system into claims understood and trusted by another system, thereby insulating the mass of clients and servers from the intricacies of claim evaluation. Claims transformers may also transform or refine the semantics of claims. For example, a claim asserting, "Is an employee" might be transformed into the new claim, "OK to purchase book." The claim "Born on March 22, 1960" could be transformed into the claim "Age is over 21 years," which intentionally supplies less information. Claims transformers may also be used to change claim formats. For instance, claims made in formats such as X.509, Kerberos, SAML 1.0, SAML 2.0, SXIP, and others could be transformed into claims expressed using different technologies. Claims transformers provide the interoperability needed today, plus the flexibility required to incorporate new technologies.
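The following Python example, added here and not part of the original topic or of CardSpace itself, models the three mechanisms just described in miniature: identities as sets of issuer-asserted claims, the two "simple matching" negotiations (token format and required claims), and a claims transformer that refines "born on March 22, 1960" into "age is over 21" so the relying party never sees the birthdate. The issuer names, claim type names, token-format labels and the bookstore policy are constructed for the example and are not CardSpace's real schema or WS-Trust token names.

```python
"""Claims, negotiation and claims transformation, in miniature.
Constructed illustration: issuers, claim types and format labels are invented."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Claim:
    """One assertion about a subject, vouched for by an issuer."""
    type: str      # what is asserted, e.g. "birthdate"
    value: str
    issuer: str    # the party asserting the claim is valid


@dataclass(frozen=True)
class Identity:
    """A set of claims plus the token formats the issuer can encode them in."""
    issuer: str
    claims: frozenset
    token_formats: frozenset

    def claim_types(self):
        return frozenset(c.type for c in self.claims)


def negotiate_format(offered, rp_preference):
    """Technology negotiation: first format in the relying party's preference
    list that the identity provider can also produce, else None."""
    for fmt in rp_preference:
        if fmt in offered:
            return fmt
    return None


def transform_age_over(claim, years, today, transformer):
    """Claims transformer refining 'birthdate' into 'age_over_<years>',
    deliberately supplying less information than the source claim."""
    if claim.type != "birthdate":
        raise ValueError("transformer only understands birthdate claims")
    if isinstance(today, str):
        today = date.fromisoformat(today)
    born = date.fromisoformat(claim.value)
    try:
        nth_birthday = born.replace(year=born.year + years)
    except ValueError:
        # 29 February in a non-leap year: assume the birthday falls on 28 Feb
        nth_birthday = born.replace(year=born.year + years, day=28)
    return Claim(type=f"age_over_{years}",
                 value="true" if nth_birthday <= today else "false",
                 issuer=transformer)


def transform_by_rule(claim, rules, transformer):
    """Semantic transformer: map a (type, value) the relying party does not
    understand onto one it does, e.g. employee=true -> may_purchase_book=true."""
    target = rules.get((claim.type, claim.value))
    if target is None:
        return None
    return Claim(type=target[0], value=target[1], issuer=transformer)


def select_disclosure(identity, required, derived=()):
    """Claim negotiation plus minimal disclosure: returns the claims to release
    and the required types nobody can supply. Derived claims override the raw
    claims they came from, so the birthdate is released only if the relying
    party literally asks for 'birthdate'."""
    pool = {c.type: c for c in identity.claims}
    pool.update({c.type: c for c in derived})
    released = frozenset(pool[t] for t in required if t in pool)
    missing = frozenset(required) - frozenset(pool)
    return released, missing


# --- constructed sample data (hypothetical issuer and relying party) -------
DMV = "example-state-dmv"
DRIVERS_LICENSE = Identity(
    issuer=DMV,
    claims=frozenset({
        Claim("name", "Alice Example", DMV),
        Claim("birthdate", "1960-03-22", DMV),
        Claim("license_number", "D1234567", DMV),
    }),
    token_formats=frozenset({"SAML1", "X509"}),
)
BOOKSTORE_POLICY = {
    "accepted_formats": ("Kerberos", "X509"),   # relying party's preference order
    "required_claims": {"name", "age_over_21"},
}


def present_card(identity, policy, today):
    """End to end: negotiate a format, transform claims, release the minimum."""
    fmt = negotiate_format(identity.token_formats, policy["accepted_formats"])
    derived = [transform_age_over(c, 21, today, "claims-transformer")
               for c in identity.claims if c.type == "birthdate"]
    released, missing = select_disclosure(identity, policy["required_claims"], derived)
    return {"format": fmt,
            "released": {c.type: c.value for c in released},
            "missing": missing}


if __name__ == "__main__":
    print(present_card(DRIVERS_LICENSE, BOOKSTORE_POLICY, "2006-11-06"))
```

Running it shows the two negotiations resolving to the shared X509 format and to the two required claim types, with "age_over_21": "true" released in place of the birthdate and the license number never leaving the card. Without the transformer, `select_disclosure` reports `age_over_21` as missing, which is the situation the text describes when a relying party's requirement cannot be met by any claim the identity natively carries.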
Consistent User Experience
Many identity attacks succeed because the user was fooled by something presented on the screen, not because of insecure communication technologies. For example, phishing attacks occur not in the secured channel between Web servers and browsers—a channel that might extend thousands of miles—but in the two or three feet between the browser and the human who uses it. The identity metasystem, therefore, seeks to empower users to make informed and reasonable identity decisions by enabling the development of a consistent, comprehensible, and integrated user interface for making those choices.
One key to securing the whole system is to present an easy-to-learn, predictable user interface that looks and works the same no matter which underlying identity technologies are employed. Another key is making important information obvious—for instance, displaying the identity of the site you are authenticating to in a way that makes spoofing attempts apparent. The user must be informed which items of personal information relying parties are requesting, and for what purposes. This allows users to make informed choices about whether or not to disclose this information. Finally, the user interface provides a means for the user to actively consent to the disclosure, if they agree to the conditions.
As with other features of WCF, the CardSpace technology is built upon a set of open specifications, the WS-* Web Services Architecture. The encapsulating protocol used for claims transformation is WS-Trust. Negotiations are conducted using WS-MetadataExchange and WS-SecurityPolicy. These protocols enable building a technology-neutral identity metasystem and form the "backplane" of the identity metasystem. Like other Web services protocols, they also allow new kinds of identities and technologies to be incorporated and used as they are developed and adopted by the industry.
To foster the interoperability necessary for broad adoption, the specifications for WS-* are published and are freely available, have been and continue to be submitted to open standards bodies, and allow implementations to be developed royalty-free.
The following figure illustrates the end-to-end processes that occur when you use CardSpace to access a site that requires user validation.
Many of the problems on the Internet today, from phishing attacks to inconsistent user experiences, come from the patchwork nature of digital identity solutions that software makers have built in the absence of a unifying and architected system of digital identity. An identity metasystem, as defined by the Laws of Identity, supplies a unifying fabric of digital identity, uses existing and future identity systems, provides interoperability between them, and enables the creation of a consistent and straightforward user interface to them all. Basing our efforts on the Laws of Identity, Microsoft is working with others in the industry to build the identity metasystem using published WS-* protocols that render Microsoft's implementations fully interoperable with those produced by others. Microsoft's implementation of components of the identity metasystem is the CardSpace system.
Using CardSpace, many of the dangers, complications, annoyances, and uncertainties of today's online experiences can become a thing of the past. Widespread deployment of the identity metasystem has the potential to solve many of these issues, benefiting everyone and accelerating the long-term growth of connectivity by making the online world safer, more trustworthy, and easier to use.