Anybody following Identity/Privacy today is rooting for OpenID. They look like the good guys and they have momentum. However the purchase of Credentica by Microsoft in March was below most people's radar screens. You would need a keen interest in Identity/Privacy and Cryptography to have taken notice, and you're already rooting for OpenID, so why even look at what the Beast of Redmond is doing? This must be an evil plan to suck us all into Hailstorm 2.0, right? Maybe not.
It might be worth giving Microsoft some benefit of doubt for a while. First, my CliffsNotes on why Identity/Privacy matters:
That was easy enough to write, but it is much more difficult to deliver. Squaring the privacy vs. personalization circle is hard. That's why nothing has yet hit the spot.
The privacy backlash has predictably got the politicians and regulators into the act. Yet, they might just make it worse. A ham-fisted regulation - most regulation related to technology is ham-fisted - would ruin the business for publishers and advertisers and probably be quite easy for the really bad guys to hack.
On top of that, some governments just love to know what all their citizens are doing and that is not always in the citizens' interests. Would you want your government as the repository of all citizen private data? ... That's what I thought!
So who would you trust? Microsoft? Hmm, they tried that with Hailstorm and had their heads handed to them. Maybe Google? After all they already know all your searches and you have to trust them not to use that to identify anything about you personally. And Google said "don't be evil" and we mostly think they included themselves in that injunction. But who knows, even good guys can be tempted or get bored and let the bad guys take over.
So the answer for most people would be "None Of The Above." Which implies that nothing will happen, the status quo will remain. But that is clearly not ideal. It means that your personal information is scattered across lots of sites, most of which will have relatively weak security, so that hackers can easily get it. Just like they did recently at Facebook.
OK, let's test that. Who would you trust to store all your private information? Please vote in the poll below.
That's why Credentica is important. Look at this 5 minute video to understand the technology. I don't know anything about cryptography, but it appears that the people who do understand it believe that Credentica is technically secure.
So then it is a question of trust. What will Microsoft do with Credentica? Which is a question that nobody has the answer to. Although I am sure many people have opinions -- and feel free to leave them in the comments. Steve Ballmer, what's the deal? What do you have planned?
Quite possibly, Microsoft is still figuring it all out. They do have somebody called Kim Cameron who has been thinking about online identity longer and deeper than most. His bio says:
"Kim Cameron is Chief Architect of Identity in the Connected Systems Division at Microsoft, where he works on the evolution of Active Directory, Federation Services, Identity Lifecycle Manager, CardSpace and Microsoft's other Identity Metasystem products.
Kim joined Microsoft in 1999 when it bought the ZOOMIT Corporation. As VP of Technology at ZOOMIT, he had invented metadirectory technology and built the first shipping product. Before that he led ZOOMIT's development team in producing a range of SMTP, X.400, X.500, and PKI products.
Kim grew up in Canada, attending King's College at Dalhousie University and l'Université de Montréal. He has won a number of industry awards, including Digital Identity World's Innovation Award (2005), Network Computing's Top 25 Technology Drivers Award (1996) and MVP (Most Valuable Player) Award (2005), Network World's 50 Most Powerful People in Networking (2005), Microsoft's Trustworthy Computing Privacy Award (2007) and Silicon.com's Agenda Setters 2007.
Kim blogs at identityblog.com, where he published the Laws of Identity."
He's Canadian, so he can't be evil... and he says he is a "strong proponent of OpenID." (As you can hear/see here.)
So it doesn't look like Microsoft is planning to replace OpenID. Perhaps they just plan to make it secure.
OpenID has the right approach with multiple providers, but as Cameron points out, it is open to abuse by hackers and ID phishers. That is where OpenID's multiple providers have a branding/trust problem. Out in the wild, who knows the difference between MyVidoop, ClickPass, and EvilPhisher? (I made that last one up).
Credentica had/has a Java SDK. I hope Microsoft keeps this, while also offering a .Net equivalent. For many entrepreneurs the Java vs .Net decision is pretty immaterial; it comes down to skill availability. Keeping the Java SDK would increase trust a bit.
Microsoft will have to work hard to forge developer trust in this area. If they can win over developers they have a strong story to tell. The game will shift from just being an ID Provider to offering "secure ID" as a feature of your service. In other words, they will shift this "up the stack," which will be a threat to an ID Provider that plans to use that one feature to build a business, but maybe great for other entrepreneurs.
Comments
.. Maybe Microsoft isn't evil?
Bwahahahahahahaah
I entirely agree with the thought that Microsoft will have to earn developer trust.
Especially as Microsoft continues to move the goal posts on products and processes periodically in part to introduce new technologies, but in part to force more product consumption.
And it is for this reason I think Microsoft will have to work hard to forge user trust as well ... as they've yet to prove themselves a bona-fide player in the area of open anything.
In this case, the question looms, why not just adopt OpenID?
I mean, how much do I really want to invest in Credentica just to have it "Vista'd" like so many other MSFT developer and user tools?
Microsoft might not be perfect, but they've been around for a long time now, and they generally do a good job on privacy matters. In this case, behavior history trumps the latest technology.
Security and Privacy over web is becoming a big issue day by day. Maybe I will choose Yahoo! for this job, second preference will be Google! Actually Bernard, MSN is a bit difficult to understand in my opinion!
Nice post, very informative. Thanks for sharing.
nhick
http://www.itrush.com
"Unlinkable in data sharing" seems interesting, in the fast arising linked data web... :-)
...very interesting write up. Thanks for shedding additional light on this topic. On a side note, OpenID is such a great idea but it's still very much in its infancy so I expect there will certainly be more to come.
"Passport" by any other name will smell just as bad. But please, go ahead and trust your online identity to the same company that bribed the Florida state congress, who were about to switch to OpenDocument, to keep using Word.
http://www.linux.com/articles/61481
Hi,
I’m an ex-Credentica-new-Microsoft employee. I focus entirely on integrating Credentica’s U-Prove technology into Microsoft’s products and how we can open the technology to the world. I’d like to say a few things:
• Yes, the technology is great; it enables strong authentication and data sharing, with any level of security and privacy that you may want (you can get both, without sacrificing one). And we plan to make it available as much as we can. The first goal is to integrate into CardSpace.
• You don’t need to trust Microsoft (or anybody else) to store data. The U-Prove technology allows you to share your data from and to any location, without linking the origin and destination accounts. In real life, to prove that you are over-18 to buy liquor, you can just pull out a government-issued driver’s license, and the government doesn’t get magically notified when and where you use this data. We can do the same thing electronically.
• You don’t need to trust Microsoft (or any other implementer) to protect the data exchange; you need to trust the protocol (the same way you trust SSL or RSA). These are public (see the book: http://www.credentica.com/the_mit_pressbook.html) and have been reviewed by the academic crypto community for more than 15 years.
• U-Prove doesn’t displace OpenID, conventional PKI, or federation architectures. It’s a new tool that enables new use cases or improves existing systems/frameworks.
• It won’t happen overnight. To use a naïve analogy, integrating the U-Prove technology into CardSpace is like integrating an environment-friendly technology into a car engine to reduce pollution: you need to involve the car designer (to make sure the changes don’t break anything), modify some of the engine’s pieces, modify the assembly line, modify the marketing brochures. So, we are working hard to make this happen.
I encourage you to read Kim Cameron’s post about the acquisition: http://www.identityblog.com/?p=934, and also Stefan Brands’: http://idcorner.org/2008/03/06/microsoft-acquires-credenticas-u-prove-technology/#more-206.
Cheers
Christian