Stephen Wilson - Lockstep Consulting - Sydney 24 June, 2008, 20:54 0 likes

Take care Dean, this is important.  

They're talking about "Info Cards", as pioneered by Kim Cameron at Microsoft.  This is the most important and best supported initiative in identity for many years, it's not trivial.  Start by looking at www.identityblog.com.

It's not mentioned in the article, but Project Higgins is a generalisation of Microsoft's work.  Not only is Higgins open source, but they have abstracted "information" cards to "relationship" cards.  Very powerful stuff.

You don't need readers necessarily.  Info Cards are virtual -- they are graphical icons that map onto sets of SAML and WS* based 'assertions' or 'claims', that themselves are implemented on a range of technlogies.  Some InfoCards are soft, while some are on smartcards or smartphones. 

You obtain Info Cards from "Identity Providers", many of which in future will be extensions of the sorts of institutions we currently have relationships with -- banks, government licensing agencies, communities.  The meaning and value of any given Info Card is context dependent.  People will likely pay for them accordingly, just as they currently pay (or not) to have a bank account or a store account. 

My advice is that no identity technology developer can afford not to be ready to integrate with Info Cards.  

Stephen Wilson.

Lockstep Group. 

A Finextra member 25 June, 2008, 13:55 0 likes

"The meaning and value of any given Info Card is context dependent.  People will likely pay for them accordingly, just as they currently pay (AU or UK not) to have a bank account or a store account."

This little tidbit rings alarm bells for me. Are we now paying for a context sensitive ID?

Sounds like a scam Aussie banks would come up with to create a new profit centre, are they getting a discount to introduce it and shall I expect it soon?

"You don't need readers necessarily". Yeah right, software readers instead of hardware?

"Some InfoCards are soft"  - try viagra.

"while some are on smartcards or smartphones".  - sounds like a 'strap-on' smartcard. see above.

Spare me the new ID buzzwords like 'context', 'assertions' etc, and I don't support the multiple 'Identity Provider' (SELLER) model. I already have an identity, and these Tech Giants are the ones who got us into this mess with flawed systems and took our data and put it on cards and gave it to thieves and they are not going to get to sell my identity back to me.

I don't expect it will take that much effort to integrate with it if we choose, as it says on the site it only takes '30 lines of code'. We can integrate into anything and that shouldn't be too hard.

I can't see why we would. All the goals they seek to achieve can already be done, the only difference is that it isn't a cash trough for one and all to go dipping into just for us to try to keep our ID safe.

I have been watching ID developments for years, and am familiar with these players, and I see some application for portions of what they propose, but don't think it's the best overall approach or solution. I think the PING guys are very bright and I already have a few things in mind for them.

Overall it is as laughable as emerging nations trying to develop nuclear weapons,  so stone-age, they're old hat folks and it's now the 21st century, there's a whole bunch of new tricks in the cupboard. This looks like an attempt to keep the old arms dealers in the game as the solution which fits all the 'providers', but not the consumers.

I'm more of a minimalist. One way to do everything. Sure you can Federate it if you want but who wants to trust everyone? We are scaling an internet shopping payment system which will enable any merchant or consumer to accept payment, straight to their bank account with minimal fees or risk and with perfect privacy for both the buyer and seller. It also works in the liquor store down the street, and can prove the buyer is old enough to buy beer at the same time, without compromising your ID.

Context is something the consumer decides, by determining for themselves who finds out what about them. In many cases it will be the person 'finding out' paying to find out if you are you, and it will be cheap and instant. ie. you decide if bars get to find out if you are of legal drinking age and they'll pay to do the checking, not you, that is until you buy a drink and possibly pay a couple of cents more. 

When you are stopped by a plain clothes policeman how will you know he is actually a policeman? I think you need to, and have a right to know. Should you both nip down the shops so you can buy a 'Police Context' identity from an 'Identity Provider' and a reader so you check the cop's 'soft' or 'hard' credentials? You'd need to carry a smart card reader, after all even a police uniform is easy to get, how will we have confidence in who we are dealing with?

