Passport to Nowhere
prostoalex writes "CNET News.com.com talks about the less than glamorous acceptance of Microsoft's single sign-on technology, .NET Passport. Being launched as a single sign-on service for online businesses and competing heavily with the open Liberty Alliance project, which so far has produced just a large amount of PDF files, .NET Passport is considered a failure (although not by Microsoft). Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime were not acceptable to most potential clients out there."
"Microsoft was kind of pushing Passport for a problem that didn't exist..."
I think that more or less hits the nail on the head. This is aside from the downtime issue, which is embarrassing, and privacy issues, which are disturbing. On the privacy/downtime note, the Liberty Alliance may be vapor currently, but the idea of a "federated" system sounds much better to me. It's not a problem I have with Microsoft, rather it's a problem I have with giving all of my personal information to a single organization to put into a central repository.
No sir, that's bad sauce.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
I never saw a need for .NET Passport in any way. Privacy issues aside, all Passport would achieve for the company using it is something they could already do with simpler, more secure, and less liable technologies already available to them.
Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime
Yet they still buy windows...
I mean, doesn't "competing heavily" imply that there's, well, an active competition in the first place?
Obliteracy: Words with explosions
Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime... Could have fooled me
If the dollar is an "I owe you nothing", then the Euro is a "Who owes you nothing." - Doug Casey
It is widely publicized now how to manage passwords for a website -- it's as simple as using other Microsoft tools, and so in a way, Passport puts itself out of business by competing poorly with other Microsoft products. Why would anyone not just use an NT auth login, ASP, or one of the myriad other ways to do a sign-on? The only place I see Passport now is places where Microsoft already had a majorly vested business interest. Passport should go right up there with Microsoft BOB, IMHO.
stuff |
I actually created a passport login to see how many places they would use it and if it would be beneficial. Thus far I have only seen it used with Hotmail and on the MSN site. Have any others seen it used on other non-Microsoft sites?
I like the concept of Passport, but I'm not going to get in bed with Microsoft to put it on my web servers. Besides, it has always seemed to me that doing a scheme like that would introduce so many more points of failure to your web system that it wouldn't be worth the trouble. That's not to mention security. Somehow I just feel safer when I have to log in to each site separately.
SCO.com uses Linux
Is it the reason why we're seeing more and more MS-related "Everybody-Should-Use-It" web services?
Since nobody's really using Passport, MS is really trying to force people to use it by introducing IM, webmail and maybe in the future a Passport-based search engine...
Rock that crushes, Paper & Scissors that don't matter.
Either that, OR it is yet another bash Microsoft story in sla$hdot's endless Ahab-like obsession with Microsoft, that borders on the tedious.
I am an Architect and I was pretty happy to see Sweets (the product catalogue) uses MSN Passport as their logon service. I have to admit it was convenient, as there are drawbacks to having to remember every online service logon that you subscribe to. It's a pity this couldn't have been implemented better and/or be more successful. It would be interesting to see if Yahoo or AOL takes a stab at this, as everyone I know has a Yahoo login. It would be nice to use it for everything non-critical.
I can, of course, only speak for myself but I am fairly web-savvy and I was initially confused about the Passport system. It appeared to me that I needed an MSN account or Hotmail account to make it work, though I don't think that was/is the case. I always use my Hotmail account for junk; I'd never use it for e-commerce transactions. Perhaps that is the issue with a company with soooo many services.
Hotmail was such a pain in the butt when I used it. It was nice before Microsoft bought it, but then it went downhill. Everything was tied directly into the MSN homepage. Worst was the Passport system, which magically never worked.
I was pretty happy about that, I didn't feel comfortable with their implementation. I think a common login would be useful, but maybe if it was done by RSA, not by Microsoft.
http://github.com/gbook/nidb
An interesting concept coupled with all the bad parts that were exposed, and it's a wonder why no one wanted to use it. I use it myself with the Messenger service, but that's about it. I would not trust the security of my website/webapp to Microsoft.
Liberty Alliance project, which so far has produced just large amount of PDF files
Which is all they intended to produce. Technically Liberty Alliance is a spec, not an implementation.
Now if you are asserting that there are no implementations, the SourceID people would probably disagree with that.
Finkployd
1. I have yet to meet someone who actually has (let alone uses) a .NET Passport.
2. If you are thinking about replying to this message with "I Do!", then I probably won't meet you, so see 1.
If you're not part of the solution, you're part of the precipitate.
At first, the concept of a global authentication system seems great. We all have too many passwords to remember, the idea behind Passport seems great.
But in reality, there isn't anyone who is secure enough, trustworthy enough, powerful enough and smart enough to pull off a system that would work and would be trusted.
You need to have the strength and power to be able to build such a system, and with those, trust invariably goes out of the window.
So for now I'll keep all my passwords in my brain, and pay the price of my mistrust.
Jolyon
Please read my Canon EOS tech blog at http://www.everyothershot.com
I just called Microsoft to get my MCP number and they told me to sign up for a .NET Passport. I declined.
...isn't such a chore that we would need a freakishly-complex infrastructure to save us a couple of keystrokes.
Interesting claim. Care to, you know, back it up with something?
When it doesn't even work on their own partners' sites? Ever try to update any information you have actually given to MS for whatever reason?
.net passport: blah blah blah. Change pages again, move to something else inside MS' own site:
.net passport: blah blah blah.
Please Login using your
Please Login using your
The stupid thing doesn't even work on your site, why would I pay you to use it on mine?
They said "What happens in Vegas stays in Vegas"!!!!
cites?
oh I forgot, you're full of shit.
Was this .NET My Services?
.NET The Platform, C# -- .NET's Revenge, and VB.NET -- a new SOAP. A while ago, the company put forth this .NET strategy and then backed away as people started going "eh?" as to what it all meant.
.NET platform seems to be doing ok into adoption (if those "Senior .NET Programmer" ads are an indication) while the whole "My Services" single sign-on deathtrap was greeted with uberskepticism. If I remember correctly, this was one of the grand awakenings BillyGoat had -- when nobody would adopt it because of security concerns, he realized he had to coin "Trustworthy Computing."
I know there was a
From general consensus, the
I don't think the idea is going to die away -- when they've come up with their "Best Windows Ever!!!" in 2007 or so, look for that same "My Services" pitch.
Ebay has some form of Passport.NET implemented on their website, but I've never used it. I don't really see why I should considering that I'm already registered with eBay and my current username and password work just fine.
Interesting claim. Care to, you know, back it up with something?
Back it up? You must be new here.
What does Microsoft consider a failure?
If the dollar is an "I owe you nothing", then the Euro is a "Who owes you nothing." - Doug Casey
It is official; Netcraft confirms: .NET is dying
One more crippling bombshell hit the already beleaguered .NET community when IDC confirmed that .NET market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that .NET has lost more market share, this news serves to reinforce what we've known all along. .NET is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin [amdest.com] to predict .NET's future. The hand writing is on the wall: .NET faces a bleak future. In fact there won't be any future at all for .NET because .NET is dying. Things are looking very bad for .NET. As many of us are already aware, .NET continues to lose market share. Red ink flows like a river of blood.
Microsoft .NET is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time Microsoft developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: .NET is dying.
Let's keep to the facts and look at the numbers. .NET leader Bill states that there are 7000 users of .NET. How many users of .NET are there? Let's see. The number of .NET versus .NET posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 .NET users. .NET/OS posts on Usenet are about half of the volume of .NET posts. Therefore there are about 700 users of .NET/OS. A recent article put .NET at about 80 percent of the .NET market. Therefore there are (7000+1400+700)*4 = 36400 .NET users. This is consistent with the number of .NET Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, .NET went out of business and was taken over by .NETI who sell another troubled OS. Now .NETI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that .NET has steadily declined in market share. .NET is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. .NET continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, .NET is dead.
Fact: .NET is dying
Liberty does not compete with Passport, it competes with WS-Federation. Liberty scores points on an open development process (as opposed to MS and IBM doing WS-Fed in a darkened backroom somewhere) and also on having actual software implementations of their specs available. However WS-Fed scores big because managers these days see Web Services as the silver bullet, holy grail for everything. Time will tell.
Personally I like SAML (the technology Liberty is built off of), but supposedly WS-Fed is going to interop with Liberty, so maybe the two are not so different. (I really need to read up on WS-Fed more.)
Finkployd
"Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime, were not acceptable to most of potential clients out there."
It's strange that this didn't appeal to most users who already use Windows. I would think people would tend to use things they are already familiar with.
I have yet to ever see a Liberty Federated login screen so I'm not sure that it is even implemented. The Microsoft acceptance outside their own network is shifting, but I think this is an inevitable result of companies not wanting to rely on SLAs for business critical components of their solutions. This really is the single biggest problem of any web service in that you lose control and true accountability. Smart businesses will continue to internalize business critical components.
can be found in your nearest pr0n site.
I remember logging on to a porn site back in 1999 from where I could jump to several others without logging on again.
maybe sir bill could buy a pr0n site or two to learn how it's done.
can u imagine MSN with an adults only warning ???
What ? Me, worry ?
Let's just say that single sign-on is going to be a virus writer's most effective tool for global infestation. No VPN, ssh, or any such tool will be effective once a single sign-on is compromised. The same can be said for biometrics too.
From what I understood, the recent Hotmail problems were caused by the Passport .NET log-in failure, not Hotmail per se.
Of course.
I've put the source (well, what part of the source I have access to) on FreeNet early March with any identifying markers removed. Search it for FD_NSA_K and FD_FBI_K. If you're a programmer you'll see what I mean.
Ahh... what a relief to know that the Passport system has failed and is unlikely to make it as the world leader in single sign-on. To be honest, if anyone has the ability to nail this issue once and for all, it's Apple. Just watch... within the next two years, Apple will have a single sign-on system that works with *nix. This will cause a massive revolution in computing the likes of which we've never seen. Combine that with true centralized management of workstations as provided by OS X Server and you can say bye bye Micro$haft. The future's gonna be great without that dicktater Micr$oft!!!
Hello? It's not very easy to imagine a site that's willing to let a third party handle customer information for free.
Most companies aren't even willing to tell you how many customers they have, much less let you collect personal information about them.
-- this is not a
I see .net passports...
they're everywhere...
they don't even know that no one's using them...
Passport is probably more secure than SSL. It's an excellent technology for Microsoft to use for all of its various services.
hotmail
MSDN
MSGaming Zone
etc.
For an intra-corporate login system its excellent. But to be used across multiple websites, it just puts all your proverbial security eggs in one basket.
I think the best solution is simply the browsers remembering passwords on websites. If they were to make that pwd list exportable, that would really be great!
p.s. ebay uses it along side standard logins.
What's to prevent me from copying their pretty gif and collecting people's logins/passwords?
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
I don't know if they still do or not, but eBay used it at one point.
The original concept behind the design of the internet (DARPAnet) was to spread out the whole mess so as to make it impervious (or at least resilient) to a tactical nuclear strike.
Fast forward almost three decades and now we should keep designing it to avoid tactical commercial strikes.
If everything, like commercial web security, was placed in the hands of one trusted authority, some problems would be solved. (I for one welcome single sign-on to all my messageboards and other non-sensitive websites regardless of their affiliation.) But build that authority on a single corporate entity and the whole mess comes tumbling down once that solitary company folds, runs out of funds or cuts the project. Not to mention that they then have the power to determine limits of use to suit their own agenda.
MS Passport is one such technology that attempted to carve a market niche contrary to the spirit of the medium it was intended to support. The internet is not monolithic and its use and enrichment should follow.
</soapbox>
Passport was a lame idea from the very beginning. While it may make sense for Microsoft, with MSN, MSDN, Messenger, etc., no right-thinking company is going to let go of such a critical element of customer account management. Think about it: one of the first things a new customer needs to do is create an account - businesses just aren't going to trust that to a third party.
.NET Passports like .NET in general are not merely about today. Many of these sorts of projects are part of a larger scheme of Microsoft, so today's 'failure' is also an investment for the future of their corporation.
.NET was their plan for domination of net commerce and secure applications.
Microsoft is one of many companies that would like to one day see us subscribing for software monthly rather than merely suffering through outlandish licenses, having little knowledge of what is actually going on inside of our infrastructure and ultimately making them into another 'ma Bell'.
Their goal is seamless computing, controlled entirely by monopolies. I think the advantages of this are clear: Configuration of software could be done automatically based on users preferences, licenses could be validated behind the scenes, displays of resources similar to what you have shown an interest in can be compiled by their networks.
This future will be dominated by web based resources and applications. Just as Windows allows them to dominate the desktop,
The downside to all of this is clear I assume.
I'm glad it is presently considered a failure, I merely hope their long term investment doesn't pay off.
.Mac accounts! And what was the name of that proprietary Mac dial-in service that Apple had going for a while?
Best Buy can have you arrested
"Where do you think you're going..... NOWHERE!!"
A couple of years ago I wanted to buy some espresso pods from Starbucks online. Unfortunately the only way to log in was through opening a passport account. I shopped elsewhere and have never been back...
Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime, were not acceptable to most of potential clients out there."
They also had problems with Passport.
Tiddy-boom!
"Ignorance more frequently begets confidence than does knowledge"
- Charles Darwin
.NET Passport is considered a failure (although not by Microsoft).
Just what does Microsoft admit to as a failure?
XENIX? OK I'll buy that....
I attended an MS tech talk a couple of months ago about the identity system coming in Longhorn. It seems like they are really targeting mass acceptance with that one too.
:)
While I can't remember exactly how everything worked (hey, I was there for the food), it was basically an RSA key system, with the private key stored on one's own computer. The main MS involvement was to have some servers set up to allow one to back up their private key so they aren't screwed over if their computer crashes without a backup... and the presenter seemed confident that there would be non-MS providers of the service as well.
It seemed like a pretty neat idea anyway... There were also systems in place to allow one to deactivate their key if it was compromised. Basically one's computer could notify all of the places it had exchanged its public key with to tell them that it is no longer valid anymore. It seemed like an interesting system that took a lot of the control away from MS, as long as one trusts the OS not to beam the keys back to them
The only real downside was that it seemed like they weren't too keen on getting the server-side software operating on non-MS platforms. But who knows... It certainly seems to be a better solution than Passport, since there would be no fees beyond having a supported OS.
On the other hand, exactly how is the Liberty Alliance "competing heavily" with Passport? As you point out, they've produced nothing but a specification that nobody seems to have implemented. Or if they have, they haven't been obvious in any product I've used.
And believe it or not, we really do need some kind of universal sign on system. Actually more than one, since you don't want everybody dependent on a single vendor. Right now we have millions of people managing dozens of passwords, using sticky notes and other methods equally insecure. Plus it's much too easy to intercept passwords, or con people into giving them to you.
Not to mention that an identity infrastructure would do a lot to eliminate spam.
I'll say it again: I want a smart card that I can plug into any machine and establish my identity, without sending passwords over insecure media. The technology's there: when will somebody actually use it?
Passport has extremely high potential. I tried it out a while back... I went to Slate.com after signing up for a passport, and clicked the "Sign In" button. Now, I had never visited Slate, nor did they have any data on me prior to this. When I clicked "Sign In", that was it. I was registered. No filling out forms. No nothing. From a usability standpoint, Passport has tremendous potential.
With that said, the fees are absolutely horrendous. I checked it out - $1000/year for "small implementations", and $10000 for other. While I'm all for paying for a good solution, I can't see how having a single-sign-in solution on any website would generate $10000/year in profits.
I'm sure it would catch on like wildfire if they just lowered the fees to more manageable levels.
Oh, and buy paypal.
Not that I think this is a good idea but I've come to realize that many people use the SAME userid and password for different sites. That's how they remember how to get in.... I have come to this conclusion after observing the user habits of some of my clients.
So bottom line: MS Passport is redundant in terms of making it easier for the user. As for security... that's just a whole different ball game.
-- What's this '-r *' file doing here? -- Oh well, a simple 'rm' should do the trick.
I mean. WTF do we need an extra service for if the security manager can do it, also kwallet can remember them all and interact with konqueror....
Even IE can do it i think..... so, i think the single sign on in passport is really a fucking hoax designed to lock linux and OSS out of large datacenters.
NO SIG
Haven't read the replies (or the FA), but wasn't a big concern about Passport that you would need to sign over your first 3 children just to get authenticated?
Vote monkeys into Congress. They are cheaper and more trustworthy.
I don't think the security is even the main issue. Outside of those problems coupled with the cost involved, the problem is trust. I'd have a tough time trusting any outside source with that kind of information, let alone M$.
It doesn't matter how good a german car is, it's still a tough sell to an old WWII vet.
No, I'm New Here
Although a centralized auth system isn't ideal, it is still the best solution so far for this amount of users.
Security issues: how many security issues were found in Windows or OpenSSL, vs. how many in Passport? Do you have any hard numbers?
Privacy issues: Regulation agencies are working closely with Passport to set a good industry standard. Can you clarify what privacy issues you were thinking of?
Let's see if SharedID or TypeKey manage to handle millions of users, for free, with no licensing fee and with good uptime (above 99.9).
The problem with the whole concept in general, to me, is security.
Company A holds your credit card information and controls the sign-up system.
Company B: You make purchases through their system, credit card details are pulled from Company A, you're happy.
Slap on 100 Company B's, each with the ability to pull your credit card data so you can make purchases.
You now have 100 new possible locations for a hacker to crack, giving them access to a massive database of credit card data.
A chain is only as strong as its weakest link. The more merchants you add to this style of system, the better the chance your chain will break one day.
Personal Website
I'm curious, could someone tell me what the licensing fees are approximately?
I've heard from several places that it is way too expensive for all but the biggest sites, but I'm curious, and I don't feel like emailing Microsoft (I don't want a bunch of salespeople hounding me to get the license).
Passport has gotten a lot of bad press, but there's three other major single signon systems in circulation that nobody talks about...
AOL's ScreenName Service is used on all Time Warner web properties and partners, including AIM, the Netscape sites, all of the magazines they own and EA's Pogo games site.
Disney's Go Network may have failed as a portal, but every web domain Disney owns still redirects to a subdomain of go.com such as ABC.go.com and ESPN.go.com. Therefore, there's a full network of news content, e-mail, and a few shopping sites contained there, all of which are Disney-owned properties.
Yahoo also has a full "network" of sites within the Yahoo.com domain... e-mail, an IM client, games, shopping, and let's not forget there's a search engine there too. Yahoo lets several partners have your entire account information simply by offering a one-click registration into a site such as WorldWinner.com from their games section.
So, while all the bad press is being aimed at MS... several just as invasive services have quietly gained power.
You saw part of a source file that mentioned things you probably didn't understand in the first place, then went off half-cocked and shit a brick--yet you still don't know crap.
Here's an idea: post that code someplace other than Freenet and we'll see what a million eyes do to it, other than the, what, 4 people that actually care to use such an abomination as Freenet.
Customer lists are closely guarded by most businesses. Letting someone else control that doesn't make any business sense. Is anyone seriously surprised Passport got passed by everyone?
Isn't that the point of having the authentication integrated in the OS, as it is in Windows XP? Unless your spoof page can also trick the authentication popup of the client, this won't work.
;-)
In terms of pure web UI, spoofing is a very general problem. For Passport, you can easily see that the URLs for all Passport authentication are Passport URLs (passport.com or passport.net).
You also have certs to verify you are not sending your password to paSSSport.com
Also, only the passport UI will pre-fill the username correctly, since the spoof sites don't have access to the passport cookies.
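The comment above says a real Passport login page can be recognised by its URL (passport.com or passport.net) and its certificate. Here is an added example of that hostname check, written for this page rather than taken from the thread or from Microsoft's Passport code. It decides on the parsed host component, not on a substring of the raw URL, so the usual look-alikes are rejected: paSSSport.com (a different name), passport.net.evil.example (the real name as a prefix) and https://passport.net@evil.example/ (the real name hidden in the userinfo part). The domain list, the sample URLs and the function names are assumptions of this example, not anything the page states.

```python
from urllib.parse import urlsplit

# Hosts the comment says every Passport authentication page lives on.
# Assumption for this example: any subdomain of these two names counts.
PASSPORT_DOMAINS = ("passport.com", "passport.net")


def is_passport_login_url(url):
    """True only for an https URL whose host is passport.com / passport.net
    or a subdomain of one of them.

    The decision is made on the parsed host, never on a substring of the
    raw URL, so the usual look-alikes fail: paSSSport.com (different name),
    passport.net.evil.example (real name used as a prefix) and
    https://passport.net@evil.example/ (real name in the userinfo part).
    Plain http is rejected because without TLS there is no certificate to
    back the name up.
    """
    try:
        parts = urlsplit(url)
    except ValueError:            # e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname         # lower-cased; userinfo and port already stripped
    if not host:
        return False
    host = host.rstrip(".")       # a trailing dot names the same host
    return any(host == d or host.endswith("." + d) for d in PASSPORT_DOMAINS)


# Constructed sample URLs for this example: two plausible login pages and
# the look-alikes a phisher would try.
SAMPLE_URLS = [
    "https://login.passport.net/",
    "https://www.passport.com:443/",
    "http://login.passport.net/",               # no TLS, so no certificate
    "https://paSSSport.com/",                   # misspelled name
    "https://passport.net.evil.example/",       # real name as a prefix
    "https://passport.net@evil.example/",       # real name in userinfo
    "https://evil.example/passport.net/",       # real name only in the path
]


def triage(urls):
    """Map each URL to its verdict; the False entries are the phishing candidates."""
    return {u: is_passport_login_url(u) for u in urls}


if __name__ == "__main__":
    for url, ok in triage(SAMPLE_URLS).items():
        print("OK     " if ok else "REJECT ", url)
```

The same idea carries over to the certificate check the comment mentions: the name to compare against the certificate is the parsed host, and a match against a substring of the address bar would pass every one of the rejected URLs above.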
Every registration-requiring service of Google nicely collects no more information than it needs to, but there also seems to be very little support for cross-linking registrations from one service to another. As a result, they have distinct logon screens for...
- AdWords
- AdSense
- Google API
- SiteSearch / Websearch
- Blogger
They just keep adding new services, but there's no sign of any unity coming...
Anyone else notice at the bottom the little table containing the words "E-commerce...Create Alert"?
I laugh at thee from my comfy chair.
From here where I deride those who try
Everything is so obvious
Of course losers would fail
Of course winners would prevail
I think the idea of single sign-on is a good one. The problem is, it shouldn't be implemented on the server side. KDE's new KWallet system is a very good example of how this should work - I keep all my logons locally, encrypted, and in a trusted place - my privacy is not at any more risk than it ever was. Now, I single sign on to the KWallet system which is then used by konqueror/kopete/kmail/whatever to auto-logon wherever I go.
With a little bit of support server side (perhaps a standard way of passing logon information to HTTP servers - if the existing method is not deemed good enough) this could easily fake the entire passport system with no need for any centralised server.
Carpe Daemon
Novell has two great XML-based products that compete head-to-head with Passport - NSure and iChain, providing basically the same functionality, but built around eDirectory.
http://www.novell.com/products/ichain/
Now that Novell is becoming serious Linux player, it will be interesting to see what they can do with these.
Links: http://www.novell.com/products/nsureidentitymanag
Netscape's current browser has a password manager that fulfills the role of a centralized user db. Correctly configured, it'll save all usernames/passwords/form data in an encrypted form on the user's hard disk, and when a site is accessed, will prompt you with a dialogue box with username and password filled in, ready to be clicked, or the form filled in, also ready to be clicked. Thus the user has complete control over the data they send, not any business entity. I don't know if Mozilla et al have this feature as I've never bothered to try them; haven't had a need since Netscape's browser fulfills all my web browsing needs. I haven't used IE since version 2.
For each web site I visit, I have a user ID and then make up a 10 character random password. That's stored in a text file on my laptop which is then encrypted with PGP. When I need to log in to a site, I decrypt the file, copy/paste the password into the browser, and wipe the file. This is a few more steps than what MS Passport does but is infinitely more valuable to me in making me feel my passwords are relatively secure. BOTH solutions rely on one password to protect all my accounts, but at least in my solution it's a 20-character phrase stored in my head instead of one stored in Redmond.
They have the Internet on computers now?
I already have Password Manager in Netscape and Keychain in OS X competing everytime I log in somewhere. And I can usually remember the 5 or 6 common passwords I use, as well as the 3 my GF uses and the two my boss uses.
Then, I can still remember the burglar alarm codes and passwords for my last three jobs, too.
You brought up some good points. I really hate to dump on someone for stating a point of view.
I had to research this thread before submitting my metamod form, and I do see where there is quite a bit of anguish over why it got moderated as a troll.
It's the way the post was organized... coming on as AC followed by a lot of name calling. A lot of us here take offense when someone resorts to name-calling and consider it more juvenile than anything else.
One usually does that when one wants to blow off steam without taking a karma hit for it. Because what happened is damn near inevitable.
Based on that, I had to mark my response to the troll mod as "fair".
here's Glenda's
In plan9 the single sign-on is a bit different, as it can save credentials for your regular internet services such as ftp, ssh, vnc, pop3, imap.
secstore is an encrypted file store, one of which is your factotum keys.
here's some example keys (SECRET is where my password would be):
key proto=pass server=www service=ftp user=matt !password=SECRET
key proto=p9sk1 dom=outside.plan9.bell-labs.com user=mattp9 !password=SECRET
key proto=pass server=colo service=ssh user=matt !password=SECRET
key proto=vnc server=kit user=matt !password=SECRET
one can load one's passwords into a text editor and add/remove them in secstore
or do echo 'key proto=vnc server=kit user=matt !password=SECRET2' > /mnt/factotum/ctl
if the key is not present, factotum prompts you for it and remembers it while you are logged into the terminal
When you log out factotum forgets all the entries not in secstore
It's a great system, I just enter my secstore password at boot and I have passwordless access to the services I have stored.
though one tends to just hit power when you go to lunch, you can just do 'kill factotum | rc' to unload all the keys and then 'ipso factoum' to load them from secstore again (i think that's how you unload them, i've never done it)
servers need not know anything about it, no .NET libs to compile against or licensing fees to pay
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
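The factotum key lines quoted in the post above are plain attr=value tuples: factotum picks a key by matching the attributes a client asks for (proto, server, service, ...), and a name starting with '!' marks a secret attribute that is never handed back. Below is an added example, written for this page and not code from Plan 9 or from the poster, that parses such lines, looks a key up by attribute match, and renders keys for listing with secret attributes redacted to '!password?' (modelled on how factotum's ctl file shows them). The sample keys are constructed from the four lines in the post with the SECRET placeholder kept; the function names are this example's own.

```python
import shlex

# Constructed sample for this example: the four key lines from the post,
# SECRET placeholders kept in place of real passwords.
SAMPLE_KEYS = """\
key proto=pass server=www service=ftp user=matt !password=SECRET
key proto=p9sk1 dom=outside.plan9.bell-labs.com user=mattp9 !password=SECRET
key proto=pass server=colo service=ssh user=matt !password=SECRET
key proto=vnc server=kit user=matt !password=SECRET
"""


def parse_key_line(line):
    """Parse one 'key attr=value ...' line into a dict of attributes.

    Attribute names beginning with '!' are secret (factotum never hands them
    back to clients); the '!' is kept in the dict key so callers can tell
    public and secret attributes apart.  shlex handles quoted values such as
    !password='two words'.
    """
    fields = shlex.split(line)
    if not fields or fields[0] != "key":
        raise ValueError("not a key line: %r" % line)
    attrs = {}
    for field in fields[1:]:
        name, sep, value = field.partition("=")
        if not sep or not name:
            raise ValueError("malformed attribute %r in %r" % (field, line))
        attrs[name] = value
    return attrs


def parse_keys(text):
    """Parse a whole key file; blank lines and # comments are ignored."""
    return [parse_key_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def find_key(keys, query):
    """Return the first key satisfying every attr=value pair in query.

    This is the factotum selection rule: the client names only the attributes
    it cares about and every attribute it does not mention is a wildcard.
    Secret attributes cannot be used to select a key.
    """
    if any(name.startswith("!") for name in query):
        raise ValueError("secret attributes cannot be queried")
    for key in keys:
        if all(key.get(name) == value for name, value in query.items()):
            return key
    return None


def public_view(key):
    """Render a key for listing: secret attrs appear as '!name?' with no value."""
    parts = ["%s?" % name if name.startswith("!") else "%s=%s" % (name, value)
             for name, value in key.items()]
    return "key " + " ".join(parts)


def list_keys(text):
    """Parse a key file and return its redacted listing, one line per key."""
    return [public_view(k) for k in parse_keys(text)]


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_KEYS)
    for line in list_keys(SAMPLE_KEYS):
        print(line)
    ssh = find_key(keys, {"proto": "pass", "service": "ssh"})
    print("ssh goes to server=%s as user=%s" % (ssh["server"], ssh["user"]))
```

The point of the split between public and '!' attributes is the one the post relies on: a program can ask "which key do I use for ssh to colo" and get the right tuple without ever seeing the listing leak the password, so the secret lives only in secstore and the running factotum.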
Connecting your blog to a big directory service would mean getting rid of comment spam forever. Blocking comment abusers would become much easier, too.
In fact, if I were running one of these directory services, I would offer the service free of charge to blogs (for a limited time) in the interest of getting customers signed up and used to the service.
Then, once it's established, the commercial potential will become ever more lucrative.
I was going to implement passport on a client site when it first came out. I didn't know about the security issues at the time, but the cost was so high that I simply couldn't do it.
It seems to me that Passport could handle some security issues (albeit badly, but that's another issue) of small/mid developers and sites so that you don't have to worry about keeping certain personal data on your own system. But, it's simply priced way too high.
Maybe it would have gone better if they offered a free version - perhaps with a certain customer limit, so that small sites could implement it. If you have a large volume of customers, then you pay. So the cost would only become a factor as your site grew. Hopefully, your site grows and so do your profits. They would have you by the balls at that point - guaranteed customer. I think they killed it with the high price.
TODO: come up with a clever sig
Ah, but whose law? A Bulgarian colo is very different from Rackspace.
I use Opera's Wand tool. It can be a bit irritating at times, but for a few sites where I have multiple logins, or those sites for which I have one login and it tends to boot me out a fair bit, it's nice. Sure beats cookies.
Now, you can bet I'd go in and scrub my passwords if anyone else used my computer, and I don't use it for, say, banking sites(where the consequences of being cracked would be just too great), but for run-of-the-mill stuff, it's handy.
And it isn't made or broken by MS keeping servers online.
NB: YMMV. IANAL. Take the above with a grain of salt.
Does that make you an asshole?
http://www.passport.net/directory/default.asp?lc=1033&PPDir=C
Links of passport using sites.
Ebay?
TruePunk | Games
"You get all the fun of sitting still, being quiet, writing down numbers, paying attention...science has it all."
I've used my .NET Passport with McAfee, for their free virus scan.
..Liberty Alliance project, which so far has produced just a large amount of PDF files...
Yep, the last time we had a liberty alliance, they only produced one document. But don't worry, politicians are doing their best to take care of it.
Sure I'm paranoid, but am I paranoid enough?
http://cgi3.ebay.com.au/aw-cgi/eBayISAPI.dll?PassportSignInShow&pt=-1&finalURL=
Did some more searching, and yes, eBay uses Passport.
Does this mean paypal uses passport? If not will it?
TruePunk | Games
I don't get it, I thought Gator already had all these features.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
What works well is Apple's Keychain idea.
If you want, all of your passwords (web sites, iDisk, e-mail, etc) are all stored in your encrypted keychain on your computer. When you login and authenticate your primary keychain is unlocked, allowing programs that stored passwords to access them. Programs cannot access others' passwords without your consent (in the form of "The application blah wants to access your keychain. Do you want to allow this?"). As would be expected, the whole shebang is encrypted on disk, I believe with AES. Finally, if you don't want all of your passwords in one spot, you can create multiple keychains (e-mail accounts, financial sites, other web sites) and unlock them only as needed.
It's all local, all secure, very flexible, and by default so easy it's completely transparent.
I don't know what kind of crack I was on, but I suspect it was decaf.
The only thing i've ever found remotely useful about the passport ID is that it lets me check my mail from MSN messenger without having to login again? :-)
Do any one of you really use ur id for anything else? OR IS there anything else to use???
Lord of the Binges.
Not that anyone will ever see this, but it seems that a distributed LDAP database answers most of the problems raised in these various articles. You get decentralized security/management with referral chasing while at the same time having a global tree-like infrastructure like DNS, so a single originating query retrieves the requested information.
Adopting a common lookup structure to filter on (and this can be accomplished via referral chasing as well, so that existing structures can be accommodated) would mean that your email address would identify you and your password would authenticate you to web services anywhere, with permissions based on the DN of the bind - if I supply me@domain.com, I authenticate via uid=me,cn=users,dc=domain,dc=com and the password I supply, and permissions are granted/withheld based on components of the DN.
With referrals security and authentication is left up to individual LDAP directory administrators.
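The mapping the post describes, me@domain.com to uid=me,cn=users,dc=domain,dc=com, is a string construction, and the part a practitioner has to get right is that the local part of an address is attacker-controlled: an unescaped comma or equals sign in it would splice extra RDNs into the bind DN. The following added example (mine, not the poster's, and not tied to any LDAP server library) builds the DN with RFC 4514 value escaping, parses it back into components, and decides access on the dc= components as the post suggests. The naming convention cn=users and the decision rule are assumptions for illustration.

```python
"""E-mail address -> LDAP bind DN with RFC 4514 escaping (added illustration)."""

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
# '=' is added so a value can never read as the start of a new RDN.
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value):
    if not value:
        raise ValueError("empty RDN value")
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))     # control chars as hex pairs
        else:
            out.append(ch)
    return "".join(out)


def naive_email_to_dn(email):
    """The construction with no escaping: the local part can inject RDNs."""
    local, domain = email.split("@", 1)
    dcs = ",".join("dc=" + lab for lab in domain.split("."))
    return "uid=%s,cn=users,%s" % (local, dcs)


def email_to_dn(email):
    """Assumed convention: me@domain.com -> uid=me,cn=users,dc=domain,dc=com."""
    local, sep, domain = email.partition("@")
    labels = domain.lower().split(".")
    if not sep or not local or "@" in domain or any(not lab for lab in labels):
        raise ValueError("malformed address: %r" % email)
    rdns = ["uid=" + escape_rdn_value(local), "cn=users"]
    rdns += ["dc=" + escape_rdn_value(lab) for lab in labels]
    return ",".join(rdns)


def parse_dn(dn):
    """Split a DN into (type, value) pairs, undoing the escapes above."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            nxt = dn[i + 1:i + 2]
            if not nxt:
                raise ValueError("dangling escape in %r" % dn)
            if nxt in _SPECIAL or nxt in "# ":
                cur.append(nxt)
                i += 2
            else:
                cur.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        typ, sep, val = rdn.partition("=")
        if not sep or not typ:
            raise ValueError("bad RDN %r" % rdn)
        pairs.append((typ.strip().lower(), val))
    return pairs


def domain_of_dn(dn):
    """The dc= components of a DN, joined back into a DNS name."""
    return ".".join(val for typ, val in parse_dn(dn) if typ == "dc")


def may_access(dn, allowed_domains):
    """Grant or withhold on DN components; here, on the dc= suffix."""
    return domain_of_dn(dn) in set(allowed_domains)


if __name__ == "__main__":
    hostile = "me,cn=admins@domain.com"
    print(naive_email_to_dn(hostile))   # five RDNs: an extra cn=admins got in
    print(email_to_dn(hostile))         # four RDNs: the comma stays in the uid
```

The two printed DNs are the point: whether the directory treats the injected component as meaningful depends on the tree, but the bind DN should never be something the client could reshape.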
Someone had a better solution for the single login which was Plan9 based, using Factotum. It should beat both Passport and Liberty Alliance. Here's more info about the Plan9 auth system (factotum/secstore):
http://www.cs.bell-labs.com/sys/doc/auth.html
I have five kids, anyway
Or as I tell my wife.."we have spares"
Liberty implementations are currently available from: Novell, Sun, RSA, Netegrity...and others!
He could, but as he is involved with secret NSA/FBI secret projects he would have to kill you afterwards. :)
Guess what, they told him his new password over the phone, without asking for a single proof of identification!
When he asked them if, maybe they were supposed to check his identity first, he got nowhere (something like "thanks, noted" - I couldn't hear the other end of the conversation at this point)
That's trusted computing?
Trusts who?
TODO: 753) write sig.
With scanners being so inexpensive, why are we not using fingerprint scanning based authentication yet?
Did you read "2003 a Dave Barry Odyssey"
Quoting from the article:
I guess the same applies here.
No sig
I know the "natural" adversity you brits and yanks have against ID, but should we have a State Certification Authority issuing dirt cheap personal and business (for registered businesses) digital certificates, in the first case preferably in a smartcard based ID that would allow easy transferral of the certificate to the browser and mail client (and other...), we wouldn't have a problem like this to begin with! SSL client authentication would be widespread and transparent.
:(
The State has been traditionally trusted with the task of certifying identity, so this would only be a step to adapt to a new physical reality.
The credit card companies would love it (credit cards wouldn't even need to exist physically!), public services (tax deliveries, contract signing, etc.) would be much simpler, and Economy, Web Security (no more SPAM anybody?) and the whole public and private service infrastructure would have a lot to benefit.
But no, it is better to perpetuate the interests of the existing commercial CA, issuing you a certificate for $200 a year, with who-knows-what given credentials...
I'm not sure how the Microsoft version works, but if I were implementing something like this, I would never allow logins to come from the site. Instead, I would require the site and user to log in to my system separately. Then I would give them a unique identifier or something to check if the user is logged on to the central system.
For example, I might create two unique encryption/decryption key pairs and give one decrypt to the site and the corresponding encrypt to the user and give the other decrypt to the user and the corresponding encrypt to the site. Now they can communicate safely with private key encryption.
Note that neither the site nor the user ever has login info for the other. Remember to discard the keys when done.
A side effect of this is that instead of getting a login page when you try to connect to a site using the system when you are not logged in, you would get an error page (you are not logged in; please go to the appropriate place and log in). This would be mildly inconvenient but much more secure.
Who needs a back door when Microsoft is guarding your front door?
http://drupal.org/node/view/312
It allows any FOAF / xml based backend login mechanism to be used to log into any Drupal site. It's simple, based on existing standards, and already works. Why not use this instead of vaporware / brokenware?
FYI, Drupal is the base code for Howard Dean's websites.
VIVA1023.com | Political Fashion.
No wonder it's failing, it's one of those ideas that can be argued against just by saying it out-loud. It's a single point of failure sign-on service... controlled by Microsoft.
"Computer, find me some hot grits!"
Linux? Hehe.. got a G3 laptop running Debian and an OS X machine at work, with win2k filling in the gaps. I'm all over the place. Right now, I'm hooked on the crack that is Mozilla just to keep my head on straight when I hop from machine to machine.
I'm not quite ready to re-embrace Netscape (used it back in the day) but maybe this will tip the balance.
Thanks for the advice!
If your fingerprint is compromised, you can't revoke it.
Biometrics are crappy authentication. They should never be relied on by themselves.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Disclaimer: I used to work for Andre Durand, who founded PingID. I also worked with Bryan Field-Elliot, who wrote SourceID.
Be who you are...and be it in style!
create a step for the consumer that is not needed and collect up monies from its use by consumers.
Occam's razor.... the simplest route is usually the one taken...
anyone remember when computers were marketed as a device that will make things simpler?
Instant Messaging
name instead of already-taken @Hotmail or @Msn names.
No thirty day expiration ... you don't have to log in to Hotmail
regularly (or pay a yearly fee for the privilege)
--
TEXAPORT@PASSPORT.COM via MSN Messenger
No surprise there, but they think that having all of your product keys behind a nice "Passport" account is a good idea.
Well, about a week or so ago I needed to get to our product keys, but couldn't because Hotmail/Passport experienced a huge outage.
How nice. Couldn't get a bunch of machines rolled out.
I learned, though. I printed out all of our keys and stashed them somewhere safe.
Screw Passport.
First of all, as others in this thread are already pointing out, the security issues are problematic, to say the least... you want to store all that financial information in a Microsoft server, with Microsoft's terrible security record? No, thanks.
Second, Microsoft already has a ridiculous amount of power over the lives of the ordinary consumer, and the ordinary consumer knows it and deeply resents it. Even if they're not technically literate enough to be able to use non-MS products regularly, they still don't want to give Billgatus of Borg any more power over them than they absolutely have to.
Related to that, Passport is designed to force people to use MS products. I have a Passport ID (which I created only because I have friends on MS Messenger, not because I wanted to), and it's nothing but one solid headache. Just as an experiment, I've tried to log in to a number of sites with Passport using my regular browser, Safari, and it never works. It works fine in Internet Explorer, though -- gee, you don't suppose MS purposely designed it not to function with any browser other than its own, do you? Nah... I mean, they've never done anything like that before...
Who would trust M$ with that kind of info? With their history of a complete lack of security in any form, it's amazing anyone even registers anymore. I wouldn't let them have a credit card number if Gates paid the bill!
Professional Politicians are not the solution, they ARE the problem.
I used to work helpdesk for Microsoft. Well, it was another company that they contracted, but anyway. After doing Win98 support I got moved to multimedia and games. Part of that support was for Asheron's Call.
Asheron's Call (when it originally came out) used the MSN Zone login system to keep track of who's in the game, who has accounts, etc. Probably a year or so later, they (being Microsoft) decided that it would be better if all of the MSN Gaming Zone went to Passport instead of using their own login system. When this first went through, the Passport servers got hammered, and people were unable to make Passport accounts. Most of these people that were making new accounts were because of Asheron's Call. Then the real troubles began.
First, they had it set up so only one active Asheron's Call account could be tied to a Passport. Sure, you could have multiple accounts under one Passport, but you would have to go to the Asheron's Call website each time you wanted to use a different account, and change that info on the webpage. (What pretty much happens is you log in to Passport when you go to the AC page, and then you go into the game; you don't put another password or anything in the actual game interface.) So, when you logged in, it just used the "active" AC account tied to the Passport you used. This really isn't a big deal for those who have just one account, but there was a lady who called in with 22 AC accounts. Don't ask me why she had so many; people get a little crazy with these games I guess. So, for her to be able to easily log in to each one of those accounts, she would have to create 22 separate Passport accounts. So much for the "single sign-in system" that they like to tout so much.
Second, the MSN Gaming Zone and Microsoft are pretty much 2 separate companies. They don't really share much info behind the scenes (I'm talking support-wise). So, when someone called me up, they would say they couldn't log in to Asheron's Call. I would have them go through the process of making a Passport account. At times, the Passport account creation wouldn't go well, and Microsoft (at least at that time) had not a single person who could really help me with the Passport system at all. There really wasn't a phone extension I could have called to get more info; I just had to figure it out on my own. Not something I think really should be done in a big support deal. Anyway, walk the person through creating the Passport account, and then going in and linking the AC account with the newly created Passport account. For the few weeks after they decided to do this, it was the worst that you could think of, having to fix that 20 times in a day. It wasn't really our problem (games and multimedia) but they didn't have anywhere else for them to go.
Ok, so that said, I couldn't imagine what a separate company would get in terms of support when trying to, let's say, integrate Passport into their website. I was representing myself as a Microsoft employee and I couldn't really find anyone to help fix problems with Passport, and I had access to the full MSKB (one of the cool things they have, even if it is all just text). Eventually we got some tools towards the end of my days that we could use to look up what account was tied to what Passport, but it really didn't matter much because all the problems we had with it were pretty much taken care of. As a side note, if you were to call them up today, you would be talking to someone in India.
I know of a firm using Liberty Alliance 1.1 / SAML protocols to bridge between two proprietary SSO domains, with Netegrity vendor support on one side. Widespread use will likely wait for full implementations of 2.0, it seems. Which will still be before widespread use of PassPort or H*** freezing over.
Bill
I would love to know if Bill Gates stored his personal credit info on Passport. Odds are 100 to 1 that he didn't.
Lots of people have hooked up on slashdot personals...it's just a "private-labeled" match.com, complete with the same ads. I suppose match.com realized that Spring Street Networks was making a mint with their private label personals sites (salon.com personals, fuckedcompany.com personals, nerve.com, etc. all back up to the same network), and decided to join the party.
Now, I, personally have "hooked up" over Internet personals more than once - in fact, I suppose all my "hook-ups" these days are the result of Internet personals ads, since I met my wife on webpersonals.com (which is now lavalife.com). My college suitemate met his wife on the old wbs.com, or Webchat Broadcasting System - this was back in 1995! So people have been hooking up via the web almost as long as there has been a web.
Blogging Weight Loss, Distance Education, and more at verlin.com
There are also methods where you need M of N pieces to reconstruct the secrets, eg. that you need any 3 of 5 pieces. Such approach could increase both the security (by decentralization) and the reliability (by redundancy).
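The M-of-N scheme mentioned here is Shamir secret sharing: the secret is the constant term of a random polynomial of degree M-1 over a prime field, each share is a point on it, and any M points recover the constant by Lagrange interpolation while fewer reveal nothing. The block below is an added example of that construction (mine, not from the post), for the 3-of-5 case the comment names. The prime and the integer encoding of the secret are assumptions; the reconstruction with too few shares is shown to come out wrong.

```python
"""Shamir M-of-N secret sharing over GF(p) (added illustration)."""
import random
import secrets

PRIME = 2 ** 127 - 1   # Mersenne prime: secrets must be integers below it


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n, rng=None):
    """Return n shares (x, y); any k of them reconstruct `secret`."""
    if not 1 <= k <= n < PRIME or not 0 <= secret < PRIME:
        raise ValueError("bad parameters")
    rng = rng or secrets.SystemRandom()
    # Leading coefficient drawn from 1..p-1 so the degree is exactly k-1.
    coeffs = [secret] + [rng.randrange(1, PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo_3_of_5(seed=7):
    """Deterministic walk-through: split, recover from 3, fail with 2."""
    rng = random.Random(seed)            # seeded only for the demo
    secret = int.from_bytes(b"hunter2!", "big")
    shares = split_secret(secret, 3, 5, rng)
    return {
        "secret": secret,
        "shares": shares,
        "recovered": recover_secret([shares[0], shares[2], shares[4]]),
        "too_few": recover_secret(shares[:2]),   # degree-1 fit of a degree-2 curve
    }


if __name__ == "__main__":
    r = demo_3_of_5()
    print("secret   ", r["secret"])
    print("recovered", r["recovered"])
    print("with 2   ", r["too_few"])
```

Decentralisation here means the five share holders can be five machines or five administrators; the reliability the comment mentions is that any two may be offline or lost and the secret is still recoverable.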
I personally think that it's becoming the groupthink/chic thing to do to point out that the Slashdot crowd doesn't like Microsoft.
I think you're purposely being naive if you don't recognize that there is a decidedly anti-"M$" slant here.
Personally, I'd say the posting of that story should stand as proof that Slashdot isn't so biased as you seem to indicate.
Did you even see it? The study indicated that Linux was the most-breached OS. So what does Slashdot do when they post it? Change the headline to read, "Linux Most-Attacked OS?" They change "breached" to "attacked" and add a question mark.
Then we get an article called "Microsoft Violates Human Rights In China" because Windows has a userbase there. Never mind that China has its own custom Linux distribution.
Last year we took on a Windows programming contract, so I went ahead and bought an MSDN subscription. In order to log into the online stuff I needed a .Net passport, and this required an email address.
The address I gave had been around for 3 years and had never received more than a couple of spam messages a week. Within 24 hours of getting the .Net passport that email address was getting over 20 spams a day, and it has grown significantly since then. (Thank goodness it wasn't my primary email account!)
Conclusion: either the passport user list is being sold, or security is nonexistent. Either way this is not a system any sane person would subscribe to!
No, I'm sorry but it does not for anyone who is serious about security.
There is a much better solution for that problem, Password Safe:
"Many computer users today have to keep track of dozens of passwords: for network accounts, online services, premium web sites. Some write their passwords on a piece of paper, leaving their accounts vulnerable to thieves or in-house snoops. Others choose the same password for different applications, which makes life easy for intruders of all kinds."
"Password Safe protects passwords with the Blowfish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Blowfish algorithm."
Of course there isn't anyone who might be able to implement such a system, because the whole idea is inherently flawed.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Jeez. The whole passport, name everything .NET, hailstorm junk is like three years old. MS uses passport for its own verification, but they haven't been pushing it for at least two years now.
Find something else to gripe about.
http://chicagodave.wordpress.com
Monster.com seems to be the forgotten child of passport. Either everyone here has a job and hasn't noticed the monster board login, (passport is optional there) or ... well, dunno how else to explain it.
Struck me as odd that the /. crowd (and its many unemployed) hasn't chipped into this little popularity poll, but it sort of clarifies to me how useless (or "unused" ?) job boards are.
Hate to break it to you, but several products couldn't be patched, because someone (hint, the letters M & S are prominent) were scrambling to get the patch out. Oh, and that patch didn't patch it, so there was another patch, which, omg, still didn't fix the stupid security hole. (if I still had the link, I'd post it)
Oh, and .NET has issues too.
and if you just want to dwell
The cesspool just got a check and balance.
And FireFly had to die for this...
I miss the FireFly universe. It was quite a cool community until Microsoft came in, trashed the joint, and then threw away all the cool stuff -- all so they could play with Passport.
Why do we need something like Passport? Shouldn't browsers provide this functionality? Or, instead of username/password combos, why can't we authenticate using a single secret key that the user need only remember? Hash the secret key and a seed from the website. Send the hash to the sites to authenticate the user.
Example:
User's Passphrase: My dog is brown.
User's hash: 87c5630aaae21c773ea493aab54022b2
Site's domain: kavlon.org
Site's Passphrase: Red Rover, Red Rover.
Site's hash: b4d1fe9cf7b3860a50ec7f21a2c09bb3
Combined hash: kavlon.org87c5630aaae21c773ea493aab54022b2b4d1fe9cf7b3860a50ec7f21a2c09bb3
Unique hash: e833a1237ac1afcaeed8f91139dc8e53
So neither the user nor the site admin need know their hash, just their passphrase. The site never needs to know the user's private passphrase or hash. The only code the site needs to know is the unique hash, which is specific to just that site. Using a one-way hash (this used MD5) it's impossible to brute-force calculate the value of either passphrase or hash (although obviously the site's hash is public). Because the combined hash uses the site's domain and the browser verifies that domain, there is no way for another site to trick the browser into giving it the unique hash for another site.
With something like this the user only need to remember a single pass phrase and they could type it just once per session on any browser with any website. No doubt there are problems with it but it could be improved and then I think it'd be easier than something like Passport.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
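The scheme above is a per-site password derivation: the browser holds one passphrase, the site publishes a domain and a site hash, and the site stores only md5(domain || user hash || site hash). The following added example (mine, not the poster's) implements exactly that derivation, the browser-side rule that the derivation is keyed on the origin actually loaded rather than a domain the page claims, and the server-side comparison. It also includes, clearly marked as my substitution, a PBKDF2 variant of the same derivation: the posted construction is a single fast MD5 of a phrase, so a site that holds one user's unique hash can test candidate phrases at hash speed, and a slow, salted derivation is what a practitioner would use in its place. Class names and the enrollment flow are assumptions.

```python
"""Per-site credential derivation as posted, plus a slow-KDF variant (added)."""
import hashlib
import hmac


def user_hash(passphrase):
    return hashlib.md5(passphrase.encode()).hexdigest()


def site_hash(site_passphrase):
    """Public value the site publishes, derived from its own passphrase."""
    return hashlib.md5(site_passphrase.encode()).hexdigest()


def derive(domain, user_passphrase, site_hash_hex):
    """The post's 'unique hash': md5(domain || user hash || site hash)."""
    combined = domain + user_hash(user_passphrase) + site_hash_hex
    return hashlib.md5(combined.encode()).hexdigest()


def derive_slow(domain, user_passphrase, site_hash_hex, rounds=200_000):
    """My substitution, not the post's: PBKDF2-HMAC-SHA256, salted with the
    domain and site hash, so one leaked credential is costly to brute-force."""
    salt = (domain + site_hash_hex).encode()
    return hashlib.pbkdf2_hmac("sha256", user_passphrase.encode(), salt, rounds).hex()


class Browser:
    """Holds the passphrase for the session; never hands it to a site."""

    def __init__(self, passphrase, slow=False):
        self._passphrase = passphrase
        self._derive = derive_slow if slow else derive

    def credential_for(self, page_origin, requested_domain, site_hash_hex):
        # Bind to the origin the browser actually loaded. A page at
        # evil.example asking for kavlon.org's credential gets nothing.
        if requested_domain != page_origin:
            return None
        return self._derive(page_origin, self._passphrase, site_hash_hex)


class Site:
    """Stores only the per-site unique hash, compared in constant time."""

    def __init__(self, domain, site_passphrase):
        self.domain = domain
        self.site_hash = site_hash(site_passphrase)   # public
        self._users = {}

    def enroll(self, user, credential):
        self._users[user] = credential

    def login(self, user, credential):
        stored = self._users.get(user, "")
        return bool(stored) and hmac.compare_digest(stored, credential)


if __name__ == "__main__":
    site = Site("kavlon.org", "Red Rover, Red Rover.")
    browser = Browser("My dog is brown.")
    cred = browser.credential_for("kavlon.org", "kavlon.org", site.site_hash)
    site.enroll("matt", cred)
    print("site hash ", site.site_hash)
    print("credential", cred)
    print("login ok  ", site.login("matt", cred))
```

Two things the example makes concrete: the domain check lives in the browser, so a site that lies about its name gains nothing, and the server only ever compares a stored value it could not have turned back into the user's phrase cheaply once the slow variant is used.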
I'd be especially wary of sites locked into ASP or .NET, not just for the inherent security problems. PayPal, for example, is at potential risk, as it is owned by eBay. But read the changes to HotMail or other similarly MS-Passport encumbered services.
There are ways to do secure, platform independent, centralized authentication for web and other services, but MS-Passport isn't one of them. See Kerberos + LDAP instead. If you don't wish to experiment on *BSD or something else, all the major Linux distros include both clients and servers. There are even ways of scaling enormously. Universities and libraries with electronic subscriptions should be able to get the most mileage out of Kerberos.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
It's not vapor folks. The fact that you may not *see* the fact that your name is getting federated across a set of services as a federated namespace in Liberty has nothing to do with whether or not federated names are in use.
We're just about to ship, transparently, a Liberty architecture here - and we're doing so internally amongst ourselves and our assembled services. There's nothing vapor about the technology.
The fact that there's no pretty website offering a "Passport" to be used anywhere on the internet for Liberty is missing the point: that isn't what Liberty is all about. The fact that you could has nothing to do with whether or not you *would* do so.
-- A mind is a terrible thing.
I think it looks very interesting, and it is much better than both Passport and Liberty Alliance in that you control your own data and decide yourself what you want to share (if I have understood it correctly).
I haven't seen it been discussed a lot on /., and:
2004-02-22 20:10:08 Shibboleth For User Info Exchange (developers,privacy) (rejected)
Employee of Inrupt, Project Release Manager and Community Manager for Solid
I gotta confess I'm getting great mileage out of those new services like dodgeit.com or mailinator.com -- temporary receive-only e-mail addresses which are perfect for registering (you don't even need to create them, they're created automatically when mail arrives).
F*ck the system from the _inside_...
Time to clear this up.
1) Liberty Alliance protocols aren't about setting up a single auth provider that the world uses to authenticate you: It's a way of businesses and sites to create an agreement to allow each other to cross-login, or to support logins from foreign systems. Any site wishing to turn its login system into an Identity Provider is free to do so - other sites can then use that federated identity.
2) Liberty Alliance protocols don't require that one central identity hold all information. Each service provider has a local account which can hold information specific to that service without requiring your private information to be shared indiscriminately.
You can Liberty-enable a set of websites today. This can be done transparently to users, and is about businesses sharing sign-ons and authentication information without actually having to share your data. Site X doesn't need to have your account information, or your password; it can find out from the identity provider enough information to know whether you've been authenticated, or direct you over to them to authenticate safely.
Read the docs, folks. It's not Passport. It's not even really *like* passport, in its intended use. It's real, it's implementable, it serves a real purpose, and it's going to be BIG.
-- A mind is a terrible thing.
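Two comments in this thread describe the same shape of system: the earlier proposal that user and site each log in to the central system separately and the site only checks whether the user is logged in, and the Liberty description just above, where a site learns from the identity provider "enough information to know whether you've been authenticated" without ever holding the password. The block below is an added example of that exchange in Python (mine; it is not Liberty code, not SAML, and not the poster's design), reduced to its security core: the identity provider keeps the passwords, each service provider holds a distinct shared HMAC key registered out of band, and the assertion a site accepts is bound to that site (audience), short-lived, single-use and signature-checked in constant time. All names, the token layout and the 300-second lifetime are assumptions.

```python
"""Minimal federated sign-on: IdP-issued, site-bound assertions (added illustration)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Holds credentials; hands each site a signed, site-specific assertion."""

    def __init__(self):
        self._users = {}       # name -> (salt, pbkdf2 digest)
        self._site_keys = {}   # site id -> shared HMAC key, registered out of band
        self._sessions = {}    # session token -> user name

    def add_user(self, name, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[name] = (salt, digest)

    def register_site(self, site_id):
        key = secrets.token_bytes(32)
        self._site_keys[site_id] = key
        return key

    def login(self, name, password):
        """User authenticates to the IdP only; the site never sees this."""
        rec = self._users.get(name)
        if rec is None:
            return None
        salt, digest = rec
        check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(digest, check):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = name
        return token

    def assertion_for(self, session, site_id, ttl=300, now=None):
        """'This user is logged in', signed for one site, valid briefly, once."""
        name = self._sessions.get(session)
        key = self._site_keys.get(site_id)
        if name is None or key is None:
            return None
        now = time.time() if now is None else now
        claims = {"sub": name, "aud": site_id, "iat": now, "exp": now + ttl,
                  "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(key, body.encode(), "sha256").hexdigest()
        return body + "." + sig


class ServiceProvider:
    """A site: knows only its own key and which assertion ids it has used."""

    def __init__(self, site_id, key):
        self.site_id, self._key, self._seen = site_id, key, set()

    def accept(self, assertion, now=None):
        """Return the subject if the assertion is valid for this site, else None."""
        body, sep, sig = assertion.partition(".")
        if not sep:
            return None
        expected = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                       # wrong key or tampered
        claims = json.loads(_unb64(body))
        now = time.time() if now is None else now
        if claims.get("aud") != self.site_id or claims.get("exp", 0) <= now:
            return None                       # meant for another site, or stale
        if claims["jti"] in self._seen:
            return None                       # replayed
        self._seen.add(claims["jti"])
        return claims["sub"]


if __name__ == "__main__":
    idp = IdentityProvider()
    idp.add_user("matt", "correct horse battery")
    shop = ServiceProvider("shop.example", idp.register_site("shop.example"))
    session = idp.login("matt", "correct horse battery")
    token = idp.assertion_for(session, "shop.example")
    print("shop sees:", shop.accept(token))
    print("replay:   ", shop.accept(token))
```

The error page the earlier comment predicts falls out naturally: a site that receives no valid assertion does not show a login form, it redirects to the identity provider, because it has no password to check against.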
Supposing for a moment that we are not including Paypal or online purchases or other things requiring very strong security, couldn't one use PGP keyservers for authentication?
In some magic way you use your PGP public key to identify yourself to Slashdot or some other website (this identification is built in to your browser, which prompts for the private key's passphrase when needed), and the site can check against a keyserver to see you do have that name and address.
-- Ed Avis ed@membled.com
I didn't say there isn't bias. I would be naive to suggest there isn't. Being able to read through the bias is part of reading anything presented as news.
But ultimately, you've got to consider that very same thing when you read something pro-Microsoft too. I pointed out the bias in your corollary, which was rather silly, but they ignored most Microsoft-related security breaches and by doing so, counted Linux as more insecure.
If you don't want to read slashdot, then don't. I'm guessing you won't be missed.
-N
I've nothing to say here...
Passport is important not because of it being a breakthrough technologically speaking, but because the company is in a position to drive most people toward being subscribers of it. There is already a large list of participating sites. There are many current users of it and Microsoft will be driving more users towards Passport as it integrates it in their upcoming release of Windows. Microsoft has also developed a toolkit to enable current web merchants to integrate their services with Passport. To the end user, there is a clear benefit: they only have to log into a single network and not remember multiple passwords across sites on the internet. Companies that adopt Passport will have a competitive advantage over those that don't.
read more at http://www.go-mono.com/passport.html
Before adopting WHATWG, read the moonlight.NET EULA [http://www.microsoft.com/interop/msnovellcollab/moonlight.mspx]