Microsoft man seeks to re-engineer the Web

KIM CAMERON'S AMBITION is quite modest, really: he just wants to re-engineer the Internet so it has what he calls an “identity layer”. Because: “There is no mechanism for knowing who you're talking to.”

Cameron says he's been working toward this his whole career, but his first big splash was late last year, when he published his paper The Laws of Identity and proposals for A Privacy-Compliant Identity Metasystem (PDF). The latter is the basis of CardSpace, identification technology that is built into Windows Vista and is available for download for XP. Many sites, he says, have it in beta and it is “beginning to ramp up”.

Cameron calls an “identity” a set of claims. Cardspace's basic unit of authentication, instead of a user ID and password, is the Information Card, which is generated securely on the user's machine. When a site asks for authentication, the user selects (or generates) a card from a graphical display. The information held in the card isn't sent to the site; instead the card generates a security token which completes authentication. A graphical display verifies to the user who owns the site, where the underlying business is located, and so on to help the user verify that the site is genuine.

There are various controversies surrounding this idea. First and foremost is the question of why Microsoft didn't join the existing Liberty Alliance, a many-vendor attempt at the same kind of thing. When asked about this at the recent ACM conference on Computers, Freedom, and Privacy ), he said he didn't think Liberty was the same thing at all. “It doesn't give the user their own agent under their control.”

In addition, critics ask what the threat model is (he says this information is, for now, confidential although they are considering publishing it), and what the use case is (“We feel it has to solve all use cases”).

It's been a long road to this point. Cameron, a Canadian, fell into computing while studying physics and mathematics at Dalhousie University in Halifax, Nova Scotia. He added an MA in sociology at the University of Montreal - and then quit before writing his doctoral dissertation to join a rock band called Limbo Springs. A bout of teaching led him into a private company where, in the early 1980s, he built an email system called Zoomit, based on the old X.400 standard.

The addresses, he says, were “frightening” - and made the need for directories “self-evident”. Building those was his next project. And that's where he first came up against the idea of the central authority that everyone would use for everything. Imagine that: it would be incredibly slow, it would be incredibly expensive - but it would be spam-free.

“By this time, I thought it's not human nature. It's a multi-centered world. People will be using a bunch of different directories forever. We need to accept it.” He developed a technology called metadirectory, trying to solve the problem of keeping information accurate across different directories while allowing everyone autonomy. That was, he says, the technology that Microsoft bought in 1999. He arrived in Redmond in time to watch the centralised idea play itself out again in Passport Microsoft's Internet-wide single sign-on service.

“It seemed a lot simpler,” he says. “You have a single place where you give everybody an identity.” Indeed - provided that everyone is willing to let Microsoft own their identity. Unsurprisingly, many people weren't - but it wasn't the total failure people think.

Says Cameron, “Passport does a billion authentications a day for Hotmail and so on. It has 300 million active users. So if you go to the Passport guys and say it wasn't a good idea, they say, ‘I do a billion authentications a day. How many do you do?'”

Even so, it isn't the direction Cameron thinks is the right one. “It didn't have the quality of being part of a wider identity system.” µ