Palladium, Pervasive Identities and Trust

by William Crawford

Related link:

Security is important: authentication, authorization and encryption are the cornerstones of secure and reliable communication and commerce. Standards for digital identity, once finalized, will contribute to the next Internet driven productivity boom, as business processes that have yet to be brought effectively on-line will continue to streamline enterprise operations. A pervasive digital identity is the key to a huge range of productive applications. But to realize these benefits without giving up ground already gained we need a system that serves users rather than vendors.

Last month I went down to TechX NY (previously known as PC Expo), where Intel and IBM were showing off a dedicated security chip that integrates PKI, data encryption and access control at the hardware level. This functionality is a real win for corporate IT departments who want to take a centralized approach to security and strong encryption. It's also a nice potential boost for both IBM and Intel, who get to sell a lot more computers into large corporations (since integrated security chips can't be added after the fact). The demo didn't work perfectly, but there's definitely some promise to the technology, and it's available now.

Around the same time we started to hear about Microsoft's Palladium, which, although it will also incorporate a hardware component, is something else entirely. For those who haven't been following it closely, I've included a link (above) to Microsoft's white paper on the subject. Palladium proposes to provide the same benefits within corporate IT departments, which is all well and good. The white paper, though, also alludes to the "millions of people [who] simply avoid some online transactions out of fear." I'm not sure whether or not that's even true, but it's not a problem that can be solved by centralizing identity management. Now, to Microsoft's credit, that's not what they're proposing with this particular software, at least not yet. But the user has to grant Microsoft an unprecedented level of trust anyway.

Source code for the trusted layer will be published and externally validated, but I haven't found any announcements regarding how this will actually be done. There's no reason, other than corporate profits and Windows platform lock-in, not to make any security specification along these lines completely open. The authentication, after all, comes from the hardware and the mathematics of public-private key encryption, not from the obscurity of the implementing software. I'd be much more comfortable if I could plug in my own trusted components according to my own needs, and I suspect most IT customers would as well. And needless to say, I'd like to be able to implement the server components and integration in non-Microsoft languages (particularly Java) on non-Microsoft operating systems.

Almost indirectly, the white paper raised another disturibing issue: step-wise pricing based on the level of personal information the user is willing to give out. In figure 3, a vendor requests a user's name, Social Security Number and Credit Card information for a $100 purchase. The Palladium software informs the site that it is only authorized to provide name and credit card information, at which point the price goes up to $102. There's nothing wrong with this in principle. In fact, my academic background is as an economist, and as a result I have a pronounced weakness for free market arguments. If someone wants to sell their social security number for a few dollars, then there's no reason to prevent them from doing so. Still, given how often smart people do give away extremely sensitive information for next to nothing (doctors, for instance, frequently include their Social Security Numbers, and often their Drug Enforcement Agency controlled substance ids, on their curriculum vitae). No system will be a panacea: effective use requires further public education about the risks and rewards of distributing particular kinds of information. Hopefully users will begin to put realistic valuations on their own identity.

There are no two ways about it: pervasive identity systems are dangerous. I think that centralization of standards is supreme good sense. But I'm much less confident about centralization of implementation.

What do you think?


2002-07-29 10:46:37
These systems will NEVER serve consumers
To imply that an identity system being developed by a vendor will ever serve consumers is ridiculous and lacking in an understanding of the motives and histories of these vendors.

They're motives shouldn't be hidden or disguised - this is a disservice to the general publc that may be reading an article. To represent these systems as being anything other than an attempt by a few major corporations to lock us into using their e-commerce platforms while allowing them to track our every on-line move is simply misleading the public.

Mr. Crawford should lift his head out of the technology details and realize what path he is leading us down.

2002-07-29 11:22:43
These systems will NEVER serve consumers
Much as it would inflate my ego to be the pied piper leading the computer industry forward (or backward, or whatever) I think the poster is overstating my own influence just a little bit.

As things are, I've been following this industry for years, and have a pretty solid understanding of the nature of these companies. I have no rose colored glasses where Microsoft is concerned, and I'm not terribly sanguine about the Libery Alliance either. Which is why, although the specter of Palladium does not have me running scared, I'm out cheerleading for it, either. Frankly, most of the coverage I've seen so far seems to be from people who haven't bothered looking at the technical details and have just equated the thing with Passport, which is a dangerous simplification.

