What the Heck Is Information Card Foundation?
News Analysis. Capital One's marketing phrase, "What's in your wallet?" could soon be a digital metaphor.
Early this afternoon, Microsoft and four other establishing members, Equifax, Google, Novell, Oracle and PayPal, announced creation of the Information Card Foundation. The group seeks to improve online identity and privacy through use of a wallet metaphor.
Quick take: ICF is really a marriage of necessity between Microsoft identity and privacy work and an earlier open-source identity project; it's yet unclear to me how much influence Microsoft and its technologies will have on the organization. The group's loftier goal isn't the one being taken on today: enabling privacy and security for mobile transactions.
ICF's immediate goals are simple: to better enable online transactions, while protecting the privacy and security of the consumer on one end and the service provider on the other. The metaphor: a digital wallet containing online identification cards that acts as a single place to log into and transact with disparate online sites or services. Through that motif, ICF aims to better protect people's privacy and identity, while curbing phishing and other online scams.
Something else, before more broadly discussing the new organization: Almost certainly related, Microsoft has consolidated its Access Security and Identity and Access divisions into a new Identity and Security division. Ryan Hamlin, former general manager of the Access Security division, takes on responsibility for the combined entity. Douglas Leland, former general manager of Identity and Access, will assume a worldwide business leadership role, whatever that means. The new division will be responsible for the Microsoft technologies Active Directory, CardSpace, Forefront, Identity Lifecycle Manager and Rights Management Services.
ICF Primer
Microsoft provided what is at least a partial ICF board of directors list: Parity's Paul Trevithick as chairman, Kim Cameron from Microsoft, Patrick Harding from Ping Identity, Ben Laurie and Andrew Hodgkinson from Novell, Meristic's Mary Ruddy, and Drummond Reed and Pamela Dingle of the Pamela Project.
ICF incorporated on March 1, but its coming-out party, so to speak, is today. Discussions on forming the group started about 12 months before incorporation.
I notice that while ICF claims Equifax, Google and PayPal as founding members, their executives aren't listed as board members. Now why is that? Perhaps it's no coincidence that most ICF board members come from companies supporting Microsoft technologies, such as CardSpace. I make the distinction for clarity purposes only. ICF's press announcements indicate broad industry support and lofty interoperability goals, but not without Microsoft's heavy hand in the process, or so I perceive. To be clear: I don't suggest that's a good or bad thing; some Microsoft Watch readers will surely pick one or the other in the comments. My objective is to cut past any marketing propaganda.
By the way, Information Card in the group's title should be a dead giveaway of Microsoft's involvement and influence on the new organization. Information Card is the metaphor best associated with CardSpace.
But ICF is bigger than Microsoft, and that's an important distinction to make here. The group might be best described as a marriage of convenience between the Higgins Project and Microsoft technologies.
On Friday, June 20, I spoke with board members Paul Trevithick, Parity CEO, and Kim Cameron, Microsoft's chief architect of identity. Paul said ICF's roots go back five years to Higgins. ICF's identity and privacy platform will incorporate many Higgins mechanisms or metaphors, such as the "identity selector." The platform also will support CardSpace and WS-Trust, among other security technologies and protocols.
Paul described Higgins as "an open-source implementation of the Information Card as well."
I felt that Paul and Kim kind of brushed past my questions about architecture and whose technology would provide the underpinnings. Perhaps that's something they can't yet answer, or I failed to understand their meaning, or they didn't want to say that Microsoft would be a major influencer. I can't say definitively, because as I write this post the ICF Web site isn't yet live. That's where I expect to see more information on the architectural objectives.
Both men emphasized the importance of interoperability. "[We] need to make an identity layer for the Internet," Kim asserted. He said it can't be tacked on to what's out there already. "You need a really good architecture," he said, and "the architecture has to be provided by the industry and across geographies if this thing is going to work."
When I pressed on architecture, Paul responded: "We focus more on there being a consistent user interface on the top and interoperability on the wire than agreeing on a software architecture."
That statement really cuts to it. Based on the information that Microsoft provided and the nearly hour-long interview, I conclude this: ICF's main technological focus is top-layer infrastructure, which includes the main privacy and security metaphor and supporting protocols. Vendors would implement broader underpinning technologies, using guidelines and protocols adopted by ICF for the purpose of ensuring interoperability. Example: OpenID and Windows Live ID as authentication mechanisms used by different sites or services for different cards in the wallet.
Wallet as Metaphor
An Information Card and Higgins' "identity selector" really make up the core metaphor, the digital wallet containing different authentication cards.
"Your Identity Selector is like a wallet," Kim said. The wallet would contain digital identity cards for simply and securely logging into or transacting with different online sites or services.
I also spoke with Charles Andres, ICF's executive director, on Friday. "The Information Card metaphor is an excellent one" because it represents "transactions in the real world," he said.
I wondered how the heck the metaphor could be consistently offered across disparate platforms and devices. "The selectors can be baked into the operating system or put in a browser," Paul said. Kim chimed in: "Architecturally, [the wallet] could be anywhere. It could be on the operating system. It could be in the cloud."
Operating system placement would give Microsoft huge customer traction, simply because of Windows' huge install base.
I struggled to grasp the wallet metaphor in part because of the number of supporting identity and privacy technologies and how the Information Cards would drastically differ from those carried in a physical wallet. The two things are related, as they introduce unforeseen complexity to an approach that is arguably better than anything else broadly available today.
"There may be one wallet, but the cards don't contain the data," Paul said. "The issuer decides what kind of authentication that card requires." From security and service provider choice perspectives the approach is sensible. But won't different authentication mechanisms create confusion? The two ICF board members said no.
"Any kind of a token can be delivered," Kim said. "Most of us are using SAML tokens right now." SAML is Security Assertion Markup Language.
I asked what happens if the wallet is stolen, meaning someone other than the legitimate user gains unauthorized access? "Having access to the wallet doesn't necessarily mean access to everything in the wallet," Kim replied. "[Users] might have to enter a PIN. It's a cross between a wallet and an ATM." The service provider or Web site would decide what the second or even third authentication mechanism might be.
Different cards representing different things are important, not confusing, Kim asserted: "People want contextual separation between their banking and their lovemaking and everything else. The wallet idea [encapsulates] these different concepts. We've been very careful not to create links across the different contexts that you're in."
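As an added illustration (not ICF, Higgins or CardSpace code), the following Python model shows the wallet behaviour described above: cards hold only metadata, the relying party states which claims it needs, the selector offers only matching cards, the issuer enforces the card's own authentication (here a PIN) before releasing just the requested claims, and a per-site pairwise identifier keeps a user's contexts unlinkable. The card names, issuers, PINs, secrets and the HMAC-based pairwise identifier are constructed assumptions, not details from the interview.

```python
import hashlib
import hmac

# Constructed wallet: each card carries metadata only. Claim values live with the
# issuer, and the issuer decides what authentication the card requires.
WALLET = [
    {"card": "MyBank", "issuer": "bank.example", "claims": {"account_id", "name"}, "auth": "pin"},
    {"card": "Social", "issuer": "social.example", "claims": {"nickname"}, "auth": "none"},
    {"card": "Gov ID", "issuer": "gov.example", "claims": {"name", "age_over_18"}, "auth": "pin"},
]

# Constructed issuer-side records, per-card secrets and PINs (assumed to be held by each issuer).
ISSUER_DATA = {
    "bank.example": {"account_id": "ACCT-0001", "name": "Alice"},
    "gov.example": {"name": "Alice", "age_over_18": "true"},
    "social.example": {"nickname": "alice99"},
}
CARD_SECRETS = {"MyBank": b"bank-card-secret", "Social": b"social-card-secret", "Gov ID": b"gov-card-secret"}
PINS = {"MyBank": "4321", "Gov ID": "8888"}


def select_cards(wallet, rp_policy):
    """Identity-selector step: offer only cards that can satisfy the relying party's required claims."""
    return [card for card in wallet if rp_policy["required_claims"] <= card["claims"]]


def pairwise_id(card_name, rp_id):
    """Assumed construction: derive a per-relying-party subject id so two sites cannot link the same card."""
    return hmac.new(CARD_SECRETS[card_name], rp_id.encode(), hashlib.sha256).hexdigest()[:16]


def issue_token(card, rp_policy, pin=None):
    """Issuer step: enforce the card's own authentication, then release only the claims the site asked for."""
    if card["auth"] == "pin" and pin != PINS.get(card["card"]):
        raise PermissionError("this card requires a valid PIN")
    data = ISSUER_DATA[card["issuer"]]
    return {
        "issuer": card["issuer"],
        "audience": rp_policy["rp_id"],  # token is bound to the requesting site
        "subject": pairwise_id(card["card"], rp_policy["rp_id"]),
        "claims": {name: data[name] for name in rp_policy["required_claims"]},
    }
```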
Mobile Transactions
The three men got some geek glow when I started asking, and theorizing, about the mobile market. With manufacturers shipping more than 1 billion handsets a year, the logical, primary identity and security platform should be the cell phone.
"It's very important that the Information Card is not just a PC phenomenon," said Kim. A statement like that means something coming from a Microsoft executive, whose company is best identified by the Windows PC.
"Mobile is a very exciting place. We want to make this thing run on [any cell phone]," Paul said. Oh, yeah? What about iPhones? Paul said ICF has spoken with Apple, but he insinuated that nothing much has happened yet. Definitely, the iPhone is a device ICF would like to support.
I asked about the mobile phone as being perhaps a better device for achieving ICF's privacy and security objectives, because of how its existing technologies could be used, everything from video capture to voice to GPS.
"Phones have a number of wonderful characteristics, [such as] facial recognition [and] voice recognition," Paul said. The mobile market isn't just about better security and privacy features; there is basis for broader acceptance of the wallet metaphor and underlying technologies. "The effort to get the selectors on mobile devices will [drive adoption]," Paul said.
[Editor's Note: SAML typo corrected.]
Comments (6)
Four or five other establishing members?
Posted by Ikram Kurdi | June 23, 2008 2:53 PM
Joe says:
"I don't suggest that's a good or bad thing; some Microsoft Watch readers will surely pick one or the other in the comments. My objective is to cut past any marketing propaganda."
Joe, when you do your best to be neutral, and not take any sides, at some point, the article loses its value entirely. Best to stick with the truth and carefully evaluate the facts. If the truth hurts, it still should be told, and it's easy to take a side at that point. If not, your articles will become just like some at ZDNET, not worth reading.
Now I see where I think you were going when you said: "I felt that Paul and Kim kind of brushed past my questions about architecture and whose technology would provide the underpinnings." You needed to elaborate on the fact that most likely, Microsoft will use their technology, and patented protocols, to create more vendor and user lock-in. Do you think we could all (except for the Shills) agree this would be a bad thing?
That Microsoft is trying to make things more secure, most will agree, if done in an interoperable way, this would also be a good thing.
Sadly, it's hard to believe that Microsoft and security should be mentioned in the same sentence.
Posted by The Hand | June 23, 2008 4:29 PM
That was SAML, not XAML...
And Information Card is a standard to sit on top of other standards, as in, there is no need to worry about whose technology is used in the "underpinnings". Because it's all Open Standards (WS-* + something like SAML), anyone's tech can be used. I've written a compatible implementation in Java...
Cheers
Matt
Posted by Matt Ellis | June 23, 2008 6:42 PM
To address "The Hand" the Information Card standard is interoperable. It's published, it uses WSTrust and WSSecure. It's token agnostic, so you are not just limited to SAML; you can send anything (which is why the OpenID folks are using it to transport OpenID tokens).
There are no patented protocols there; there's even a Microsoft sponsored interoperability workshop.
There are currently Java, PHP and .NET implementations (including my own .NET open source effort, SharpSTS).
Posted by Barry Dorrans | June 24, 2008 12:57 AM
So it's another shot at Hailstorm, is that it?
Posted by portuno | June 24, 2008 3:16 PM
Malware Avalanche Still Gaining Momentum
http://securitywatch.eweek.com/exploits_and_attacks/malware_avalanche_still_gaining_momentum.html
Quotes from the link:
"Symantec reported this spring that it had recorded 711,912 unique threats during the course of 2007, a 468 percent increase compared to 2006, in its twice-yearly Internet Security Threat Report."
"In its 2008 first half data security summary, issued today, F-Secure reports that malware growth has reached its highest rates ever, with the "packing, encryption, and obfuscation of existing families of Trojans, backdoors, exploits, and other threats" driving the sheer volume of attacks even higher than Symantec's reported figures."
--------------------------------------------------
Of course, here we are talking about "Windows Malware." It's one thing to talk about "tokens" for wallets, but let's face it, the whole underlying Windows platform is a vast MALWARE target. Microsoft needs to fix it as it should have done in how many previous releases now? At some point there will be more malware at least as bad as the old Blaster worm. Can you afford to run a platform as insecure as Windows?
Posted by chips | June 24, 2008 4:14 PM