
Digital ID World
By John Latta, WAVE 0522 6/3/05

San Francisco, CA
May 10 - 12, 2005

There are 600+ attendees here at this unique conference. This is the 4th event, and the market forces of compliance, criminal activity on the net and consumer concerns are bringing identity management to the forefront. It is a well-run event with a trade show floor in the center of the atrium of the Hyatt Regency in San Francisco. Our focus is to understand the role that biometrics may play, but it is clear that much larger forces are shaping the identity market dynamics. Having been to five biometrics conferences, this is a cold shower of a totally different aspect of the need for security. Identity management, in many respects, is at the center of logical access. Thus, we are seeing the very early development of the logical access market. As in biometrics, this market is chaotic and shaped by impulse forces. Here it is clear that this centers on compliance with Sarbanes-Oxley (SOX). As one booth conversation netted: with the enterprise sector having just completed the first round of SOX compliance, businesses are anxious to get compliance under control, and identity management is a critical factor.

Driving Identity Management with its use in Compliance

Phil Becker, Editor-in-Chief of Digital ID World gave a very insightful kick off presentation. It focused on the role that compliance is playing in fostering the development of the identity management market but there was much more to the talk.

One of the problems with computing today can be traced to its roots. In the early days of computers, physical access was a proxy for identity. That is, there was no need to tie identity to the computer because physical access assured that no one could get to a computer unless they passed the physical controls. As a result, boot and sign-on were trivial for any individual in the computer room.

This was called the location paradigm and Phil maintains that it still exists today. That is, location is a proxy for identity.

The problem is that in a networked environment where anyone can be anywhere, the location paradigm does not exist anymore. As a result, firewalls and other devices seek to protect the network by putting up barriers. This has resulted in a network siege mentality. Phil cited that “once a computer is connected to a network no physical computer remains fully under your control.”

Phil maintains that identity is the organizing construct for networks. Once identity is established, it is possible for autonomous agents to identify each other, organize interactions, pass certificates of authority and to be held accountable irrespective of location.

Many of the problems we face today are a result of the design of networks. He used the OSI model to show how networks are designed around communications. What is missing is an identity layer. Without this, there has been a passing of the buck of identity. That is, identity is integrated into many of the layers, such as in applications and logons that are independent identity silos. The lack of identity is compromising the network.

Experience has shown that major computing developments take 10 years. The Internet took 10 years to mature. We are now in the second phase with web services and, as he described it, the tools and means to use network computing more effectively are getting there. But the next wave will come with identity on the network, and this has barely begun. If history is a guide, a 10 year quest lies ahead.

He called compliance a universal application on the network because it is a natural extension of doing business on the network. It is just like accounting and will be a cost of doing business. What is critical is that compliance must be automated in order to bring down the cost.

Authentication is the foundation of identity based computing techniques. Provisioning is the foundation of compliance automation.

Identity Theft is a BIG Problem

Nicco Poppo, CTO and VP, VeriSign presented his views on a layered approach to protecting consumer identities.

In 2004 the FTC cited that consumer identity theft was over $0.5B.

The bad guys are going digital – 57% of all fraud complaints are Internet related.

March 2005 was a bad time. There was ChoicePoint, LexisNexis and more. The loss of identity hit the radar screens of the public and legislators. It is likely that we will see a legislative response. There are 18 federal and 30 state cybersecurity bills pending.

The Internet only compounds the issues around identity theft. It enables criminal activity because it is low cost, criminals can be anonymous and effective, and it is scalable. For example, phishing is 6% effective, an unheard-of rate for any fraud. The result is that the Internet has become an organized crime network.

Consumers are also very concerned. 60% of online consumers are “extremely concerned” about security when banking online.

Another view can be taken – security can be a market advantage. Trust is a competitive advantage. Trust is “sticky.” New services can be offered which are based on stronger IDs and these can offer higher value transactional services.

Paulo de Almeida was cited as an example of how effective the criminals have become. An article from The ChannelRegister is at the end of this report.

Nicco Poppo concluded that only a layered defense that includes the Users, Desktop, Web Site and the Corporation will mitigate these multi-faceted attacks.

The 7 Laws of Identity

Kim Cameron of Microsoft gave an impassioned plea that we need to establish a framework to deal with the identity problems on the Internet. He has engaged many in the development of these “laws,” with the blogosphere being a tool to form the dialog. At times the discussion was obtuse, but semantic debate is a part of the process of dialog.

The problem is that the Internet was built without a way to know who and what you are being connected to. The result is that there is a patchwork quilt of identity one-offs. Consistent with the observations of Phil, the Internet is “Missing the identity layer.” This creates a world without digital identity synergy.

The Internet has attracted international criminals. Phishing and pharming are growing at 1000% CAGR.

The criminalization of the Internet has the potential of halting web services before they leave the starting gate. The problem is that the ad hoc nature of Internet identity cannot withstand the growing assault of professional attackers. Kim predicted a deepening public crisis on the role and use of the Internet.

What is required is to go from a patchwork to an identity fabric. He has come to the conclusion that no simplistic solution is realistic. As a result, based on much dialog, Kim has developed these “laws.”

1 – User Control and Consent

Digital identity systems must only reveal information identifying a user with the user’s consent.

2 – Minimal Disclosure for Limited Use

The solution that discloses the least identifying information and best limits its use is the most stable long term solution.

3 – Justifiable Parties

Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.

4 – Directed Identity

A universal identity metasystem must support both “omni-directional” identifiers for public entities and “unidirectional” identifiers for private entities.

5 – Pluralism of Operators and Technologies

A unifying identity metasystem must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.

6 – Human Integration

A unifying identity metasystem must define the human user to be a component integrated through protected and unambiguous human-machine communications.

7 – Consistent Experience Across Contexts

A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies.

The WAVE asked the question: how does this stop the criminals? The practical answer is that it does so only once the Internet adopts most of these principles, so that the criminals stand out when they do not follow them. Slight problem: is it possible to wait that long before the Internet is marginalized?

The BIG Picture

Jamie Lewis, CEO & Research Chair, Burton Group, gave the keynote on the second day. He put into context Identity Management.

Digital ID is becoming a mainstream issue. This is being driven by the reality that business is moving onto the network. Identity management is a core enabling infrastructure. This will evolve both within and between enterprises on Service Oriented Architectures (SOA) that include identity management. This will combine with other infrastructure services to create an interoperable fabric which will support a new generation of application services.

At the same time there is increasing interest in “user-centric” identity management. This will enable a more reliable, usable and secure web. It is essential that identity management be a part of a common infrastructure within and between communities. But making identity such a core component is at its early stages. There are many who would detract from this.

Today regulatory issues drive identity management. Provisioning plays a major role. The reality is that the more software a company has, the more it has to certify. But identity management products are weak on role and policy discovery. We need standardized provisioning within SOA.

Today the network and security infrastructure is becoming identity aware.

We are seeing signs that federated sign-on is viable. That is, identity which supports sign-ons amongst affiliates and between loosely coupled domains within enterprises. We see that, through standards, coexistence is possible in the near term but that convergence to this goal will happen in the longer term.

The problem today is that there are too many custom identity management integration projects. It is not a turnkey solution. Major issues lie in interoperability, assurance and trust.

Another issue is that identity management audit remains a complex problem. Further, privacy issues both drive and inhibit identity management. We see that the regulatory environment demands action, both national and international.

What has happened over the last several years is that many of the small companies have been acquired by larger ones. This has resulted in suites of identity management products but these are loosely integrated. They do not have common workflow, connectors, administration and audit. The result is that applying identity management results in lots of customization. This will improve in the next 12 – 18 months.

It will be essential that the providers move from product suites to a platform. Security and identity management will join. What will happen is that this platform will be a part of the SOA bus which connects various application services. This reinforces the need for a standards based federated communications infrastructure. Under this is the ability for application services to interact securely. We feel that it will take at least 5 years for this to emerge.

On the user-centric side – that is, consumers – we are seeing the emergence of a virtual society in virtual places. Individuals are buying, socializing and living online. At the same time invasive technologies are increasing in equal measure. An underlying issue is that the technical skills required are far too high.

It is important to give individuals assertive control over identity information in commercial, social and other contexts. This can be thought of as “federating” the individual.

We cannot lose sight of the fact that identity is highly contextual. It is like all social interaction. Who we choose to be and what we share will depend on the context. We will have many different credentials and identifiers for different needs. Ad hoc groups, formal communities, social structures and businesses will implement and manage identity in a fashion that suits their needs. For example, identity systems that work for a financial services company will not work for social software and vice versa. The bottom line is that we are talking about representing human behavior, not machine behavior.

Federation is important because it allows for organic growth in self-organizing systems. Identity connections will not form because of some master directory but because individuals, groups, organizations and companies will need those connections. These federated connections will emerge on an as-needed basis.

What is needed is agreement on laws and principles. The Internet community needs to solve this problem. The laws presented by Kim Cameron of Microsoft are a beginning, and it is unorthodox for Microsoft to be so open about an issue. We also need open standards, protocols and frameworks. Then it will take time for technologies and implementations to propagate.

Taming the Beast

One of the points made by Jamie Lewis, CEO & Research Chair, Burton Group is that identity management requires highly customized efforts to integrate into an enterprise. This was reinforced in presentations by Sun Trust Banks, Sony Media and GM. We saw the following threads.

Each company has many heterogeneous systems which must interoperate. It was not uncommon to hear the phrase “We have at least one of everything.”

These systems impose an enormous burden on the users, and one of the most frequently cited is multiple passwords. Every presenter listed password resets over help lines as a measure of the burden and overhead cost.

But the nature of organizations, especially virtual organizations, that cross into vendors and contract individuals, drives issues such as provisioning. Cited multiple times is the need for automated provisioning which entails many functions in the organization including HR.

Federation is essential as the identity management system extends across many organizations or even within an organization that has independent operations.

A common identifier for individuals, especially the SSN, can no longer be used, except for financial reporting.

In the financial sector, compliance is critical, but this is now extending to all listed businesses due to SOX. Compliance and identity management go hand in hand.

Role definition is very important to establish access rights. Some did this manually; others were able to automate it after some effort.

The functions within identity management include:


These companies would have multiple identity management software components to accomplish these and they would have to be customized for their needs. No suite exists.

It should be noted that biometrics applies to only the authentication portion.

Where Does Biometrics Fit When there is Strong Authentication?

A panel on The Great Authentication Debate captured many of the issues which help define the role of biometrics. We summarize this along with many assessment points.

Strong authentication is the use of a token, a small device carried by the individual. This device frequently has an LCD panel which generates a random number, sometimes as frequently as every minute.

This number, with a PIN appended to it to form a larger number, is a one-time password (OTP) for a system. Software running on a server then checks this value against a cryptographic algorithm to determine whether there is a match. If so, entry is granted on a one-time basis. The next attempt needs a new password, which follows the same process.
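The token flow described above, as an added example that is not code from the report, RSA or OATH: the "random" number on the display is in fact derived from a secret shared with the server and the current time step, which is what lets the server recompute and match it. The HOTP algorithm (HMAC-SHA1 with dynamic truncation, RFC 4226, the OATH algorithm) is assumed as the concrete crypto; the seed, PIN and 60-second step are constructed values.

```python
"""Time-stepped OTP token with an appended PIN, and the server-side check."""
import hashlib
import hmac
import struct

# Constructed demo values shared by token and server (not real credentials).
SHARED_SECRET = b"constructed-demo-seed-0123456789"
PIN = "4821"            # assumed user PIN, known to the user and the server
STEP_SECONDS = 60       # the token rolls its code once a minute
DIGITS = 6
DRIFT_STEPS = 1         # tolerate one step of clock drift either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def token_display(secret: bytes, now: float) -> str:
    """What the LCD shows: the HOTP of the current time step."""
    return hotp(secret, int(now // STEP_SECONDS))


def user_enters(display: str, pin: str) -> str:
    """The larger number the user types: token code with the PIN appended."""
    return display + pin


class OtpServer:
    """Verifies code+PIN and refuses to accept the same time step twice."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self.secret = secret
        self.pin = pin
        self.last_accepted_step = -1   # replay protection state

    def verify(self, otp: str, now: float) -> bool:
        if len(otp) != DIGITS + len(self.pin):
            return False
        code, pin = otp[:DIGITS], otp[DIGITS:]
        if not hmac.compare_digest(pin, self.pin):
            return False
        step = int(now // STEP_SECONDS)
        for candidate in range(step - DRIFT_STEPS, step + DRIFT_STEPS + 1):
            if candidate <= self.last_accepted_step:
                continue   # already used: a replayed capture fails here
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    server = OtpServer(SHARED_SECRET, PIN)
    t0 = 1_115_712_000.0   # constructed timestamp
    otp = user_enters(token_display(SHARED_SECRET, t0), PIN)
    print("first use accepted:", server.verify(otp, t0))          # True
    print("replay accepted:", server.verify(otp, t0 + 5))         # False
    nxt = user_enters(token_display(SHARED_SECRET, t0 + 60), PIN)
    print("next step accepted:", server.verify(nxt, t0 + 60))     # True
```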

RSA is a leading provider but many in the industry do not like the fact that the implementation is proprietary. OATH published a framework during the conference which seeks to make this open.

One of the problems with the OTP systems is that there is no interoperability between applications. That is, a person must carry a token for each application they desire to access. OATH seeks to correct this also.

Today, these tokens are in the enterprise and many want to enter the mass market with millions of tokens. ActivCard was showing a consumer token and RSA has announced that they have a deal with AOL and E*Trade.

Rather than hardware tokens, it was suggested that software tokens could serve the same role.

These OTP solutions only work where there is mutual authentication. They do nothing against a bad guy seeking to misrepresent another party when no mutual OTP is present.

Biometrics has a role but it is not fully defined.

The strength of strong authentication is very high, with practically zero FAR and FRR. There are no enrollment issues. But the value is based on remembering the PIN and carrying the token. The latter has the drawbacks of the cost of the token and the need for multiple tokens.

While biometrics is intrinsic to the individual, it also allows the individual to remember nothing. Mutual authentication, however, is only possible in biometrics when the opposite party has the biometric or some form of it, such as a template or image. This has privacy implications which the token does not have. A major drawback of biometrics is its poor “quality”: the FAR and FRR are much too high. Multifactor biometrics, even the combination with tokens or other forms of security, can significantly raise the quality.

It was stated that biometrics has the advantage of adding an additional layer of security. Yet this misses the point. Only biometrics ties the individual to the authentication in a way that is not related to memory.

RSA stated that a corporate token costs $80 - $120. It is their intent to drive the consumer version to <$20. We find it hard to believe this is sufficient. For example, if one looks at the frequently phished sites such as eBay and PayPal, it is not hard to envision many tokens having to be carried. Further, the consumer will tire of the burden of this; it is just not convenient enough. Yet biometrics is held by the individual, and one reader token, if a reader is on a smart card for example, might be adequate. If the “quality” limitations of biometrics are either overcome or accepted, biometrics has the potential of offering a much lower cost solution.

If one assumes that price gives biometrics a market advantage a market position can be gained by:

Being a leader in the commoditization of biometric readers;
Advocating open standards for biometric information and its matching; and
Making biometric reading portable – anytime anywhere.

There is an interesting aspect of privacy if one assumes widespread adoption of biometrics for authentication. It is critical to protect the biometric in the same way that cryptographic keys are protected. If the bad guys get the biometric, they are able to represent a trusted source, such as PayPal, falsely seek the individual out with phishing, and “validate” and authenticate the user. Under these conditions we are no better off than today. Multifactor biometrics are one way to minimize the potential for such attacks, as long as both biometrics are protected.

It is important to recognize that OTP is just like physical access. It is an entrance to the system. If keystrokes are being monitored, yes, replicating those keystrokes will not allow a bad guy to get in the next time. But that also misses the point. If one has important information such as credit card numbers, the image of a web page or the pattern of usage of the sensitive corporate application, this may be all that is needed by a criminal. That is, if a Trojan has been planted on the machine, having strong authentication is almost irrelevant. Granted, such considerations are much more important to a consumer than to a robust enterprise network infrastructure, but one cannot dismiss the reality that access controls alone may be insufficient to address the criminalization issues.

We come back to Taming the Beast discussed above. This is not just a network security issue. It is also not just an identity management issue. It is also not narrowly confined to a privacy issue. It is all of these things.

Identity Metasystem

John Shewchuk, CTO Distributed Systems, Microsoft, teamed with Kim Cameron to show how the 7 laws of identity could help provide a foundation for an identity metasystem. The analogy was used that in the early days of the PC, writing directly to a disk drive or a display severely limited software development. With drivers and a file system, a level of abstraction was introduced that changed application development. That same approach is required for identity management. As a lead-in, past lessons also provided a framework for the metasystem.

Single technology, single provider solutions are not broadly accepted;

Single technologies with multiple providers have not been universally deployed; and

Multiple providers with multiple technologies have meant very little interoperability.

A metasystem provides a way that users can manage identity in a heterogeneous world. This is because if the metasystem is carefully developed it is possible to unify:

Multiple identity technologies;

Multiple operators; and

Multiple implementations.

This can then allow:

Customer freedom with technology such as X.509, Kerberos and SAML, along with provider choice such as self-issued, private or government, and

Customers can also look forward to new systems such as Liberty.

The essence of the metasystem is these components.

Negotiation Driven
Claims Transformation and
User Experience

The audience responded positively to the concept of claims transformation that allows for a trusted way to change one set of claims regardless of token format into another.

Microsoft has been working with many in the industry to develop an architecture for an identity metasystem – WS-*. It has the following components.

Composable Architecture for Web Services

Security token format neutrality, which has as its basis OASIS WS-Security

Dynamic system for exchanging claims which uses WS-MetadataExchange and WS-SecurityPolicy.

Token and claim translation which uses WS-Trust and this defines STS (Security Token Services)

Microsoft then demonstrated its implementation of the identity metasystem.


Runtime for building distributed applications supporting an identity metasystem.


Identity selector for Windows which safeguards user’s digital identity.

Active Directory, which is the infrastructure for identity and access.

An example was given of code development to allow individuals outside of the directory to be included based on trust established by the outside organization – federated login.

During the question session it was clear that many in the audience were impressed by the progress made. Another aspect is that the development of the 7 Laws of Identity by Kim Cameron was called unorthodox for Microsoft. That is, using Kim’s blog and working in the blogosphere, Microsoft was unusually receptive to outside participation. This was reinforced in John’s presentation when he said that an identity metasystem must operate in a heterogeneous world, a point that was also reinforced in the case studies presented during the conference. The conference showed that there is a need for a unifying architecture and design which accelerates the maturation of identity management. Microsoft demonstrated how its work, especially in conjunction with many others, had made significant progress in moving the technology of identity management forward.

Page updated 1/24/07
Copyright 4th Wave Inc, 2007