Microsoft Pushes Interoperable Net Trust Network

Microsoft Corp., acknowledging that no single company will be able to provide a universal single sign-in or authentication service, will announce Thursday an initiative that it hopes will facilitate a trusted, interoperable authentication network across the Internet.

The Redmond, Wash., software maker also hopes the move will help spur adoption and usage of its Passport authentication service and, ultimately, its Web services.

Brian Arbogast, vice president of Microsoft's .Net core services platform, told eWEEK that the company is proposing an Internet trust network that would enable open, federated authentication and that would bring universal single sign-in to all users and provide interoperability among different enterprise and service authentication systems.

The goal is to enable Web services based on XML (Extensible Markup Language) to interoperate freely, through a broad Internet trust network that works in a manner similar to e-mail, DNS and the ATM network created by the banking industry, Arbogast said.

HailStorm gets new name

Microsoft has also renamed its core group of initial Web services, known as HailStorm until now, to .Net My Services. These will also be federated, but details will only be made available at the company's Professional Developer Conference in Los Angeles in October, he said.

"We realize that there will be many different authenticators on the Internet, including enterprises for their own staff and other service operators beyond Microsoft," Arbogast said. "As such, we need a model for bridging across these networks. We at Microsoft believe in and support an open model for authentication on the Internet."

To achieve this, the network and Microsoft's own Passport service will support Kerberos 5.0, an open standard for authentication, which "provides a secure mechanism for creating trusted relationships across otherwise distinct boundaries," he said. "Its use will also remove the technical barriers that have until now prevented the trustworthy sharing of user credentials among independent, competing or otherwise incompatible systems."

Microsoft will take the lead in the formation of this network by making Passport available for federation with other authentication systems, he said. This essentially means that Passport will be able to accept credentials issued by other organizations that are part of the network, while those organizations could in turn accept Passport credentials. This is a major shift for the software company, which has, until now, been the only operator of Passport.

"This federated model allows organizations to retain fine-grained and secure control over their user identities, profiles and other business data, while participating in a trusted network that delivers a unified experience to users," Arbogast said.

As such, it will be built on a common set of technical and operational guidelines and open to any organization supporting those standards.

But there will have to be a set of technology and operating agreements between the partners in the trust network around things like key exchange, management procedures, security, privacy and operations procedures. Microsoft is currently working on these operating agreements, he said.
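The federation model described above, in which a relying party accepts credentials only from authenticators it has an established trust agreement with, can be shown in miniature. The following is an added illustration written for this page; it is not Microsoft's code, not Passport's protocol and not Kerberos. It uses HMAC-signed tokens as a simplified stand-in for cross-realm Kerberos tickets, and the issuer names and keys are constructed test values standing in for whatever the partners' key-exchange agreements would actually establish.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed sample keys for two hypothetical authenticators in the trust
# network. In a real deployment these would be established through the
# key-exchange and operating agreements between partners; here they are
# fixed test values so the example runs offline.
ISSUER_KEYS: Dict[str, bytes] = {
    "passport.example": b"constructed-key-passport",
    "enterprise.example": b"constructed-key-enterprise",
}


def _canonical(body: dict) -> bytes:
    """Serialize the credential body deterministically so issuer and
    verifier compute the MAC over identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(issuer: str, subject: str, key: bytes,
                     ttl: int = 300, now: Optional[float] = None) -> dict:
    """An authenticator signs a short-lived assertion about a subject.
    The tag binds issuer, subject and expiry together under the issuer's key."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "sub": subject, "exp": int(now) + ttl}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class RelyingParty:
    """A service that honours credentials from every issuer it has federated
    with, and nothing else. The trust registry is the whole policy."""

    def __init__(self, trusted_issuers: Dict[str, bytes]):
        self.trusted: Dict[str, bytes] = dict(trusted_issuers)

    def federate(self, issuer: str, key: bytes) -> None:
        """Add a partner authenticator once a trust agreement is in place."""
        self.trusted[issuer] = key

    def verify(self, cred: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason_or_identity).

        Order matters: an unknown issuer is rejected before any cryptographic
        work, a bad tag before the expiry check, so the reason reported is the
        first policy failure rather than a downstream symptom."""
        body = cred.get("body", {})
        issuer = body.get("iss")
        key = self.trusted.get(issuer)
        if key is None:
            return False, "untrusted issuer: %r" % (issuer,)
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking tag bytes via timing.
        if not hmac.compare_digest(expected, cred.get("tag", "")):
            return False, "signature mismatch"
        now = time.time() if now is None else now
        if body.get("exp", 0) <= now:
            return False, "credential expired"
        # The identity is qualified by its issuer: the same username at two
        # authenticators is two different principals.
        return True, "%s:%s" % (issuer, body["sub"])


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through the federation scenario with fixed timestamps."""
    rp = RelyingParty({"passport.example": ISSUER_KEYS["passport.example"]})
    cred = issue_credential("enterprise.example", "alice",
                            ISSUER_KEYS["enterprise.example"], now=1000)
    results = {"before_federation": rp.verify(cred, now=1100)}
    rp.federate("enterprise.example", ISSUER_KEYS["enterprise.example"])
    results["after_federation"] = rp.verify(cred, now=1100)
    tampered = {"body": dict(cred["body"], sub="mallory"), "tag": cred["tag"]}
    results["tampered"] = rp.verify(tampered, now=1100)
    results["expired"] = rp.verify(cred, now=2000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point the model makes is that federation is a registry decision, not a protocol change: the same credential is rejected before `federate()` and accepted after it, while tampering and expiry are still caught regardless of which issuer signed. Two operational consequences follow directly. First, every entry in that registry is a trust decision that needs an owner and a revocation path, since removing a key is the only way to un-federate. Second, identities must stay issuer-qualified, otherwise a user named `alice` at one partner could be confused with `alice` at another.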

Moving forward, Passport will support universal single sign-in next year, while the upcoming Microsoft Windows .Net Server line -- due for release next year -- will allow organizations of all sizes to easily and securely participate in the Internet trust network.

If the initiative gets off the ground, enterprises will be able to participate by licensing a Windows .Net server or buying an implementation of Kerberos Version 5. Authentication providers will be able to outsource authentication to Passport or, in the future, to other federated authentication providers. They will also be able to buy or build an authentication system that is compliant with Kerberos Version 5, he said.

But industry sources, who declined to be named at this early stage, were reserved in their response, saying that while the broad concept of many federated authentication services is appealing, there are a lot of second-order issues that need to be addressed.

"From what I can see, Microsoft intends still, on the client side, to have just one authentication service offered to the preponderance of consumers who use PCs. So it will be interesting to see where they ultimately come out on that. But, in the abstract, should there be an ability for server-to-server interoperability on authentication services, that would be appealing," one source said.

Another source cautioned that it is still far too early to make a decision about participating until it is clear exactly what Microsoft is proposing, and "since it's Microsoft, you've always got to look and see exactly what the fine print is," he said.

Microsoft's Arbogast said there has already been a round of discussions with enterprises and other interested parties in this regard, which will be aggressively pursued. "We intend to use the Trusted Computing Conference in November to continue our discussions with industry, government and policy groups," he said.

AOL Time Warner Inc. is one of the companies Microsoft is hoping will throw its weight behind the initiative. "We are calling on competitors like AOL to adopt the same model and to interoperate and federate with us, but I don't know to what degree they're prepared to open up and change their model to participate in this," Arbogast said.

AOL spokesman Jim Whitney told eWEEK Thursday morning that the company has not been formally approached by Microsoft as yet. "We are not going to comment on this until we know more about it. This announcement is the first we have heard of it. We will be looking at the proposal and then make a determination on the correct way to respond," he said.

Arbogast said Microsoft will "continue to engage with AOL on a number of fronts and will welcome them to this model of building on a trusted network of authentication on the Internet."