March 11, 2002
MICROSOFT AND FORMER FOE TEAM UP AS MICROSOFT CO-FUNDS PRIVATE STUDY OF THE FUTURE OF INTERNET AUTHENTICATION; WHO WILL CONTROL USER IDENTITY -- GOVERNMENT, BUSINESS, OR BOTH?
By Bill Densmore
Founder, Clickshare Service Corp.
WASHINGTON, D.C., March 11, 2002 -- Microsoft says that Stanford Law School professor Lawrence Lessig has agreed to co-chair with the company's chief technology officer a study of identity and authentication on the Internet. Microsoft will help fund the study, to be undertaken by a Washington, D.C., think tank headed by a former deputy secretary of defense.
Lessig, author of the book, "The Future of Ideas," was a court-appointed expert in the Microsoft antitrust trial. But Microsoft, at the time, challenged him as biased and he was removed. Now, the company says Lessig will work with the company to run the study of a subject which Microsoft Senior Vice President and Chief Technology Officer Craig Mundie acknowledges is likely to have profound implications for the way users' online privacy and civil liberties are handled in the future.
At issue is who will take charge of tracking user identity on the Internet -- governments, private enterprise, or both. The assumption is that business forces will require some universal way to verify the identity of Internet users for access to private documents and websites, or for purchasing, which goes far beyond the present system of passwords and repeated log-ins at each website.
The Working Group on Authentication and Identity will investigate the economic, technical and regulatory implications of identity and authentication worldwide, Mundie told an audience of about 100 people gathered on Monday [March 11] at the Center for Strategic and International Studies (CSIS), in Washington. "There will be two co-chairs, formally to help provide some guidance and operate this. I'm one of them, and Larry Lessig, a professor of law at Stanford University, quite well known on these issues around cyberspace. He and I have had a number of discussions about this and we both think it is a fascinating question and so Larry has also accepted an invitation to also be the co-chair of this."
The recipient of Microsoft's money and the manager of the Lessig-Microsoft study is the non-partisan Center for Strategic and International Studies. Its president is John Hamre, an economist, former Senate Armed Services Committee staffer and former Clinton-administration deputy defense secretary who came to CSIS two years ago.
The issue is this in a nutshell: Around the world, governments are largely in the business of providing physical authentication -- driver's licenses, passports, etc. But in the business world, there are private authenticators, too -- banks, employers, etc. The challenge: Who will be in charge of the authentication service which ties together all of the sub-authenticators on the Internet? Government(s)? Private enterprise? CSIS -- a non-profit think tank -- is taking money from Microsoft and others to produce a report by the end of the year.
-- BACKGROUND ---
I tape recorded and took copious notes today at a presentation by Craig Mundie, senior VP and CTO of Microsoft Corp., at a half-day seminar in Washington, D.C., put on by the Information Industry Association of America. Mundie announced that Microsoft would be partially funding a study on the public-policy implications of how to set up a federated authentication authority hierarchy. And he said that Stanford Univ. Law School professor Larry Lessig (the court special master in the MSFT antitrust case) would co-chair the effort with Mundie. Lessig is the author of "The Future of Ideas" book and someone I've exchanged email with.
I attended the conference because the subject, "Managing Identity and Authentication on the Internet," is exactly what Clickshare does and I wanted to make sure we were on the guest list at this sort of (FREE) event. I made sure to hook up with Jim Lewis, director, technology and public policy program at CSIS, to express our interest in helping with the thinking process on this problem.
I also sat next to Pierre De Vries, advanced product development director (email@example.com) at Microsoft, who works under Mundie (425-706-5639). Pierre demonstrated how they say version 2.0 of Microsoft Passport will work -- as one of many federated identity services that consumers will use to manage calendaring, travel arrangements, banking relationships and site access control. Interestingly, they are making it VERY CLEAR now, however, that they expect to be one among several, if not many, authenticators and that they see the need for a top-level "authenticator of authenticators" that makes competing (or collaborative) authentication services interoperable. This is the gradual shift that has been occurring in Microsoft's thinking about this problem which brings them closer and closer to the Clickshare model. But . . . they don't have the technology in place for the Clickshare model -- nobody does yet.
