* Updates
Sep 20, 2001: Microsoft has just announced some changes
to passport that are rather interesting. This document
reflects the Passport system without taking into account the
new changes.
Read about it here.
For an analysis of security problems with passport, check http://avirubin.com/passport.html.
The bottom line is that you should not put any sensitive
information on passport.
I have received many comments from people, and I have updated
the page accordingly. From removing incorrect statements, to
fixing typos, to include mentions to other software pieces.
I also corrected my statement about IIS and a trojan horse, I
should read a more educated press in the future. My apologies
to Microsoft and its employees on this particular topic. IIS
did not have a trojan horse built in.
* Microsoft Hailstorm and Passport
Microsoft Passport is a centralized database hosted by
Microsoft that enhances the consumer experience with the Web
by providing a single logon system that they can use across a
number of participant web sites.
As you might know by now from our extensive FAQ, the Mono project has nothing to do
with Microsoft Hailstorm or Microsoft Passport.
Still a lot of people have asked us our opinion on them.
** Passport
Passport is important not because of it being a breakthrough
technologically speaking, but because the company is in a
position to drive most people toward being suscribers of it.
At the time of this writing passport is required to use the
free mail service Hotmail
to get customized support for the MSN portal, Microsoft Developers
Network and according to the original announcement from
Microsoft American
Express and EBay will be
adopting it.
There is already a Large
list of participating sites.
There are many current users of it and Microsoft will be
driving more users towards Passport as it integrates
it in their upcoming release of Windows.
Microsoft has also developed
a toolkit to enable current web merchants to integrate
their services with passport.
To the end user, there is a clear benefit: they only have to
log into a single network and not remember multiple passwords
across sites on the internet. Companies that adopt passport
will have a competition advantage over those that dont.
Microsoft lists a list of benefits
to companies.
** The problems of Passport
There are a number of concerns that different groups have over
Passport. Sometimes I have some, sometimes I do not. But
overall, consumers and businesses can have better solutions.
* Single Point of Failure: As more services and
components depend on remote servers, functionality can
grind to a halt if there is a failure on the
centralized Passport system.
Such a failure was predicted, and we recently witnessed
got a lot of people worried.
The outgage lasted for seven days. Think what this
could do to your business.
* Trust: Not everyone trusts Microsoft to keep
their information confidential. Concerns are not only
at the corporate level policy, but also the fact that
the source code for Microsoft products is not
available, means that trojans or worms could be built
into the products by malicious engineers.
Various government officials in non-US countries also
have a policy that no state sensitive information can
be held by foreign companies in foreign soil. A natural
matter of national security to some.
* Security: With a centralized system like
Passport, imagine the repercussions of a malicious
hacker gaining access to the Passport database.
Personal information and credit card information about
almost everyone using a computer could be stored there.
Hackers have already broken
into Microsoft in the past. And the company was
unable to figure out for how long their systems had
been hacked.
Security holes have been found in IIS
in the past. If all the world's data is stored on
a central location, when a single security hole is
detected, it would allow an intruder to install a
backdoor within seconds into the corporate network
without people ever noticing.
Microsoft itself has been recently hit by worms,
imagine if all your business depended on a single
provider for providing all or your authentication
needs
Microsoft might or might not realize this. The idea behind
Passport is indeed a good one (I can start to get rid of my
file that keeps track of the 30 logins and passwords or so
that I use across the various services on the net myself).
** Alternatives to Microsoft Passport
An alternative to Microsoft Passport needs to take the above
problems into consideration. Any solution of the form `We
will just have a competing offering' will not work.
The system thus has to be:
* Distributed: The entire authentication
system should not create an internet `blackout' in the
case of failure.
A distributed system using different software
platforms and different vendors would be more
resistent to an attack, as holes in a particular
implementation of the server software would not affect
every person at the same time.
A security hole attack might not even be relevant to
other software vendors software.
* Allow for multiple registrars: Users should
be able to choose a registrar (their banks, local
phone company, service provider, Swiss bank, or any
other entity they trust.
* Mandate good security measures: As a
principle, only Open Source software should be used
for servers in the registrar, and they should conform
to a standard set of tools and software that can be
examined by third parties.
An implementation of this protocol could use the DNS or a
DNS-like setup to distribute the information of users with the
possibility of replicating and caching public information
about the user.
For instant messaging (another piece of the Hailstorm bit),
you want to use a non-centralized system like Sun's JXTA. Some people mailed me to
mention Jabber as a messaging platform and other people
pointed out to the Java Message
Service. The JMS does support a number of very
interesting features that are worth researching.
It could also just use the user e-mail address as the `key' to
choose the registrar (msn.com, hotmail.com -> passport.com;
aol.com -> aol.passport.com; you get the idea).
The xmlStorage
idea from Dave Winer
could be used to store the information.
A toolkit for various popular web servers could be provided,
authenticated and should be open sourced (for those of you who
think that a binary program would give more security and would
prevent people from tampering: you are wrong. You can always
use a proxy system that "behaves" like the binary, and passes
information back and forth from the real program, and snoops
in-transit information).
Good cryptographers need to be involved in this problem to
figure out the details and the possible insecure pieces of a
proposal like this.
** Implementation: In short
To keep it short: DNS, JXTA, xmlStorage.
** Deploying it
The implementation of such a system should be a pretty
straightforward task once security cryptographers have
designed such a beast.
The major problems are:
* People might just not care: In a poll to US
citizens a couple of decades ago, it was found that
most people did not care about the rights they were
given by the Bill of Rights, which lead to a number of
laws to be passed in the US that eliminated most of
the rights people had.
* The industry will move way too slow:
Microsoft's implementation is out in the open now: it
is being deployed, and soon it will be insinuated to
many, many users. The industry needs to get together
soon if they care about this issue.
By the time the industry reacts, it might be too
late.
** Passport and Mono
The .NET class libraries include a Passport class that
applications might use to authenticate with Passport. Since
we do not have information at this point on the exact protocol
of Passport, it is not even feasible to implement it.
If at some point the information is disclosed, it could be
implemented.
If a competing system to Passport existed, we could probably
hide all the authentication information to use a number of
different passport-like systems.
If a user does not want to use Passport at all, he could
always turn it off (or completely remove the class from the
library). After all, this is free software.
Currently, we are too far from the point where this is a real
issue.
** Passport and endangering Open Source.
A few people have said: `Mono will allow Passport to be
available for Linux and that is bad'. This is plain
misinformation.
Currently, you can obtain Passport for Linux from Microsoft
itself and deploy it today on your Web server. Mono does not
even enter the picture here. Go to passport.com and download
the toolkit and you will see with your own eyes that passport
is already available for Linux.
** Disclaimer
This is just a group of personal thoughts of mine that I have
placed here because I get asked this question a lot lately.
The views of this page are not a statement from my employer
(Ximian, Inc).
This is not part of Mono. We are not trying to deal with this
problem.
Nat Friedman (Ximian's co-founder) has his own ideas on how a
competing system to Passport could be designed, but I will let
him post his own story.
** Other Passport Comments
An interesting study on the security of passport is available at: http://avirubin.com/passport.html
** Other Alternatives
Some people have pointed out XNS
Send comments to me: Miguel de Icaza (miguel@ximian.com)