News

Open Sourcing Online ID Management

Redmond teams up with open source community to create an interoperable architecture for identity protection.

• By John K. Waters
• 06/15/2007

Microsoft has launched four new open source projects designed to implement information cards in a variety of formats, including Java, Tomcat (for IBM WebSphere servers), Ruby on Rails, PHP and a generic C library.

Redmond expects the results of these efforts to complement the ability of the Windows CardSpace identity-management system to support information cards.

The new projects will be hosted on two open source project sites: SourceForge and RubyForge. They'll also be aggregated at codeplex.com, Microsoft's collaborative development portal.

Information cards are the primary mechanisms for representing user identities in the so-called identity metasystem. The metasystem is an interoperable architecture for digital identity that assumes people will have several digital identities based on multiple underlying technologies, implementations and providers. The concept is the brainchild of Microsoft identity access architect Kim Cameron, who assembled the famous "7 Laws of Identity" in a white paper published about two years ago.

"It's a system of systems," explains Earl Perkins, research vice president at Gartner Inc. "A set of protocols for the exchange of personal identity information on the Internet. ... The idea is to provide an ecosystem that allows everyone to know who they're interacting with online."

The thing about the metasystem, says Thom Robbins, director of .NET platform product management at Microsoft, is that it's not a Microsoft-only environment. "So the interoperability pieces are key," he says. "We need to be able to work well with others and to take advantage of the common protocols."

People, Services and Providers
Three core elements make up the identity metasystem, explains Jean Paoli, Microsoft's general manager of interoperability and XML architecture: the people who are presenting their identity, the Web site or online service requesting proof of identity and the identity providers who assert some information about those people. The purpose of the newly launched projects is to improve interoperability for each of the identity metasystem components.

Paoli has been leading Microsoft's overall interoperability initiative for the past year. "Interoperability by design has four pillars," Paoli says. "We build interoperability into our products, we work on standards, we work with the community and we enable access to some of our technologies for the greater good, so to speak. These open source projects build on the last two."

The decision to open source the information card projects is Microsoft at its most pragmatic, Perkins observes. "It allows them to enlist, essentially, the whole world in making these connections," he says. "And it's good for Microsoft in another way: If these projects draw the kind of support they need from the open source community to be successful, it'll be a kind of tacit admission that Microsoft is now part of the open source world."

A Welcomed Effort
If the response from competing info card projects is any indication, Microsoft's prospects for success are good. In a Microsoft statement announcing the initiative, Paul Trevithick and Mary Ruddy, co-leads of the Eclipse Higgins Project, and Dale Olds, leader of Novell Inc.'s Bandit project, praised Redmond's efforts to increase the cross-platform interoperability of information cards. The Higgins Trust Framework Project, sponsored by The Eclipse Foundation, and the Bandit Project, sponsored by Novell, both seek to provide a consistent approach to managing digital ID information, regardless of the underlying technology.

"Microsoft's relationship with the open source community is complicated," says IDC's Mathew Lawton, program director for open source software business models. "Because they make a lot of money from proprietary software, everyone interprets that to mean that they're never going to do anything with open source software. But the company has demonstrated that it'll take advantage of the open source model when it helps them."

In a related announcement, Microsoft said that it plans to make its Identity Selector Interoperability Profile available under its Open Specification Promise (OSP). Last September, the company made 38 Web services specifications available under the OSP, which is Microsoft's public vow not to sue developers or customers for using designated technologies. With the addition of the Selector profile, an individual open source software developer or a commercial software developer can build its identity selector software and pay no licensing fees to Microsoft.