So I am more convinced than ever that we are sitting on technology and IP that is rapidly becoming the silver bullet that the Internet needs to "manage identity and authentication" in a federated way.
I gave Pierre De Vries my card and said: "We already have a federated authentication service in operation. You might want to look at what we're doing in the newspaper industry." He nodded his head, I thought, as if in recognition that he knew who Clickshare was. But perhaps it was just a polite nod. That was the extent of the conversation. I didn't want to go any further without policy guidance from Nell on approaching MSFT. I think it might behoove us for one of us to follow up with Pierre in some fashion in a few days just to see what level of interest (or lack) there might be.
Mundie said MSFT's goal is to make web services as reliable as the phone or electricity. He said the most basic requirement to make that happen is federated authentication. "The issue is one of authentication and not just authorizing."
"We originally created Passport as a Microsoft Network-specific function," Mundie said. But he said over the years since then, MSFT's customers have asked for "an Internet-scale authentication service providing single sign-on across multiple public sites."
How does Passport work? Mundie asked rhetorically. "It stores basic credentials that allows a user to come and authenticate . . . what does it actually store? Well, the minimum it stores is your email address . . . a maximum of 13 fields." He said Microsoft offers what he termed an "optional . . . separate service" for storing other types of data. He said "people get confused" about what Passport stores. He said the data which partners keep on their customers is not stored. "None of that partner data is stored in Passport." He was not specific about what sort of data is not stored.
He said Microsoft decided that it needed to embrace the concept of "conditional disclosure" of information controlled by the end-user. He said the company also realized that it had to participate in some "level of federation." He called that "the remaining challenge for us." He said Passport offers a "pretty low level of credentials." He said Passport was "openly accessible" and the principal issues it deals with are "access . . . use . . . and payment."
Answering a question from the audience, Mundie said he expects two-factor authentication will eventually be required for high-value services -- using things like smart cards or biometrics.
Relevant highlights of other presenters' remarks:
The functions of identity management and authentication need to be separated into two services, said Paul Barrett, CEO of Real User Corp., of Washington, D.C. "Our service will look after the user's credentials," he said. "And the other will look after the keys . . . a user's key should be at a key-storage service and should not have any identity information associated with it. In other words, that authentication service needs to be anonymous."
Daniel Burton, VP of government affairs for Entrust, of McLean, Va., asked a good question about why there is no authentication market leader yet: "There is a sense that the authentication market has not 'tipped' yet . . . how is that tipping going to occur?"
Catherine Allen, CEO, of the BITS Financial Services Roundtable organization, replied: "I think operational risks" which will create liability for boards of directors and force a tightening of Internet authentication standards.
"I'm not sure it is going to tip, at least for broad personal or citizen use," said David Nelson, a NASA administrator, who said he thought public-key infrastructure and so-called X.509 "digital" certificates were not being adopted quickly. "There are a number of approaches . . . and the way that they tip isn't clear to me." Nelson said the private sector has "commandeered" forms of public identity such as driver's licenses for private identification. "It's an open question who provides identification for private purposes [on the Internet]."
"One of the big mistakes people make about identity management is to think that they have to be centrally managed," said Gordon Eubanks, president/CEO of Oblix Corp., of Cupertino, Calif. "The cost factors and the complexity factor will kill you."
What's needed for the Internet is a standard way to pass identity information, said Arthur Coviello, president and CEO of RSA Security Inc., of Bedford, Mass. For example, he said airline websites need a way that they can partner with hotel and car-rental sites to pass user information back and forth without having to have individual contractual agreements. This is needed to bring back the one-stop convenience of the physical-world travel agent, he said. "There is nothing wrong with the concept of a single, strong identification," said Coviello. "People are already using a ubiquitous ID -- it's their driver's license."
