Microsoft Opens Passport to Scrutiny
Posted on 10/11/2002 2:07:06 PM PDT by Bush2000
Source code for server portion will be released, encouraging interoperability with other single-sign-on specs.
Susan Perschke, special to PCWorld.com
Thursday, October 10, 2002
DENVER -- Microsoft will release part of its Passport source code into the public domain so that developers can create their own versions of the single-sign-on specification for internal use or for resale.
The company announced the policy change at the Digital ID World Conference here this week, as part of a presentation by Craig Mundie, Microsoft's chief technical officer. Passport is Microsoft's user-identification system, deployed on a multitude of Microsoft platforms such as MSN and Hotmail.
The source-code release could come as soon as the end of November, Pete McKiernan, Microsoft product manager for the .Net platform, told PCWorld.com. It is the server-based Passport Manager portion of the technology, and it will be delivered in the form of a server code object, currently compatible with Windows 2000 server products. Mundie said the release lets licensees "extend, improve, and innovate" the Passport product under Microsoft's Shared Source License. Developers can view, change, and modify features as they wish, and they can copy the software without royalties or license fees.
Microsoft's decision is not entirely altruistic; the company obviously hopes its action will spur adoption of its single-sign-on technology among corporate and commercial developers. Microsoft is also apparently warming to eventually enabling Passport to interoperate with a single-sign-on specification being developed by the Liberty Alliance, a consortium of 120 technology and services companies--many of them Microsoft rivals.
In addition, Microsoft hopes that the source-code release will enhance the general acceptance of Passport as an industry standard for user identification and authentication, McKiernan added. Other code shared through Microsoft's Shared Source program includes Windows CE and pieces of Microsoft's .Net Framework.
Mundie characterized such standards as an "emerging layer" of technology that handles digital identification. Hardware-specific solutions may eventually be necessary to meet regulations for security and for confirming identities digitally, he said. Microsoft is taking that approach in its Palladium project, which ensures trusted communications by linking hardware and software security inside a Windows PC.
Mundie announced Microsoft's decision during a session entitled "How Digital Identity Helps Deliver Trustworthy Computing," which takes its name from Microsoft's recent secure-programming campaign. Passport's security and privacy provisions have drawn criticism from the Federal Trade Commission, which has accused Microsoft of misrepresenting the capabilities of the single-sign-on service.
Thursday's announcement follows on the heels of competitor Sun's recent release of an open-source software development tool that supports the Liberty Alliance standard.
Still Some Fees
However, not all aspects of Passport will be free of charge. Organizations using Passport for online commerce, for example, will still have to sign a contract and pay a fee for access to the service, which resides on Microsoft's own servers, said Adam Sohn, product manager for Microsoft's .Net platform group.
"For [developers] who want to build applications that plug into the Passport service, it just becomes easier for them to do that" with access to the source code, Sohn said.
The Passport Manager technology sits on the authentication system of a Web site or an application and communicates with Microsoft's Passport servers, where users are authorized and credentials are stored, Sohn said. Passport Manager is "really just the communications integration point," he said.
Microsoft earlier indicated it would incorporate more industry standards into Passport. The company has said it will support the standard authentication technology Kerberos to encourage compatibility among systems. It also has pledged to add support for Security Assertion Markup Language, which would also make compatibility more viable.
"Federation is an architectural challenge that we're still working on," Sohn said. He said Microsoft expects to fully integrate Kerberos into its products sometime in 2003, which will further its efforts.
In his presentation Mundie also said Microsoft is developing a Passport Password Quality Meter, designed to measure the level of security that a password might offer.
Hey, B2K, see why you find me frequenting tech threads less and less?
This says it all.
Yes. I fit that description as well.
Cheers, CC ;-)