Vendors will provide support for the standards users want, and the users who drive the development of this kind of system (and that's the enterprise!) need this sort of support. There are things we just can't do with existing infrastructure, and those limitations make stronger platform authentication inevitable.

If these systems are implemented in an open manner, with trusted software components that conform to published specifications and do not require a centralized clearinghouse (a la Passport/Hailstorm) then we can have a system which puts control into the hands of users. Failing that, identity management should be handled at the lowest level possible. I did an earlier weblog entry on that same topic.

2002-07-29 15:50:45
These systems will NEVER serve consumers
Will -

Thank you for replying. Going back and looking at my original post, I think my tone was harsher than warranted.

I guess my real concern is that I'm reading a great deal of material that presents what you refer to as "identity management" as being primarily a benefit to consumers.

It seems that people are debating various technical aspects of these systems without discussing the competitive and personal implications of them.

For an identify management system to be valuable, it must be widely used. Otherwise there is no value in centralizing the information. But once the system becomes widely used, then a huge barrier to entry exists for any competing system to come into use.

And once there is a large barrier to entry blocking new competitors then the owner of the system can run the system to their advantage - which may not coincide with the best interests of the consumer.

The other critical question is who "owns" the information in the system and what control do I have over information about me that's in the system. Is it appropriate for a company to "own" a history of all sites I've visited, all purchases I've made, all movies and other media I've played, financial transactions I've entered into, medical conditions I've researched, etc. What rights do I have in the matter?

Certainly this type of system makes a mockery of any, so-called "right to privacy" I may have.

Some may argue that I'm taking this too far and that no system will become that all-encompassing. But I don't believe anyone will argue that if this doesn't happen, it won't be because I have laws protecting me. It will or won't happen based on the economics of the situation and the adoption of the technologies by people building systems.

All I ask for in "Identity Management" is an opportunity to keep mine to myself.

2002-07-29 17:30:43
These systems will NEVER serve consumers
Thanks for sticking with it; you make some very interesting and, to my mind, quite valid points. It's very important that these issues be analyzed as thoroughly as humanly possible, and if that slows time to market than so be it. Whatever solutions we eventually come to in this area will likely become part of the bedrock infrastructure of the wired world for the next decade or more, and we'll all be stuck with the consequences.

I actually don't see that these systems have to be centralized to be useful. The interesting thing about platform security, rather than, say, Passport (which I do not and will not use) is that it doesn't require a centralized clearing house. If my computer generates public and private keys for me, then I have an easy to use, potentially very secure opportunity to engage in whatever peer-to-peer transactions I want, using those keys. What is not provided there is the external verification of my identity, but I don't think that has to happen on a world-wide level. For most transactions its enough to confirm that I'm the same guy who came by last time. This can be done with existing security tools, but not easily and not in a user-friendly way.

This, at least in theory, means that I can make my own arrangements with to confirm my identity once and then use that knowledge across all of my subsequent interactions. Whether Amazon is free to pool this information with other merchants depends on the terms of service they offer, and I suspect that the market as a whole will reject giving them that power. Building this support into the platform (and linking keys to hardware) provides the level of reliability and security that the corporate and government worlds need. I don't see the need for most of this for buying books; I do see the need when dealing with clinical data in health care.

That's why the only places I really think need centralized identity management are within individual corporations and within professional communities that require secure credentialing (I wrote about this as it affects the health care industry in an earlier entry.)

To serve consumers effectively, a system needs to let them manage their own identifying information, without the clearing house. Palladium actually sort of seems to do this, although there are so many other issues with it that I can't realistically consider it to be a workable solution (at least for problems that actually exist) while it is in its current form.

A lot of this really comes down to the question of what identity is really worth, and as of now I have no idea how to answer that.
2002-07-30 03:13:19
Is a "secure" system a system with inbuild obsolescence ??
Hardware will trust things when appropriate signatures are provided. Given that any methodology of encryption is good for a finite amount of time, it makes a system that will be obsolete when I cannot trust the encryption anymore.

I have not looked into the specs but I read that as security is in the hardware I see a house of cards destined to fall.