ID is essential infrastructure and governments have a stake along with the citizens. There is a lot to consider, but it's the 'trust provider', rather than 'identity seller' model which will work. The trusted party must have no interest in the transaction, politics, fashion or profit - only the establishment of sufficient trust between parties to the degree required to meet the partcipant's and legal objectives. It will be something we end up doing many times each day and it must be simple and cheap. Ubiquity will go a long way make it the cheapest. Design has done the rest.

Governments will get their share of benefits. Exceptional benefits which are not even possible with other solutions. Ultimately it's the citizen consumer who'll benefit most.

I'll go for my system thanks. One size fits all, easy and very easy to switch to as well, just chuck out all the gadgets and cards, except for the only one you really want to keep - your mobile. Merchants can ditch the eftpos, lower their risk by not storing personal data, reduce their monthly fees, eliminate lots of other fees and most of their fraud losses. Governments save billions.

I still think it beats 30 lines of code (and we probably can).

It certainly beats 'pay for your bank account and pay for your ID', with the consumers at least, and they're the ones I care most about, and the merchants will be happy too.

And yes it works on the Android, the new Blackberry, and we'll make it work with whatever they come up with next. 21st century, wakey, wakey.

Free bank accounts and free ID? Now there's an idea. All you'd need is (a free) any mobile. End game.

Stephen Wilson - Lockstep Consulting - Sydney 25 June, 2008, 23:52 0 likes

Dean,

One of the most disconcerting claims anyone can make in any branch of IT, especially identity, is that their solution is "one size fits all".  You really shouldn't dismiss 'context', 'assertions' and 'mutliple identity' as being buzzwords.  These are modern ways of understanding the plurality and complexities of 'identity'; they characterise most of the current literature on the subject. 

You are evidently frustrated by a lack of broader engagement with your approach.  It would help us all if your proposal was transparent.  Why don't you publish your work, expose it to scrutiny, let us see for ourselves how good it is? The claims you make are quite extraordinary, but without any substantiation, well, you know what they say about something that sounds too good to be true ... 

Cheers,

Stephen Wilson.

 

A Finextra member 26 June, 2008, 10:00 0 likes

In regards to one size fits all and context, our approach is very different to the ones you point to. We propose a single process for everyone everywhere, either as the person seeking to authenticate, or the entity wishing to have you or your action, instruction or communication authenticated. For instance - there is no need whatsoever for a website to have any of my personal or financial information.

I may choose to use my real name, as I do here and it is even more important to not have any further personal information available to the website. This is better for the website and will reduce risks and liability whilst still being able to build a customer relationship based on trust and accountability.

I think there should be a clear line drawn between my identity and confirming that I'm the person authorised to log on. For instance, I may be a 'member' of a website, but that website may have no idea of my 'identity', its entered into a trust arrangement with a trusted third party - and me as the websurfer. Instead of sharing multiple ID 'context' secrets with every Tom, Dick and Harry, I merely share a secret with the trust provider. The website does similar.

When I join the website I choose how I will authenticate. You may choose to use a context sensitive ID, however I will choose our 'trust provider' service. The website will ask the trust provider to verify that I exist, the trust provider will verify to me that the site is a trusted one and confirm to them that I am logging into that site. The trust provider will tell the site that I am, not who I am.

The website will, by default, have no rigts to access my information, although a doctor may have authority to acces my medical records and health insurance by default, if I authenticate to him. The trusted third party holds no actual records. 

I will have previously enrolled with the trust provider, probably by watching a TV spot taking me through it in a few minutes, along with millions of others. If not, I can do it online or while on the bus.

Next time I try to access to the site, the website will ask the trust provider if it is me. The trust provider will check with me, and confirm it to the website that I am the same 'me' who logged on as my alias last time. No logon password required, no account hijacking, no impersonation.

If I choose to interact to a greater degree, ie buy something, I'll be able to do so. The website will present me with an account, I'll pay for it. I will use a 'transaction provider'. There will have been no further information required to be given to the site. i.e, no credit card number or personal details, just a delivery address if I'm buying physical rather than digital goods, and those who want absolute privacy can use a post-office box if they wish.

I may also provide my email address and recieve email, but I don't need to in order to repace a forgotten password, because there need be no password and we have it covered even if you forget your logon alias.

