[Substantially revised from the rush job yesterday, and continually updated as people comment.]

[See also There are lots of things right about InfoCard]

In months of discussion on public and private mailing lists, and in many meetings — most recently in a workshop hosted by Harvard’s Berkman Center — many in this community have brought up various questions and issues with Microsoft’s second foray into digital identity, this time centered around InfoCard.

On one hand, much more of the thinking that lead to InfoCard has been publicly visible than of virtually any other Microsoft effort, maybe ever (thanks Kim!). On the other hand, substantial questions remain about both technology and Microsoft’s related business strategy that, so far, have prevented many members of the security / identity and general information technology industry from endorsing this new direction.

The questions go far beyond the InfoCard "identity selector" itself, to what Kim Cameron calls the "identity meta-system" and which has been his overarching architectural blueprint for Microsoft’s digital identity strategy, of which InfoCard is only the first piece. This makes this a somewhat tricky discussion as subjects like a "meta-system" are not easily understood even by many insiders.

I’d like to contribute to shedding some light on what the issues are. As Kim says it, he sees a "historic opportunity" to get identity right for the entire industry this time around. For my part, I think these issues must be resolved, otherwise this historic opportunity may simply pass.

Disclaimer: I do not agree with all the issues listed below. In this post, I’m just a collector of issues that were raised with me present, sometimes in private discussions that I suspect were not intended to be publicized in a manner attributable to specific individuals.

So there’s a good chance that I’ll be singled out as the guy who is spoiling the party; I prefer to look at it as me just articulating that there is a good chance the party ends prematurely because some of the guests are not having a good time (for whether the food was bad or they simply didn’t understand the party is unclear as of yet). Regardless, articulating what the guests are thinking I would consider a constructive role.

Also, if you have an opinion on this subject, please do contact me and let me know. If you have blogged about it, let me know and I can link to you.

I have categorized the issues into several overarching rhetorical questions.

What is Microsoft proposing here?

• The term “identity meta-system” is ill-defined and often used as a synonym for InfoCards. This is incorrect (Kim agrees). It must be clarified and enforced by people at Microsoft, for all their communications to the outside world. Without this kind of precision in terminology, many people do not feel the can endorse the concept of an identity "meta-system" because they fear it may be construed as endorsing the Microsoft InfoCard product in whatever form it reaches the market. (e.g. by Doc Searls here, look for the word "conflate")
• The press coverage on InfoCard this week (e.g. here) was all about InfoCard as a glorified password manager. Why is there a difference between that public positioning and the positioning that InfoCard is just the visible "identity selector" of a much larger identity "meta-system"?
• "Better explanation is needed why it is better than Firefox’s Password Manager, Opera’s Magic Wand, and SSH keys! (plus some others, I think)" (from /.)
• There needs to be a lot more public documentation and disection, so people can really understand what’s in the InfoCard box (metaphorically because it will come with Vista).
• Does InfoCard violate Kim’s own Fourth Law (Ben Laurie here)
• InfoCard claims "because its inclusive of other systems". However, as Ben Laurie points out, this conjecture has not been proven (he points to Credentica and SXIP, and I’d like to add LID, OpenID and YADIS as other examples, although those might be easier.)

Is it safe for others to partner with Microsoft on this, and to endorse InfoCards and the "identity meta-system"?

• The idea of an identity "meta-system" must not prescribe the use of WS-* or any other protocol. The whole point of an identity meta-system is that it can, and does, describe all protocols, not just those based on WS-*. In other words, Microsoft must be consistent about saying that their choice of WS-Trust (and others from the WS-* stack) is purely tactical, and is perfectly willing support, in their implementation, other protocols doing similar things as WS-Trust if and where they will emerge. (discussion over drinks at the Harvard workshop)
• As long as statements like this are made, slip of the tongue or not: “Microsoft will release the [identity] meta-system with Windows Vista”, very few people will be comfortable with trusting the reportedly new, open, multi-vendor approach that Microsoft claims to be taking.
• Microsoft must provide strong and credible evidence that Microsoft is not going to follow a “lock-in by speed of upgrades” strategy or any similar strategy with a similar effect. While a system may be nominally open, substantial barriers exist in the market if one market participant (Microsoft) has control over the evolution of the market-dominant implementation, whether or not it is based on open standards. This is particularly true of the open standards in question are complex like WS-*. Without this evidence, potential partners will simply not want to take the risk.
• "Does the metasystem require adoption of SOAP and the whole WS-* suite of protocols (or whatever those are) … or something much less than that? I’ve gathered from Kim that WS-Trust is an essential component. But what about the rest of the list? Seems to me that Kim conceives the Identity Metasystem as a wide-open and inclusive architecture in which all kinds of current (LID, Sxip, XRI-XDI) and future identity systems can participate. Is this possible if the required protocols aren’t really open or usable in a practical sense, as Julian contend?" (Doc Searls here. Here is a great illustration of this.)
• Schema extensibility: can only attributes be exchanged that Microsoft has blessed in InfoCards, or could anybody use InfoCards (including the GUI) to exchange data of any kind (like detailed financial information, insurance information, health information etc.) (That’d be an issue I’d like to bring up)

Why should we trust Microsoft to do the right thing this time? What if it is all a sham, and Microsoft as a company is not really behind this untypically open approach?

• For people to trust the InfoCard implementation, the InfoCard implementation must be available in re-compilable source code to pretty much anybody. If it isn’t, neither dissidents nor whistleblowers will ever go near it to assert their identity, and it goes downhill from there in a cascading effect. (e.g. blog platforms can’t use/require it etc.)
• There must be InfoCard implementations from other vendors on other platforms, most importantly on mobile devices, the Mac/iPod, and Linux. These implementations should appear on the market roughly at the same time as Vista ships (preferably earlier, for credibility purposes!) and should be at least as functional as Microsoft’s. (background of the question: historically, there have often be announcement that certain Microsoft technologies were going to be available on non-Windows platforms through certain partners, but often those implementations never saw the light of day or didn’t work well. There needs to be evidence that it is different this time)
• Related issue: "So > 50% of the market is excluded" (Julian Bond here)
• There must be evidence that InfoCard indeed can, and will, interface with all major existing identity systems. For example, there needs to be a Liberty connector out of the box, as we need interop out of the box with major enterprise and consumer identity management systems. (many enterprises)
• If the IP related to InfoCards is indeed supposed to be licensed royalty-free and no copyright / patent / etc. rights are asserted, where is the legally valid statement to that effect?
• “The majority of web site owners simply didn’t trust Microsoft enough to integrate their security in any way.” How can that trust be established? (from /.)
• Crystal-clear, irreversible, official Microsoft statements on these issues are needed in order to trust that the open and engaging approach pioneered around InfoCard is indeed Microsoft’s approach and not just the approach of some committed individuals at Microsoft. In other words, will everything revert back to "normal" if such individuals were hit by the proverbial truck?

If it all goes wrong, what is plan B?

• InfoCard security depends on Vista security. If that was broken, any virus could impersonate the user. Is that correct? What is the contingency plan if/when that happens? Many people assume that this will only be a matter of time.
• The question needs answering: “if somebody steals my laptop, they can now impersonate me?” (from Slashdot)
• If government X of some country compromised the Windows installations in that country (with or without cooperation of Microsoft), how would anybody ever know?

I’m sure I’m missing a whole bunch … let me know! I will also attempt to track the resolution of those issues when/if that occurs. Maybe a column with check boxes to the right might be a way of doing that…