In the mid-1970s Kim Cameron played guitar for a Toronto bar band called Limbo Springs, and backed up John Belushi and Dan Ackroyd, at the time calling themselves the Blues Brothers. Today, Cameron is Microsoft's chief architect of identity, and has been named by Network World as one of the 50 most powerful people in networking.
He created an e-mail technology called ZoomIt, which he sold to Microsoft in 1999. In 2003, working at Microsoft, he went public with a technology he developed called InfoCard, an identity system that lets users control the information about them; it is now the centre of Microsoft's identity strategy.
In 2005, he ignited a major industry discussion on the subject of digital identity, which included Bill Gates, various leaders of the open-source community, sworn enemies of Microsoft and the celebrated legal scholar Lawrence Lessig. From that he hammered out his publication of the Seven Laws of Identity.
The seven laws could also help kill spam.
Kim Cameron chatted about the Seven Laws with Jack Kapica
JACK KAPICA: How did Microsoft get into identity management?
KIM CAMERON: Basically, the software got more complex and did more things, and it got to the point where we started to move stuff between machines with the Internet. It got to the point that we wanted to do more on the Internet than just publish things for anybody, then we started getting problems about spam and phishing, and it became clear to everybody who was concerned about the future that we had made an architectural mistake.
We had built this huge Internet infrastructure and it was missing what I call an identity layer, with the result that it's impossible to know whom you're talking to.
At a certain point, with this architectural problem, we reached a stagnation point, so we became very interested in it in terms of we needed identity to move virtual reality closer.
JACK KAPICA: How broad are the implementations?
KIM CAMERON: It can save a lot of trouble on the Internet because you can have some notion of who you're connected to. Right now, if you got to an evil site that is defrauding you or fooling you or spamming you, you're putting yourself in the hands of an evil party. That's the way the browser works.
The evil site now controls my experience completely and can get me to do things that I wouldn't otherwise do.
Today I got an e-mail from PayPal saying someone had spent $780 buying a new Dell computer on my PayPal credit card. And at the bottom it said, if this transaction is in error, click here.
Now I understand that's spam. But if someone had a PayPal credit card, they might click there, and if they do they're under the control of this other evil party.
It gets very scary because once they get some credentials, they can do what's called a man-in-the-middle attack, in which they hook you up to things so that you think you're having a real experience while they continue to extract more and more information from you. So I should have some way to know of whether I'm dealing with PayPal or not.
JACK KAPICA: When did Microsoft get involved?
KIM CAMERON: Microsoft got involved with this initiative called Passport in the late 1990s, which today does a billion authentications a day, so you have to see it as a success in some ways.
But on the other hand, Passport was initially envisaged as an Internet-wide solution, and it did not succeed at that at all. So I was partly motivated by understanding why Passport didn't evolve as an Internet-wide solution.
JACK KAPICA: Why was it a failure?
KIM CAMERON: I believe there is a set of principles that have to be respected before we'll have an identity system that people buy into. In Passport's case — and it wasn't the only one that failed, by the way — merchants would say, what is Microsoft doing between me and my customer? And customers would say why is Microsoft involved in my relationship with this online store? Marketing people call the process of getting rid of the third party as disintermediation, where the third party tries to, um, make a threesome.
