MS--don't trust us? We'll open Passport

Microsoft appears to understand that you don't trust it and its plans for storing all your personal information. Unexpectedly, it's acting on that understanding--by changing Passport's security model and assuring users that Hailstorm won't be the only game in town, says David Coursey.

COMMENTARY--Microsoft says it wants Passport and Hailstorm, its foundation services for Web-based applications, to play well with others. So in a shocking move, the company is announcing today that Passport will be changed to use an Internet-standard security model and Hailstorm won't be the only place for users to store their personal information.

For months, Microsoft has been taking heat from critics upset about Microsoft's apparent plan to make itself the repository of users' passwords, calendars, contact lists, and other information that might prove useful to future Web-based applications. Now, Microsoft says, anyone will be able to join what it's calling a "federation of trust" and provide those services themselves.

In practice, this means that competitors like AOL or Yahoo, along with corporate customers, will be able to create their own user authentication services, with each accepting credentials supplied by the others.

Microsoft compares this to an ATM network where customers, who originally could use their cards only at machines owned by the issuing bank, are now able to use their ATM cards at any bank virtually worldwide. That is possible because each bank accepts the user information presented by the bank where the customer is using the card.

On the Internet, this means that an AOL or Yahoo login could someday be just as valid for accessing Microsoft's MSN, or even corporate networks, as they are on the service that originally issued the user name and password.

The change to allow Hailstorm--now rechristened ".Net My Services"--to interact with other data repositories should quell the concerns of many customers who feared Microsoft would misuse their personal data. Under the new plan, users would be able to store their information at a location of their choice (provided it was a member of the trust federation).

These two changes--which Microsoft says aren't changes at all, but rather a clarification of what the company planned to do all along--may go a long way toward easing concerns that MS was trying to muscle its way into domination of the Internet the way it already controls personal computing.

Underlying the "new" Passport, when the service is updated next year, will be the Internet-standard Kerberos 5.0 security architecture. Under the new plan, Passport and other "federated" services would accept Kerberos "tickets" supplied by the others.

Microsoft said it does not know whether a central authority should be created to oversee the open-trust network it hopes these changes will help create. In an interview late yesterday, an executive working on the project said the company is open to an industry group--such as those already controlling Kerberos and other Internet technologies--taking the lead role if it becomes necessary.

I should tell you that I am writing this column after deadline, having just hung up the phone. I questioned the Microsoft exec who was explaining this to me fairly closely on the main points outlined above. As the story develops and more questions are asked, some of this may change, but at a high level this appears to be Microsoft responding to critics--especially those who don't consider the company trustworthy enough to be a custodian of critical information.

With this announcement, Microsoft also may be getting ahead of the U.S. Dept. of Justice, which has indicated that new technologies--generally assumed to include Passport and Hailstorm--should be dealt with as the antitrust case is concluded. With these announcements, Microsoft seems to have gone a long way in turning issues into non-issues.

Industry support is critical, however, and Microsoft has yet to sign any of the major players to join its trust federation, although talks are supposed to be underway. If companies like AOL see this as a valid attempt to make the handling of user security and personal information into new Internet standards, they might join. Or they might abstain simply to try to gain some competitive leverage over Microsoft.

Whatever happens, this is a story that we'll be watching in the coming days and weeks. It is unusual for Microsoft to make such an abrupt about-face, and when we know more about what led up to it, the move will be easier to understand. But at first glance, this is good news for Microsoft, the industry, and consumers.

What do you think these changes will mean to users? TalkBack to me.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All