The 'trust provider' will not have my personal details or financial data and the separate 'transaction processor' may not not even need to have that information either. We can simply operate as a 'blind' interface between the merchant's and customer's financial institutions if the participants choose. The customer may choose to have a stored balance with the 'transaction processor' and in that case there may be a legal requirement in some countries for the processor to 'know your customer' and may need to hold data about the customer however the merchant will never have access to it, nor any information able to be linked to it, unless there is a legal demand to do so.

Most websites never need to know anything about me, nor do bricks and mortar merchants and they'll still be able to operate personalisation and loyalty programs. If I want relevant filtered information, I will more readily provide personal preferences and demographic data to a website marketer if I am absolutely certain that it cannot be connected to my actual identity by the marketer, or used to target me in another arena or context.

I am more likely to express my personal political opionion in an arena which I am absolutlely certain is anonymous and I will be unable to be identified and persecuted by othes who do not share my opinions or beliefs.I will do so knowing full well that although I am 'anonymous' to the site and the other visitors, I will be held accountable for my actions if they are unlawful. I will also be safe in the knowledge that the 'anonymous' person I am interacting with is in fact the same anonymous over 18 male 'Harry101' I exchanged views with last week, and I can even pay them knowing they will be able to be brought before the court if they defraud me. 

Scalability of any system catering for multiple applications is a challenge and our target minimum is many thousands of transactions per second. We can achieve that capacity easily in the front end and are working towards delivering the outcome at the same rate while catering for a wide range of legal requirements.

We can do this for any consumer equipped with the most basic device and it does not limit what we can also do for the consumer with an advanced device or service.

We have several applications where at least one of the parties will have a smart phone, law enforcement for instance. We have even solved that problem of the Bobby in Tooting where the mobile reception is too poor and turned it into an opportunity to more easily priorise communications in an emergency.

Stephen, if I seem frustrated, I am afraid you are mistaken as to the cause. It's like the experience of being forced to watch the same b-grade movie over and over again, such are the 'solutions' I've seen put forward. I experience more frustration when my daughter puts her ipod through the washing machine (easy to do), but then decides to plug it in straight away and 'see if it works' (99.99% guaranteed to kill it), or the other one breaks her laptop power charger for the second time this month. That's frustration.

I try and resist commenting on or perpetuating all the bad news or the latest incompetence committed by companies who should know better. I am looking at it from the viewpoint of someone who has used the best solution and remains convinced that it is the most effective and practical one for the most purposes. 

I prefer the 'build Rome, and they will come' approach. I'd love to make it instantly available for everyone, however it will take a few of more days and dollars to build Rome, and we aren't giving away the architectural drawings until it is finished (unless you count those ones we leave around on our 'Honeypot' machine, a few hackers will know what I mean there). We are in business and the objective is to monetise it, not give it away.

I agree, one size doesn't fit all. What are we going to do when a half-conscious naked man washes up on the beach - no phone, no ID card, no card reader? Nothing fits everyone all the time, but at least we have a plan for then. It doesn't include selling him his ID. We are making sure we offer a secure system which is easy, low cost, robust and generous enough to allow for a little humanity.

 

A Finextra member 26 June, 2008, 15:44 0 likes

Dean,

You mention that you already have an identity - could you be more specific?

I have several identities: dual citizenship, several drivers licenses and addresses (depending on the timeliness & accuracy of the institution asking). Even for my cellphone, I have multiple SIMs and/or handsets, depending on the country I'm in. Now, I may be an exceptional case, but 'one size fits all' clearly doesn't fit.  By your reckoning, my ID is determined by whatever device I decide to carry.  Whereas the current reality is that, when it counts, my ID is verified by multiple sources in multiple jurisdictions, depending on the level of trust required.

While I think your proposal is elegantly simple, it fails to address all situations and is therefore of limited value as a ubiquitous solution.

A Finextra member 27 June, 2008, 02:24 0 likes

Hi Neil,

I bet you can't wait for the Telco's to get into the 21st century. The lack of interoperability and realistic billing by Telco's rings alarm bells for me when anyone suggests a solution which involves the telco's at any level other than as a basic utility. It is not the fault of any individual telco, there are just too many of them with different business models.

