mono-logo Downloads | Daily snapshots | Screenshots | Documentation | Bugs | Blogs

Updates

Sep 20, 2001: Microsoft has just announced some changes to passport that are rather interesting. This document reflects the Passport system without taking into account the new changes.

Read about it here.

For an analysis of security problems with passport, check http://avirubin.com/passport.html. The bottom line is that you should not put any sensitive information on passport.

I have received many comments from people, and I have updated the page accordingly. From removing incorrect statements, to fixing typos, to include mentions to other software pieces.

I also corrected my statement about IIS and a trojan horse, I should read a more educated press in the future. My apologies to Microsoft and its employees on this particular topic. IIS did not have a trojan horse built in.

Microsoft Hailstorm and Passport

Microsoft Passport is a centralized database hosted by Microsoft that enhances the consumer experience with the Web by providing a single logon system that they can use across a number of participant web sites.

As you might know by now from our extensive FAQ, the Mono project has nothing to do with Microsoft Hailstorm or Microsoft Passport.

Still a lot of people have asked us our opinion on them.

Passport

Passport is important not because of it being a breakthrough technologically speaking, but because the company is in a position to drive most people toward being suscribers of it.

At the time of this writing passport is required to use the free mail service Hotmail to get customized support for the MSN portal, Microsoft Developers Network and according to the original announcement from Microsoft American Express and EBay will be adopting it.

There is already a Large list of participating sites.

There are many current users of it and Microsoft will be driving more users towards Passport as it integrates it in their upcoming release of Windows.

Microsoft has also developed a toolkit to enable current web merchants to integrate their services with passport.

To the end user, there is a clear benefit: they only have to log into a single network and not remember multiple passwords across sites on the internet. Companies that adopt passport will have a competition advantage over those that dont. Microsoft lists a list of benefits to companies.

The problems of Passport

There are a number of concerns that different groups have over Passport. Sometimes I have some, sometimes I do not. But overall, consumers and businesses can have better solutions.

  • Single Point of Failure: As more services and components depend on remote servers, functionality can grind to a halt if there is a failure on the centralized Passport system.

    Such a failure was predicted, and we recently witnessed got a lot of people worried.

    The outgage lasted for seven days. Think what this could do to your business.

  • Trust: Not everyone trusts Microsoft to keep their information confidential. Concerns are not only at the corporate level policy, but also the fact that the source code for Microsoft products is not available, means that trojans or worms could be built into the products by malicious engineers.

    Various government officials in non-US countries also have a policy that no state sensitive information can be held by foreign companies in foreign soil. A natural matter of national security to some.

  • Security: With a centralized system like Passport, imagine the repercussions of a malicious hacker gaining access to the Passport database. Personal information and credit card information about almost everyone using a computer could be stored there.

    Hackers have already broken into Microsoft in the past. And the company was unable to figure out for how long their systems had been hacked.

    Security holes have been found in IIS in the past. If all the world's data is stored on a central location, when a single security hole is detected, it would allow an intruder to install a backdoor within seconds into the corporate network without people ever noticing.

    Microsoft itself has been recently hit by worms, imagine if all your business depended on a single provider for providing all or your authentication needs

Microsoft might or might not realize this. The idea behind Passport is indeed a good one (I can start to get rid of my file that keeps track of the 30 logins and passwords or so that I use across the various services on the net myself).

Alternatives to Microsoft Passport

An alternative to Microsoft Passport needs to take the above problems into consideration. Any solution of the form `We will just have a competing offering' will not work.

The system thus has to be:

  • Distributed: The entire authentication system should not create an internet `blackout' in the case of failure.

    A distributed system using different software platforms and different vendors would be more resistent to an attack, as holes in a particular implementation of the server software would not affect every person at the same time.

    A security hole attack might not even be relevant to other software vendors software.

  • Allow for multiple registrars: Users should be able to choose a registrar (their banks, local phone company, service provider, Swiss bank, or any other entity they trust.

  • Mandate good security measures: As a principle, only Open Source software should be used for servers in the registrar, and they should conform to a standard set of tools and software that can be examined by third parties.

An implementation of this protocol could use the DNS or a DNS-like setup to distribute the information of users with the possibility of replicating and caching public information about the user.

For instant messaging (another piece of the Hailstorm bit), you want to use a non-centralized system like Sun's JXTA. Some people mailed me to mention Jabber as a messaging platform and other people pointed out to the Java Message Service. The JMS does support a number of very interesting features that are worth researching.

It could also just use the user e-mail address as the `key' to choose the registrar (msn.com, hotmail.com -> passport.com; aol.com -> aol.passport.com; you get the idea).

The xmlStorage idea from Dave Winer could be used to store the information.

A toolkit for various popular web servers could be provided, authenticated and should be open sourced (for those of you who think that a binary program would give more security and would prevent people from tampering: you are wrong. You can always use a proxy system that "behaves" like the binary, and passes information back and forth from the real program, and snoops in-transit information).

Good cryptographers need to be involved in this problem to figure out the details and the possible insecure pieces of a proposal like this.

Implementation: In short

To keep it short: DNS, JXTA, xmlStorage.

Deploying it

The implementation of such a system should be a pretty straightforward task once security cryptographers have designed such a beast.

The major problems are:

  • People might just not care: In a poll to US citizens a couple of decades ago, it was found that most people did not care about the rights they were given by the Bill of Rights, which lead to a number of laws to be passed in the US that eliminated most of the rights people had.

  • The industry will move way too slow: Microsoft's implementation is out in the open now: it is being deployed, and soon it will be insinuated to many, many users. The industry needs to get together soon if they care about this issue.

    By the time the industry reacts, it might be too late.

Passport and Mono

The .NET class libraries include a Passport class that applications might use to authenticate with Passport. Since we do not have information at this point on the exact protocol of Passport, it is not even feasible to implement it.

If at some point the information is disclosed, it could be implemented.

If a competing system to Passport existed, we could probably hide all the authentication information to use a number of different passport-like systems.

If a user does not want to use Passport at all, he could always turn it off (or completely remove the class from the library). After all, this is free software.

Currently, we are too far from the point where this is a real issue.

Passport and endangering Open Source.

A few people have said: `Mono will allow Passport to be available for Linux and that is bad'. This is plain misinformation.

Currently, you can obtain Passport for Linux from Microsoft itself and deploy it today on your Web server. Mono does not even enter the picture here. Go to passport.com and download the toolkit and you will see with your own eyes that passport is already available for Linux.

Disclaimer

This is just a group of personal thoughts of mine that I have placed here because I get asked this question a lot lately. The views of this page are not a statement from my employer (Ximian, Inc).

This is not part of Mono. We are not trying to deal with this problem.

Nat Friedman (Ximian's co-founder) has his own ideas on how a competing system to Passport could be designed, but I will let him post his own story.

Other Passport Comments

An interesting study on the security of passport is available at: http://avirubin.com/passport.html

Other Alternatives

Some people have pointed out XNS

Send comments to me: Miguel de Icaza (miguel@ximian.com)

webmaster@go-mono.com