Is Microsoft's U-Prove The Answer To Better Online Privacy?

Microsoft's U-Prove identity framework aims for security and privacy.

Microsoft's identity management tokens, known as U-Prove, are worth a real look -- and a pat on the back. We want to be able to make transactions securely without allowing a website to track us or to combine various pieces of information that let the site learn more about us than we care to share with it. There is no need for a storefront selling apps to know my identity, such as my name, address, or date of birth; it only needs to know that the money being forked over is mine to hand out. We want to be able to disclose some pieces of information about ourselves, but not everything. Sites that collect unnecessary details about us (data miners) are a privacy risk, since internal and external attackers might be able to steal the stored data about our identity.

Combining online security and privacy is a daunting task. However, we need to build in privacy before we pass the point of no return. The proposed Identity Ecosystem is not a new concept, and federated identity systems are not new either. There is OpenID for identity management and federation; it's backed by Microsoft, Google, Yahoo, IBM, VeriSign, PayPal, and Facebook. There is also Microsoft's U-Prove framework, which aims for end-to-end trust.

U-Prove was designed by cryptography researcher Dr. Stefan Brands as a system in which identity information is deployed in minimal-disclosure tokens; it can be used to safely share only the private data that is needed. It would put an end to sharing more than is required. If, for example, my credit card company and online app store both supported U-Prove, I could create a token that would allow a single limited electronic money transfer from my card to the app store without disclosing my age, address, date of birth, or name. If the purchase were for something with an age requirement, say 18+, then my age would be revealed and the money transfer would go through to complete the purchase. In this case, my address and name would still not need to be revealed.

If a company uses Active Directory to manage its employees, U-Prove could help federate the directory to the cloud. Applications and services are built on tokens and claims. Microsoft's Forefront Identity Manager 2010 also enables policy-based identity management for internal and remote employees as well as business customers. Once a token is issued to a user, a claims-aware application can read the claims in the token and make access decisions based on the statements it contains. The application gets everything handed to it in the token instead of needing to go and look up information about the user. If the application needed the user's job title, that claim could be specified in its list of required claims. There was recently some good work done on model-based identity claims.
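To make the selective-disclosure idea behind the 18+ purchase above and the "list of required claims" concrete, here is an added Python illustration that is not U-Prove's own code (U-Prove uses Dr. Brands' blind-signature scheme): a simplified minimal-disclosure token built from salted commitments, with the issuer key, attribute names and values all constructed for the demo. It shows only the disclosure property (the verifier learns nothing about undisclosed attributes); it assumes a MAC key shared by issuer and verifier and does not provide U-Prove's unlinkability, since the tag itself would let presentations be correlated.

```python
import hashlib
import hmac
import json
import os

# Simplified stand-in for a minimal-disclosure token (not the U-Prove protocol itself): the issuer
# authenticates one salted commitment per attribute; the user later opens only the attributes a verifier requires.
ISSUER_KEY = b"constructed-demo-issuer-key"  # assumption: MAC key shared by issuer and verifier

def commit(name, value, salt):
    return hashlib.sha256(salt + name.encode() + b"=" + value.encode()).hexdigest()

def issue_token(attributes):
    """Issuer: commit to each attribute value and MAC the commitment list."""
    salts = {n: os.urandom(16) for n in attributes}
    commitments = {n: commit(n, v, salts[n]) for n, v in attributes.items()}
    body = json.dumps(commitments, sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return {"commitments": commitments, "tag": tag}, salts

def present(token, attributes, salts, disclose):
    """User: send the token plus openings for the disclosed attributes only."""
    openings = {n: (attributes[n], salts[n].hex()) for n in disclose}
    return {"token": token, "openings": openings}

def verify(presentation, required):
    """Verifier: check the issuer MAC, then every required claim's opening.
    Returns the revealed claims, or None if the presentation is not acceptable."""
    token = presentation["token"]
    body = json.dumps(token["commitments"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        return None  # token was not issued by the trusted issuer, or was altered
    revealed = {}
    for n in required:
        if n not in presentation["openings"]:
            return None  # a required claim was not disclosed
        value, salt_hex = presentation["openings"][n]
        if commit(n, value, bytes.fromhex(salt_hex)) != token["commitments"].get(n):
            return None  # opening does not match what the issuer committed to
        revealed[n] = value
    return revealed

def age_gate_demo():
    """Constructed scenario: an 18+ store needs only the buyer's age."""
    attrs = {"name": "Alice Example", "address": "1 Demo St", "dob": "1983-05-01", "age": "27"}
    token, salts = issue_token(attrs)
    presentation = present(token, attrs, salts, disclose=["age"])
    return verify(presentation, ["age"]), sorted(presentation["openings"])
```

`age_gate_demo()` returns the single revealed claim plus the list of what was actually sent, so you can confirm that name, address and date of birth never leave the user's side.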

U-Prove could help enterprise identity and access management, and it definitely has benefits for the end-user. The problem is that U-Prove has not been widely adopted. Microsoft released its U-Prove SDK under the open source BSD license and published the specification under the Open Specification Promise, which allows anyone to use or implement the technology. The OSP is not exactly a true-blue open source license; it is better described as a patent protection promise. Source code is available in both C# and Java in the hope that there will be no barriers to using the system for both service and identity providers.

Microsoft integrated U-Prove into its own identity products: Windows CardSpace 2, Active Directory Federation Services 2, and Windows Identity Foundation. These technologies, codenamed "Geneva," provide identity management opportunities to end-users, administrators, and developers.

It will be interesting to see which direction federated identity systems go. Microsoft may have the answer with U-Prove technology and Forefront Identity Manager 2010.

Copyright © 2010 IDG Communications, Inc.
