With the U-Prove technology, users can release authenticated information about themselves in a safe and secure way. U-Prove uses a complex set of encryption and signing rules to derive information from authenticated sources. For example, a government-issued electronic ID could contain many pieces of information about an individual, including name, address, birth date, gender and biometric information. Given this credential, U-Prove allows an extract to be created from this information that contains a minimum of the information required to make a transaction. Need to verify that you are older than 18? Need to certify that you are a citizen of a particular country, or live in a particular state/county/commune? U-Prove can create a signed cryptographic extract of this information, without releasing any other information – for example that you are older than 18 without having to specify your birth date – or that you have your registered address in Brussels without having to disclose your address. The party that receives this token can then verify (through the cryptographic process) that the information is genuine.
Privacy issues have been holding back use of many applications, most commonly because they required a level of trust that most users were not willing to give. Age verification for example via a credit card, was a problematic area. Voting is another issue, where in order to cast a vote, it is necessary to prove that you are a resident (or citizen) of a particular area, without giving any personally identifiable information. On the other side, proper care must be taken that you are eligible to vote, and that you are not voting more than once.
Microsoft has acquired the U-Prove technology in March 2008 and has spent two years preparing for the release of the technology. The current release includes two major milestones: a release of the U-Prove intellectual property with a cryptographic specification under Microsoft’s Open Specification Promise. Microsoft will now work with standardisation bodies to get the specification approved in an official standard. Open source toolkits have also been made available in C# and Java to reach a broad audience of developers, enticing them to harness these new features in their applications and services. Microsoft has also made available a “Community Technology Preview” that integrates the U-Prove technology with Microsoft’s Identity Platform technologies, specifically AD FS 2.0, Windows Identity Foundation and Windows CardSpace v2.
To underscore Microsoft’s commitment to releasing this technology to the public without locking users into its technology, a second specification is available that details how to integrate the technology into other open source identity selectors. The reasons why Microsoft is careful to release this technology within its Open Specification Promise seems obvious. The technology will not be uniquely adopted if it is perceived that Microsoft is controlling it. Given the promise of minimum disclosure, the technology has the ring of a “magical silver bullet” to enable adoption of new applications and electronic identities. It therefore comes as no surprise that Microsoft is focusing on governments as its first major adopters. Government issued IDs are intrinsically authoritative credentials, and privacy concerns rule much of the political debate around its adoption. Up until now, adoption of government-issued eIDs has been held back for several reasons – availability, use cases and privacy. With the privacy aspect addressed by this technology, the debate should hopefully be easier in the future. It will take time – years to be exact – for the standardisation process to be completed, but the technology is there to use and embed today. I expect high interest from developers and businesses for this technology, and we should see adoption and several tangible use cases very soon.