Notes2Self.net

Stephen McGibbon's Web Journal

- "What Cardspace enables, Vista prevents" ...

... or at least Stephan Engberg thinks so. In a comment (#14) to one of my posts on the Danish "Radical" party's Technology Fix blog, Stephan commented:

I can easily see that Cardspace in itself COULD be a step in the positive direction, but MS is sending mixed signals by pushing the aggressive Live Id and "trusted" computing simultaneously with Cardspace.
That might be ok if someone else had access to make usable solutions, but it is not my understanding that VISTA and Cardspace provide that access. What Cardspace enables, VISTA prevents.

If Stephan is right, it's a pretty dumb thing for Microsoft to do. I committed to Stephan that I'd try to loop Kim Cameron and Caspar Bowden into the conversation. Jerry Fishenden might also be interested. The topic is a little too esoteric for the audience at the Technology Fix, and I am only guest blogging there for a week anyway, so I thought I'd post here to keep the dialogue out in the open for those interested and link here from the original discussion.

Comments

Stephan Engberg said:

Kim & Stephen,

Stephen McGibbon alerted me to this posting and Kim's response, where I am asked to explain what I meant. OK, I will give it a try.

First, for the record, I am not speaking on behalf of any organization, nor can what I say be assumed to be endorsed by any organization. I am founder of Priway, providing user-centric identity management as a spin-off of Open Business Innovation, a consultancy specializing in user-centric identity management.

When I say user-centric Identity, I mean trustworthy Identity where all stakeholder security requirements and rights are designed into and enabled by technology - of course seen in relation to and integrated with the legal and economic surroundings.

To be trustworthy - and not merely something you have to trust - includes issues such as revocability, non-linkability, context isolation, etc.

In my view, the only neutral moral goal is "Freedom with Accountability" according to the risk profile and what we could call contextual identity as the main tool to enable relative trust.

Bart Preneel, also in the Strategic Advisory Board of the EU's Security & Dependability Taskforce, phrased it simply: "You can trust what you don't have to trust."

Second, as you rightly say, there are multiple issues. One's view depends on focus, priorities and what is considered goals and measurements of quality. The most objective aspect, in my view, is the amount of risk you have to accept - and thereby the amount of trust required.

Trustworthiness is a multi-stakeholder issue - and every stakeholder desires control of the risk related to him. Control is the keyword. And you cannot have control when reusing keys across purposes.

Some would require a provider with a market share such as MS's to make user-centric security, but theoretically it could be enough to have the ability to make trustworthy identity, if that would make it possible for third parties to provide solutions so that end-users can override server-side control models such as Live Id with models that enable balanced security.

Even though the Laws of Identity are a step in the right direction, we - in my view - cannot stop there, as for instance the concept of Informed Consent is useless and turns into blackmail if you make it a choice between service or security. I am talking about the need to enable ex post-transaction control in order to ensure trust and autonomy ex ante-transaction.

Sure, we have lots of legacy and technologies with bad or insufficient security: credit cards, mobile phones, PKI, federated identity, biometric identification, etc. etc. It will take time to get trustworthy alternatives available in the market. But as long as trustworthy solutions exist and consumers have a fair opportunity to choose, then markets can still work and trustworthy solutions gain ground.

We can change technologies that have been designed wrongly - if we choose to use the possibilities. Try having a look at RFIDsec, providing RFIDs. One primary target is to enable 100% transfer of control, stealth unless authorized to communicate and zero linkability when communicating in the personal space - in the strongest mode neither the application reader nor the RFID leaks identifiers. There is a published paper on this. Obvious uses are healthcare, pharmaceutical anti-counterfeiting incl. home medication and for instance military applications where you don't want roadside bombs triggered by broadcasting devices.

But this discussion goes all the way to the most fundamental issues in society. Why introduce an aggressive and trust-destructive national id such as REAL ID in the US and the Entitlement card in the UK today, when we know it was outdated 10 years ago?

We need to move towards National id 2.0, where you have multiple CLIENT-SIDE controlled Ids built on top of traceable identification. Otherwise "security" creates the sources of distrust and crime. Aiming for less is aiming for trouble.

Third, I do approve of the Cardspace approach of opening for other vendors of identity, and initially also of the platform as well prepared for this purpose. A root self-issued id only traceable to hardware, and from there we start building the identity bottom-up. In principle, such an approach demands respect.

My initial take was therefore to see how we could build user-centric identity management on top of Cardspace. No reason to spend time and resources doing what is already there and being deployed. However, when looking deeper into the setup, it is very clear that what I would consider minimum requirements for making trustworthy identity _likely_ cannot be implemented with VISTA.

One of the main aspects is the need for active channel management. It is an essential requirement for trustworthy identity to even make sense. Otherwise technologies such as blinded certificates lose purpose, as you create linkability through reuse of channels such as email addresses, device identifiers, credit cards, etc.

There are other issues, but it was not my intention to attack VISTA. Merely to say that, in my view, VISTA does not solve even the minimum requirements for trustworthy identity, which is again a requirement for security in a fully integrated digital world.

Aspects of our analysis, approach and inventions to core problems were presented at the ID World Conference in Milan. I am NOT pointing towards either anonymity or trusted third party models - we need to look beyond that and into something sustainable.

No, I don't think the problem is lack of communication - on the contrary, the marketing guys seem to be more than willing to come with all sorts of unsubstantiated claims. Problems and opportunities are in the design.

The temptation of lock-in and integrating intravenously into transactions seems to be too strong to resist. There simply is not enough focus and priority on enabling stakeholder security and empowerment to match the requirements of a digital society. Dependability is not enough to claim trustworthiness if the power & control model is not empowering.

So, kindly responding to Stephen McGibbon's assumption that we can make trustworthy identity with VISTA, my response was no. Even though Cardspace to some degree provides support for trustworthy identity and must be recommended for that, VISTA likely prevents it.

As long as user-centric security is not enabled, Cardspace will mainly serve as a vehicle of MS control over identity providers.

Hope it helped clarify.

March 4, 2007 9:16 PM
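The linkability point in Stephan's comment (blinded or per-context credentials lose their purpose once a channel such as an email address is reused across relying parties) can be made concrete. The following is an added illustration, not code from the original post or from any product named in it; the relying-party names, the master secret and the HMAC-based pseudonym derivation are constructed assumptions.

```python
import hmac
import hashlib
from typing import Dict, Optional, Set

# Constructed sample: one user's client-side master secret, from which a
# separate pseudonym is derived per relying party (context isolation).
USER_SECRET = b"constructed-user-master-secret"

# Constructed relying-party names; these stand in for two unrelated services.
RELYING_PARTIES = ("pharmacy.example", "bank.example")


def context_pseudonym(secret: bytes, context: str) -> str:
    """Derive a per-context identifier as HMAC-SHA256(secret, context).

    Two different contexts yield unrelated values, so the identifiers alone
    cannot be joined by anyone who does not hold the secret."""
    return hmac.new(secret, context.encode(), hashlib.sha256).hexdigest()[:16]


def build_records(shared_channel: Optional[str]) -> Dict[str, Dict[str, str]]:
    """Records each relying party would hold about the same user.

    If shared_channel is given (e.g. one reused email address), both parties
    store it next to the per-context pseudonym, which is the reuse the
    comment warns about."""
    records: Dict[str, Dict[str, str]] = {}
    for rp in RELYING_PARTIES:
        rec = {"pseudonym": context_pseudonym(USER_SECRET, rp)}
        if shared_channel is not None:
            rec["email"] = shared_channel
        records[rp] = rec
    return records


def linking_fields(records: Dict[str, Dict[str, str]]) -> Set[str]:
    """Fields on which the two relying parties could join their records.

    An empty set means the user is unlinkable across the two contexts."""
    first, second = (records[rp] for rp in RELYING_PARTIES)
    return {k for k in first if k in second and first[k] == second[k]}


if __name__ == "__main__":
    print("isolated channels:", linking_fields(build_records(None)))
    print("reused email:     ", linking_fields(build_records("alice@example.com")))
```

With isolated channels the join set is empty; adding the reused email address makes the two records joinable on that field regardless of how the pseudonyms were derived.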