The cloud demands identity. Microsoft has a strong, secure, privacy-friendly identity technology that’s open, easy to federate and will transform the Web and the cloud. So why is Windows Live ignoring CardSpace?

OpenID is a great tool for logging in to a Web site that you want to use but don’t need to trust. You wouldn’t want to use OpenID to get into your banking site because it’s just not secure enough, but it’s great for not having to remember passwords for LiveJournal, Dopplr, Plaxo and the like. You log into one site and tell the others to ask that site who you are. OpenID is getting less vulnerable, but it’s simply not intended to protect really important information.

The information card system is secure; it’s protected by cryptographic keys, it’s got a user interface that makes it very clear when you’re being asked to log in to a site, what the site wants to know about you and it lets you choose from a ‘wallet’ of cards to prove your identity. That gives you security and privacy and ease of use together (which improves security by stopping people using the same password everywhere. Microsoft put it into Vista and Internet Explorer 7 as CardSpace (information cards are the generic system and there are implementations that you can use in Firefox and Safari, on Macs and Linux machines, CardSpace is just the Microsoft implementation).

And since then, I’ve been waiting for Microsoft to deliver the next pieces. A token server that a business can use to issue its own information cards, and to validate them so you can use them for access to internal apps, preferably federated so you can also validate partners. And a public service that issues not just the self-certified cards that anyone can create with their public details but managed cards that have useful information that you want to protect. When you wave your passport or driving licence in an American bar, the bar doesn’t - or shouldn’t take a copy of it; they just need to know you’re old enough to have one.  Put your birthday into a managed card and you can prove that you’re over 16 for a shopping site without handing over details that could help someone hack your bank account if the site loses its customer details on a USB stick, because the site only gets the assertion that you’re old enough, not the actual day, month and year.

Issuing cards was going to be a function of ADFS at one point, because it fits with where enterprises store identity information; for development and resource reasons it went on and off the feature list and now it’s going to be a free component in Windows Server 2008 (and maybe other versions), code-named Project Geneva. Currently in beta at www.microsoft.com/geneva, there will be a feature-complete beta in the first half of 2009 and a final version in the second half. It leverages AD and SAML and x509, it interoperates with a wide range of line of business applications and it makes using secure identities easy in a business.

That just leaves a managed card service for those of us who aren’t in a big business and I’m still waiting. And in the PDC keynote today, Microsoft announced that Windows Live ID would be issuing a new kind of identity - but it’s not information cards.

So why is Windows Live ID proudly announcing that it’s issuing OpenIDs but not CardSpace IDs? Is it because OpenID is accepted by a lot of sites? So are information cards, and if you could get an identity you could trust from Windows Live other sites would be more likely to adopt them - because it’s easy to use Windows Live ID instead of running your own username and password system.

Is it because OpenID is, well, open?
CardSpace is the most open project Microsoft has ever done. The architect, Kim Cameron, has almost single-handedly changed the perception of Microsoft in the identity community, which isn’t bad for a company that was so roundly derided for Passport. The open nature of information cards “just isn’t up for discussion” Cameron said to me (before plunging into a discussion with senior VP Bob Muglia about why you can’t constrain the scope of identity to just in the cloud or just on the server or just on the Web or just on the desktop).

Is it because CardSpace 2 is going to better than CardSpace 1? It will let you transfer information cards from one PC to another, and when you go back to a site you’ve used an information card with before, CardSpace 2 will show you the card you used last - which means that even if a phishing site accepts information cards to try and fool you, you’ll be able to tell (and the phishing site isn’t going to get the details out of your card so scammers can’t steal it). But Microsoft has adopted the first version of plenty of its own technologies even when there has been something new and better just around the corner. And issuing managed cards today, cards that have been verified and are backed by an identity provider, would be a huge step forward.

If it’s because Microsoft wants somebody else to issue managed cards because a supermarket or a post office or a government already has relationships with people and systems for handling information - or because they look like a more natural place to prove your identity because they can prove that you have a loyalty card or a post office box or a passport - then I’d say yes, but you can’t wait for that to happen. Once the first managed identity provider proves its value then banks and services that sell you certificates will join in, but you can’t keep on waiting to go first them to go first.

I wonder if it’s the legacy of Passport. Maybe the Live team wants to be extra sure they don’t rush out with an implementation that could have problems and create another Passport backlash. Or maybe they aren’t comfortable with the way that CardSpace takes the power of identity away from the provider and gives it back to the user; issuing managed information cards would be admitting once and for all that Microsoft is never going to own user identities in the way that Passport envisaged. Everyone I’ve met from the Windows Live team so far is smarter than that, which leaves me confused. Because it’s ludicrous that Microsoft has a far superior identity technology to OpenID that it’s getting ready to offer to businesses and it hasn’t even talked about how to bring it to everyday Web users who need it just as much.
-Mary

Step into the rooms of the National Museum of Computing at Bletchley Park and you’re taking a journey back in time. The whirr of paper tapes signals that the reconstruction of the Second World War Colossus is at work, cracking the same teletype codes it was designed to break at the height of the war.

