Who do you trust?

Members of the recently formed Liberty Alliance are banking on the fact that it's not Microsoft.
Written by David Berlind
After I wrote a column on how single sign-in (SSI) schemes like Microsoft's Passport are houses of cards, two things happened; one was expected, the other a surprise. First, my inbox was inundated with e-mail, no surprise there. Then, shortly after the column posted, a consortium of technology vendors including Sun, along with other businesses, announced the Liberty Alliance. The Alliance's first order of business is Project Liberty, which its members hope will produce the de facto SSI standard. The Liberty Alliance doesn't include Microsoft, which is also not surprising.

While my column discussed the risks of creating a master key to everything a user might access on the Internet, there's no doubt in my mind that some people will accept those risks in exchange for the convenience of SSI. According to Gartner security analyst John Pescatore, "users may not want a master key to unlock their access to every site they access, but they may want that capability within a community of sites." Companies like yours that do business with those users may end up, willingly or not, part of one of those communities, with no choice but to provide SSI capability. The success of SSI as a concept is pretty much a given.

The Liberty Alliance announced its intent to deliver a competing solution to Microsoft's Passport, but at this juncture it's just that -- an announcement -- while Passport is already here. Microsoft requires Passport to access some of its existing services (e.g., Hotmail, MSN, and the certified partner areas on Microsoft.com), effectively grandfathering in over 165 million users into the Passport program. And those millions of users are getting SSI capability without even knowing it. Very clever. As a side note, there is some dispute about the 165 million figure, as some critics claim it represents the number of registered users for Microsoft's various services, but doesn't necessarily represent active users.

Meanwhile, the Liberty Alliance, with 33 members and a press release, appears to be starting out well behind. Its members run services that millions of people already use, but there is no Passport-like technology yet to gather those users under one sign-in. At the Gartner Symposium/ITxpo 2001, Sun CEO Scott McNealy said that Sun's forthcoming solutions would be "Liberty compliant." But when I later asked him what it means to be Liberty compliant, McNealy indicated that the definition was still a work in progress, saying that "the group [working on that], made huge progress in the last two days." Referring to a Webcast from the day before in which Microsoft's CEO repeatedly bashed Sun, McNealy added "the group's resolve was further forged after it watched Steve Ballmer yesterday."

During a keynote speech delivered at Symposium, McNealy issued stern rebukes to Ballmer's rhetoric. And so, yet another war between the two companies is erupting -- this time over SSI technology and the issue of "net presence" -- and battle lines are clearly drawn.

But this battle is just plain ridiculous. The SSI problem is begging for a standard and if Microsoft and the Liberty Alliance continue down their separate paths, everybody loses. The last thing we need is another set of competing standards that force companies and consumers to either choose between the lesser of two evils, or to support both.

The last time we had a problem with such potential mind-boggling scope was the Netscape-Internet Explorer imbroglio. Site developers who wanted to build a rich user experience based on the more advanced browser features were forced to choose one over the other. Some decided -- at added expense -- to develop sites compatible with both browsers. Just view the source code for the pages of many popular sites (including ZDNet), and you will see the if-then-else statements that check for browser dependencies. But sites that couldn't afford to support both had to choose, forcing consumers to have both browsers installed if they wanted to reach every destination on the Web without problems.

Détente is sorely needed. But even setting that aside, and notwithstanding Microsoft's early lead in SSI technology, installed base and Web services, there's still plenty of opportunity for the Liberty Alliance. For starters, SSI is a chicken-and-egg problem: users won't bother unless a lot of Web destinations and services support it, and, faced with two competing solutions, the sites and services considering SSI will need assurances that the one they pick is the one that's going to get traction.

Microsoft's Ballmer might argue that Passport's critical mass means the chicken-and-egg problem has already been resolved. But the issue here really has nothing to do with the penetration of technology. It really just boils down to trust, and that's where the Liberty Alliance has an edge.

Based on the mail I've been getting, Microsoft needs to deal with a serious trust problem. The distrusters generally fall into two groups. The first group says "Microsoft is getting to be too powerful and it will be a cold day in hell before I trust them with my personal information." The second has been watching as some of Microsoft's core infrastructure products fall prey to one security folly after another and have concluded "Microsoft can't be trusted to protect my personal information because it relies on its own technology which has proven to be incapable."

Many point to the way Microsoft's free e-mail service Hotmail was hit by Code Red. Worse still was the case of a TechUpdate reader whose failed login at a Passport-protected area of Microsoft.com was answered not with an error page but with a dump of the VBScript source code that had failed. That source included the names of ODBC data sources along with the usernames and passwords needed to log into them. Real-world lapses like these, committed by Microsoft itself, are hardly the stuff that trust is made of.

So, who do consumers trust? This is the critical question for any company looking to support an SSI standard. According to a study by Jupiter Media Metrix this past summer, it's not Sun, Microsoft, or even America Online, the last of which is rumored to be working on a third SSI technology called Magic Carpet. As it turns out, most people trust financial institutions like banks, and other well-known merchants, more than they trust portals and Internet service providers. These survey results ought to put smiles on the faces of Liberty Alliance members.

For starters, the Liberty Alliance already includes several financial institutions such as Fidelity, Bank of America, and Dun & Bradstreet. Second, the Liberty Alliance is advocating a distributed approach to SSI as opposed to Microsoft's centralized approach.

In the distributed approach, customers will receive an authentication token when they do business with a particular merchant. If they move on to do business with another merchant that supports the scheme, the second merchant will check for the token and confirm its authenticity with the first merchant. According to Gartner's Pescatore, "In the distributed approach, there will be communities of trust. After an authenticated user navigates from Fidelity to Yahoo, Fidelity may say 'I trust Yahoo' and therefore Yahoo can check to see if the token I issued, most likely a Kerberos ticket, is valid."

The result is that individual merchants, such as the banks, end up being responsible for authentication, the storage of other personal information, and establishing communities of trust. This is good for the Liberty Alliance, because people already trust banks and other well-established merchants with this information.

Microsoft's approach is more centralized. Passport authentication always takes place at the central Passport Data Center, never at merchant sites. Recently, Microsoft opened the Passport specification up a bit to allow access to Passport-protected resources by users already authenticated by Kerberos, a more widely deployed scheme in which each organization runs its own authentication server rather than depending on a single central one. Whether this move will guarantee interoperability with the Liberty Alliance remains to be seen.
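To make the contrast between the two models concrete, here is an added Python sketch of the distributed "community of trust" pattern Pescatore describes. It is illustrative code written for this page, not code from the column, from Sun, or from Project Liberty (whose protocol the column says was still being worked out), and it uses HMAC-signed tokens rather than the Kerberos tickets Pescatore mentions. The domain names, keys, claim names and trust policy are all assumptions. The issuing merchant signs a token with a key it never shares; the second merchant reads the issuer's name from the not-yet-verified token only to decide whom to ask, consults its own policy on whether that issuer belongs to its community, and then asks the issuer to confirm the token. Tampered, expired and out-of-community tokens are each rejected with a distinct reason.

```python
import base64
import hashlib
import hmac
import json

# Constructed example keys (hypothetical). Each issuer keeps its own secret and
# never hands it to the merchants that accept its tokens.
ISSUER_KEYS = {
    "fidelity.example": b"fidelity-issuing-secret",
    "yahoo.example": b"yahoo-issuing-secret",
}

# Community of trust, expressed as local policy at each relying party: which
# issuers' tokens it will honour. Here Yahoo honours Fidelity's tokens, while
# the bank honours only its own. This table is an assumption for the example.
TRUST_POLICY = {
    "yahoo.example": {"yahoo.example", "fidelity.example"},
    "fidelity.example": {"fidelity.example"},
}


def b64encode_url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64decode_url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> str:
    # Canonical encoding so the signature always covers the same bytes.
    return b64encode_url(json.dumps(claims, sort_keys=True).encode())


def issue_token(issuer: str, subject: str, now: int, ttl: int = 300) -> str:
    """First merchant: authenticate the user locally, hand back a signed token."""
    claims = {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl}
    payload = encode_claims(claims)
    sig = hmac.new(ISSUER_KEYS[issuer], payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64encode_url(sig)}"


def confirm_at_issuer(issuer: str, token: str, now: int):
    """The back-channel check the second merchant asks the first to perform.
    Only the issuer holds the key, so only the issuer can answer."""
    payload, _, sig = token.partition(".")
    expected = hmac.new(ISSUER_KEYS[issuer], payload.encode(), hashlib.sha256).digest()
    try:
        supplied = b64decode_url(sig)
    except ValueError:
        return "bad-signature", None
    if not hmac.compare_digest(expected, supplied):
        return "bad-signature", None
    claims = json.loads(b64decode_url(payload))
    if now >= claims["exp"]:
        return "expired", None
    return "ok", claims


def accept_token(relying_party: str, token: str, now: int):
    """Second merchant: peek at the (unverified) issuer name, apply local trust
    policy, and only then ask that issuer to confirm the token."""
    payload = token.partition(".")[0]
    try:
        claims = json.loads(b64decode_url(payload))
    except ValueError:
        return "malformed", None
    if not isinstance(claims, dict):
        return "malformed", None
    issuer = claims.get("iss")
    if issuer not in TRUST_POLICY.get(relying_party, set()):
        # Outside this merchant's community of trust: do not even ask.
        return "untrusted-issuer", None
    return confirm_at_issuer(issuer, token, now)


if __name__ == "__main__":
    tok = issue_token("fidelity.example", "alice", now=1000)
    print(accept_token("yahoo.example", tok, now=1100))      # ('ok', {...})
    print(accept_token("fidelity.example",
                       issue_token("yahoo.example", "bob", now=1000), now=1100))
```

Two design points carry the security weight. The relying party never holds the issuer's key, so the signature check has to happen where the key lives, which is exactly the "confirm with the first merchant" step in the distributed model; and the decision to trust an issuer comes from the relying party's own policy table, not from anything the token says about itself. The centralized Passport model is the degenerate case of the same code: one key holder and a trust table with a single entry.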

Consumers can opt to have other personal information centrally stored on Microsoft's Hailstorm servers, but it's not a requirement. Hailstorm, now officially dubbed .Net My Services, is just another Web service that runs on de facto Web service protocols, and there's no reason merchants can't build their own repositories of personal information (Hailstorm clones, in a way) so that customers have a choice of where to keep this sensitive data. Perhaps even more interesting is that there will be merchants who build these services using Microsoft's .Net, and in those cases, the customers might never know that they've ultimately put their sensitive information on a Microsoft server anyway.

It remains to be seen whether customers will demand to know what platforms their merchants are using, and whether that will become a determining factor when deciding what merchants they'll do business with. If Sun really looks to make an issue of this, we could see the equivalent of an "Intel Inside" campaign that's designed to bolster buyer confidence.

Hopefully, the bickering will end and a true standard will emerge. But right now, Sun and Microsoft can't even agree over whether Microsoft was invited to join the Liberty Alliance. At Gartner Symposium/ITxpo 2001, Ballmer said Microsoft wasn't invited. One day later, McNealy begged to differ, saying that Liberty Alliance charter member and United Airlines CIO Eric Dean invited Microsoft. Even though some spin-doctor will eventually have an explanation, it sure feels like someone isn't being truthful. That doesn't bode well for the one who ends up with egg on his face because the outcome of this battle will have nothing to do with the technology. It will come down to who customers trust.

What do you think? Share your thoughts with your fellow readers at ZDNet TechUpdate's Talkback, or write directly to david.berlind@cnet.com.

Got a great tip? An industry rumor? Or do you want to submit your own column to ZDNet TechUpdate? Send David your submission, and if we use it, you'll be compensated with some of the cool vendor schwag that arrives in our mailboxes on a daily basis.
