Security Review Delays Crucial .NET Passport Update

Microsoft has delayed until early 2003 an updated Microsoft .NET Passport version that the company originally envisioned as the first public step toward its .NET vision. Originally expected in late 2001 but delayed several times since then, .NET Passport 3.0 will include the industry-standard Kerberos security standard, possibly paving the way for competing products to integrate with Microsoft's online authentication system.

Two factors caused the recent delays. The first was Microsoft's security code review during February and part of March, when Microsoft ceased new coding and instead inspected the company's current products for security risks. The second factor was a recent decision to open up changes Microsoft made to Kerberos when the company implemented the technology in Windows 2000 Active Directory (AD). Open-source pundits had charged Microsoft with "embracing and extending" the Kerberos standard by adding proprietary extensions that third-party vendors couldn't access. By releasing the details of those extensions sometime in mid-2002, the company will ease the way for developers who want to integrate their products and services with AD and other Microsoft products that use Kerberos, such as .NET Passport 3.0.

Because of the delays, however, Microsoft will implement some minor updates to the crucial .NET Passport service in stages later this year. First up will be a series of small updates accompanied by software development kits (SDKs) for programmers. The SDKs will let programmers write applications and services that tap into .NET Passport's authentication and networking capabilities. And in light of criticism that the company should open Passport to the rival Liberty Alliance Project, Microsoft will start an informational campaign to increase user, developer, and enterprise understanding of the .NET Passport service, which sits at the heart of the .NET strategy. As I discussed in "Selling the .NET Vision" in the March 7, 2002, edition of .NET UPDATE, making people understand what the .NET strategy is all about is, perhaps, the most daunting task Microsoft faces in garnering .NET acceptance.

Also problematic is the company's ongoing legal problems, which extend beyond the familiar antitrust case in the United States to wider charges in Europe, where the European Union (EU) accuses the software giant of attempting to further its desktop monopoly into server software. The EU believes that Microsoft should be more open with current and upcoming .NET technology so that partners and competitors alike can write services that interact as effectively with the company's server products as Microsoft's own services do. As a crucial centerpiece of the .NET strategy, .NET Passport is also at the center of the European controversy; by opening up Windows server and .NET Passport-related technologies, Microsoft hopes to address the EU's core complaints.

I think opening .NET and other server technologies will benefit all Microsoft customers. But more important than those benefits are the benefits that product users will receive as a result of Microsoft delaying .NET Passport until the company can implement the findings of its crucial security code review. If a slight product delay is the only price users pay for product security, so be it; in the online world, more than ever before, security should be Microsoft's first concern, not an add-on.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.