Now it’s a museum piece, a mix of telephone exchange hardware and ancient valves. Even so, it’s still as fast as many of today’s desktop PCs - at least for the one specific task it was designed to handle. You can download an emulator, ready for most desktop PCs. Only the most recent PCs will be as fast - something that goes a long way to show the power of single-purpose computing hardware.

Code breaking may be the key that gets people in through the door, but it’s the rest of the museum’s collection that keeps ypu there for hours. In the rest of the rooms of the museum you’ll find old friends (and old enemies). Amigas sit next to Atari STs, while BBC Micros are ready for you to type 10 PRINT “HELLO”: GOTO 10 just like the old days. There are still plenty of gaps in the collection, but the biggest one is funding.

That’s why we were there today, to hear IBM and PGP announce that they were donating a hefty sum to the museum’s appeal. It’s still nowhere near enough. A new organisation, the museum doesn’t have the hefty bank balances other museums use to manage cashflow and property. They’d ideally like to raise seven million pounds - enough to cover the museum’s annual running costs from the interest. That’s only a pound or so per PC in the UK - something that’s easily affordable for most individuals and businesses. It’s not much to preserve the heritage of an industry that’s done more for the UK economy over the last few decades than anything else.

PGP and IBM have kickstarted a much-needed appeal - now it’s up to the rest of us (and the rest of the industry) to chip in and make sure that the birthplace of modern computing gets the museum it deserves.

I’m guessing that most of you

For years, I’ve been saying that Google would be mad to build its own operating system. It should leave the thankless task to Microsoft and Apple and Linux distributions; you can debate how good a job they do, turn and turn about, but the scale of what a desktop OS needs to do and the range of devices it needs to support (even on a netbook) is far broader than what you need to do in a browser or on a smartphone. I still don’t think Google has any plans to create its own desktop OS (whatever people do with Android), but it’s pushing beyond the browser as a development platform with Gears and App Engine and the like. Microsoft has a whole range of platforms in the browser, out of the browser and around the browser, from Windows and WPF to Silverlight to SharePoint to Office to SQL Server – to name just a few of the platforms Bill Gates touched on in his last ever keynote at Microsoft TechEd this morning.

Silverlight is a lot of things, from Microsoft’s answer to Flash to Microsoft’s answer to Web based applications. Leave aside the video plugin side of it; the fact that Silverlight 2 (beta 2 due at the end of this week) runs .NET and programs written in dynamic languages on Mac and Linux as well as Windows is the most interesting part. And it’s not just consumer Web apps; Facebook and Hotmail users aren’t happy with line of business apps in dreary basic grey when they get to work, and Silverlight is an easy way to spruce those up without slaving over a hot CSS schema for hours.

Adobe’s Air tackles much the same problem; how do you make powerful applications for the Web that work online and off, that look good and that work without installing anything (once you have the initial plugin or runtime). Air builds on Flex, so if you’re already writing Flash, you’ve got a head start. But there are a lot more .NET developers writing business apps, so although Microsoft demos consumer apps like the Crossfader social video sharing tool it talked about today, most Silverlight apps might show up at work, using Workflow Foundation and making data from SQL Server look good.

Silverlight is a subset of .NET and Windows Presentation Foundation, so developers are using familiar skills and Visual Studio plus Expression Blend for designers, who get to work on the live project, not in Photoshop mockups. The visual development tools also appeal to disenfranchised Visual Basic developers who’ve been wondering what Microsoft has done for them lately…. Microsoft VP Soma Somasegar said Crossfader is being built by six developers and two designers in three months, which is more like Internet time than standard Microsoft time scales.

If Silverlight’s so good, why would anyone be creating Windows applications at all? Bill Gates finished his Q&A trying to balance that question. “Yes, you’ll be able to do amazing things in Silverlight, but there will always be things that you can do in Windows Presentation Framework that you can’t do in Silverlight. Why is that so? Well, it’s so because with WPF we get to assume we have the full power of the PC; we’re not just running in a browser environment. So, take things like 3D type things, virtual world type things, take things like ink recognition or playing video back at arbitrary speeds. WPF will, because it can connect in to all of Windows, expose those services and let people do new things.

“We need to keep the Silverlight download to be fairly modest. So, if you think of what that will be versus the entire Windows environment, we have a much bigger runtime to call on. So, we’re not saying that those get absolutely merged, but we will have exactly the right relationship. And even as you’re in Visual Studio or in the Expression tools, you’ll be able to say I want to author for the Silverlight piece and to let you know that if you’re sticking to the things that work in that world.

