Why claims will Change Everything - PowerPoint PPT Presentation

Provided by: kimc157
Slides: 19

Transcript and Presenter's Notes

1
Why claims will Change Everything
  • Kim Cameron
  • Architect of Identity
  • Microsoft
  • http://www.identityblog.com

2
Landscape silos
  • Today's enterprise/consumer/telco services are
    hard-wired, siloed, self-centered systems
  • Their perimeters are impermeable
  • Users and other entities are reduced to the
    system's definition of them (within a single
    boundary)
  • Digital experience is organized from the point of
    view of the system, not the user who employs
    many systems
  • Very controlled movement into or out of each
    system
  • Rigid technology landscape in terms of
    protocols, formats, syntax, semantics
  • Single source of truth: the system
  • Easy to know what to believe, but it doesn't cross
    boundaries

3
Silos: so last century
4
User-centered versus silo-centered worlds
  • Different kinds of silos we face as users
    • Operating Systems and Environments
      E.g. Windows versus OS X or Linux
    • Applications
      E.g. SAP versus PeopleSoft
    • Enterprises
      E.g. Avis collaborating with United Airlines
    • Services
      E.g. Facebook versus LinkedIn
    • Networks
      E.g. Firewalls versus NAP versus machine guards
  • The Access Control Stack
    • Network, Storage, Information, Application,
      Functions, Services

5
Policy-based control incompatible with silos
  • Digital systems function like a fortress:
    multiple concentric rings of defense
  • Guards controlled the fortress from drawbridge to
    castle keep
  • Digital physics tells us that to protect digital
    systems, policy must also control access
    end-to-end
  • Need a way for access to become subject-oriented

6
From federation to claims-based applications
  • Requirements to cross enterprise boundaries
    • Detach assertions from trust infrastructure
    • Multiple perspectives, points of view, definitions
      of truth
    • Translate syntax, map semantics
    • Transcend vendor architectures
  • Requirements to cross vendor architectures
    • Under enterprise boundaries are vendor
      boundaries
    • Allow different systems to interact
    • Multiple perspectives, points of view, definitions
      of truth
    • Represent similar things
    • Translate syntax, map semantics
  • Requirements for user-centered systems
    • Allow many components to interact
    • Multiple perspectives, points of view, definitions
      of truth
    • Translate syntax, map semantics
    • Simplify mashups and transfer of control

7
Legonics for digital integration
  • Combining Lego and electronics
  • legonic (adjective): the quality of being easily
    pluggable into other services to create more
    value, like pieces of Lego or integrated circuits
  • legonics (noun)
    • (used with a singular verb) the discipline
      dealing with the development and application of
      devices and systems that can be assembled
      through convertible claims
    • (used with a plural verb) legonic systems and
      devices. "The legonics aboard the new aircraft
      allow it to be customized in a matter of days."

See http://www.lego.com
8
Like a circuit board for digital components
  • Claims
    • The information through which loosely coupled
      components can decide whether and how to provide
      services
    • Different sources of claims for different
      purposes
    • A claim is an assertion which is in doubt
  • Claims describe entities
    • Principals: requestors of access, e.g. humans,
      devices, applications
    • Composite principal: human + device + application
    • Resources: targets of access requests, e.g.
      services, data
    • Actions: operations on resources
    • Context: runtime environment of the access session
  • Actionable claims
    • Claims a component is willing to act upon after
      evaluation

9
Functional components
  • Relying Party
    • Offers a service to a user, but requires claims
      to personalize the service and control access
    • Every component in the access stack
  • Identity Selector
    • The entity from which the user controls release
      of claims and vetoes matching of source to
      recipient
  • Identity Provider
    • Generates claims as required by the relying party

10
Mutual veto of claims
  • Relying Party accepts the Claims and the Claims
    Provider
  • User accepts the Relying Party and Claims
    Provider
  • Claims Provider accepts the User and the Relying
    Party
  • The components are jointly responsible for the
    transaction

11
A taxonomy of claims
12
Claims transformers
  • Transformation rules: policies describing claims
    relations
  • One transformer may depend on other transformers
    for its inputs
  • Transformers will operate on all the claim types
    in the taxonomy
  • System architecture and components insulated
    from Trust, Format and Content
  • Transformers are Security Token Services with
    intelligence

Diagram: claim types in the taxonomy (Local Actionable
Claim, Partner Claim, SAML token, X.509 Cert, Access
Right, Role).
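The chain described on slides 8, 9, 10 and 12 (identity provider issues claims, the identity selector lets the user veto release, claims transformers map partner claims to local actionable claims, the relying party acts only on claims it trusts), as an added worked example in Python. This is not code from the presentation, from CardSpace or from any Microsoft product; the issuer names ("airline-idp", "partner-mapper", "local-policy"), the claim vocabulary and the mapping rules are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Claim:
    type: str    # e.g. "group", "role", "access"
    value: str
    issuer: str  # who asserted it; every trust decision below keys on this


# A rule turns one claim into zero or more claims. The transformer re-issues
# rule output under its own name, so later stages trust the transformer,
# not the partner that supplied the input.
Rule = Callable[[Claim], list[Claim]]


class ClaimsTransformer:
    """Security Token Service with rules (slide 12). Claims from issuers outside
    trusted_issuers are dropped, not rewritten: the relying side's veto over
    the claims provider (slide 10)."""

    def __init__(self, name: str, trusted_issuers: set[str], rules: list[Rule]):
        self.name, self.trusted_issuers, self.rules = name, trusted_issuers, rules

    def transform(self, claims: Iterable[Claim]) -> list[Claim]:
        out: list[Claim] = []
        for claim in claims:
            if claim.issuer not in self.trusted_issuers:
                continue  # untrusted source: the claim never reaches a rule
            for rule in self.rules:
                for produced in rule(claim):
                    out.append(Claim(produced.type, produced.value, self.name))
        return out


# Assumed partner vocabulary and local policy, made up for this example.
def partner_group_to_role(claim: Claim) -> list[Claim]:
    """Translate a partner 'group' into a local 'role'; unknown groups map to nothing."""
    mapping = {"Gold": "premium", "Staff": "employee"}
    if claim.type == "group" and claim.value in mapping:
        return [Claim("role", mapping[claim.value], "")]
    return []


def role_to_access(claim: Claim) -> list[Claim]:
    """Expand a local role into actionable 'access' claims (resource:action)."""
    grants = {"premium": ["lounge:enter", "booking:change"],
              "employee": ["booking:read"]}
    if claim.type == "role":
        return [Claim("access", g, "") for g in grants.get(claim.value, [])]
    return []


def identity_selector(claims: Iterable[Claim],
                      release_policy: Callable[[Claim], bool]) -> list[Claim]:
    """User-controlled release (slide 9): the user's veto in the mutual-veto model."""
    return [c for c in claims if release_policy(c)]


def relying_party_decides(actionable: Iterable[Claim], resource: str,
                          action: str, trusted_issuers: set[str]) -> bool:
    """Act only on an access claim for this resource:action from a trusted stage."""
    wanted = f"{resource}:{action}"
    return any(c.type == "access" and c.value == wanted
               and c.issuer in trusted_issuers for c in actionable)


# Two chained transformers: the second trusts only the first, never the
# partner directly, so a partner cannot mint local roles or access rights.
partner_stage = ClaimsTransformer("partner-mapper", {"airline-idp"},
                                  [partner_group_to_role])
local_stage = ClaimsTransformer("local-policy", {"partner-mapper"},
                                [role_to_access])


def run_pipeline(token: list[Claim], release_policy: Callable[[Claim], bool],
                 resource: str, action: str) -> bool:
    """Identity provider token -> selector -> transformers -> relying party."""
    released = identity_selector(token, release_policy)
    access = local_stage.transform(partner_stage.transform(released))
    return relying_party_decides(access, resource, action, {"local-policy"})


# Constructed sample tokens standing in for what an identity provider issues.
PARTNER_TOKEN = [Claim("group", "Gold", "airline-idp"),
                 Claim("email", "alice@example.com", "airline-idp")]
FORGED_TOKEN = [Claim("group", "Gold", "unknown-idp")]  # right claim, wrong issuer

if __name__ == "__main__":
    for token, policy in [(PARTNER_TOKEN, lambda c: True), (FORGED_TOKEN, lambda c: True),
                          (PARTNER_TOKEN, lambda c: c.type != "group")]:
        print(run_pipeline(token, policy, "lounge", "enter"))
```

The three runs at the bottom show the three vetoes from slide 10 in code: the valid partner token yields a lounge:enter right; the forged token carries the same group claim but from an issuer the first transformer does not trust, so nothing is produced; and when the user's release policy withholds the group claim, the relying party sees no actionable claim at all. Note that the second transformer trusts only the first, which is what "system insulated from content" buys you: the relying party never has to understand the partner's vocabulary, only the local access claims.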
13
Putting it together
  • Enterprises and Government can no longer run on
    silos
  • To achieve end-to-end policy in loosely coupled
    components we need systems linked by claims that
    can be transferred, transformed and evaluated to
    match local needs
  • No limit to the kind of claims
  • System insulated from content
  • Must be consistent with digital physics
  • Components operate in a plane not bounded by
    distance or location
  • Result: a new technology of Legonics, functioning
    at a higher level of encapsulation than previous
    proposals, and creating digital components that
    snap together like Lego
  • I have a demo that I think conveys this

14
Legonics demo
15
Legonics Demo
BizTalk Guard Service
  • Despite their novelty, the components are standard
    legonic parts: claims transformer, identity
    provider, relying party
  • Any kind of claim can potentially be used within
    the same framework and products

Diagram: demo flow in four numbered steps between the
XBox Controller, the BizTalk Guard Service and the
Robot Host.
16
BizTalk Services
  • Experimental open lab in the sky exploring
    hosting scenarios
  • Currently hosting an experimental authorization
    claims transformer that customers and Identity
    Metasystem partners can use in testing and
    developing legonic solutions
  • Goals
  • Foster interoperability
  • Promote discussion and understanding of how new
    hosted components fit into the Metasystem
  • Move beyond thinking about Identity providers
    to facilitate creation of claims-based
    applications and services

17
Growing momentum
  • The identity metasystem and claims-based
    architecture continues to gain momentum
  • Number of software vendors supporting it still
    growing and includes all major players
  • Another Interopathon will be held in Barcelona at
    Catalyst Europe in a matter of weeks
  • Number of released products is growing
  • Critical Mac component: Novell's Bandit
    DigitalMe
  • HP's built-in CardSpace support
  • Panel on Interoperability after this session
  • Deployment bits are becoming available
  • Number of CardSpace sockets increasing towards
    tipping point
  • Improved functionality: a new beta of CardSpace is
    shipping this week
  • MSN/Hotmail/Windows Live Information Card beta
    now demonstrates that the architecture scales

18
Conclusion
  • As people begin to use them, we are understanding
    the full potential of claims
  • Way beyond Federation
    • We stumbled onto Claims when we started to
      seriously solve the inter-enterprise Federation
      problem
  • Way beyond cross-vendor Interoperation
  • A paradigm for building loosely coupled
    application components that
    • function securely
    • are policy driven
    • run anywhere at any scale
    • snap together in a distributed architecture
      transcending organizations, platforms, and, above
      all, function
    • traverse all the layers of computing so things
      really work end-to-end