Newsmaker: Ending Microsoft's identity crisis

SAN JOSE, Calif.--If Microsoft needs a lesson on how to do identity management wrong, it needs only look at its past.

With Passport, Microsoft had exactly the wrong approach as the software maker needlessly stepped between businesses and their customers--so says Kim Cameron, the identity expert who leads Microsoft's current effort, known as InfoCard.

Microsoft Chairman Bill Gates on Tuesday touted InfoCards as one of the technologies that could finally help cement the death of the username and password as the means of verifying identity on the Internet.

related coverage
RSA: Consumer trust and the government's thrust

Without e-tail security, Americans may dump their Net-buying habits. Meanwhile, the U.S. works to batten down its hatches.

But before InfoCard can supplant anything, Microsoft will have to line up Web sites to use it, banks and credit card companies to support it and then get consumers to buy in, too. Cameron sat down with CNET News.com this week to talk about InfoCard, how it works and what Microsoft needs to do to make sure it doesn't whiff again.

Q: What makes this attractive to others--to, say, Web site owners?
Cameron: When you first go to a Web site, their mantra, somebody told me, is "acquire, acquire, acquire." I didn't know what that meant. But what that means is: Get that customer relationship going. At that moment, a lot of people will want to accept any InfoCard they can, then later, they get pickier. For example, if you want to buy something they will probably want something from a credit card company or a bank.

It's a bit of a chicken and egg thing. How do you guys get enough of the right people on board, build enough of an ecosystem?
Cameron: One of the things is people don't have to throw out their current authentication mechanism for InfoCard. And you don't have to change much at your site. It's just one very small component of the site that changes. The rest of the site all just stays the same. So, the investment required is small. And it becomes easier to acquire (new customers).

What it is, is a visualization and a way of contacting the identity provider. You can't go and steal the InfoCard. I mean if you did, it wouldn't give you anything.

Now the question is: "Can we as Microsoft put together the right partnerships?" It?s hard. I've never worked on anything this hard, but the payoff is huge if it can be done. Then the question is: "Does the industry want to do it?" Microsoft can't do it by ourselves. Nobody can do it by themselves.

If I'm a user of Vista (the next version of Windows). How do I get an InfoCard. Is it something that is just there?
Cameron: A self-issued one you create yourself. If you get one, say from your bank, you go to your bank's Web site and you double click on it. It will give you your InfoCard--you might have to enter a one-time password or something that they have given you. It just appears in your InfoCard collection. You go through the verification process and it will appear in your InfoCard collection.

Is it limited to Internet Explorer. You have talked about it being implemented in the browser, but is it limited to that?
Cameron: It's not implemented to the browser. It?s integrated with the browser. The browser uses it, but it's an underlying platform service. Mozilla can use it just as well as IE (Internet Explorer). That's key. If that isn't the case, it just won't get the reach that we need.

It seems like the intent is for there to be multiple and compatible things there, a mechanism that keeps it so that when Apple does it, it's compatible with InfoCard?
Cameron: This is the nice thing. It's built on these standards that a lot of companies have adopted, Web services standards. It's really a precise collection of standards--WS-Trust, WS-Security, WS-Security Policy.

What about the whole Liberty Alliance specification?
Cameron: This is not positioned against Liberty. I am an admirer of Liberty. Liberty has done a lot of great things around policy, leadership on federation. This is something that a Liberty-enabled site can use for interacting with their customers.

Now, in terms of WS standards and Liberty, currently Liberty runs on the SAML (Security Assertion Markup Language) protocol, and WS standards are slightly different, although they share components. We're also working to try and align those things. But those things don't impact InfoCard.

More Newsmakers

[Earl Benser]

What did he say??????

A whole lot of words, but nothing that would suggest that the
InfoCard has any better security than a password. It seems that
if someone got ahold of my InfoCard or one of my InfoCards, or
Whatever, no one on the other end would it wasn't me.

I think that MS is going to have to do a monumentally better
selling job that this poor interview does.

ABout the only thing I read that held water was MS admitting
that Passport was a damn fool idea. Good intentions and no
follow though.

[NWLB]

I think, maybe, he could have been saying...

