Related link: http://www.microsoft.com/presspass/features/2002/jul02/0724palladiumwp.asp

Security is important: authentication, authorization and encryption are the cornerstones of secure and reliable communication and commerce. Standards for digital identity, once finalized, will contribute to the next Internet-driven productivity boom, as business processes that have yet to be brought effectively on-line will continue to streamline enterprise operations. A pervasive digital identity is the key to a huge range of productive applications. But to realize these benefits without giving up ground already gained, we need a system that serves users rather than vendors.

Last month I went down to TechX NY (previously known as PC Expo), where Intel and IBM were showing off a dedicated security chip that integrates PKI, data encryption and access control at the hardware level. This functionality is a real win for corporate IT departments who want to take a centralized approach to security and strong encryption. It’s also a nice potential boost for both IBM and Intel, who get to sell a lot more computers into large corporations (since integrated security chips can’t be added after the fact). The demo didn’t work perfectly, but there’s definitely some promise to the technology, and it’s available now.

Around the same time we started to hear about Microsoft’s Palladium, which, although it will also incorporate a hardware component, is something else entirely. For those who haven’t been following it closely, I’ve included a link (above) to Microsoft’s white paper on the subject. Palladium proposes to provide the same benefits within corporate IT departments, which is all well and good. The white paper, though, also alludes to the “millions of people [who] simply avoid some online transactions out of fear.” I’m not sure whether or not that’s even true, but it’s not a problem that can be solved by centralizing identity management. Now, to Microsoft’s credit, that’s not what they’re proposing with this particular software, at least not yet. But the user has to grant Microsoft an unprecedented level of trust anyway.

Source code for the trusted layer will be published and externally validated, but I haven’t found any announcements regarding how this will actually be done. There’s no reason, other than corporate profits and Windows platform lock-in, not to make any security specification along these lines completely open. The authentication, after all, comes from the hardware and the mathematics of public-private key encryption, not from the obscurity of the implementing software. I’d be much more comfortable if I could plug in my own trusted components according to my own needs, and I suspect most IT customers would as well. And needless to say, I’d like to be able to implement the server components and integration in non-Microsoft languages (particularly Java) on non-Microsoft operating systems.

Almost indirectly, the white paper raised another disturbing issue: step-wise pricing based on the level of personal information the user is willing to give out. In figure 3, a vendor requests a user’s name, Social Security Number and credit card information for a $100 purchase. The Palladium software informs the site that it is only authorized to provide name and credit card information, at which point the price goes up to $102. There’s nothing wrong with this in principle. In fact, my academic background is as an economist, and as a result I have a pronounced weakness for free market arguments. If someone wants to sell their social security number for a few dollars, then there’s no reason to prevent them from doing so. Still, given how often smart people do give away extremely sensitive information for next to nothing (doctors, for instance, frequently include their Social Security Numbers, and often their Drug Enforcement Agency controlled substance ids, on their curriculum vitae), no system will be a panacea: effective use requires further public education about the risks and rewards of distributing particular kinds of information. Hopefully users will begin to put realistic valuations on their own identity.
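The figure 3 scenario is, at bottom, a policy decision made on the user's side: the merchant names the attributes it wants and what each is worth to it, and the user's agent releases only what a standing policy permits, with the merchant's price adjusting to what was withheld. The following is an added illustration of that negotiation, written for this page; it is not Palladium code and not taken from Microsoft's white paper. The attribute names, the $102 list price and the $2 value placed on the Social Security Number are constructed to reproduce the figure's numbers, and the `AttributeTerms`/`negotiate` names are this example's own. The one point the paper's figure glosses over is handled explicitly: the agent checks every required attribute against the policy before releasing anything, so a declined transaction discloses nothing at all.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeTerms:
    """How a merchant values one requested attribute (hypothetical model)."""
    required: bool          # the merchant will not transact without it
    discount_cents: int     # price reduction granted if the user releases it


@dataclass
class VendorRequest:
    """Merchant's offer: a list price plus terms for each attribute it wants."""
    list_price_cents: int
    terms: dict  # attribute name -> AttributeTerms


@dataclass(frozen=True)
class NegotiationResult:
    accepted: bool
    price_cents: int
    disclosed: frozenset   # attributes actually released to the merchant
    withheld: frozenset    # attributes the policy refused to release


def negotiate(releasable, request):
    """Apply the user's disclosure policy to a merchant's request.

    `releasable` is the set of attributes the user's agent is allowed to hand
    out; anything else is withheld. The check for required attributes runs
    first, so a declined transaction releases nothing. Optional attributes
    that are withheld simply forfeit their discount, which is how the $100
    purchase in the white paper's figure becomes $102 without the SSN.
    """
    withheld = frozenset(a for a in request.terms if a not in releasable)
    missing_required = [a for a in withheld if request.terms[a].required]
    if missing_required:
        return NegotiationResult(False, 0, frozenset(), frozenset(request.terms))

    disclosed = frozenset(a for a in request.terms if a in releasable)
    price = request.list_price_cents - sum(
        request.terms[a].discount_cents for a in disclosed)
    return NegotiationResult(True, price, disclosed, withheld)


# Constructed sample mirroring figure 3: $102 list price, SSN optional and
# worth a $2 reduction, name and card details mandatory for the purchase.
FIGURE3_REQUEST = VendorRequest(
    list_price_cents=10200,
    terms={
        "name": AttributeTerms(required=True, discount_cents=0),
        "credit_card": AttributeTerms(required=True, discount_cents=0),
        "ssn": AttributeTerms(required=False, discount_cents=200),
    },
)

# Constructed user policies (hypothetical): what each agent may release.
POLICY_NO_SSN = frozenset({"name", "credit_card"})
POLICY_ALL = frozenset({"name", "credit_card", "ssn"})
POLICY_NAME_ONLY = frozenset({"name"})


if __name__ == "__main__":
    for label, policy in (("withholds SSN", POLICY_NO_SSN),
                          ("releases all", POLICY_ALL),
                          ("name only", POLICY_NAME_ONLY)):
        r = negotiate(policy, FIGURE3_REQUEST)
        print(f"{label:13s} accepted={r.accepted} price=${r.price_cents / 100:.2f} "
              f"disclosed={sorted(r.disclosed)} withheld={sorted(r.withheld)}")
```

Prices are kept in integer cents so the arithmetic is exact, and the result records what was withheld as well as what was released, which is the minimum a user needs in order to put the "realistic valuation" on their identity that the paragraph above asks for.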

There are no two ways about it: pervasive identity systems are dangerous. I think that centralization of standards is supreme good sense. But I’m much less confident about centralization of implementation.

What do you think?