Research firm Gartner Group offers only fleeting hope this week for a swift evolution to Web-based development using Microsoft's .NET framework. Analysts speaking at Gartner's annual Windows conference extinguished much of the hype surrounding what they called a "remarkably confusing" marketing blitz around .NET.
Read Gartner sees bumpy road toward .NET
I think Microsoft's strategy may be towards services rather than shipping application servers.
Look at HailStorm. EBay have decided to use it now and I think it's a good thing. Get a single online id and then use it to authenticate with any passport affiliated site like EBay for example.
If Microsoft can build, deliver and support this and other types of business agnostic, easy to integrate (even for non MS platforms) services then I think they are on to a winner. It would certainly ease the building of portal applications as single sign on is an issue with these types of applications when diverse back ends are present.
There are a bunch of similar services that they could build and then offer to developers/companies to make developing systems easier. They aren't selling software, they are selling/renting a service that hooks up with Web Services or simpler means. Looks very high margin if it takes off and I think it will.
Companies are paying for IT through the nose and the noses are bleeding because of it. Anything to lower costs and simplify the development/maintenance of their applications longer term has to be a good bet. Outsourcing these types of services makes sense.
The big question is how to make money from it. I wonder whether people will pay for such a service. I think corporates will as it'll be cheaper than doing it in-house.
I wonder how TSS readers would feel about being able to reuse a passport account as well as the normal TSS login?
I'm looking at trying to integrate a passport login with WebSphere. It looks possible but I'm just getting the infrastructure to try it out. Has anyone else looked at integrating Passport login with a J2EE server?
The idea that one's identity will be controlled by M$ (Passport) is as stupid as it gets.
While the public at large may swallow it like they swallowed other privacy mine bombs.
At least outside USA (Europe, Japan, maybe Canada) I'm sure it won't catch, and in USA people with their heads on their shoulders will not swallow it.
And by the way, no matter how many licenses Microsoft can sell they don't sell as many as VISA, Mastercard or American Express.
So unless MS bribes these organizations to swallow its technology I am very doubtful they will ever succeed with Passport.
And in fact they shouldn't.
I would also be concerned with Privacy. I haven't looked at Passport closely, how much of a user's data does a passport integrated website (let's take a theoretical TheServerSide.com for instance) have access to?
What sorts of questions are users of passport required to fill out? What are the privacy policies? Passport sounds like the greatest marketing database of all time - controlled by Microsoft. I would have to see some really good privacy policies before entrusting my own data to passport. I would much rather use a consortium supported service, like some sort of warped UDDI for users. :)
Still, the thought of a giant central user directory, exposed as a webservice and useable by any website is enticing. I don't really see development time being significantly reduced by websites using passport, most sites (like TSS) just store basic user info like username, contact info, etc. Sites with non-trivial user databases will likely need to support their own infrastructure anyway, after all, if you are going to store application specific user information in a 'user table' anyway, how much does it buy you to store name/password and contact info on passport?
I see clear benefits for the end user, not so clear on the benefits for the server side developers. Still, I am intrigued by Billy's question. TSS members, would you be ok with having a passport based TSS login?
Looks like now M$ wants to behave like a government. They are going to give you passports and Ids, as Costin said this idea is "as stupid as it gets". The whole idea of letting a company (that too Micro$oft!) control a master user/marketing database is really scary. Basically, what they are trying to do is push their other products. If you need new media player (version 8) you need to buy WinXP, XP will have some special MSN hooks and then you are automatically part of the passport thing. And from the developer's view, you want passport? use .NET, and then you need their AppServer and SQL Server and WinXP. It's just yet another "LOCK IN" strategy. In fact, the whole WinXP, Hailstorm, passport, .NET and whatnot should be declared a fraud :)
I wouldn't go as far as condemn the whole MS software stack for this awful idea.
Although lately I found them pushing more and more into packaging strategy.
While Win2000 is an admirable OS, you hit all kinds of problems running older versions of software, even things as SQL Server 7, so while I am a liberal (liberal as in "English UK" locale), I think they should be broken after all.
But the passport problem is a different issue.
Single sign-on is a value proposition and we all should be looking forward to implement solutions.
But with current state of the art technology in cryptography and smart peripherals, it is clear to me that the identity should be TOTALLY within user's hands.
Like you have a smart card, you log into the OS and prompts you for a password that is verified with the smart card.
In case you visit a site, the site presents you a challenge and the browser/OS forwards that to the smart card which returns a response that should be totally opaque to the OS and other third parties.
TOTAL privacy is the ONLY WAY to go, and we have the technological capability in place.
As far as I read about MS passport, it is totally different from the scenario that I described.
You like the passport now or not? It's not clear from the posting? I think it is a good idea but the privacy concerns need to be addressed.
Smart cards aren't secure either. Recently, the French unbreakable Carte Bleue was duplicated after a guy figured out how. Of course, the banks said it was impossible so when he proved it in public then they promptly had him arrested... Ostrich security mentality, if we make it illegal to break it then the people intent on robbing us won't do it because it's illegal, please...
You need a lot of infrastructure deployed to make even smart cards viable, I can't see it happening any time soon. Until then, we're stuck with user names and passwords. I got certificates for S/MIME email but what's the point, no one else has a certificate!
Total privacy will never work as what happens when someone duplicates your smart card. You get a new one but the copy still works too. You need a central database to check if the card is the current legal one just like with certificates and then we're back to square one again. Centralized infrastructure.
It is true that the French blue card has been broken, but this was possible ONLY because the machine which was reading this faked blue card used the magnetic information on the card, not that put on the inboard chip - ALL French credit cards have this inboard chip, which is *almost* unbreakable -
And this happened two years ago.
btw, what if you claim that your house's door is unbreakable, does it mean that I can break it without having any problem with you? I don't think that this guy just wanted to prove that the system was insecure, but he tried to make money with it - kind of blackmail, isn't it? -
Whatever, I don't buy the password & ID. Those guys at M$ should have listened too often to the Beatles' song "back to USSR".
I remember some deal around it that he wanted to make money off it, you're right.
But, unless computers come with card readers etc, i.e. a significant number of computers have it then there is no incentive for web sites/Microsoft to support it. It's catch 22. People say they want security but seem unwilling to pay for it. But, anyway, we're getting off topic.
"You like the passport now or not? It's not clear from the posting? I think it is a good idea but the privacy concerns need to be addressed."
I think it was clear from my posting also, there could be NO solution where a central authority has control over my electronic ID, not even if that thing is a government, but worse, if that thing is MS and offers this single sign on as a service that's an ABSOLUTE NO.
They might have broken a smart card two years ago, but that proves nothing. It's only a matter of time until they get in place. A smart card reader should be around 20 bucks.
If someone copies your card then someone has to also steal your password if the card is "smart" as I said it, and not a mere magnetic deposit.
Of course, someone can break into my house, replace the OS and so on, but this would be much more difficult to do it on a large scale.
And by the way, MS was not able to keep its code secure, that is its dearest treasure, so aren't you absurd to expect MS to keep identities secure?
Have you considered they have zero experience in security issues?
Decentralization and autonomy are the only key to security and there could be no privacy without security, even if you want to credit MS with its best intentions (that's another naive thing to do).
So ABSOLUTELY NO PASSPORT for me.
Yeah, for dumb consumers this idea might catch on, but I hope not.
"You need a central database to check if the card is the current legal one just like with certificates and then we're back to square one again"
You know that a central certification authority does not have any privacy issues, come on Billy, let's get serious here.
And there's no need for online realtime cross check with the certificate authority just as it is the case today.
Billy, are you the devil's advocate this time?
If yes, you'd better find good arguments :)
Figured I'd jerk your chain this time for once :-)
Just a few quick comments:
- Passport is a bad idea. MS is just not trustworthy enough. Enough said.
- That said, I think they are looking to partner with Mastercard on this one - am I just remembering wrong?
- Lastly, while Passport is flawed, I think the .NET infrastructure (web servers, web services, database, etc.) is very interesting. I'm using Beta 1 and have found it very stable and very innovative on the XML front in particular. That said, I'm also enjoying Orion.
I think that the real problem MS has is that they are trying to do too much - they should concentrate on the .NET platform as it relates to their own software. Passport is just way too out on the limb.
I found someone else made an interesting comment on MS in another group: basically, the point was that MS would announce a services business plan, let everyone follow it, then withdraw from it once it didn't pan out. I find it interesting that they pulled out of a subscription service for OfficeXP - probably because they realized it wasn't going to make any money because it's too far ahead of the customers.
My 2 cents....
On a second thought, I think my "dumb consumer" friend might be right.
If we don't do anything we'll HAVE to enable our program to make use of passports even if we don't like them, and denying MS for its bad intention and bad technical design is not going to help us in any way.
A good article on this issue is at:
Unfortunately my interest in cryptography and public key infrastructure is only a hobby, so I can only wait and see what happens.
The least thing we can do is not to pro-actively sustain MS proposition.
Microsoft is reported as saying that "HailStorm is built on open standards and is available for use by any Web site". It may be built on open standards but, it seems to me, it is only useable by others if they adhere to a proprietary Microsoft interface.
The key to the Hailstorm set of services is that services must be authenticated. In Hailstorm this service is provided by the Passport service. Once authenticated by Passport, a ticket is issued and passed as a parameter to other services. (I am guessing about the mechanics of how this is implemented. However, that is not important -- the principle remains the same.) Only services which can deal with a Passport ticket can avail of Hailstorm services. This allows Microsoft to charge for use of the services and to charge other service providers for their participation in the Password authentication system. In effect, Microsoft has created a proprietary system. In addition, by integrating the upcoming XP authentication system with Passport, Microsoft hopes to leverage and extend its current dominance on the desktop to the net.
To allow authenticated web services to interoperate, the computer industry needs to develop standards around web authentication services. Is there any work being done in this area? Not an easy task. Can PKI come to the rescue?
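
The smart-card challenge/response login described earlier in the thread, and the copied-card objection raised against it, as an added sketch that is not part of any post. It assumes a per-site HMAC key standing in for the card's key pair (Python's standard library has no signature scheme); `Card`, `Site` and `shop.example` are hypothetical names.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Stand-in for the smart card; the master secret never leaves it."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def site_key(self, site: str) -> bytes:
        # Derived per site, so two sites cannot link the same card.
        return mac(self._master, site.encode())

    def respond(self, site: str, challenge: bytes) -> bytes:
        return mac(self.site_key(site), challenge)


class Site:
    def __init__(self, name: str) -> None:
        self.name, self.keys, self.pending = name, {}, {}

    def enroll(self, user: str, key: bytes) -> None:
        self.keys[user] = key  # replaces, and so revokes, any earlier card

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)  # fresh nonce per login
        return self.pending[user]

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # each challenge is single-use
        if nonce is None or user not in self.keys:
            return False
        return hmac.compare_digest(mac(self.keys[user], nonce), response)


def demo() -> dict:
    site, card = Site("shop.example"), Card()  # constructed sample values
    site.enroll("alice", card.site_key(site.name))
    captured = card.respond(site.name, site.challenge("alice"))
    out = {"login": site.verify("alice", captured)}
    site.challenge("alice")
    out["replay"] = site.verify("alice", captured)  # old response, new nonce
    new_card = Card()
    site.enroll("alice", new_card.site_key(site.name))  # replacement card
    old = card.respond(site.name, site.challenge("alice"))
    out["copy_of_old_card"] = site.verify("alice", old)
    new = new_card.respond(site.name, site.challenge("alice"))
    out["new_card"] = site.verify("alice", new)
    out["unlinkable"] = card.site_key("a.example") != card.site_key("b.example")
    return out
```

In this design revocation is local to each site: a copy of the old card stops working at a site only once the replacement card has been enrolled there.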