The Liberty Alliance, of which RSA is a founding member, is a standards-development effort, not a product, said Coviello. He said the founders all concluded that whatever the Liberty Alliance comes up with has to work with Microsoft. For that reason, he said, LA and Microsoft are not mutually exclusive.
-- VERBATIM TRANSCRIPT OF MUNDIE --
Here is my transcription from the audio tape I made of the part of Mundie's remarks about the problem generally, after he finished demonstrating the future of the company's Passport system.
"The real question boils down to if you have a lot of these things how are you going to make this work. In essence you ask the question: How many Internet trust brokers will there be? And, there is an opportunity to say I'll have one or two that will help broker things between these two. In fact, if you have a small number of these things, you can set them up on a contractual basis using either international or national contract law. And you can agree on what the peering arrangements are going to be.
"But one of the reasons we decided to sponsor this work with other people here at CSIS and why I agreed to be a co-chair for this panel, for this study, is because it became clear to us that probably, technically, we could solve this problem on a worldwide basis with just a couple of companies -- two, three, some single-digit integer, could operate systems at a web scale on a world-wide basis sufficient to provide the identity mechanism for everybody on the planet and ensure that there were, you know, two or three redundant services that you could choose from. You could say the world only needs a few. There is no technological reason that there has to be a lot of these.
"But then you bump into Jim Hamre's opening remarks [Hamre is president of CSIS]. He says, "Ah, governments think that they are in the business of owning identities." And in fact lots of levels of government own identities. You've got the states who issue your driver's license. You've got the federal government who issues your social-security number and your passport for international travel. And then you have all the other countries of the world.
"And so now you sit here and look at this web services model where in the commercial world we could look at these independent set of what's called commercial trust brokers and we'd be happy to just accept all the credentials from them. But the question is, would government be happy to have those be the only credentials? And if not, then when some government decides that they want to have one, well how many governments will decide that you want to have one?
"But now you get to this question of, will a hierarchy really be necessary? Could you really do it peer-to-peer? And if not, you have to have some new governance mechanism in order to make it work. And the issue is as you scale this, you get a new problem. One of the things that teaches about this is the Domain Service, DNS, one of the core mechanisms of how the Internet works. It's that thing that gives you microsoft.com, or mundie.org or whatever your domain name and maps it down to your TCP address. And there was a fundamental issue that came up with that. DARPA paid for the original research work and built the first Internet and as it became operational, the ownership and control of the domain name service was here with the Department of Commerce. And they operated it for the benefit of everyone in the world, pretty much in a completely even-handed way. Some people say they gave too many addresses to people in the United States, but that aside it was pretty even handed.
"But people started to complain about the fact that now we had this thing called the Internet with the trans-national mechanisms and we don't like the idea that the Dept. of Commerce of the United States seems to have ultimately the unilateral control over how the domain name service will work in the future. So they decided to create some new governance mechanism. And so a grand experiment, you could say, is in process now. It is something called ICANN -- the International Corporation for the Assignment of Names and Numbers. And the goal there was to create a non-governmental, but international corporate governance mechanism with a board of directors and voted representatives. You could say it is sort of like a commercial United Nations for DNS. Now this has actually not gone super smoothly. So despite the best efforts of a lot of smart people in thinking about it, it isn't clear that you could just hold that up and say, "This is the obvious answer for how you solve trans-national infrastructure governance questions."
"Well guess what? We have this problem again. But in fact we have it in a bigger way than DNS. Of course you want it all to be simple, so it is just like [unintelligible] you can just click, click, click around no big problem. Therefore you have to have a bunch that it will take. Well how many of those do you really want? The technical feasibility of dealing with a small number is really good. But is everybody going to agree a priori on a way to exchange information about these things? Is in fact everybody going to agree on what a particular credential represents, or how much work was done to authorize it? Or to identify yourself in its create?
"And then you have this little problem, it's part technological, and I contend is ultimately the real problem in governance, which is anything that is connected like this is an N-squared problem. What that means is every time you add one, you know, nominally the common [unintelligible] the number of people that have to talk to each other goes by the square of the number of things that you have. So whether, you know, it is me, I just talk to me. If I go to Pierre, and say let's have a conference, we'll just sit down and negotiate it well now it's just one dialog, so it is 2-1 squared is one. But if I add a third person, now you are up to four possible discussions that you have to have. And when I add a fourth one I have eight. As these things get bigger and bigger, how can you set it up and how do you run it?
"And so while we have tremendous evolution in the technology, we don't have similarly rapid evolution in international governance for web infrastructure. And in fact now we have this other problem that we didn't have much before which is we have the parallel creation of these things between government and commercial enterprises. And interestingly, commercial enterprise is already doing it in a completely trans-national way. Passport's 200 million users -- they are in all the countries of the world. And the governance there is essentially just the end-user agreements you sign when you become a Passport user. And it operates under U.S. law, but essentially other than that, there is no governance mechanism and it works in all the countries of the world. And anybody on the web can choose to accept that credential if they choose.
"So the question is, if governments are going to get into the act, how many will get into the act. Well let's say there are just three companies who decided to offer this at web scale, and you say, "OK, that's nice, that would be manageable, we only have four contracts, negotiated bi-laterally." But let's say that the top 20 countries all decided to get into the act and they had to have a national identity and they want to have in there. Well now you have too many to negotiate and who do you negotiate with in each government and do the governments all agree? We know it's hard for governments to agree on things.
"So it gives us a big problem. We have a necessary interaction now between the role of government and the role of business in creating trans-national identity systems and yet you have the sovereignty questions within each one of these nations.
"So, these are very difficult problems and it's why I am happy to have CSIS taking this up. And in fact they are taking it up at a very opportune moment. After Australia, I went to Japan and when I got to Japan I was talking to people in the government there, the federal government, who said, "Oh, by the way, by late this summer we think we want to announce that we want to have a Japanese online identity system and we're trying to figure out how do we do that." And I think that everywhere you go now, governments are starting to realize that they have to do something. At least they need the equivalent of your passport in some on-line representable.
"So it seems almost inevitable, which is why we agreed to help fund and participate in this study here, that in fact the governments are going to come down this path, they aren't going to know what to do when they get there and, ideally, we would like to have a policy statement that they can look at from some people who are thoughtful to say, "Look, here's the problem, here are the issues and here is how you guys ought to work on this issue together." So there are many, many questions to study -- commercial issues, privacy issues, civil-liberty issues, security implications, that we have a requirement for incredibly broad deployment and very rapidly. We don't know what the organizational model is; we know things like ICANN, probably at least as it was done, may not be the answer. We don't know what other legal, regulatory or administrative measures are needed in any countries even if they wanted to bring these into a harmonized way.
"And today, we don't even have enforcement mechanism. That's one of the biggest problems we're having in the security world today. It's not only that we don't have great identity. But even if you wanted to enforce something, there is no uniform way to do that. The treaties in many cases of extradition are not uniformly rich enough to deal with these types of problems even if you wanted to go prosecute 'em in your own country. We have public-private partnerships and now in a much, much greater level than we've had in the past. How do you set all this up internationally?
"So this Project on Identity is basically a goal to look into and investigate these issues around economic, technical and regulatory implications of identity and authentication on a trans-national basis. There will be two co-chairs, formally to help provide some guidance and operate this. I'm one of them, and Larry Lessig, a professor of law at Stanford University, quite well known on these issues around cyberspace. He and I have had a number of discussions about this and we both think it is a fascinating question and so Larry has also accepted an invitation to also be the co-chair of this. So we look forward to working with CSIS and any other folk in trying to get some [unintelligible.] I think there is some real-time urgency both because of the operational need and because governments are awakening to their future role in this space and they I think can be guided if we give them a good policy document. So I look forward to working with everybody. Thanks for coming."
--- END OF TALK / END OF TRANSCRIPT --