ReadWriteWeb

What Will Microsoft Do With Credentica?

Written by Bernard Lunn / May 3, 2008 10:00 AM / 9 Comments

Anybody following Identity/Privacy today is rooting for OpenID. They look like the good guys and they have momentum. However the purchase of Credentica by Microsoft in March was below most people's radar screens. You would need a keen interest in Identity/Privacy and Cryptography to have taken notice, and you're already rooting for OpenID, so why even look at what the Beast of Redmond is doing? This must be an evil plan to suck us all into Hailstorm 2.0, right? Maybe not.

It might be worth giving Microsoft the benefit of the doubt for a while. First, my CliffsNotes on why Identity/Privacy matters:

  1. To Publishers: You need to show Advertisers/Marketers that your audience/community has some spending power. And you need to personalize the content to make it more useful to your audience/community. You need to do both without giving out any private information that would annoy your audience/community and put them at risk of spammers and bad guys.
  2. To Advertisers/Marketers: You need to know whether the people reading/watching/listening to content have budgets to spend, without getting any private information that you might just possibly be tempted to use for some nefarious spamming campaign.
  3. To Users: There are things about you that you want to shout from the rooftops, and things you want to keep away from the eyes of people who might use them to harm you. But you also need to move around online from site to site without any registration hassle.

That was easy enough to write, but it is much more difficult to deliver. Squaring the privacy vs. personalization circle is hard. That's why nothing has yet hit the spot.

The privacy backlash has predictably got the politicians and regulators into the act. Yet, they might just make it worse. A ham-fisted regulation - most regulation related to technology is ham-fisted - would ruin the business for publishers and advertisers and probably be quite easy for the really bad guys to hack.

On top of that, some governments just love to know what all their citizens are doing and that is not always in the citizens' interests. Would you want your government as the repository of all citizen private data? ... That's what I thought!

So who would you trust? Microsoft? Hmm, they tried that with Hailstorm and had their heads handed to them. Maybe Google? After all they already know all your searches and you have to trust them not to use that to identify anything about you personally. And Google said "don't be evil" and we mostly think they included themselves in that injunction. But who knows, even good guys can be tempted or get bored and let the bad guys take over.

So the answer for most people would be "None Of The Above." Which implies that nothing will happen, the status quo will remain. But that is clearly not ideal. It means that your personal information is scattered across lots of sites, most of which will have relatively weak security, so that hackers can easily get it. Just like they did recently at Facebook.

OK, let's test that. Who would you trust to store all your private information? Please vote in the poll below.

That's why Credentica is important. Look at this 5 minute video to understand the technology. I don't know anything about cryptography, but it appears that the people who do understand it believe that Credentica is technically secure.

So then it is a question of trust. What will Microsoft do with Credentica? Which is a question that nobody has the answer to. Although I am sure many people have opinions -- and feel free to leave them in the comments. Steve Ballmer, what's the deal? What do you have planned?

Quite possibly, Microsoft is still figuring it all out. They do have somebody called Kim Cameron who has been thinking about online identity longer and deeper than most. His bio says:

"Kim Cameron is Chief Architect of Identity in the Connected Systems Division at Microsoft, where he works on the evolution of Active Directory, Federation Services, Identity Lifecycle Manager, CardSpace and Microsoft's other Identity Metasystem products.

Kim joined Microsoft in 1999 when it bought the ZOOMIT Corporation. As VP of Technology at ZOOMIT, he had invented metadirectory technology and built the first shipping product. Before that he led ZOOMIT's development team in producing a range of SMTP, X.400, X.500, and PKI products.

Kim grew up in Canada, attending King's College at Dalhousie University and l'Université de Montréal. He has won a number of industry awards, including Digital Identity World's Innovation Award (2005), Network Computing's Top 25 Technology Drivers Award (1996) and MVP (Most Valuable Player) Award (2005), Network World's 50 Most Powerful People in Networking (2005), Microsoft's Trustworthy Computing Privacy Award (2007) and Silicon.com's Agenda Setters 2007.

Kim blogs at identityblog.com, where he published the Laws of Identity."

He's Canadian, so he can't be evil... and he says he is a "strong proponent of OpenID." (As you can hear/see here.)

So it doesn't look like Microsoft is planning to replace OpenID. Perhaps they just plan to make it secure.

OpenID has the right approach with multiple providers, but as Cameron points out, it is open to abuse by hackers and ID phishers. That is where OpenID's multiple providers have a branding/trust problem. Out in the wild, who knows the difference between MyVidoop, ClickPass, and EvilPhisher? (I made that last one up.)

