[LINK] Credentica Sold to Microsoft

Roger Clarke Roger.Clarke at xamax.com.au
Sun Mar 9 11:54:00 AEDT 2008


This is a privacy story with an open source angle to it.

It started with a posting of mine to the Privacy International 
Advisory Board and the Australian privacy list.  I've repeated my 
posting below, followed by three further postings, which culminate in 
a semi-official response from the key Microsoft person.

Feel free to flick this on to others who may be interested in either 
or both aspects of the issue.  (It's already been widely circulated, 
and all of the authors have written their comments knowing that lists 
are among the addressees).

________________________________________________________________________

Roger wrote on Sat, 8 Mar 2008 07:58:19 +1100:

Credentica is a crypto-based technology developed by Stefan Brands.

It enables secure digital tokens to be produced that can attest to an 
attribute of an electronic persona without disclosing the associated 
identifier.

Put another way, it's the only current mechanism for implementing 
effective pseudonymity, and one of the few genuine privacy-enhancing 
technologies that actually exists.

It's just been acquired by Microsoft, including all patents.

It would be nice to think that this means it will become mainstream.

Unfortunately, Microsoft has appalling records in:
-   quality of software
-   quality of documentation
-   privacy
-   enabling interoperability
-   licensing out of patents and software

Only by change in all of those areas could Credentica be used to 
embed pseudonymity in MS products and to make the tokens and the 
technique (let alone the software) available to other software 
providers.

It's impossible to believe that Microsoft would or even could change 
in all of those areas.

So I regretfully conclude that Stefan Brands' work has been lost to the world.


http://www.credentica.com/
http://www.credentica.com/intro_video.html

http://idcorner.org/2008/03/06/
Microsoft acquires Credentica's U-prove technology
I am thrilled to announce that Microsoft has acquired Credentica's 
U-Prove technology, together with all of the underlying patents ...

http://www.identityblog.com/blog.php/

________________________________________________________________________

My posting has been picked up in multiple places, and been the 
subject of a couple of important responses.  The authors have okay'd 
on-posting.

Pippa Lawson is a Canadian privacy researcher and advocate.
Stephanie Perrin is a long-time privacy advocate in Canada.
(Credentica was developed by a Dutchman long resident in Montreal, 
hence the level of interest in Canada).
Kim Cameron is a lead identity management person, employed by Microsoft.

________________________________________________________________________

On 7-Mar-08, at 5:31 PM, Philippa Lawson wrote:
>One of our colleagues, Dr. Stefan Brands, recently sold the rights 
>to his wonderful, privacy-friendly authentication technology (called 
>Credentica) to Microsoft.  See Stefan's blog at http://idcorner.org 
>and Microsoft's announcement below.
>
>While I think we all applaud Stefan's work and are happy for him 
>personally, some of us consider this to be an unfortunate 
>development for ID management insofar as Credentica will not be 
>available to MS competitors.  See Roger Clarke's comment ....  It 
>will be interesting to see what Microsoft does with the technology.

________________________________________________________________________

Stephanie Perrin wrote on Friday, March 07, 2008 8:59 PM:
>I would like to comment to the list that I am more optimistic than 
>Roger Clarke about this.  It is a question of when we reach the 
>"tipping point" for privacy.  Stefan Brands has held on to the 
>patents for this technology, has tried for at least ten years to 
>market it, and if anyone can get this mainstream, Microsoft can.  I 
>participated at a conference on privacy enhancing technologies put 
>on by the European Commission in 1993, and frankly the main message 
>was that everything that hit the market failed.  Now we have breach 
>disclosures, we have SOX and the Accountability Act, we have plenty 
>of mainstream reasons for embracing PETS, even if all you want is 
>obscurity.  You don't actually have to believe in privacy and human 
>rights to understand why you want the Brands technology, although it 
>certainly helps.  So there is every reason for Microsoft to go 
>forward with this and market it, and I hope we all push them to do 
>so while we applaud them for acquiring and publishing this great 
>technology and its developers.
>
>Congratulations to Microsoft, to Peter Cullen and Kim Cameron who no 
>doubt are behind this development, and to Stefan Brands and his team 
>for working so hard for so many years to hang on to this dream and 
>bring it to fruition.  A special thanks also to David Chaum, whose 
>ground breaking invention so many years ago paved the way for this 
>work.  ("Achieving Electronic Privacy," D. Chaum, Scientific 
>American, August 1992, pp. 96-101)
>If it is not implemented now, we have only ourselves to blame.

________________________________________________________________________

Kim Cameron wrote on Saturday, March 08, 2008 4:25 PM:
>I want to make it clear that it is my assumption (and that of my
>colleagues) that the Credentica software will be available not only on
>the Microsoft platform, but on every other.  My record is clear in
>arguing that identity software is for reaching across boundaries of
>all kinds, and U-Prove obviously needs to run on platforms from
>different vendors and be fully interoperable (see
>http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf).
>
>I refer people on the lists who are unaware of our previous
>achievements around identity interoperability and intellectual
>property issues to http://www.identityblog.com/?p=574
>and following postings.  All the work I have done on identity is
>interoperable.  All the protocols and related intellectual property
>have been made available to everyone without requiring even a license,
>and the legal mechanism we used to do this (so-called OSP) has been
>thoroughly vetted and welcomed by the leading open source lawyers and
>foundations, as well as Microsoft's competitors.  We have been fully
>transparent in publishing our work as we went along so everyone could
>see its evolution and influence it.  If anyone harbours any
>lingering concerns about OSP, I would be happy to help dispel them.
>
>I am exploring the best way to make the Credentica technology
>available too.  You will understand that working the details out is
>"labor intensive" - lawyers are involved ...  My colleagues and I are
>working on this full speed ahead, and understand the need to be clear
>about the fact that we will share this technology with the industry
>and all of society.
>
>I'm not going to respond to Roger's views on the quality of my
>software and documentation - I pretty much disagree with him,
>although one can always do better.
>
>But hey, both of us will have the option of using Credentica
>technology on the platform of our choice, and that's key to a healthy
>ecosystem and universal privacy.

________________________________________________________________________


-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW


