Privacy Digest

Microsoft man seeks to re-engineer the Web: "KIM CAMERON'S AMBITION is quite modest, really: he just wants to re-engineer the Internet so it has what he calls an 'identity layer'. Because: 'There is no mechanism for knowing who you're talking to.'

Cameron says he's been working toward this his whole career, but his first big splash was late last year, when he published his paper The Laws of Identity and proposals for A Privacy-Compliant Identity Metasystem (PDF). The latter is the basis of CardSpace, identification technology that is built into Windows Vista and is available for download for XP. Many sites, he says, have it in beta and it is 'beginning to ramp up'.

Cameron calls an 'identity' a set of claims. Cardspace's basic unit of authentication, instead of a user ID and password, is the Information Card, which is generated securely on the user's machine. When a site asks for authentication, the user selects (or generates) a card from a graphical display. The information held in the card isn't sent to the site; instead the card generates a security token which completes authentication. A graphical display verifies to the user who owns the site, where the underlying business is located, and so on to help the user verify that the site is genuine.

There are various controversies surrounding this idea. First and foremost is the question of why Microsoft didn't join the existing Liberty Alliance, a many-vendor attempt at the same kind of thing. When asked about this at the recent ACM conference on Computers, Freedom, and Privacy ), he said he didn't think Liberty was the same thing at all. 'It doesn't give the user their own agent under their control.'

In addition, critics ask what the threat model is (he says this information is, for now, confidential although they are considering publishing it), and what the use case is ('We feel it has to solve all use cases').
"

(Read Original Article - Via New Scientist .)