Credentica had/has a Java SDK. I hope Microsoft keeps this, while also offering a .Net equivalent. For many entrepreneurs the Java vs .Net decision is pretty immaterial, the decision comes down to skill availability. Keeping the Java SDK would increase trust a bit.

Microsoft will have to work hard to forge developer trust in this area. If they can win over developers they have a strong story to tell. The game will shift from just being an ID Provider to offering "secure ID" as a feature of your service. In other words, they will shift this "up the stack," which will be a threat to an ID Provider that plans to use that one feature to build a business, but maybe great for other entrepreneurs.



Comments


  • .. Maybe Microsoft isn't evil?

    Bwahahahahahahaah

    Posted by: Mikael Bergkvist | May 3, 2008 5:09 PM


  • I entirely agree with the thought that Microsoft will have to earn developer trust.

    Especially as Microsoft continues to move the goal posts on products and processes periodically in part to introduce new technologies, but in part to force more product consumption.

    And it is for this reason I think Microsoft will have to work hard to forge user trust as well ... as they've yet to prove themselves a bona-fide player in the area of open anything.

    In this case, the question looms, why not just adopt OpenID?

    I mean, how much do I really want to invest in Credentica just to have it "Vista'd" like so many other MSFT developer and user tools?

    Posted by: Mean Dean | May 4, 2008 12:45 AM


  • Microsoft might not be perfect, but they've been around for a long time now, and they generally do a good job on privacy matters. In this case, behavior history trumps the latest technology.

    Posted by: Alex Wright | May 4, 2008 5:37 AM


  • Security and Privacy over the web is becoming a big issue day by day. Maybe I will choose Yahoo! for this job, second preference will be Google! Actually Bernard, MSN is a bit difficult to understand in my opinion!

    Posted by: Siddharth | May 4, 2008 5:54 AM


  • Nice post, very informative. Thanks for sharing.

    nhick
    http://www.itrush.com

    Posted by: ITrush | May 4, 2008 7:35 AM


  • "Unlinkable in data sharing" seems interesting, in the fast arising linked data web... :-)

    Posted by: MyMesh.com | May 4, 2008 8:02 AM


  • ...very interesting write up. Thanks for shedding additional light on this topic. On a side note, OpenID is such a great idea but it's still very much in its infancy so I expect there will certainly be more to come.

    Posted by: Michael Marlatt | May 4, 2008 7:14 PM


  • "Passport" by any other name will smell just as bad. But please, go ahead and trust your online identity to the same company that bribed the Florida state congress, who were about to switch to OpenDocument, to keep using Word.

    http://www.linux.com/articles/61481

    Posted by: Todd | May 5, 2008 9:10 AM


  • Hi,

    I’m an ex-Credentica-new-Microsoft employee. I focus entirely on integrating Credentica’s U-Prove technology into Microsoft’s products and how we can open the technology to the world. I’d like to say a few things:
    • Yes, the technology is great; it enables strong authentication and data sharing, with any level of security and privacy that you may want (you can get both, without sacrificing one). And we plan to make it available as much as we can. The first goal is to integrate into CardSpace.
    • You don’t need to trust Microsoft (or anybody else) to store data. The U-Prove technology allows you to share your data from and to any location, without linking the origin and destination accounts. In real life, to prove that you are over-18 to buy liquor, you can just pull out a government-issued driver’s license, and the government doesn’t get magically notified when and where you use this data. We can do the same thing electronically.
    • You don’t need to trust Microsoft (or any other implementer) to protect the data exchange; you need to trust the protocol (the same way you trust SSL or RSA). These are public (see the book: http://www.credentica.com/the_mit_pressbook.html) and have been reviewed by the academic crypto community for more than 15 years.
    • U-Prove doesn’t displace OpenID, conventional PKI, or federation architectures. It’s a new tool that enables new use cases or improves existing systems/frameworks.
    • It won’t happen overnight. To use a naïve analogy, integrating the U-Prove technology into CardSpace is like integrating an environment-friendly technology into a car engine to reduce pollution: you need to involve the car designer (to make sure the changes don’t break anything), modify some of the engine’s pieces, modify the assembly line, modify the marketing brochures... So, we are working hard to make this happen.

    I encourage you to read Kim Cameron’s post about the acquisition: http://www.identityblog.com/?p=934, and also Stefan Brands’: http://idcorner.org/2008/03/06/microsoft-acquires-credenticas-u-prove-technology/#more-206.

    Cheers

    Christian

    Posted by: Christian Paquin | May 7, 2008 7:37 AM