Well it sounds like Passport II. Microsoft has been getting into the habit of renaming failed ideas and trying them again.

It seems like a bad joke. Some kind of attempt to get back control they feel they have lost. To use this thing they are talking about, I would have to trust Microsoft, believe they have created a generally bug-free and secure service or program. Then I'd have to believe they won't turn around and use my adopting it, to force me to use it their way, or spend money to keep it. Since I can't do or believe any of that, I'll take a big pass on the idea.

The more they trot out these talking heads to babble about things which even they don't understand, the less credible the entire company appears.

[scdecade]

Slow down JA

Wait just a minute here. Slooooow down. First, and before anything else, Microsoft needs to make a stable, secure operating system. Stable? C+ (too many reboots for trivial tasks) Secure? F- (horrible, just horridly horrible). Now would I buy or use a new security product from this company? No freakin' way. They need to get Windows secure first.

[Deborah Mitchell]

Thanks, but no thanks...

I don't think the public wants this sort of technology. Not from
Microsoft, not from Google, not from anyone.

[Zeus, Son of Cronus]

Talking?!?

Fear me mortals

[abualsamid]

what does that mean??

i have no idea what Infocard is, and after reading the article i did not gain a grain of knowledge as to what it is...
if this is how they are going to end their identity crisis then i better start shorting the stock...

interviewer needs a lesson in journalism.

[mozart11]

Info-cards. What info. No infor from Microsoft speak.

Has anybody understood one thing Microsoft has said for the
last year or more? Gates, Balmer and this guy. They all speak
some language that says absolutely nothing. They talk like
they're in tune with innovation and produce NOTHING. I truly
belive this company is so rudderless. Getting beat left and right.
Google, Amazon and Apple.

Info-cards? Another item they "explain" by saying nothing. Who
would tgrust their info based on this article?

[OneWithTech]

Wheres the security in InforCards

I just finished the interview and was wondering if Microsoft
could actually answer the real question being asked here. How is
the InforCard security differ from that of say -- server
certificates that allow authentication?

As my InfoCard deck builds and E-Com sites come and go how
can I ensure that InfoCard will remain a secure alternative?

Will InfoCard be subject to phishing and web site spoofing?

I ask these questions as a web developer / designer, computer
repair man, marketeer and media guru; with an interest on how
you, Microsoft, plan on accomplishing a feat like this when the
very operating system and browser that will be powering this
feature is severely FLAWED!

It is a proven fact that you can't build a stable software package
against an unstable software base. So how does Microsoft plan
on alleviating this problem?

As a person that writes copy and has some marketing
background I could answer all of those questions posted in this
article without ever seeing InfoCard! Why don't you release some
viable, valid, information on the workings of InfoCard?

Where is the Information that we as users and media can use to
ensure that InforCard will do as stated in the article. Because
frankly we as a Tech society have heard and seen so much
******** from Microsoft over the years -- how is this any
different?

These are only some of the questions. The rest of them we'll
have to answer at www.TechViewsToday.US in time!
~Justin

[OneWithTech]

Wheres the security in InfoCards

I just finished the interview and was wondering if Microsoft
could actually answer the real question being asked here. How is
the InforCard security differ from that of say -- server
certificates that allow authentication?

As my InfoCard deck builds and E-Com sites come and go how
can I ensure that InfoCard will remain a secure alternative?

Will InfoCard be subject to phishing and web site spoofing?

I ask these questions as a web developer / designer, computer
repair man, marketeer and media guru; with an interest on how
you, Microsoft, plan on accomplishing a feat like this when the
very operating system and browser that will be powering this
feature is severely FLAWED!

It is a proven fact that you can't build a stable software package
against an unstable software base. So how does Microsoft plan
on alleviating this problem?

As a person that writes copy and has some marketing
background I could answer all of those questions posted in this
article without ever seeing InfoCard! Why don't you release some
viable, valid, information on the workings of InfoCard?

Where is the Information that we as users and media can use to
ensure that InforCard will do as stated in the article. Because
frankly we as a Tech society have heard and seen so much
******** from Microsoft over the years -- how is this any
different?

These are only some of the questions. The rest of them we'll
have to answer at www.TechViewsToday.US in time!
~Justin