Sun and Microsoft compete for IDs

Sun's Liberty Alliance squares off with Microsoft's Passport to become the de facto digital ID standard. Passport boasts 165 million users, but Sun's VP says the alliance's 33 members represent more than 1 billion users.

When Sun Microsystems took to the pulpit last week to propose an alternative to Microsoft's Passport, the move marked more than just another showdown between the technology industry's two fiercest rivals.

This time, Sun and Microsoft are on a bigger quest: to create a standard for digital IDs. One of the Holy Grails of online computing, the digital ID has been touted as the magical key that will unlock the Web and turn it into a wonderland of convenient, personalized services, while warding off crooks intent on stealing personal and credit card data from unsuspecting online users who want to live, work, and play in the virtual world.

Sun challenged Microsoft's Passport by launching the 33-member consumer-oriented Liberty Alliance Project, which will supply online user IDs and authorization. Sun announced the venture in New York City, which is still reeling from the Sept. 11 terrorist attacks.

As the U.S. continues to cope with the aftermath of the attacks, better forms of identification--digital IDs as well as a possible national ID authorized by the federal government--are being mentioned by some as one of the many cures for the nation's security ills.

Rob Atkinson, the Progressive Policy Institute's director of the Technology and New Economy Project, favors linking driver's licenses with encrypted biometric information in a central database. "So when you want to get to a secure Web site, you authenticate yourself so you can vote, pay taxes, sign legal documents," he said. "Just doing that alone would have a lot of security benefits, but it would also have incalculable economic benefits."

White House spokesman Jimmy Orr said last week that President George W. Bush does not support a national ID, and such IDs are not part of Attorney General John Ashcroft's sweeping antiterrorism proposals to change a host of immigration and surveillance laws.

But industry watchers say that if lawmakers were to endorse a national ID, it could easily be linked to online efforts. The technology already exists to link physical IDs and online IDs designed to offer network access, said Tate Preston, vice president for government solutions of Datacard Group, a Minnesota developer of national ID and identity systems that have been used by the governments of Finland, Malaysia and Thailand.

In fact, the federal government is already deploying large numbers of such smart card IDs as part of a General Services Administration effort (www.smartcard.gov). Over the next two years, the Department of Defense will issue about 4.4 million Java-based smart cards to its personnel and contractors. The cards will provide physical identification and building access, network access, and may include medical records. The agency just bought 60,000 card readers from SchlumbergerSema, a subsidiary of oilfield services giant Schlumberger.

When asked about a linkup with a national ID, Microsoft said Passport wasn't designed to "pinpoint" individuals, but to promote e-commerce and the use of Web services.

Sun CEO Scott McNealy said an alternative to Passport is necessary to prevent a key element of the Internet from falling under the control of a single vendor--Microsoft--whose Passport single sign-in and user ID technology is built around the company's Windows technology. McNealy invited Microsoft to join the Liberty Alliance.

"The absence of an open, federated standard for user ID is a key impediment to our industry today," said Tim Arnoult, chief information officer of Bank of America, a key member of the Liberty Alliance.

But the alliance will have its work cut out for it. Passport is already an established service, with Microsoft claiming it has 165 million user accounts. The alliance is still planning its first meeting to construct a road map for how its system will operate, said Segaza analyst Charles King.

But Jonathan Schwartz, Sun's senior vice president, said customers of the Liberty Alliance will far outnumber Passport's 165 million, once it's up and running. He said the alliance, with its existing user ID and authentication systems, represented more than 1 billion consumers.

In addition to Bank of America, the Liberty Alliance includes American Airlines, eBay, Fidelity Investments, General Motors, Nokia, United Airlines, the Sabre Holdings and Travelocity.com airline reservations systems, Schlumberger, Sony and Vodafone Group. The primary technical companies involved are Apache Software Foundation, Cingular Wireless, Cisco Systems, RealNetworks and RSA Security.

Its goal is to provide the standards to hook their systems together, and let one trusted authentication provider supply the user ID for what might be multiple site visits or transactions. Instead of being a technology service like Passport, the Liberty Alliance seeks to define standards so that customers could identify themselves once, then interact with services of multiple members' sites. The alliance would not supplant existing user ID and authorization systems.

Under the Liberty Alliance approach, a user's health care information would reside in the directory of a trusted health care institution, and that institution's identification of the user would enable the person to visit other health care services in the alliance. Likewise for recreational, financial and other service relationships, McNealy said.

Microsoft appears to have anticipated Sun's announcement when it said it will open Passport to third-party users in mid-September. It even used some of the same terminology used by the Sun alliance, calling its move a step to "federate" Passport among many online businesses and service providers. Any third party using version 5 of Kerberos could make use of Passport, said Adam Sohn, product manager in Microsoft's .Net strategy group.

Despite the touted single sign-on and other advantages of digital IDs, questions remain as to whether online customers really want them. In a survey released last month, Gartner found that 8 million Passport users said the main reason they registered was to have access to other Microsoft services, such as Hotmail e-mail. Gartner said more than 70 percent of online adult U.S. consumers had not signed up for Passport, and were highly unlikely to do so within the next six months.

Meanwhile, government watchers say a federally sponsored national ID would meet widespread opposition.

"It would improve the ability to identify and track people. But I can't identify how much it would improve things," said Bob Inman, who served as director of the National Security Agency and as deputy director of the Central Intelligence Agency. "You can persuade Congress to act explicitly when you know what you'll accomplish. But I don't think law enforcement agencies are capable of making a case of what precisely they'd gain from it. And if they can't, they won't get congressional approval."

Talk about national IDs has also moved the American Civil Liberties Union to get involved, while doubting the issue will be addressed, said Nadine Strossen, ACLU president. "We now have to take it seriously," she said.

Sun and Microsoft Compete for IDs

Sun Microsystems last week proposed an alternative to Microsoft's Passport, called the Liberty Alliance Project. A comparison:

Microsoft Passport

  • A service based on centralized Passport servers developed by Microsoft
  • 165 million users have signed up for service, Microsoft said.
  • Online retailers and other third parties may "accept" Passport by supporting the Kerberos 5.0 network security standard. Conversely, Microsoft wants competing digital ID systems to support Passport through Kerberos, using a federated model similar to the one used by banks for their automated teller machines.

Liberty Alliance Project

  • Road map to be drawn for decentralized federation
  • Existing user authentication systems will remain in place and linked.
  • Third parties will get access to appropriate systems; no security approach defined.
  • Endorsed by 33 companies, including American Airlines, Apache Software Foundation, Bank of America, Cingular Wireless, Cisco Systems, eBay, Fidelity Investments, General Motors, Nokia, RealNetworks, RSA Security, the Sabre Holdings and Travelocity.com airline reservations systems, Schlumberger, Sony, Sun and Vodafone Group