Microsoft's acquisition of privacy vendor Credentica signals another step in the company’s effort to ensure that users don’t lose control of their personal data.
Credentica develops technology called U-Prove that uses cryptography and multiparty privacy features to facilitate “minimal disclosure” so a user can reveal only the bits of information about themselves they want to while protecting their privacy.
Terms of the acquisition announced Thursday were not disclosed.
But Microsoft’s Identity Architect Kim Cameron could hardly hide his pleasure at landing the U-Prove technology, which he said on his blog is “equivalent in the privacy world of RSA in the security space.”
Cameron has almost single-handedly rescued Microsoft from its identity gaffe of years ago when it launched Passport, which called for Microsoft to store users' personal data. Cameron was the driving force behind Microsoft’s new CardSpace technology and claims-based architecture, which flips the Passport concept on its head and makes users gatekeepers of their own personal information.
Cameron told Network World, “customers want authorization without putting their personal information in jeopardy. In many online interactions, there is a need to verify people’s identities. Today we have to give too much personal information, and it increases our risk of online identity theft or misuse of our personal information.”
Cameron said the Credentica acquisition is an important step in developing Microsoft’s Identity Metasystem concept, a framework for connecting identity systems via Web services based protocols and client, server and middleware technologies.
He said the U-Prove technology could be applied in many areas, including anonymous age or membership verification for online communities or social networks.
“If a student is issued a U-Prove token by a school and the student uses the token to apply for access at an age-controlled Web site, the only information the site obtains from the student is the fact that the token has not been tampered with and the student is under or over a certain age. The site does not obtain the exact age, name, address, etc. of the student,” he said.
The technology also could be used to access government services without those individual services being able to link the user data they collect to create a user profile.
Cameron also said U-Prove could support outsourced identity services.
“The main point is that this will just become part of the base identity infrastructure we offer. Good privacy practices will become one of the norms of e-commerce,” Cameron said.
Microsoft plans to incorporate U-Prove into both Windows Communication Foundation (WCF) and CardSpace, the user-centric identity software in Vista and XP.
Microsoft said all its servers and partner products that incorporate the WCF framework would provide support for U-Prove.
“The U-Prove technology looks like a good candidate as an authentication mechanism for CardSpace-managed cards (i.e., those cards issued by an identity provider),” Mark Diodati, an analyst with the Burton Group, wrote on his blog.
In general, the technology ensures that users always have a say over what information they release and that the data cannot be linked together by the recipients. That means that recipients along the chain of disclosure cannot aggregate the data they collect and piece together the user’s personal information.
The selective disclosure feature of the technology also prevents unauthorized transfer, discarding and re-use of identity data. Multiple revocation methods are also included, and users can bind to smartcard identity assertions, such as those issued via the Security Assertion Markup Language (SAML).
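To make the minimal-disclosure idea concrete, here is an added example that is not part of the original article and is not U-Prove's protocol, Credentica's code or anything Microsoft shipped. It is a deliberately simple salted-commitment token: the issuer (a school, as in Cameron's example above) commits to each attribute separately and authenticates the set of commitments; the holder opens only the attributes they choose; the verifier (an age-controlled site) learns that the token is intact and that the student is over 18, and nothing else. Everything in it is constructed for illustration: the `ISSUER_KEY`, the student record, and the use of an HMAC as a stand-in for the issuer's signature. One caveat matters for the paragraph above: because the issuer's tag is a fixed value that every verifier sees, presentations of this toy token are linkable across sites. The unlinkability that the article attributes to U-Prove needs the blind-issuance cryptography this example leaves out.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key for the example. A shared HMAC key stands in for the
# issuer's signing key; a real scheme would use a public-key signature
# (or, in U-Prove, a blind issuance protocol) so the verifier holds no secret.
ISSUER_KEY = b"constructed-school-issuer-key"


def _commit(name: str, value, salt: bytes) -> str:
    """Salted hash commitment to one attribute (hides the value until opened)."""
    data = f"{name}|{json.dumps(value)}|{salt.hex()}".encode()
    return hashlib.sha256(data).hexdigest()


def issue_token(attributes: dict) -> tuple[dict, dict]:
    """Issuer side: commit to every attribute and authenticate the set of commitments.

    Returns the token (safe to show to verifiers) and the per-attribute salts,
    which only the holder keeps.
    """
    salts = {name: secrets.token_bytes(16) for name in attributes}
    commitments = {name: _commit(name, attributes[name], salts[name]) for name in attributes}
    body = json.dumps(commitments, sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return {"commitments": commitments, "tag": tag}, salts


def present(token: dict, attributes: dict, salts: dict, reveal: list[str]) -> dict:
    """Holder side: open only the chosen attributes; the rest stay hidden."""
    disclosed = {name: {"value": attributes[name], "salt": salts[name].hex()} for name in reveal}
    return {"token": token, "disclosed": disclosed}


def verify(presentation: dict):
    """Verifier side: check the issuer tag, then check each opened commitment.

    Returns the disclosed attributes on success, or None if anything fails.
    """
    token = presentation["token"]
    body = json.dumps(token["commitments"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        return None  # token tampered with, or not issued by this issuer
    learned = {}
    for name, opening in presentation["disclosed"].items():
        if name not in token["commitments"]:
            return None  # attribute the issuer never certified
        recomputed = _commit(name, opening["value"], bytes.fromhex(opening["salt"]))
        if not hmac.compare_digest(recomputed, token["commitments"][name]):
            return None  # holder changed the value after issuance
        learned[name] = opening["value"]
    return learned


def age_gate_demo() -> dict:
    """School issues a token; the student shows an age-controlled site only 'over_18'."""
    # Constructed student record. The issuer evaluates the age predicate at
    # issuance, so the holder can later reveal the boolean without the birth year.
    record = {"name": "A. Student", "birth_year": 1989, "over_18": True}
    token, salts = issue_token(record)
    presentation = present(token, record, salts, ["over_18"])
    return verify(presentation)


if __name__ == "__main__":
    print(age_gate_demo())
```

The verifier's output contains only `over_18`; the name and birth year exist solely as opaque commitments, and changing a revealed value, or claiming an attribute the issuer never certified, fails verification.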
The only trick for Microsoft might be that U-Prove is currently made available via a Java SDK.
Microsoft says Credentica’s core development team of Stefan Brands, Greg Thompson and Christian Paquin will join its identity and access group. The trio has been working on and validating the cryptography protocols at the foundation of U-Prove since the early 1990s.
“The market needs in identity and access management have evolved to a point where technologies for multiparty security and privacy can address real pains,” Brands wrote on his blog.