+* Updates
+
+ <b>Sep 20, 2001:</b> Microsoft has just announced some changes
+ to passport that are rather interesting. This document
+ reflects the Passport system without taking into account the
+ new changes.
+
+ Read about it <a href="http://www.microsoft.com/presspass/features/2001/sep01/09-20passport.asp">here</a>.
+
+ For an analysis of security problems with passport, check <a
+ href="http://avirubin.com/passport.html">http://avirubin.com/passport.html</a>.
+ The bottom line is that you should not put any sensitive
+ information on passport.
+
+ I have received many comments from people, and I have updated
+ the page accordingly. From removing incorrect statements, to
+ fixing typos, to include mentions to other software pieces.
+
+ I also corrected my statement about IIS and a trojan horse, I
+ should read a more educated press in the future. My apologies
+ to Microsoft and its employees on this particular topic. IIS
+ did not have a trojan horse built in.
+
* Microsoft Hailstorm and Passport
Microsoft Passport is a centralized database hosted by
** Passport
- There is nothing in Passport really advanced technologically
- speaking.
+ Passport is important not because of it being a breakthrough
+ technologically speaking, but because the company is in a
+ position to drive most people toward being suscribers of it.
+
+ At the time of this writing passport is required to use the
+ free mail service <a href="http://www.hotmail.com">Hotmail</a>
+ to get customized support for the <a
+ href="http://www.msn.com">MSN portal</a>, <a
+ href="http://msdn.microsoft.com">Microsoft Developers
+ Network</a> and according to the original announcement from
+ Microsoft <a href="http://www.americanexpress.com">American
+ Express</a> and <a href="http://www.ebay.com">EBay</a> will be
+ adopting it.
+
+ There is already a <a
+ href="http://www.passport.com/Directory/Default.asp?PPDir=C&lc=1033">Large
+ list</a> of participating sites.
+
+ There are many current users of it and Microsoft will be
+ driving more users towards Passport as it <a
+ href="http://news.cnet.com/news/0-1003-200-6343275.html">integrates
+ it</a> in their upcoming release of Windows.
+
+ Microsoft has also <a
+ href="http://www.passport.com/Business/JoinPassportNetwork.asp?lc=1033">developed
+ a toolkit</a> to enable current web merchants to integrate
+ their services with passport.
+
+ To the end user, there is a clear benefit: they only have to
+ log into a single network and not remember multiple passwords
+ across sites on the internet. Companies that adopt passport
+ will have a competition advantage over those that dont.
+ Microsoft lists a list of <a
+ href="http://www.passport.com/Business/Default.asp?lc=1033">benefits</a>
+ to companies.
+
+
+** The problems of Passport
+
+ There are a number of concerns that different groups have over
+ Passport. Sometimes I have some, sometimes I do not. But
+ overall, consumers and businesses can have better solutions.
+
+ <ul>
+ * <b>Single Point of Failure:</b> As more services and
+ components depend on remote servers, functionality can
+ grind to a halt if there is a failure on the
+ centralized Passport system.
+
+ Such a failure was predicted, and we recently <a
+ href="http://news.cnet.com/news/0-1005-200-6473003.html">witnessed</a>
+ got a lot of people worried.
+
+ The outgage lasted for seven days. Think what this
+ could do to your business.
+
+ * <b>Trust:</b> Not everyone trusts Microsoft to keep
+ their information confidential. Concerns are not only
+ at the corporate level policy, but also the fact that
+ the source code for Microsoft products is not
+ available, means that trojans or worms could be built
+ into the products by malicious engineers.
+
+ Various government officials in non-US countries also
+ have a policy that no state sensitive information can
+ be held by foreign companies in foreign soil. A natural
+ matter of national security to some.
+
+ * <b>Security:</b> With a centralized system like
+ Passport, imagine the repercussions of a malicious
+ hacker gaining access to the Passport database.
+ Personal information and credit card information about
+ almost everyone using a computer could be stored there.
+
+ Hackers have already <a
+ href="http://slashdot.org/articles/00/10/27/1147248.shtml">broken
+ into Microsoft</a> in the past. And the company was
+ unable to figure out for how long their systems had
+ been hacked.
+
+ Security holes have been found in <a
+ href="http://slashdot.org/articles/00/04/14/0619206.shtml">IIS
+ in the past.</a> If all the world's data is stored on
+ a central location, when a single security hole is
+ detected, it would allow an intruder to install a
+ backdoor within seconds into the corporate network
+ without people ever noticing.
+
+ Microsoft itself has been recently hit by worms,
+ imagine if all your business depended on a single
+ provider for providing all or your authentication
+ needs
+ </ul>
+
+ Microsoft might or might not realize this. The idea behind
+ Passport is indeed a good one (I can start to get rid of my
+ file that keeps track of the 30 logins and passwords or so
+ that I use across the various services on the net myself).
** Alternatives to Microsoft Passport
+ An alternative to Microsoft Passport needs to take the above
+ problems into consideration. Any solution of the form `We
+ will just have a competing offering' will not work.
