Today, users need to have separate, unconnected IDs for virtually every secured place they visit, but efforts by groups such as the Identity Gang — a working group founded to support, facilitate and promote the creation of an identity layer — are aimed at creating standard, secure ways of authentication.
One such method is OpenID, in which users send what amounts to a personal URL to a site they wish to access (the Relying Party), which in turn sends that URL to a security provider to receive authentication of the user.
During a panel discussion at Microsoft’s recent Mix’07 conference in Las Vegas, Microsoft’s architect of identity and access Kim Cameron noted that since the Relying Party is relaying the OpenID, an evil Relying Party could potentially misuse it. He instead advocates Microsoft’s CardSpace (formerly InfoCard), which allows users to securely locally store various digital identities supporting claims such as who the user is, whether he or she is of legal age, or whatever else the identity requires.
Confirmation of these claims is acquired by the user from a security provider in the form of a token (an agreed-upon digital certification that the claim is true), and the user application passes that token on to the Relying Party.
This means the user is always in control, and the identity is not potentially subject to man-in-the-middle attacks (attacks where the crook sits between the communicating parties, intercepting traffic and recording it before passing it on).
OpenID and CardSpace complement each other, pointed out Scott Kveton, former CEO of identity management software developer JanRain, and Bill Gates announced at the RSA Conference in February that Microsoft would support both. With OpenID, he noted, since peoples’ IDs are the same on many sites, “you can create a social network to drag from site to site to site.”
Combine OpenID with other Web-based data such as contacts or calendars, and the potential is huge. Depending on their digital identity, you could, for example, grant different information — a friend might be given your cell phone number, while a business contact would only see your office number.
In the end, the notion of a digital identity can simply be stated as “a set of claims made by one party about another party,” said “Identity Woman” blog author Kaliya Hamlin. “I can imagine claims that just express an authorization.”
Such claims could, for example, assert that the individual is over 21 years of age, for example.
But, noted Hamlin, the important thing is that the user is in charge of his or her data. “A lot of us were offended by Passport because it made Microsoft the centre of the universe.”