| blob | 3ffe0dfeef9edee06ab45146c1fc072446991f93 |
1 * Updates
3 <b>Sep 20, 2001:</b> Microsoft has just announced some changes
4 to passport that are rather interesting. This document
5 reflects the Passport system without taking into account the
6 new changes.
8 Read about it <a href="http://www.microsoft.com/presspass/features/2001/sep01/09-20passport.asp">here</a>.
10 For an analysis of security problems with passport, check <a
11 href="http://avirubin.com/passport.html">http://avirubin.com/passport.html</a>.
12 The bottom line is that you should not put any sensitive
13 information on passport.
15 I have received many comments from people, and I have updated
16 the page accordingly. From removing incorrect statements, to
17 fixing typos, to include mentions to other software pieces.
19 I also corrected my statement about IIS and a trojan horse, I
20 should read a more educated press in the future. My apologies
21 to Microsoft and its employees on this particular topic. IIS
22 did not have a trojan horse built in.
24 * Microsoft Hailstorm and Passport
26 Microsoft Passport is a centralized database hosted by
27 Microsoft that enhances the consumer experience with the Web
28 by providing a single logon system that they can use across a
29 number of participant web sites.
31 As you might know by now from our extensive <a
32 href="faq.html">FAQ</a>, the Mono project has nothing to do
33 with Microsoft Hailstorm or <a
34 href="http://www.passport.com">Microsoft Passport.</a>
36 Still a lot of people have asked us our opinion on them.
38 ** Passport
40 Passport is important not because of it being a breakthrough
41 technologically speaking, but because the company is in a
42 position to drive most people toward being suscribers of it.
44 At the time of this writing passport is required to use the
45 free mail service <a href="http://www.hotmail.com">Hotmail</a>
46 to get customized support for the <a
47 href="http://www.msn.com">MSN portal</a>, <a
48 href="http://msdn.microsoft.com">Microsoft Developers
49 Network</a> and according to the original announcement from
50 Microsoft <a href="http://www.americanexpress.com">American
51 Express</a> and <a href="http://www.ebay.com">EBay</a> will be
52 adopting it.
54 There is already a <a
55 href="http://www.passport.com/Directory/Default.asp?PPDir=C&lc=1033">Large
56 list</a> of participating sites.
58 There are many current users of it and Microsoft will be
59 driving more users towards Passport as it <a
60 href="http://news.cnet.com/news/0-1003-200-6343275.html">integrates
61 it</a> in their upcoming release of Windows.
63 Microsoft has also <a
64 href="http://www.passport.com/Business/JoinPassportNetwork.asp?lc=1033">developed
65 a toolkit</a> to enable current web merchants to integrate
66 their services with passport.
68 To the end user, there is a clear benefit: they only have to
69 log into a single network and not remember multiple passwords
70 across sites on the internet. Companies that adopt passport
71 will have a competition advantage over those that dont.
72 Microsoft lists a list of <a
73 href="http://www.passport.com/Business/Default.asp?lc=1033">benefits</a>
74 to companies.
77 ** The problems of Passport
79 There are a number of concerns that different groups have over
80 Passport. Sometimes I have some, sometimes I do not. But
81 overall, consumers and businesses can have better solutions.
83 <ul>
84 * <b>Single Point of Failure:</b> As more services and
85 components depend on remote servers, functionality can
86 grind to a halt if there is a failure on the
87 centralized Passport system.
89 Such a failure was predicted, and we recently <a
90 href="http://news.cnet.com/news/0-1005-200-6473003.html">witnessed</a>
91 got a lot of people worried.
93 The outgage lasted for seven days. Think what this
94 could do to your business.
96 * <b>Trust:</b> Not everyone trusts Microsoft to keep
97 their information confidential. Concerns are not only
98 at the corporate level policy, but also the fact that
99 the source code for Microsoft products is not
100 available, means that trojans or worms could be built
101 into the products by malicious engineers.
103 Various government officials in non-US countries also
104 have a policy that no state sensitive information can
105 be held by foreign companies in foreign soil. A natural
106 matter of national security to some.
108 * <b>Security:</b> With a centralized system like
109 Passport, imagine the repercussions of a malicious
110 hacker gaining access to the Passport database.
111 Personal information and credit card information about
112 almost everyone using a computer could be stored there.
114 Hackers have already <a
115 href="http://slashdot.org/articles/00/10/27/1147248.shtml">broken
116 into Microsoft</a> in the past. And the company was
117 unable to figure out for how long their systems had
118 been hacked.
120 Security holes have been found in <a
121 href="http://slashdot.org/articles/00/04/14/0619206.shtml">IIS
122 in the past.</a> If all the world's data is stored on
123 a central location, when a single security hole is
124 detected, it would allow an intruder to install a
125 backdoor within seconds into the corporate network
126 without people ever noticing.
128 Microsoft itself has been recently hit by worms,
129 imagine if all your business depended on a single
130 provider for providing all or your authentication
131 needs
132 </ul>
134 Microsoft might or might not realize this. The idea behind
135 Passport is indeed a good one (I can start to get rid of my
136 file that keeps track of the 30 logins and passwords or so
137 that I use across the various services on the net myself).
