3 <b>Sep 20, 2001:</b> Microsoft has just announced some changes
4 to passport that are rather interesting. This document
5 reflects the Passport system without taking into account the
8 Read about it <a href="http://www.microsoft.com/presspass/features/2001/sep01/09-20passport.asp">here</a>.
10 For an analysis of security problems with passport, check <a
11 href="http://avirubin.com/passport.html">http://avirubin.com/passport.html</a>.
12 The bottom line is that you should not put any sensitive
13 information on passport.
15 I have received many comments from people, and I have updated
16 the page accordingly. From removing incorrect statements, to
17 fixing typos, to include mentions to other software pieces.
19 I also corrected my statement about IIS and a trojan horse, I
20 should read a more educated press in the future. My apologies
21 to Microsoft and its employees on this particular topic. IIS
22 did not have a trojan horse built in.
24 * Microsoft Hailstorm and Passport
26 Microsoft Passport is a centralized database hosted by
27 Microsoft that enhances the consumer experience with the Web
28 by providing a single logon system that they can use across a
29 number of participant web sites.
31 As you might know by now from our extensive <a
32 href="faq.html">FAQ</a>, the Mono project has nothing to do
33 with Microsoft Hailstorm or <a
34 href="http://www.passport.com">Microsoft Passport.</a>
36 Still a lot of people have asked us our opinion on them.
40 Passport is important not because of it being a breakthrough
41 technologically speaking, but because the company is in a
42 position to drive most people toward being suscribers of it.
44 At the time of this writing passport is required to use the
45 free mail service <a href="http://www.hotmail.com">Hotmail</a>
46 to get customized support for the <a
47 href="http://www.msn.com">MSN portal</a>, <a
48 href="http://msdn.microsoft.com">Microsoft Developers
49 Network</a> and according to the original announcement from
50 Microsoft <a href="http://www.americanexpress.com">American
51 Express</a> and <a href="http://www.ebay.com">EBay</a> will be
55 href="http://www.passport.com/Directory/Default.asp?PPDir=C&lc=1033">Large
56 list</a> of participating sites.
58 There are many current users of it and Microsoft will be
59 driving more users towards Passport as it <a
60 href="http://news.cnet.com/news/0-1003-200-6343275.html">integrates
61 it</a> in their upcoming release of Windows.
64 href="http://www.passport.com/Business/JoinPassportNetwork.asp?lc=1033">developed
65 a toolkit</a> to enable current web merchants to integrate
66 their services with passport.
68 To the end user, there is a clear benefit: they only have to
69 log into a single network and not remember multiple passwords
70 across sites on the internet. Companies that adopt passport
71 will have a competition advantage over those that dont.
72 Microsoft lists a list of <a
73 href="http://www.passport.com/Business/Default.asp?lc=1033">benefits</a>
77 ** The problems of Passport
79 There are a number of concerns that different groups have over
80 Passport. Sometimes I have some, sometimes I do not. But
81 overall, consumers and businesses can have better solutions.
84 * <b>Single Point of Failure:</b> As more services and
85 components depend on remote servers, functionality can
86 grind to a halt if there is a failure on the
87 centralized Passport system.
89 Such a failure was predicted, and we recently <a
90 href="http://news.cnet.com/news/0-1005-200-6473003.html">witnessed</a>
91 got a lot of people worried.
93 The outgage lasted for seven days. Think what this
94 could do to your business.
96 * <b>Trust:</b> Not everyone trusts Microsoft to keep
97 their information confidential. Concerns are not only
98 at the corporate level policy, but also the fact that
99 the source code for Microsoft products is not
100 available, means that trojans or worms could be built
101 into the products by malicious engineers.
103 * <b>Security:</b> With a centralized system like
104 Passport, imagine the repercussions of a malicious
105 hacker gaining access to the Passport database.
106 Personal information and credit card information about
107 almost everyone using a computer could be stored there.
109 Hackers have already <a
110 href="http://slashdot.org/articles/00/10/27/1147248.shtml">broken
111 into Microsoft</a> in the past. And the company was
112 unable to figure out for how long their systems had
115 Security holes have been found in <a
116 href="http://slashdot.org/articles/00/04/14/0619206.shtml">IIS
117 in the past.</a> If all the world's data is stored on
118 a central location, when a single security hole is
119 detected, it would allow an intruder to install a
120 backdoor within seconds into the corporate network
121 without people ever noticing.
123 Microsoft itself has been recently hit by worms,
124 imagine if all your business depended on a single
125 provider for providing all or your authentication
129 Microsoft might or might not realize this. The idea behind
130 Passport is indeed a good one (I can start to get rid of my
131 file that keeps track of the 30 logins and passwords or so
132 that I use across the various services on the net myself).