+
+ The system thus has to be:
+
+ <ul>
+ * <b>Distributed:</b> The entire authentication
+ system should not create an internet `blackout' in the
+ case of failure.
+
+ A distributed system using different software
+ platforms and different vendors would be more
+ resistent to an attack, as holes in a particular
+ implementation of the server software would not affect
+ every person at the same time.
+
+ A security hole attack might not even be relevant to
+ other software vendors software.
+
+ * <b>Allow for multiple registrars:</b> Users should
+ be able to choose a registrar (their banks, local
+ phone company, service provider, Swiss bank, or any
+ other entity they trust.
+
+ * <b>Mandate good security measures:</b> As a
+ principle, only Open Source software should be used
+ for servers in the registrar, and they should conform
+ to a standard set of tools and software that can be
+ examined by third parties.
+ </ul>
+
+ An implementation of this protocol could use the DNS or a
+ DNS-like setup to distribute the information of users with the
+ possibility of replicating and caching public information
+ about the user.
+
+ For instant messaging (another piece of the Hailstorm bit),
+ you want to use a non-centralized system like Sun's <a
+ href="http://www.jxta.org">JXTA</a>. Some people mailed me to
+ mention Jabber as a messaging platform and other people
+ pointed out to the <a
+ href="http://java.sun.com/products/jms/">Java Message
+ Service</a>. The JMS does support a number of very
+ interesting features that are worth researching.
+
+ It could also just use the user e-mail address as the `key' to
+ choose the registrar (msn.com, hotmail.com -> passport.com;
+ aol.com -> aol.passport.com; you get the idea).
+
+ The <a
+ href="http://www.soapware.org/xmlStorageSystem">xmlStorage</a>
+ idea from <a href="http://www.scripting.com">Dave Winer</a>
+ could be used to store the information.
+
+ A toolkit for various popular web servers could be provided,
+ authenticated and should be open sourced (for those of you who
+ think that a binary program would give more security and would
+ prevent people from tampering: you are wrong. You can always
+ use a proxy system that "behaves" like the binary, and passes
+ information back and forth from the real program, and snoops
+ in-transit information).
+
+ Good cryptographers need to be involved in this problem to
+ figure out the details and the possible insecure pieces of a
+ proposal like this.
+
+** Implementation: In short
+
+ To keep it short: <b>DNS, JXTA, xmlStorage.</b>
+
+
+** Deploying it
+
+ The implementation of such a system should be a pretty
+ straightforward task once security cryptographers have
+ designed such a beast.
+
+ The major problems are:
+
+ <ul>
+ * <b>People might just not care:</b> In a poll to US
+ citizens a couple of decades ago, it was found that
+ most people did not care about the rights they were
+ given by the Bill of Rights, which lead to a number of
+ laws to be passed in the US that eliminated most of
+ the rights people had.
+
+ * <b>The industry will move way too slow:</b>
+ Microsoft's implementation is out in the open now: it
+ is being deployed, and soon it will be insinuated to
+ many, many users. The industry needs to get together
+ soon if they care about this issue.
+
+ By the time the industry reacts, it might be too
+ late.
+ </ul>
+
+** Passport and Mono
+
+ The .NET class libraries include a Passport class that
+ applications might use to authenticate with Passport. Since
+ we do not have information at this point on the exact protocol
+ of Passport, it is not even feasible to implement it.
+
+ If at some point the information is disclosed, it could be
+ implemented.
+
+ If a competing system to Passport existed, we could probably
+ hide all the authentication information to use a number of
+ different passport-like systems.
+
+ If a user does not want to use Passport at all, he could
+ always turn it off (or completely remove the class from the
+ library). After all, this is free software.
+
+ Currently, we are too far from the point where this is a real
+ issue.
+
+** Passport and endangering Open Source.
+
+ A few people have said: `Mono will allow Passport to be
+ available for Linux and that is bad'. This is plain
+ misinformation.
+
+ Currently, you can obtain Passport for Linux from Microsoft
+ itself and deploy it today on your Web server. Mono does not
+ even enter the picture here. Go to passport.com and download
+ the toolkit and you will see with your own eyes that passport
+ is <B>already</b> available for Linux.
+
+** Disclaimer
+
+ This is just a group of personal thoughts of mine that I have
+ placed here because I get asked this question a lot lately.
+ The views of this page are not a statement from my employer
+ (Ximian, Inc).
+
+ This is not part of Mono. We are not trying to deal with this
+ problem.
+
+ Nat Friedman (Ximian's co-founder) has his own ideas on how a
+ competing system to Passport could be designed, but I will let
+ <a href="http://www.nat.org/">him</a> post his own story.
+
+** Other Passport Comments
+
+ An interesting study on the security of passport is available at: <a
+ href="http://avirubin.com/passport.html">http://avirubin.com/passport.html</a>
+
+** Other Alternatives
+
+ Some people have pointed out <a
+ href="http://www.xns.org">XNS</a>
+Send comments to me: Miguel de Icaza (<a
+ href="mailto:miguel@ximian.com">miguel@ximian.com</a>)
projects / mono.git / blobdiff