On March 6th, almost a month ago, Microsoft announced its acquisition of Montreal based Credentica, a technology leader in the online digital privacy area. It’s been almost a month, but the dust won’t settle. Most analysts including KCP agree that Microsoft has managed a master coup in snapping up all patents and rights to this technology. But there are fears in the industry that Microsoft could effectively try to use this technology to enrich its own platform whilst impeding interoperability by making the technology unavailable. These fears are likely to turn out to be unfounded, but Microsoft isn’t helping to calm the rumour mill – no statements are being made for the time being to clarify its intentions.
Credentica was founded by Stefan Brands, and has developed a patented technology called U-Prove. This technology employs cryptography and multiparty privacy features to enable “minimum disclosure”. The technology has been around for many years, but has recently become very hot due to the increasing importance of privacy, and user centric identity systems.
Hot technology
Using U-Prove technology, it is possible for users to prove specific facts about them without having to give away other details. In the words of Stefan Brands:
Let's say you get a protected token from an IdP, and the token states your date of birth, citizenship, and birth name. When presenting the token, you can not only (unconditionally!) hide any of these three attributes from the RP, but you can also prove properties about them without revealing anything else. For example, instead of revealing your encoded date of birth you can prove you are over 18 years of age without revealing it; prove that you are a European citizen without revealing your country of citizenship, and prove that your birth name is not specified on a list of terrorists (without revealing your name itself).
As soon as the acquisition was announced, we were briefed by Stefan Brands and Doug Leland, General Manager of Microsoft’s Identity and Access Group. You could sense the upbeat atmosphere; it was evident that everybody was thrilled about the acquisition. According to Microsoft, the U-Prove fits very well with the overall strategy. Microsoft believes that it plays a significant role with respect to privacy and sees it “as its duty to provide leadership”.
Microsoft – a leader in the privacy arena?
Microsoft had been heavily criticised not too long ago because exactly of what many saw a disrespect for privacy. The mandatory product activation, introduced with Windows XP has drawn the ire of many users and online privacy advocates. Its Passport initiative, originally meant to be a single sign-on service for web commerce, has turned out to be a fiasco, drawing fire from many advocates of online privacy.
On top of this, Microsoft’s steady refusal to publish its intrinsic protocols and formats in order for third parties to interoperate with some of its intrinsic technology have not just drawn criticism, but a full-blown lawsuit by the European Commission, paired with painful fines that have been slapped on for non-compliance of the Commission’s rulings. Previously, Microsoft’s self-described “embrace and extend” method was commonplace - to use existing standards and extend them slightly in order to add additional features – but at the same time be incompatible with the rest of the world, such as its “NT Security Token” implementation of the Kerberos standard.
Amongst those criticising the old Passport initiative and Microsoft’s attitude towards privacy was Kim Cameron who is now Microsoft’s Chief Identity Architect and known for his “Laws” of identity. Ever since however, the company has made a remarkable turn-around in rebuilding its credibility within the standardisation and privacy arena – and many have credited Kim Cameron for being at least partially responsible for this.
Microsoft’s approach to standards has also changed. Instead of going it own way, Microsoft has actively contributed to, and worked with standards organisations such as OASIS to formalise and standardise its WS-* protocol stack, and has, although admittedly under fierce pressure, released the specification of many previously unavailable protocols, APIs and formats used within the Windows technology. Many believe that the “new Microsoft” under Steve Balmer is taking a strategically different, softer approach to interoperability, and this seems to be confirmed by the activities and statements from key Microsoft employees. Amongst the latter is Joe Long’s announcement at DEC 2008 that Microsoft was currently re-evaluating whether to support the SAML2 protocol in its products, as opposed to only supporting the SAML2 token format within the WS-* protocols. Microsoft has hinted that this announcement will be made sometime in May.
So how does all of this relate to Credentica and its U-Prove technology?
Credentica had, previous to the acquisition shipped a Java library that implemented its technology for developers to embed into their applications. This Java library seemed to have vanished into thin air. Repeated enquiries were made by KCP to Microsoft whether this library was still available, and the response was that at this time, no comments could be made on this subject. The official line from Microsoft communicated to KCP is that Microsoft is “not announcing any packaging or go-to-market at this time, [and] see the technology as an enhancement to Windows Communication Foundation (WCF)”. The latter part of the statement certainly makes sense. After all, U-Prove technology fits perfectly into the WCF and will empower CardSpace to become secure online privacy. This has the potential to boost adoption and truly give Microsoft a leadership position in the privacy space.
Conspiracy Theories?
However, the complete disappearance of the U-Prove API and the unwillingness for Microsoft to give any clear position to this point about how the U-Prove technology may be used outside of the Windows ecosystem leaves many observers speculating, and theories thrive in the blogsphere. Microsoft recently joined the OpenID Consortium, and the U-Prove technology can effectively address many of the security and privacy limitations of OpenID – such as the Identity Provider being able to tell which service provider a user is using. Some believe that Microsoft is likely to contribute the technology in order to establish itself as a leader within the OpenID community.
However, if Microsoft were to chose to leverage the technology only in its own ecosystem, effectively shutting out the rest of the Internet, then it would be very questionable whether the technology would be widely adopted. The same if Microsoft were to release the specifications, but introduce a “poison pill” by leveraging its patent. This would certainly be against Microsoft’s interest in the medium to long future.
Perhaps the most insightful glimpse into what is going on at Microsoft regarding this technology is a blog entry from Kim Cameron from March 9 where he responds to a Ben Laurie, the creator of OpenSSL that had previously expressed his scepticism of Microsoft’s intentions with U-Prove:
I hope everyone who reads this blog knows that it is elementary, my dear Laurie, that identity technology must work across boundaries, platforms and vendors (Law 5 - not to mention, “Since the identity system has to work on all platforms, it must be safe on all platforms”).
That doesn’t mean it is trivial to figure out the best legal mechanisms [sic] for making the intellectual property and even the code available to the ecosystem. Lawyers are needed, and it takes a while. But I can guarantee everyone that I have zero intention of hoarding Minimal Disclosure Tokens or turning U-Prove into a proprietary Microsoft technology silo.
Like, it’s 2008, right? Give me a break, guys!
There is a fair amount of mistrust in the industry, sometime even bordering on paranoia because of Microsoft’s past approach to privacy and interoperability. The current heated discussion about the OOXML is an example of this. Over the last years, Microsoft has taken great pains to alleviate those fears, and has shown an willingness to work towards interoperability. But many are not yet convinced of the picture that Kim is painting. It is very much in Microsoft’s interest to make an official statement regarding its broad intentions with U-Prove, and reassure the industry if and how Microsoft intends to follow the “fifth law of identity” with regards to this new technology.