139 ** Alternatives to Microsoft Passport
141 An alternative to Microsoft Passport needs to take the above
142 problems into consideration. Any solution of the form `We
143 will just have a competing offering' will not work.
145 The system thus has to be:
147 <ul>
148 * <b>Distributed:</b> The entire authentication
149 system should not create an internet `blackout' in the
150 case of failure.
152 A distributed system using different software
153 platforms and different vendors would be more
154 resistent to an attack, as holes in a particular
155 implementation of the server software would not affect
156 every person at the same time.
158 A security hole attack might not even be relevant to
159 other software vendors software.
161 * <b>Allow for multiple registrars:</b> Users should
162 be able to choose a registrar (their banks, local
163 phone company, service provider, Swiss bank, or any
164 other entity they trust.
166 * <b>Mandate good security measures:</b> As a
167 principle, only Open Source software should be used
168 for servers in the registrar, and they should conform
169 to a standard set of tools and software that can be
170 examined by third parties.
171 </ul>
173 An implementation of this protocol could use the DNS or a
174 DNS-like setup to distribute the information of users with the
175 possibility of replicating and caching public information
176 about the user.
178 For instant messaging (another piece of the Hailstorm bit),
179 you want to use a non-centralized system like Sun's <a
180 href="http://www.jxta.org">JXTA</a>. Some people mailed me to
181 mention Jabber as a messaging platform and other people
182 pointed out to the <a
183 href="http://java.sun.com/products/jms/">Java Message
184 Service</a>. The JMS does support a number of very
185 interesting features that are worth researching.
187 It could also just use the user e-mail address as the `key' to
188 choose the registrar (msn.com, hotmail.com -> passport.com;
189 aol.com -> aol.passport.com; you get the idea).
191 The <a
192 href="http://www.soapware.org/xmlStorageSystem">xmlStorage</a>
193 idea from <a href="http://www.scripting.com">Dave Winer</a>
194 could be used to store the information.
196 A toolkit for various popular web servers could be provided,
197 authenticated and should be open sourced (for those of you who
198 think that a binary program would give more security and would
199 prevent people from tampering: you are wrong. You can always
200 use a proxy system that "behaves" like the binary, and passes
201 information back and forth from the real program, and snoops
202 in-transit information).
204 Good cryptographers need to be involved in this problem to
205 figure out the details and the possible insecure pieces of a
206 proposal like this.
208 ** Implementation: In short
210 To keep it short: <b>DNS, JXTA, xmlStorage.</b>
213 ** Deploying it
215 The implementation of such a system should be a pretty
216 straightforward task once security cryptographers have
217 designed such a beast.
219 The major problems are:
221 <ul>
222 * <b>People might just not care:</b> In a poll to US
223 citizens a couple of decades ago, it was found that
224 most people did not care about the rights they were
225 given by the Bill of Rights, which lead to a number of
226 laws to be passed in the US that eliminated most of
227 the rights people had.
229 * <b>The industry will move way too slow:</b>
230 Microsoft's implementation is out in the open now: it
231 is being deployed, and soon it will be insinuated to
232 many, many users. The industry needs to get together
233 soon if they care about this issue.
235 By the time the industry reacts, it might be too
236 late.
237 </ul>
239 ** Passport and Mono
241 The .NET class libraries include a Passport class that
242 applications might use to authenticate with Passport. Since
243 we do not have information at this point on the exact protocol
244 of Passport, it is not even feasible to implement it.
246 If at some point the information is disclosed, it could be
247 implemented.
249 If a competing system to Passport existed, we could probably
250 hide all the authentication information to use a number of
251 different passport-like systems.
253 If a user does not want to use Passport at all, he could
254 always turn it off (or completely remove the class from the
255 library). After all, this is free software.
257 Currently, we are too far from the point where this is a real
258 issue.
260 ** Passport and endangering Open Source.
262 A few people have said: `Mono will allow Passport to be
263 available for Linux and that is bad'. This is plain
264 misinformation.
266 Currently, you can obtain Passport for Linux from Microsoft
267 itself and deploy it today on your Web server. Mono does not
268 even enter the picture here. Go to passport.com and download
269 the toolkit and you will see with your own eyes that passport
270 is <B>already</b> available for Linux.
272 ** Disclaimer
274 This is just a group of personal thoughts of mine that I have
275 placed here because I get asked this question a lot lately.
276 The views of this page are not a statement from my employer
277 (Ximian, Inc).
279 This is not part of Mono. We are not trying to deal with this
280 problem.
282 Nat Friedman (Ximian's co-founder) has his own ideas on how a
283 competing system to Passport could be designed, but I will let
284 <a href="http://www.nat.org/">him</a> post his own story.
286 ** Other Passport Comments
288 An interesting study on the security of passport is available at: <a
289 href="http://avirubin.com/passport.html">http://avirubin.com/passport.html</a>
291 ** Other Alternatives
293 Some people have pointed out <a
294 href="http://www.xns.org">XNS</a>
296 Send comments to me: Miguel de Icaza (<a
297 href="mailto:miguel@ximian.com">miguel@ximian.com</a>)