“Silverlight will probably have almost everything WPF has today, but WPF will keep getting richer and richer as we go forward.”

That’s the Microsoft dream and it’s one direction things could go. Google is pushing in completely the other direction. Last week at Google IO, Chris Prince and Aaron Boodman (better known as the designer of the Greasemonkey FireFox extension) was explaining why they don’t want you to think of Gears as taking Google applications offline. Yes it does that, but actually Google wants it to give Web apps to have access to all the capabilities of your PC the way desktop apps do. Why shouldn’t the browser get the power of your 2GHz processor and your 300GB hard drive? Why shouldn’t they be able to send you notifications in another window or show a progress bar? Why can’t you access USB drives from inside Gears or use a GPS to tell the Web app where you are?

Google filed its name off Gears so that it has more chance of becoming a standard, either as part of HTML 5 or by becoming ubiquitous as a plugin in its own right. Personally, I’m not going to be installing it on any machine I use.

It’s not just because it has no way to limit the amount of disk space it’s going to take for its local database (used by MySpace to give you search across the whole site without having to take up space on their data centre for those pesky index files). It’s only partly because it’s going to be able to use your GPS or other tools to get your location and there is currently nothing to warn the user and no options for choosing if and when Gears can get your location. Google seems committed to harmonizing with whatever standards HTML 5 includes for the things that Gears does, and I’m not the one who will have to detail with duplicate APIs from Gears and HTML 5 to do the same thing – that’s a problem for Web developers to juggle. And the fact that Web sites like YouSendIt already have real progress bars without needing me to download a plugin is a quibble rather than a complaint.

Mainly, I won’t use it at this point because of how Chris Prince explains why he thinks Web apps are so good in the first place. “Everything in the browser is inherently safe,” he said at Google IO. “There is no cost to install a Web app, you’re not afraid to click a link, and you can navigate away with no fear it will take over your machine.” Compared to the near-paranoia that’s is Microsoft’s attitude to the Web, from the phishing filter to the way IE doesn’t get the same privileges as a desktop app to the security-first attitude that permeates the company, calling the browser ‘inherently safe’ seems a little laissez faire to me.

Adding binary data files to JavaScript will certainly make for more powerful apps. Some of them might be Trojans; if Gears gets everything Google talked about that would be able to scrape files off a USB stick, record you talking with the audio APIs, add in your physical location and do whatever you can think of with it all. If I’m not too busy playing with whatever features the Web app disguising the Trojan has I can navigate away from it – but if it’s using Gears to run offline, has it gone away?

The browser sandbox limits the features on my system that Web apps have access to. That’s a pain when you want to build a better app in the browser – but it’s a security measure if you want to build a better way of attacking my system. I asked Chris Wilson of the Internet Explorer dev team if I was being paranoid – he was the one who’d raised the issue about privacy with the GPS location in Gears at the end of the session. Maybe, he suggested - but with the number of security issues it raises, Gears isn’t going to be installed by default with IE any time soon…

-Mary

On the Internet, nobody knows you’re a dog. You can put up a Facebook page, send spam, pretend to be a bank; as long as you can read distorted characters, you can leave comments on a blog under any name you choose (I’d like to see at least one Mickey Mouse commenting to this post). Passwords are well past their sell-by date but proving your identity securely matters more and more. Identity online covers everything from throwaway accounts on forums to online banking and no one system is every going to ‘win’ - but they can learn to work together.

You can buy a hard drive from any vendor you like; as long as it fits in your PC and uses a standard interface, your operating system will take care of accessing the hardware and loading the drivers, leaving you to enjoy the storage space. The identity metasystem will do the same thing for user information, identity providers and sites that accept user details in the form of information cards. The terminology comes from Microsoft, the impetus comes from a wide range of customers and the technology comes from everybody from Oracle to Sun, IBM to Novell, the Liberty Alliance to the Higgins Project. Does it all work together yet? Not quite - but the Project Concordia interoperability workshop that opened the RSA conference today was a step forward.

Not least because for the first time Sun demonstrated an information card logon that used no Microsoft software at all; Sun’s Pat Patterson showed a system using OpenSSO v1 build 4 - which Sun will ship in the summer as Federated Access Manager 8.0, with an Oracle identity provider and Novell’s identity selector to deliver the same experience of logging in with an information card as a Vista user gets on the system using CardSpace.

Microsoft showed CardSpace sending SAML 1.1 and SAML2 tokens to a WS-Federation system. Ashish Jain of Ping Identity demonstrated a system using an information card from Sun to log into Gmail, running Vista in a virtual machine on a Mac talking to a Linux system. And systems from Ping, SymLabs, FuGen and Shibbloeth talked to each other and to Sun, Oracle and Microsoft systems using WS-Federation and SAML, transferring not just the identity of the user from a managed information card provided by a trusted identity provider rather than one the user had created themselves but also information like whether the user had provided a password or a smartcard rather than just clicked on a link.

