• United States

Microsoft eyes ID management

Nov 03, 20035 mins
Access ControlMicrosoftNetworking

Microsoft is working on identity technology for its future Longhorn operating system that it hopes will evolve into a cross-platform, standard format that companies can use to secure digital relationships and share resources.

LOS ANGELES – Microsoft is working on identity technology for its future Longhorn operating system that it hopes will evolve into a cross-platform, standard format that companies can use to secure digital relationships and share resources.

The Longhorn Identity System, unveiled for the first time at Microsoft’s Professional Developers Conference last week, is a single storage and development platform for associating identity with applications. It includes an XML-based data structure that represents identity and an API for access.

Also: Beyond Windows-centric management

Longhorn, which isn’t expected to be released until 2006, is part of an ambitious slate of products that promise to integrate Microsoft’s software with .Net and Web services. It will require customers to overhaul client and server operating systems, Office and everything that runs on top. The integration plan parallels efforts by competitors such as IBM with WebSphere.

The Identity System is built on the new file store in Longhorn called WinFS, which treats identity as an object for use by programmers and end users. Microsoft hopes the concept will be ported to other platforms.

This is Microsoft’s second attempt at a universal identity model, the first being Passport, which has become largely a consumer service. However, this time Microsoft says the identity system will span consumer and corporate users who will store their identity data locally and not submit it to a central repository as Passport requires.

Microsoft plans to integrate the Identity System into larger Web-services-based federated identity initiatives, including its own work with IBM and possibly the Liberty Alliance, which has a similar user-centric identity model.

Collaboration guru Ray Ozzie, the founder of Groove Networks and the creator of Lotus Notes, was in the audience at the Identity System presentation and came away impressed.

“Today’s business environment is a mesh, not a hierarchy. Asking someone in IT to grant access is clumsy,” said Ozzie, whose company, Groove, has a partnership and investment relationship with Microsoft. “This puts sharing into the hands of people who control their personal information and have control over relationships.”

Ozzie said Microsoft’s challenge is execution. “There is lots of code, lots of moving parts, but the design is solid,” he said.

The heart of the Identity System is the XML-based Information Card, which lets users digitally exchange data about themselves with other users or servers. At its most basic, the Information Card is a mechanism for users and organizations to recognize one another, much like today’s cell phones display incoming phone numbers as an identifier.

“The Information Card is a recognition infrastructure. It’s like a vCard on steroids,” said Kim Cameron, architect of directory services for Microsoft. The vCard is an Internet Engineering Task Force standard for an electronic business card. The Information Card goes a step further to add policy and cryptography features. Communication is protected using technologies such as IP SecuritySecure Sockets Layer and Web services protocols.

“The goal is to make this ubiquitous. We think everyone will adopt this as a concept. There is no Microsoft in the middle. This is a very simple, very thin layer that just does identity,” said Cameron, who adds Microsoft is already getting feedback from privacy groups, universities, enterprise customers and vendors.

Once beyond basic recognition between users, the Information Card can be used for a more formal digital relationship, with end users controlling the identity data they communicate. The data includes name, identity claims such as an e-mail address, use policies that define what can be done with the ID and a digital certificate to validate identity. Users can self-sign the certificates, or a certificate authority within a company can assign certificates. Optionally, users can decide to disclose more information through the cards, such as a home address, phone number or credit card number, and can update data automatically and revoke cards.

Experts and users said the Identity System shows potential to solve lingering security issues.

“This model seems to have good modular security, which is something that is missing today,” said one IT architect from a Fortune 50 company who asked not to be identified. The architect said that too often IT is dragged into setting up users and access controls for any type of resource sharing. “There is a desperate need for identity management in organizations today. This could make it easier to implement what people do today by creating small resource domains within Active Directory to control access to groups of machines.”

Active Directory can be used to store Information Cards, and Microsoft plans to move its certificate authority technology to the directory in the Longhorn server and will incorporate its Authorization Manager technology for roles-based access control to support the Identity System.

“This is a shift in thinking to a bottoms-up element to identity,” said Adam Sohn, product manager in the platform strategies group at Microsoft. “You need to have trust as a platform service, and that is what this is.”

The cards could be used in peer-to-peer relationships, including validating the e-mail sender, or as a single-sign-on control to reduce the IT burden of creating and maintaining user accounts across multiple systems. The cards also could secure access control and communication between a user and a company, and between departments or organizations.

Recipients of the cards can associate them with certain privileges such as access to a desktop file or data on a server, and use the cards to validate senders during subsequent communication. They also can revoke access by removing a sender’s Information Card from their system. Machines also can build secure relationships with users and provide access controls.