Microsoft Opens Passport, But To Where?
Think of how your automated teller machine card works: You need cash, so you go to the nearest bank. Doesnt make a difference that you may not have an account there. If the bank is part of that network of banks that link their ATMs - such as the Cirrus network - then your ATM card and password give you access to your money.
Thats how Microsoft described its plan for a new, "open" Passport on Thursday, Sept. 20. Passport is the digital wallet and user authentication technology at the heart of Microsofts plan to build a network of e-commerce and data interchange services under its .Net umbrella. Those services, previously known as HailStorm and due next year, are now officially called .Net My Services.
Like an ATM card, Microsoft wants Passport to be accepted anywhere on the Web - whether that site or service is using Microsofts .Net technology or not.
And in a move aimed at quelling antitrust concerns over the fact that Passport and .Net My Services would have made Microsoft the repository of users personal data - everything from name, address and credit card data to address book and calendar information - Microsoft said it no longer has to be the sole keeper of that data. By opening Passport, Microsoft allows developers of rival digital wallet technologies - such as AOL, which is reportedly developing a Passport rival code named "Magic Carpet" - to have their "cards" accepted at Passport-enabled sites and Web services, and remain the keepers of users data.
Its all about building a "network of trust," according to Microsoft. "Your individual bank is part of a larger ATM-service-based network built on a common operating agreement among the various member banks. . . . You can use your individual ATM card at any one of thousands of ATM machines," said Christopher Payne, Microsoft vice president of the .Net Core Services Platform, in a Q&A posted on Microsofts site (www.microsoft.com/presspass/features/2001/sep01/09-20passport.asp). "On the Web, customers will have a similarly seamless experience. They wont have to remember different sign-in names and passwords as they travel about the Internet."
And they wont have to turn over their data to Microsoft. "The data always remains with the user, who has the ability now to store that data with the participating Internet trust network provider - such as their own company or a site operator of their choosing," Payne said.
But just as people who use ATMs have learned that a network of convenience comes at a price - in the form of surcharges automatically deducted from their accounts - analysts and privacy watchers said theyre not yet sure what hidden costs there are to Microsofts open Passport proposal.
"Microsoft announced that it plans to make the technical standards for Passport, its online identification system, open to other companies. The company claimed this as a privacy benefit," said Jason Catlett, president of Junkbusters, one of 14 privacy groups that filed a complaint against Microsofts proposed .Net data collection practices with the Federal Trade Commission in August
"Its good to see Microsoft giving up on this attempt to use their operating system monopoly to reinforce their monopoly on identity services, but they currently have over 100 million people in their Passport database," Catlett said. "Even if AOL and other competitors were to sign up half of their customers, Microsoft would still dominate. Instead of one enormous database, therell be one huge database and a few big ones. Thats slightly better, but only slightly. Microsoft must be restrained from continuing to collect and use personal information unfairly."
Network of trust?
The 2-year-old Passport service sits at the heart of Microsofts ambitions to turn into reality its vision of a digital economy interconnected through Windows-based Web services. Passport is included in the upcoming Windows XP operating system, due Oct. 25, and is intended to serve as the sign-on to .Net My Services -- everything from .Net-enabled e-commerce and content sites to Web-based services such as calendars and notification services.
Microsoft claims it has more than 165 million accounts, though it acknowledges that not all of those represent active users. Today, about 75 companies -- including Starbucks -- use Passport for consumer transactions. Microsoft also uses Passport to authenticate users of its Hotmail free Web e-mail service, its instant messaging service and other MSN Web properties. In order to use Windows XP Messenger, the IM client built into the new operating system, XP must sign up for Passport.
Microsoft was motivated to open Passport because it recognized that "the challenge of providing universal single sign-in is larger than any one company," said Bob Muglia, Microsofts group vice president of .Net Services. "If we are going to be successful in building a trusted authentication network across the Web, we will need broad participation from industry, government and public policy groups."
If anyone can build support for the creation of an ATM-like federation for digital wallets, its Microsoft, say analysts. "What theyre doing is they are fast-tracking, using their size and market power, the standards process for Passport, for an authentication system for e-commerce," said Rob Enderle, research fellow at the Giga Information Group. "And given its market size, Microsoft still has the strongest physical advantages to making .Net the standard for e-commerce."
So far, there arent any takers. AOL said it is still evaluating the proposal, and a Microsoft spokesman said Thursday the company is in conversations with potential partners, but has no announcements to make at this time.
Microsoft said the "network of trust" it envisions will be based on Kerberos, the Internet Engineering Task Forces network security standard for user authentication. First developed at the Massachusetts Institute of Technology in the mid-1980s for Unix, the open source code system requires an exchange of messages over a network with a secure Kerberos server to confirm a user ID. To minimize breaches, no passwords are used.
Instead, a client submits an encryption key known only to a single user, and the Kerberos server verifies the user ID, returning an encrypted certificate that can travel over the network.
In each step of Kerberos authentication, the bits of the message are counted upon receipt to make sure the message wasnt tampered with en route. A snooper detecting the encrypted traffic cannot decipher it without the encryption key.
Microsoft is proposing using Kerberos Version 5.0 as the basis for trust between its Passport servers and other parties. At the same time, Microsoft has come under fire for tampering with Kerberos.
In June 2000, Ted Tso, a member of the original Kerberos development team, charged that Microsoft had filled in the data authorization field in the certificate issued by the Windows 2000 version of Kerberos. Other Kerberos systems leave the field blank because no standard way of using it has been defined. The entry is required by Microsofts Active Directory, in effect, making companies that use Kerberos go through a Windows server in order to get user information in Active Directory.
"No one else uses the data authorization field this way," said Tso, a former software engineer with VA Linux Systems and currently a security consultant.
Doing this without documenting the change to the IETF, Microsoft was like "embracing an open standard and deforming it," said Paul Hill, a current member of the MIT Kerberos team.
But Microsoft insists that it will base Passport authentication on standard Kerberos operations, not the modified Windows 2000 Kerberos. When it says third parties may use Kerberos for secure communications between their enterprises and the Passport server, it means MIT Kerberos, said Microsofts Payne.
"The issue comes down to who controls the standard for single user sign-on," said Bernie Mills, vice president of marketing for open source tool company CollabNet. To Mills, if Passport became the dominant means of authorization on the Internet, it would be far from open because it remains under the control of Microsoft.
Chris DiBona, program director of the Open Source Developer Network at VA Linux Systems, questioned whether the approach could truly be termed open when Microsoft holds patents on its software. Enterprises and service providers relying on the Passport servers could find Microsoft levying a patent-licensing fee on them at a future date, he claimed.
But Microsoft insisted that there were no hidden controls. "You do not need any Microsoft software or licensing to federate with Passport. No Microsoft intellectual property is required," said company spokesman Erik Denny, adding, "there will be a certification process that will need to happen for this trusted network to take off. I dont have the details. This is just announcing the strategy. This is just the starting point."