
Microsoft flies the identity management flag

Nov 12, 2003

* Microsoft unveils ID initiative for Longhorn

Identity management has finally reached the big time – Microsoft has announced an ID initiative for Longhorn, the Windows release that’s expected in 2006.

As outlined at the recent Professional Developers Conference, and reported by Network World’s John Fontana (see story link below), the Longhorn Identity System (as it’s currently called, but expect that to change) looks remarkably like some previous work done by Novell. It also owes some of its impetus to the much-maligned Passport (a.k.a. “Hailstorm”) technology.

At its heart, the identity system is a personal directory – a workstation-based repository for the identity information (and any other attributes) associated with a single user. These personal directories will then be able to federate with other identity management systems, applications and services using technology provided by the WS-Federation specification (and also, possibly, the Liberty Alliance spec) under the control of the user who owns the data.

Kim Cameron, architect of directory services at Microsoft, describes the repository – called the Information Card – as “a vCard on steroids” (the vCard being the electronic business card format). What it mostly resembles, though, is Novell’s “DigitalMe” card, a much ballyhooed but never developed technology.

The Information Card will be integrated with WinFS, the new Windows file system, and with an API that allows applications and services to interact directly with identity and personalization information without having to navigate the complexities of Active Directory. Microsoft hopes that other operating system vendors will adopt the technology so that universal identity federation could occur. That seems like wishful thinking at this stage, but it could become reality later on.

The important feature is that the user controls the use of the data, which Fontana reports includes “…name, identity claims such as an e-mail address, use policies that define what can be done with the ID and a digital certificate to validate identity. Users can self-sign the certificates, or a certificate authority within a company can assign certificates. Optionally, users can decide to disclose more information through the cards, such as a home address, phone number or credit card number, and can update data automatically and revoke cards.”
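As an added illustration (not code from the column, Microsoft or Novell), the following Python sketch models the user-controlled release Fontana describes: each claim carries a use policy naming which relying parties may receive it and for what purpose, and a revoked card releases nothing. The card layout, the party names and the policy fields are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Claim:
    value: str
    # Use policy (assumed format): relying parties that may receive this
    # claim, and the purposes for which they may receive it.
    allowed_parties: frozenset
    allowed_purposes: frozenset

@dataclass
class InformationCard:
    holder: str
    claims: dict          # claim name -> Claim
    revoked: bool = False

    def revoke(self):
        self.revoked = True

def release(card, relying_party, purpose, requested):
    """Return only the requested claims whose use policy permits this
    relying party and purpose. A revoked card releases nothing. Claims
    the party may not see are omitted rather than reported, so a party
    learns nothing about what the card holds beyond what it may receive.
    `relying_party` must be the party's verified identity, not whatever
    name a message asking for the data happens to present."""
    if card.revoked:
        return {}
    released = {}
    for name in requested:
        claim = card.claims.get(name)
        if claim is None:
            continue
        if relying_party in claim.allowed_parties and purpose in claim.allowed_purposes:
            released[name] = claim.value
    return released

# Constructed sample card; values and party names are made up.
SAMPLE_CARD = InformationCard(
    holder="alice",
    claims={
        "email": Claim("alice@example.com",
                       frozenset({"shop.example", "bank.example"}),
                       frozenset({"login", "receipts"})),
        "home_address": Claim("1 Example St",
                              frozenset({"shop.example"}), frozenset({"shipping"})),
        "credit_card": Claim("4111-XXXX-XXXX-1111",
                             frozenset({"shop.example"}), frozenset({"payment"})),
    },
)
```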

That shows tremendous potential for spreading identity technology, but we’ll all have to be careful about how we address the issues that the popular press is sure to raise – security and identity theft.

“Phishing” is the term for an e-mail/Web-based scam in which a message purporting to come from the billing or security department of a popular Web destination asks a user for personal data (social security number, credit card number, mother’s maiden name, etc.), supposedly to verify identity but actually to aid the criminal in stealing that identity. “Phishers” will be salivating as they wait for the Longhorn Identity System because a slickly worded e-mail could induce a user to turn over not just one or two bits of ID data, but the whole ball of wax.

Microsoft needs to quickly identify the security mechanisms it will use to prevent this, as much as possible, from occurring. The rest of us will need to help educate the general press, as well as the worldwide user community, that this technology can be used safely and can provide a huge advantage to users, their vendors and their clients.