Microsoft last week laid out a model for a distributed identity infrastructure designed to simplify access to corporate resources and protect user privacy across the Internet.

The model begins with a seven-point conceptual representation of digital identity that Microsoft has been discussing with industry experts, including the open source community, for a month. Last week, Microsoft released a description of its Identity Metasystem architecture, which adheres to the conceptual representation. The company also said it was readying client, server and development tools for users to build an open and extensible identity system based on Web services protocols that is compliant with the Metasystem outline.

The goal is to provide users with the means to join, or federate, their identity systems internally and across the Internet regardless of the platforms they run on or technology they use for identity, including Kerberos, X.509 and the Security Assertion Markup Language (SAML).

"The trick is to build a framework that all these security systems can work in," says John Shewchuk, CTO of distributed systems for Microsoft. "It's mainframe, it's Java, it's everything."

Observers and critics applaud Microsoft for stimulating open discussion with its "Seven Laws of Identity," a manifesto published last month on the blog of Microsoft Directory Architect Kim Cameron that lays out the dynamics of digital identity.

"The industry would be a better place if we can build on these laws," says Pamela Dingle, a consultant with Nulli Secundus. "This is a beginning."

But there isn't universal appeal for Microsoft's implementation of the Identity Metasystem, described in a white paper published last week.

The Metasystem, in essence, is a network layer that carries all identity traffic regardless of protocol or format, much like TCP/IP carries traffic regardless of underlying network protocols such as Ethernet, frame relay or X.25.

In the Metasystem, when identity data reaches its destination, a software-based translator turns the data into the format needed to access a particular resource. The Metasystem defines certain requirements such as ways to express identity; negotiate the exchange of identity data; establish trust between network nodes; and integrate disparate identity token formats such as Kerberos tickets, X.509 certificates or SAML assertions.

Microsoft says users can plug their access control infrastructures and corporate applications into this identity architecture without rewriting any code.

The rub is that the proposed Metasystem implementation relies on WS-Trust and other Web services protocols created by Microsoft and IBM, a factor critics say could be a showstopper until those protocols are submitted to a standards body.

"I'm real interested to see if they can do any-to-any integration," says Dave Miller, chief security officer for Covisint, best known for creating an integration hub for the automotive industry. "IBM tends to support what they write and Microsoft is even worse. They support their stuff first and everyone else's never."

Microsoft's planned Metasystem implementation revolves around a variety of tools: the company's new technology called Info Card that lets users aggregate their identity information and control its release; a middleware technology under development called Indigo; Active Directory and the Microsoft/IBM controlled slate of Web services protocols, including WS-Trust, WS-Secure Conversation, WS-SecurityPolicy and WS-MetadataExchange.

"It's a brave new world with a whole set of specifications that have been developed outside the real world - at least outside of our real world," says Bob Morgan, senior technology architect at the University of Washington and a member of the steering committee for the Shibboleth federated identity project for Internet2.