Solving the minimum disclosure problem: The significance of Claims based Identity system

claims based identity model.jpg

I first saw this initiative at Kim Cameron’s Identity blog where he talks of Microsoft’s announcement at the RSA conference about Minimal Disclosure, End to End trust and Claims based Identity system.

The service has been implemented in Germany in partnership with Fraunhofer FOKUS – who are good friends (I have been invited to speak at FOKUS events for a few years now and I highly recommend it for some cutting edge thinking).

The initiative is significant since it is addresses a problem which we are facing increasingly but are not addressing adequately.

There are two scenarios:

Firstly, we are all users of online services. Each of these services want us to provide our credentials. Thus, users are giving up their credentials at many places which is a problem (password protection, phishing etc). On the other extreme, many services are ‘free’ and in return, they want us to provide personal information for behavioural targeting, which is also a problem in the long term.

Claims based Identity systems and the principles of minimum disclosure potentially provide a third way and hence they are significant.

The overall goal is: to enable citizens to use their electronic identity cards as the basis for accessing online services with minimal disclosure of information for both Cloud services and offline services.

Read Write Web/Kaliya Hamlin also cover the same announcement when they say that:

Anonymity and verified Identity are at the opposite ends of the spectrum. Customers have to balance between these two elements. The verified Identity is easier. In many cases, customers need to also maintain anonymity and there are many cases where the verified Identity is not needed.

It seems like the two ends of this spectrum can’t go together. You can’t be anonymous and verify yourself by sharing all of the details on a credential from a government issuer who has asserted they have checked these things are true.

Microsoft demonstrated today how you can achieve anonymity and identity verification together at the same time, giving you verified anonymity. This technology (that relies on some pretty complex cryptography) lets you prove things without giving away too much information about yourself.

For example:

• Proving you are over 21 without giving away your actual birth date

• Proving you live in a certain congressional district and are a registered voter but not having to give away your name or address

• Proving you are a kid at a middle school in San Jose without giving away which school or which grade you attend

Behind this goal is the vision of Claims based Identity model.

We are moving away from rigid, closed identity systems to a more open Identity system where the concepts of authentication and authorization are unified. This shifts the focus to the user who present claims that indicate who they are and what they want to do in order to gain access to services. The move is slowly gaining momentum especially in a world dominated by Cloud based services.

The claims-based model has three components : the relying party, which needs the claim to decide what it is going to do; the identity provider, which provides the claim; and the user, who decides what if any information they want to provide. Claims can contain static information such as birth date, relationship-based information such as group membership or derived claims that make general assertions such as the user is over 21 years of age. There are also meta-claims about how information was verified, such as in-person registration, or how it was issued. The model also incorporates a Veto power for claims instead of domains implicitly trusting one another.

Other systems like SAML2 and WS-Trust address some of these goals but not holistically as a usable system.

In this scenario, as has happened with the German government, the government could play a role in the providing trusted services for the Cloud. The government already provides some form of identifier(such as a passport). But passports and other mechanisms are not readily usable for more mundane services (like borrowing a book, registering in a course or renting a video). Thus, the claims based model ensures that the provider (ex hospital) is not in the business of authenticating the credentials

To encourage broad community evaluation and input, Microsoft announced it is providing core portions of the U-Prove intellectual property under the Open Specification Promise, as well as releasing open source software development kits in C# and Java editions.

In a cloud computing world, we are likely to see this requirement in increasing number of cases and it is also relevant for governments

Definitely one to watch

Image source : wadewegner.com

Comments

  1. Kim Cameron says:

    Good to see you explaining that privacy and verification are not polar opposites. Your explanation puts it simply and clearly – hard to do. I look forward to further conversation. Kim

  2. Ajit Jaokar says:

    Many thanks for your comments Kim kind rgds Ajit