[JDEV] MS Passport and Open alternatives

Michael Hearn mhearn at mailandnews.net
Fri Sep 21 09:45:56 CDT 2001

>wow... MS is on the warpath...
>they're supposedly opening up their .Net auth system to allow other,
>non-Passport, auth systems, such as from AOL or Yahoo... they would be
>100% compatible with each other, so Yahoo Auth users could use Yahoo to
>access Hotmail and other MSN services...

OK, a few words on this issue. Firstly, MS is not actually "opening" Passport - Passport is inherently impossible to open in its current form as it relies upon a central authentication engine. This is why any email address can be a Passport without the address provider installing any software - MS runs the show. What they have actually said is they will allow "federation" of Passport to other organisations. Let's examine what this means:

"Federation allows businesses of any size, or any other organization, to maintain
the control of their local resources while still being able to interact with
people, organizations and software that are not under their direct control." MS PressPass

OK, so this is actually only a minor change to the current model. At the moment if you want to make your site Passport enabled, you have to go through a massive amount of paperwork to get it going, involving Microsoft actually trying out your site beforehand to ensure it works! Federation won't change this - all it does is allow companies to run their own Passport engines with the permission of Microsoft. Now they *have* realised that what the net needs is an open authentication system, and they propose Kerberos to do this, but what they don't mention is whether it'll be the Microsoft version or the MIT version, which are of course incompatible.

Second problem - they say Passport will be accessible via Kerberos. But Kerberos wasn't designed for the web, so how will this work? Kerberos is also very complex, relying on networks of key distribution servers, clock synchronization etc., so it's not a piece of cake to add authentication to a product that uses Kerberos.

I don't think we should say, "MS has opened Passport, right, that's authentication solved." It might turn out to be as open as hardware is "open" in Windows XP, where anyone can write drivers ... as long as they get permission from Microsoft first. I don't want to see this; the open community can do better.

In fact I have been thinking about this :) .... 

What's needed is an open "Simple Authentication Protocol" (SAP) that has bindings to various protocols such as Jabber, SOAP, XML-RPC etc. This would allow any server to allow authentication against it simply by running a small server alongside say an email or jabber server, that responds to messages requesting authentication. It could well use Kerberos design principles and even be compatible with it to some extent - but I seriously don't think Kerb is right for this job.

I described the basic model in an email a few days ago, and the content of this protocol wouldn't be hard to guess anyway. This would allow anyone to have their network address be used for authentication and single sign on without the standardisation and centralisation issues prevalent in Passport.

OK, rant over. Thanks for reading.
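The Kerberos design principles the post leans on (a per-domain authentication server that both the user and the relying service share a key with, time-limited tickets, a clock-skew window and a replay cache), as an added example that is not part of the original post and not any project's code. It is a toy built on Python's standard library: HMAC-SHA256 stands in for the encryption real Kerberos uses, so tickets are integrity-protected rather than confidential, and the home server is looked up from the domain of the address being authenticated, along the lines of the "Simple Authentication Protocol" sketched above. All names, domains and the password are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example (not the post's or any project's code): a Kerberos-style
# single sign-on flow with one home authentication server per domain.
# HMAC-SHA256 stands in for the encryption real Kerberos uses, so tickets are
# integrity-protected but not confidential. All names and domains are made up.

MAX_SKEW = 300          # seconds; Kerberos tolerates about 5 minutes of clock drift
TICKET_LIFETIME = 3600  # seconds

def _mac(key: bytes, *parts: str) -> bytes:
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class HomeAuthServer:
    """Authentication engine for one domain. Users and relying services must each
    share a key with it beforehand: that registration step is what the post
    objects to, and also what makes this server a trusted third party."""

    def __init__(self, domain: str):
        self.domain, self.user_keys, self.service_keys = domain, {}, {}

    def add_user(self, name: str, password: str) -> bytes:
        self.user_keys[name] = hashlib.pbkdf2_hmac("sha256", password.encode(), self.domain.encode(), 100_000)
        return self.user_keys[name]

    def register_service(self, service: str) -> bytes:
        self.service_keys[service] = secrets.token_bytes(32)
        return self.service_keys[service]

    def issue_ticket(self, user: str, ts: int, proof: bytes, service: str, now: int):
        """First exchange: the client proves knowledge of its key with an HMAC over a
        fresh timestamp; the server returns a service ticket plus the wrapped session key."""
        if abs(now - ts) > MAX_SKEW:
            raise PermissionError("client clock out of sync")
        if not hmac.compare_digest(proof, _mac(self.user_keys[user], "req", user, str(ts), service)):
            raise PermissionError("bad credentials")
        tid, svc_key = secrets.token_hex(16), self.service_keys[service]
        ticket = json.dumps({"user": user, "service": service, "tid": tid,
                             "iat": now, "exp": now + TICKET_LIFETIME}, sort_keys=True)
        # The service re-derives the session key from the ticket id, so the key
        # never travels in the clear; the client receives it wrapped under its own key.
        session_key = _mac(svc_key, "session", tid)
        wrapped = _xor(session_key, _mac(self.user_keys[user], "wrap", tid))
        return ticket, _mac(svc_key, "ticket", ticket), wrapped

def client_login(home: HomeAuthServer, user: str, user_key: bytes, service: str, now: int):
    """Client side of the first exchange: obtain a ticket and unwrap the session key."""
    proof = _mac(user_key, "req", user, str(now), service)
    ticket, ticket_mac, wrapped = home.issue_ticket(user, now, proof, service, now)
    session_key = _xor(wrapped, _mac(user_key, "wrap", json.loads(ticket)["tid"]))
    return ticket, ticket_mac, session_key

def authenticator(user: str, session_key: bytes, now: int):
    """Second exchange, client side: a fresh timestamped proof of the session key."""
    return now, _mac(session_key, "auth", user, str(now))

class Service:
    """A relying service (say, a Jabber server) sharing a key only with the home server."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def verify(self, ticket: str, ticket_mac: bytes, auth_ts: int, auth_mac: bytes, now: int):
        if not hmac.compare_digest(ticket_mac, _mac(self.key, "ticket", ticket)):
            return False, "ticket forged"
        t = json.loads(ticket)
        if t["service"] != self.name or now > t["exp"]:
            return False, "ticket not valid here or expired"
        if abs(now - auth_ts) > MAX_SKEW:        # this is why Kerberos needs synchronized clocks
            return False, "authenticator clock skew"
        session_key = _mac(self.key, "session", t["tid"])
        if not hmac.compare_digest(auth_mac, _mac(session_key, "auth", t["user"], str(auth_ts))):
            return False, "bad authenticator"
        if (t["tid"], auth_ts) in self.seen:     # replay cache, as a Kerberos service keeps
            return False, "replay"
        self.seen.add((t["tid"], auth_ts))
        return True, t["user"]

def demo(now: int):
    home = HomeAuthServer("example.org")
    registry = {home.domain: home}               # home server is found from the address's domain
    alice_key = home.add_user("alice", "correct horse battery")
    svc = Service("jabber.example.net", home.register_service("jabber.example.net"))
    user, domain = "alice@example.org".split("@")
    ticket, tmac, skey = client_login(registry[domain], user, alice_key, svc.name, now)
    ts, amac = authenticator(user, skey, now)
    first = svc.verify(ticket, tmac, ts, amac, now)             # (True, 'alice')
    replay = svc.verify(ticket, tmac, ts, amac, now + 1)        # (False, 'replay')
    late_ts, late_mac = authenticator(user, skey, now + 900)
    skewed = svc.verify(ticket, tmac, late_ts, late_mac, now)   # (False, 'authenticator clock skew')
    return first, replay, skewed
```

Calling `demo(int(time.time()))` returns three verdicts: a successful login, the same authenticator presented a second time (rejected by the replay cache), and an authenticator stamped fifteen minutes ahead of the service's clock (rejected by the skew check). That last case is the clock-synchronization dependency the post mentions, and the need to register every service with the home server before any ticket can be checked is the up-front paperwork it complains about.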