Identity. Multiple ones. Perfect. Easy for our system. It's up to you who gets access to whatever view of your information you decide. I assume the traffic cop in Delhi isn't really interested in your name, merely whether you are licensed to drive. We can tell him faster and more easily without any risk of exposure of personal data. Do exactly the same thing when you are in New York - using your US SIM and US phone. The appropriate bank will also know it's the appropriate you without bandying your address or personal details around.

Multiple devices are possible and there will still be multiple separate sources of verification of your information.

"my ID is verified by multiple sources in multiple jurisdictions, depending on the level of trust required". - currently your ID is exposed in multiple jurisdictions and more information than is required is often transmitted around with the current processes.

This currently means a greater cost, both to attempt to secure the information and in it's management and storage. Most of the time when providing identity you are doing so, not because someone wants to check who you are, merely because they want to check that you are someone who has a right to something, accessing money or driving a car, or entering the country. For instance, the guy at the customs counter doesn't want to know your name, just whether you are a person of interest. We make it easier for them to do so without the need to expose so much personal data. When you want to move funds it is only important that the holder of your funds know that you are the one authorised to move them and your details are already with them (mainly for the law - otherwise we might have anonymous bank accounts - see the popularity of prepaid debit cards etc).

We intend to empower you to be 'verified' often, but rarely 'identified'. 

Our solution provides a link between you and your personal and financial data and it's keepers, and at the same time reduces the need to expose it unnecessarily.  It also provides a link between various holders of your personal data and empowers you to determine if and when they have a right to access it from each other.

If I put my financial information on the web under an 'alias' would it matter if everyone read it?

Obviously I would substitute different account numbers for the real ones. Why couldn't I just log on to my internet banking as an 'alias', or multiple aliases for the same account, no passwords, all 'verified' by the one identity? As long as the bank knew it was me - who cares what the network in between thinks? If my bank is co-operative and doesn't display my name or unnecesary details on my account screen I could internet bank from any cafe and allow shoulder surfers with impugnity - and with our system you could.

If my medical records were on the net, but not in my name, say in yours for instance - would I care if anyone read them? (on a server which didn't tell every hacker or advertiser my IP address).

Our solution does indeed fill all the needs you have at lower cost and with greater ease and security.  Multiple devices and locations can all be provided for, although you may in all fairness pay slightly more for the difference, but possibly less each year than it costs you now to replace a single document.

Our solution makes it easier for governments to deal with mobile populations, and they will save billions of dollars by adopting it, while citizens enjoy more convenience freedom and safety - all round. The benefits to governments, and therefore citizens,  cannot be understated.

It is actually a win-win situation for almost everyone except card manufacturers. I cannot be dissuaded in my view that it will happen, even if my team all get hit by a bus, someone else will do it because it is so much better and the only really practical solution to the problem of identity and trust - which is holding back progress.

We have another team developing a population mobilisation and imobilisation system for natural disasters and disease outbreaks which integrates into our identity system. The aim is to manage a disaster or prevent the spread of a disease by 'mobilising' the required 'first responders' and 'imobilising' the population who are not at risk of being exposed. The system will tie into media, traffic management, emergency personnel, and every citizen with a mobile. It can provide disaster and other warnings to millions of people in a minute or two.

It can also track suspected or known single or multiple disease carriers and provide medical teams with the current locations of, and direct communication with, people who may have come into contact or risked exposure, while keeping other citizens out of harms way and out of the way of medical responders while they contain the outbreak and focus treatment and testing on those who are at risk. We calculate that outbreaks can be contained within the first minutes of detection. Our solution will avoid mass quarantining for extended periods and unnecesary loss of life reducing it to minutes of slight inconvenience with minimal personal and economic impact. The Chinese showed us that you just need a strong and clear organisational structure with immediate accountability and you can do a lot. A few preparedness plans might help also, that's where mobilisation comes in.

People want to help, sometimes the best thing they could do is stay where they are and relax, other times they may be alerted to follow an emergency procedure such as moving to higher ground away from a tsunami. We want the people moving to safety to be given as unimpeded a path to safety as is possible with help from all the fabulous technology we under-use.

I can't even begin to tell you all the possibilities a mobile identity can provide but certainly a more Utopian world can be made possible, quickly.

Mobilisation - welcome to the 21st century.