Purdue CS 59000 - Design Rationale behind the Identity Metasystem Architecture


Design Rationale behind the Identity Metasystem Architecture

Kim Cameron and Michael B. Jones
[email protected], [email protected]
http://www.identityblog.com/, http://research.microsoft.com/~mbj/

Abstract

Many of the problems facing the Internet today stem from the lack of a widely deployed, easily understood, secure identity solution. Microsoft’s “InfoCard” project and the Identity Metasystem vision underlying it are aimed at filling this gap using technology all can adopt and solutions all can endorse, putting users in control of their identity interactions on the Internet.

The design decisions presented in this paper are intended to result in a widely accepted, broadly applicable, inclusive, comprehensible, privacy-enhancing, security-enhancing identity solution for the Internet. We present them and the rationale behind them to facilitate review of these design decisions by the security, privacy, and policy communities, so that people will better understand Microsoft’s implementations, and to help guide others when building interoperating implementations.

1. Introduction

1.1. The Challenge: A Ubiquitous Digital Identity Solution for the Internet

By definition, for a digital identity solution to be successful, it needs to be understood in all the contexts where you might want to use it to identify yourself. Identity systems are about identifying yourself (and your things) in environments that are not yours. For this to be possible, both your systems and the systems that are not yours – those where you need to digitally identify yourself – must be able to speak the same digital identity protocols, even if they are running different software on different platforms.

In the case of an identity solution for the entire Internet, this is a tall order. It means that, to succeed, the solution will need to be adopted by the wide variety of operating systems, browsers, and web servers that collectively implement the phenomenon we know of as “the Internet”.

1.2. Practical Considerations

To have any hope of such widespread adoption, we believe that any Internet-scale identity solution will need to satisfy these practical considerations:

• Improved Security and Privacy: To be widely adopted, platform and software vendors will need to be convinced that the solution results in improvements in the overall Internet security landscape. Likewise, consumers (and their advocates) will need to be convinced that the solution improves the consumer privacy landscape.

• Inclusive of Technologies: There are a number of identity technologies in widespread use today (Kerberos, X.509, SAML, etc.) with more being invented all the time. To gain wide acceptance, the solution should be able to leverage existing identity technologies and deployments, incorporating them as part of the solution and building upon their strengths, rather than calling for their wholesale replacement.

• Inclusive of Scenarios: The solution must be broadly applicable across a wide range of use cases, even accommodating those with conflicting requirements. For instance, in many cases users will want guarantees that their identity providers can’t accumulate a record of the sites they visit. However, in some governmental and financial settings, an audit record of sites visited using an identity may be required. Both kinds of identities should be able to be accommodated. At an even more basic level, the solution must be applicable not just on workstations but also on different devices such as wireless mobile devices and cell phones.

• Incrementally Deployable: The solution must coexist with and complement existing authentication systems, rather than calling for a “forklift upgrade” or “flag day” where existing solutions must be replaced by the new one all at once.

1.3. Architecture of a Proposed Solution

Such a solution, the Identity Metasystem [Microsoft 05a], has been proposed and some implementations are under way. The Identity Metasystem is based upon a set of principles called the “Laws of Identity” [Cameron 05b]. The Laws are summarized in Appendix A. The Laws are intended to codify a set of fundamental principles to which a universally adopted, sustainable identity architecture must conform. The Laws were proposed, debated, and refined through a long-running, open, and continuing dialogue on the Internet [Cameron 05a]. Taken together, the Laws were key to defining the overall architecture of the Identity Metasystem.

While the Laws of Identity have undergone broad review and been met with significant acceptance, that’s certainly not the end of the story. While the Identity Metasystem is designed in accordance with the Laws, there are also numerous practical design decisions that had to be made to translate the vision into working, interoperable systems.

The purpose of this paper is to publish the design decisions underlying the Identity Metasystem architecture and the rationale behind them. This is intended both to enable a deeper understanding of the problems that this solution addresses and to enable discussion of these design decisions by the security, privacy, and policy communities.

2. Identity Problems on the Internet and an Overview of the Proposed Solution

The section briefly describes the problems motivating the need for a new identity solution for the Internet and gives an overview of the mechanisms that the Identity Metasystem employs to do so.

2.1. The Internet’s Problems are often Identity Problems

Many of the problems facing the Internet today stem from the lack of a widely deployed, easily understood, secure identity solution. Microsoft’s “InfoCard” project and the Identity Metasystem vision underlying it are aimed at filling this gap using technology all can adopt and solutions all can endorse, putting users in control of their identity interactions on the Internet.

A comparison between the brick-and-mortar world and the online world is illustrative: In the brick-and-mortar world you can tell when you are at a branch of your bank. It would be very difficult to set up a fake bank branch and convince people to do transactions there. But in today’s online world it’s trivial to set up a fake banking site (or e-commerce site …) and convince a significant portion of the population that it’s the real thing. This is an identity problem. Web sites currently don’t have reliable ways of

