A new UK Government took office on 11 May. As a result the content on this site may not reflect current Government policy.
All statutory guidance and legislation published on this site continues to reflect the current legal position unless indicated otherwise.

New approaches to identity and security (March 2010)

Software and internet news


Proving your identity - and thus rights to access content or authorise financial transactions - is fundamental to web security and trust. The basis for many exchanges is public key encryption, but its security is coming under increasing attack, while the way it works makes it possible to tie together disparate pieces of information that you have revealed for unrelated purposes.

Microsoft has released U-Prove as a community technology preview (CTP). This new technology was purchased with Credentica - a company that had been developing the underlying algorithms. The system has a combination of features that it claims make it unique, including:

  • The user controls which data is shared with whom
  • Only the specific data required is revealed, so (for example) your phone number should not be revealed at the same time as your address, or your date of birth with your age in years, unless required
  • The identity tokens protect your data (revealed for separate transactions) from being linked together
  • The protocols are designed to prevent fraudulent collusion between parties involved in the transaction.

Microsoft is releasing the necessary specification under a guaranteed, open source licence, meaning that third parties can use the code without fear that the company will seek royalties in the future. Although it is deploying the technology in its Windows CardSpace and other platforms, Microsoft is keen to see it used by many other providers, as widespread adoption of the framework is necessary if consumers are to recognise it and trust it. If only a minority of services use it, then it will simply add to the confusion around security and authentication. Some further details are given by Ars Technica and in this 2008 Wired article.

The Open Identity Exchange (OIX) was also launched during March's RSA security conference. OIX brings together authentication systems from the Information Card Foundation and Open Identity Foundation (see article in TechNews 04/09) and is supported by some well-known companies, including Google, PayPal and VeriSign. OIX has been approved as a 'trust framework' by the US Federal Government and has already been adopted by the US National Institutes of Health website. The framework is expected to be implemented by a number of other federal bodies, as well as globally by businesses, library services, media portals and a wide range of sites that require identity details.

Comments [0]

Note: All comments will be reviewed by Becta before being published.

PDF creator

Add pageLink to PDF creator help

You currently have no articles chosen


Latest Tech analysis

Download the latest TechNews digest

Download

Propose an article

propose an article

If you have an article you would like published on this site please get in touch. Email us your article proposal.