In Microsoft's latest bid to win acceptance of .NET, the company announced last week that it will let its Passport authentication service interoperate with competitors' (e.g., AOL's) upcoming services. This news was largely a surprise, although Microsoft made several concessions to privacy advocates this year regarding Windows XP and .NET—products that the company sees as key to its success in both the short term (Windows XP) and the long term (.NET). But a growing number of critics are calling Microsoft's latest maneuver a scam, stating that Microsoft is purposefully muddying the line between authentication and authorization to make the company appear more open than it really is. Let's look at what the company has done and what its actions mean to .NET.
Christopher Payne, Microsoft vice president of the .NET Core Services Platform, says that opening Passport enables a "network of trust," in which the company's much-touted single sign-on (SSO) feature is federated with a variety of previously incompatible authentication systems that use the Kerberos 5.0 security standard. Thus, corporations or consumers can use one common authentication system across the Internet, involving a variety of disparate OSs and other platforms, as long as the servers are all compatible with Kerberos 5.0. Microsoft compares this scheme to the one that banking ATMs use: Each machine might be on a separate network, but because those networks employ a trusted, interoperable authentication scheme, you can get cash at a bank with which you're not affiliated.
"Your individual bank is part of a larger ATM service-based network built on a common operating agreement among the various member banks," Payne says. "Within this broad network, you can use your individual ATM card at any one of thousands of ATM machines, regardless of where they're located or whether you even have an account with that particular bank. On the Web, customers will have a similarly seamless experience. They won't have to remember different sign-in names and passwords as they 'travel' about the Internet."
Microsoft will update its Passport service in early 2002 to conform to the Kerberos 5.0 security protocol (a plan that has been in place since at least April). The Windows .NET Server products that are also due in early 2002 will include this capability as well.
Microsoft is quick to point out that it won't "own" any user data. Because Passport will be an open system, the authentication services could be local, through a user's ISP, or through a worker's business. This method will let corporations store users' Passport data inhouse. Microsoft says these authentication services will reside on servers that will soon become as important as the DNS servers that translate a URL into the IP address the underlying network understands.
Critics maintain, however, that Microsoft's announcement is nothing more than hot air. And as I mention above, the move to Kerberos 5.0 compatibility has been in the cards for several months, making the timing of the announcement suspect. Critics say that .NET servers can only authenticate users (i.e., allow or prevent users from accessing services) but that the crux of the Passport privacy issue is authorization, which determines which services are available for a user to access. An authentication server can only query whether an action is possible, whereas an authorization server can determine exactly which services are available. Authentication servers will require authorization servers. According to critics, Microsoft is letting third parties provide authentication only—a simple yes or no to requests. But Microsoft isn't giving up authorization, which is far more important to the company than authentication. Authorization, critics say, is where the real control of this system lies.
In a strange twist, critics say that Microsoft has already usurped the Kerberos 5.0 protocol by wrapping a proprietary authorization mechanism into Kerberos "tickets" that Windows servers generate. Thus, only a Windows server can provide authorization services, because only Windows servers work with Microsoft's proprietary version of Kerberos. Linux and UNIX hackers who have been trying to get around this restriction say that doing so is possible but very difficult. And that's exactly what Microsoft wants, they say.
I'll further examine this topic in the coming weeks; I'm planning a discussion with Jeremy Allison, who created a crucial Linux utility—Samba—that lets Linux machines network with Windows machines. Also, in related news, Microsoft recently gave the HailStorm services a kinder, gentler name. Microsoft will phase in these services, now marketed as .NET My Services, during the next several months.