134 ** Alternatives to Microsoft Passport
136 An alternative to Microsoft Passport needs to take the above
137 problems into consideration. Any solution of the form `We
138 will just have a competing offering' will not work.
140 The system thus has to be:
143 * <b>Distributed:</b> The entire authentication
144 system should not create an internet `blackout' in the
147 A distributed system using different software
148 platforms and different vendors would be more
149 resistent to an attack, as holes in a particular
150 implementation of the server software would not affect
151 every person at the same time.
153 A security hole attack might not even be relevant to
154 other software vendors software.
156 * <b>Allow for multiple registrars:</b> Users should
157 be able to choose a registrar (their banks, local
158 phone company, service provider, Swiss bank, or any
159 other entity they trust.
161 * <b>Mandate good security measures:</b> As a
162 principle, only Open Source software should be used
163 for servers in the registrar, and they should conform
164 to a standard set of tools and software that can be
165 examined by third parties.
168 An implementation of this protocol could use the DNS or a
169 DNS-like setup to distribute the information of users with the
170 possibility of replicating and caching public information
173 For instant messaging (another piece of the Hailstorm bit),
174 you want to use a non-centralized system like Sun's <a
175 href="http://www.jxta.org">JXTA</a>. Some people mailed me to
176 mention Jabber as a messaging platform and other people
177 pointed out to the <a
178 href="http://java.sun.com/products/jms/">Java Message
179 Service</a>. The JMS does support a number of very
180 interesting features that are worth researching.
182 It could also just use the user e-mail address as the `key' to
183 choose the registrar (msn.com, hotmail.com -> passport.com;
184 aol.com -> aol.passport.com; you get the idea).
187 href="http://www.soapware.org/xmlStorageSystem">xmlStorage</a>
188 idea from <a href="http://www.scripting.com">Dave Winer</a>
189 could be used to store the information.
191 A toolkit for various popular web servers could be provided,
192 authenticated and should be open sourced (for those of you who
193 think that a binary program would give more security and would
194 prevent people from tampering: you are wrong. You can always
195 use a proxy system that "behaves" like the binary, and passes
196 information back and forth from the real program, and snoops
197 in-transit information).
199 Good cryptographers need to be involved in this problem to
200 figure out the details and the possible insecure pieces of a
203 ** Implementation: In short
205 To keep it short: <b>DNS, JXTA, xmlStorage.</b>
210 The implementation of such a system should be a pretty
211 straightforward task once security cryptographers have
212 designed such a beast.
214 The major problems are:
217 * <b>People might just not care:</b> In a poll to US
218 citizens a couple of decades ago, it was found that
219 most people did not care about the rights they were
220 given by the Bill of Rights, which lead to a number of
221 laws to be passed in the US that eliminated most of
222 the rights people had.
224 * <b>The industry will move way too slow:</b>
225 Microsoft's implementation is out in the open now: it
226 is being deployed, and soon it will be insinuated to
227 many, many users. The industry needs to get together
228 soon if they care about this issue.
230 By the time the industry reacts, it might be too
236 The .NET class libraries include a Passport class that
237 applications might use to authenticate with Passport. Since
238 we do not have information at this point on the exact protocol
239 of Passport, it is not even feasible to implement it.
241 If at some point the information is disclosed, it could be
244 If a competing system to Passport existed, we could probably
245 hide all the authentication information to use a number of
246 different passport-like systems.
248 If a user does not want to use Passport at all, he could
249 always turn it off (or completely remove the class from the
250 library). After all, this is free software.
252 Currently, we are too far from the point where this is a real
255 ** Passport and endangering Open Source.
257 A few people have said: `Mono will allow Passport to be
258 available for Linux and that is bad'. This is plain
261 Currently, you can obtain Passport for Linux from Microsoft
262 itself and deploy it today on your Web server. Mono does not
263 even enter the picture here. Go to passport.com and download
264 the toolkit and you will see with your own eyes that passport
265 is <B>already</b> available for Linux.
269 This is just a group of personal thoughts of mine that I have
270 placed here because I get asked this question a lot lately.
271 The views of this page are not a statement from my employer
274 This is not part of Mono. We are not trying to deal with this
277 Nat Friedman (Ximian's co-founder) has his own ideas on how a
278 competing system to Passport could be designed, but I will let
279 <a href="http://www.nat.org/">him</a> post his own story.
281 ** Other Passport Comments
283 An interesting study on the security of passport is available at: <a
284 href="http://avirubin.com/passport.html">http://avirubin.com/passport.html</a>
286 ** Other Alternatives
288 Some people have pointed out <a
289 href="http://www.xns.org">XNS</a>
291 Send comments to me: Miguel de Icaza (<a
292 href="mailto:miguel@ximian.com">miguel@ximian.com</a>)