Who needs that heterogenous a system? General Motors for a start, which is why Bob Haar, an IT architect at GM was chairing the workshop along with Microsoft’s Mike Jones and Eve Maler from Sun. Jones repeated what Microsoft is hearing from customers; “Some of the more interesting business discussions have been about risk. Certainly in the automotive industry, a decision has been made that there’s both at least cost savings and possibly minimisations of risk by going to federated authentication for collaboration with suppliers. Think about how many companies are involved in building a GM automobile or a Boeing airplane; it’s mind boggling.”

Haar explained that in a little more detail. “We think the federation gives us more control in real time to monitor and control access. There are legal and contractual aspects of setting up the business relationships and supporting for activities about auditing - if there’s a question about who changed this financial data or when it came through the federated environment, we have to have systems and procedures in place to make that happen.”

Sun’s demo didn’t use any Microsoft products at all and Patterson took something of a cheap shot by apologizing to Microsoft for that. Mike Jones smiled back and said actually, Sun had given him two of his three wishes. “I said three years ago we’ll know the metasytem is succeeding when interactions occur that use no Microsoft software, where Microsoft receives no revenue and Microsoft has no idea the interaction is taking place.” Today, the point is for the companies to be talking so they can make this all work. When it does all work, Sun wouldn’t need to tell Microsoft anything to have happy customers who could use CardSpace against a system that uses Oracle to issue identity information to connect through to another system that uses ADFS to do it. Assuming ADFS could issue and understand identity beyond Active Directory…

There isn’t a name for the next version of ADFS, or a shipping date but Microsoft promises, it will issue and consume information cards. This has gone in and out of the feature list for the next version of ADFS as shipping schedules and priorities shifted, but it’s back on the table says Jones - and Visual Studio will get tools for working with identity. “We probably wouldn’t have gotten permission to show SAML2 token support in the next version of our identity server products if we were not going to put tools into deployers hands to easily build and consume these tokens. We get that until it’s easy for developers to do this, a lot won’t. We’re looking at federation and information cards not as separate things but as parts of a spectrum people can deploy as it makes sense for them.”

Standards are good, runs an old joke; that’s why we have so many of them. Whether it’s a proprietary approach that’s become popular enough to document or a philosophical difference in approaches, there’s hardly anything in technology that you can’t do in two completely incompatible ways by following different standards. What’s happening in identity is a remarkably grown-up approach to tackling a problem. When did you last see Microsoft, IBM, Sun, Novell and Oracle playing nice together without government interference? Instead of expecting to own the marketplace, all the major players are putting in the effort to get their systems working with each other and with the standards. Imagine if all the effort spent arguing about whether OOXML and ODF could both be ISO standards had gone into writing translators to move documents between the two.

But once it’s easy for a service to accept identity logons from a variety of information providers, what is the user experience going to look like? The test sites had buttons to log on with every combination of service and they exposed the debug information so you could see what was happening; real sites won’t have that. But they shouldn’t have umpteen buttons to choose which information provider I want to use either; that way madness and another set of chances to get me to do something insecure lie.

Every credit card I have has its own branding, and there are plenty of different card readers in shops, but they all have a slot I put the card into and a keypad where I type in the PIN. I don’t have to press a button saying I want to use a MasterCard or an Amex card before I start - I put in the card and the reader works it out, hides the process and asks me for the important thing, my PIN. Sites using identity should do the same thing. Don’t give me a button for OpenID or SAML or Ping or Oracle or whatever underlying identity system I’m going to use happens to be, and make me click it and then click again to pick an information card. Use the same identity selector I’m going to give you my information card in; that way your Web site doesn’t have to have five otherwise identical pages and CardSpace or the Higgins identity selector or whatever the experience is on my OS and browser can do the hard work. All I have to do is say yes, I do want to use this information card with this site and you can concentrate on building something that works better because you know who I am without either of us having to care about passwords.

Way back when consumer digital maps were new, I went in to see the Dorling Kindersley World Atlas on DVD. We were looking at the California map and I wanted to see where the Apple headquarters were. I said ‘Cupertino’ and the helpful PR said ‘OK but I thought we could finish the demo and then have lunch’. We looked at each other blankly for a little while; they’d heard a rather curt ‘cup of tea now!’ rather than a place name.

I’m not a big Facebook fan. Part of it is that I’ve seen a lot of online communities, from Usenet and the uniquely British CIX to AOL and Web forums and IRC and LiveJournal andLinked in - and the evolution of online behaviour that occurs in all of them is the same. Food fights and virtual flowers replace SIG files and ASCII art but a me-too meme is the same whether it’s plain text or fancy CSS (and don’t get me started on second life because that’s a whole ‘nother rant).

But I’m not an online Luddite. I live in email and IRC. Simon and I met online (in a virtual bar,