Who do you trust more than Microsoft?

IBM and Novell announce donations of code and support for the Higgins open source identity management framework.

Microsoft's project Hailstorm promised single sign-on and selective sharing of personal information stored at a central location. However, it withered on the vine because a) central information stores are juicy targets for thieves, and b) nobody quite trusted Microsoft to keep their deepest secrets safe from prying eyes.

Today Novell and IBM threw their weight behind a framework that uses a completely different approach: project Higgins. First, it's an API that aggregates trust providers from many different vendors. For example, IBM is planning to use it in its commercial Tivoli identity management software. Programmers can write smart, secure applications using these calls and not be locked in to any particular technology or provider.

Second, it's designed mainly for local trust stores under the control of the user. Thus, in order to get a million credit card numbers, an identity thief would have to compromise a million computers instead of just one central server.

Although some vendors (*cough*Microsoft*cough*) would have you believe security by obscurity is best, open source gives you the ability to audit the code for yourself to make sure. A good hacker with a disassembler can pretty much see any code anyway, so don't kid yourself otherwise.

When asked if Higgins was intended to be competition for Microsoft's latest initiative, InfoCard, Anthony Nadalin, chief security architect at IBM, said:

"We are not here to create another identity system; we are here to aggregate the existing systems. We have invited Microsoft to participate...and we will continue to work with Microsoft to integrate with InfoCard. We think that has to happen."

So far Sun hasn't been mentioned, but if Sun and Microsoft join the project, I'll eat my blog.