The Web Services Advisor
(Receive this column in your inbox,
click Edit your Profile to subscribe.)
What you need to know about Passport
The most publicly contentious aspect of Microsoft's .NET architecture is its Passport service, designed to allow consumers a single sign-on that will give them access to many different Web sites and Web services, without having to sign onto each site individually. Microsoft hails it as a great time-saver, built to make consumers' lives easier. But critics, ranging from Microsoft competitors to privacy advocates and all the way across the Atlantic to the European Union, argue that the technology is in essence a land grab – a way for Microsoft to control the consumer, and potentially invade their privacy.
Which is the truth? In this column, we'll find out by taking a look at Passport and at TrustBridge, a related technology for enterprises that Microsoft expects to roll out some time next year.
Where Passport is today
Passport is Microsoft's version of a "federated" system - a system that allows a user to sign on once to the Internet, and then automatically sign in to other, cooperating sites. It is built on top of .NET, and a Web site that wants to include Passport can use the Passport SDK to build a Passport application and incorporate it online. (To get a copy of the SDK, go here.)
Microsoft's initial plans for Passport were that it would be the center of its consumer .NET strategy, that included a host of My .NET Services, such as stock alerts. The idea was that when you signed up for Passport, you'd get a host of .NET-based services to sign up for as well.
Those consumer-level services haven't appeared and today, Passport is primarily used as a sign-in for Microsoft-only sites and services such at HotMail. Passport's vast installed base is driven by people registering for specific Microsoft-built sites and technologies, notably HotMail, Microsoft Messenger, and Windows XP, which nags at you continually until you cry "Uncle" and give in and register. In fact, according to a Gartner study, 84 percent of Passport users surveyed signed up with Passport only because they had to use it if they wanted to use various Microsoft services. A scant two percent signed up for the express purpose of convenience, so that they would not have to use multiple IDs and passwords when using Web sites. (For more information about the study, click here.)
Microsoft has taken several steps to attempt to jump-start Passport. Architecturally, it has announced that it is going to overhaul Passport next year by adding the support for the Kerberos security standard, and by giving Passport the capacity to handle SOAP messages sent via HTTP. The company has also said that the Windows .NET Server, due out next year, will handle Passport authentication. On the business end of things, Microsoft has signed a deal with Arcot Systems that will integrate Arcot's TransFort credit card authentication system into Passport. This means that Passport users will be pay securely online using VISA and MasterCard. They won't have to type in their credit cards each time they want to buy; their Passport alone will authenticate them.
Microsoft is doing all it can to shore up Passport because the Liberty Alliance has finally come out with its own federated sign-on system, based on the Security Assertion Markup Language (SAML). A wide variety of companies support the Liberty Alliance, ranging from Sun to Nokia, MasterCard, American Express, America Online, United Airlines and many others. It's unclear at this point which of the sign-on systems will dominate. Microsoft has been making vague statements that it might find a way to have Passport work with the Liberty Alliance, but has given no details.
Passport has other problems aside from competition. Almost from the day it was announced, there have been complaints about it, primarily around privacy issues. Privacy advocates have long been concerned that Microsoft would use people's private information in ways they didn't want it used - something that Microsoft disputes. But the European Union (EU) is concerned enough about the issue that it is investigating Passport to see whether it violates EU privacy rules.
There have also been worries that the Passport system could be cracked and identity information stolen, and in fact, a security consultant was able to get people's credit card information from Passport servers back in August of 2001, according to USA Today. (For the article, click here.) That hole has been fixed, but many people still don't trust Microsoft's security expertise and remain leery of Passport.
A look at TrustBridge
Passport is aimed squarely at consumers, but Microsoft has announced a similar .NET technology for the enterprise and business-to-business purposes. It's called TrustBridge, and the details about what it is and how it will work remain somewhat hazy. But it's clearly at the center of Microsoft's .NET strategy for businesses. It will use .NET technologies, WS-Security, Kerberos and SOAP over HTTP to authenticate identities and companies so that they can more easily do business with one another. So, for example, a Web service built to allow a manufacturer to buy from suppliers would use TrustBridge as an authentication mechanism.
TrustBridge would also allow companies to share common network resources, or retrieve documents from each other's networks, if they agree to do so. Employees would be able to do it right from the desktop, using My Network Places.
Don't expect TrustBridge until sometime in 2003, and possibly later. And given how much change there is in "federated" identity technologies these days, expect alterations between now and its release. But if you'd like a look at Microsoft's current thinking about TrustBridge, Passport, and the entire issue of federated identities, check out the companies road map, detailed in a white paper at here.
About the Author
Preston Gralla, a well-known technology expert, is the author of more than 20 books, including "How the Internet Works," which has been translated into 14 languages and sold several hundred thousand copies worldwide. He is an expert on Web services and the author of a major research and white paper for the Software and Information Industry Association on the topic. Gralla was the founding managing editor of PC Week, a founding editor and then editor and editorial director of PC/Computing, and an executive editor for ZDNet and CNet. He has written about technology for more than 15 years for many major magazines and newspapers, including PC Magazine, Computerworld, CIO Magazine, eWeek and its forerunner PC Week, PC/Computing, the Los Angeles Times, USA Today, and the Dallas Morning News among others. As a well-known technology guru, he appears frequently on TV and radio shows and networks, including CNN, MSNBC, ABC World News Now, the CBS Early Show, PBS's All Things Considered and others. He has won a number of awards for his writing, including from the Computer Press Association for the Best Feature in a Computer Publication. He can be reached at firstname.lastname@example.org.
For More Information:
- Looking for free research? Browse our comprehensive White Papers section by topic, author or keyword.
- Choking on the alphabet soup of industry acronyms? Visit our Glossary for definitions and explanations.
- For insightful opinion and commentary from today's industry leaders, read our Guest Commentary columns.
- Hey Codeheads! Start benefiting from these time-saving XML Developer Tips and .NET Developer Tips.
- Visit our huge Best Web Links for Web Services collection for the freshest editor-selected resources.
- Visit Ask the Experts for answers to your Web services, SOAP, WSDL, XML, .NET, Java and EAI questions.
- Discuss this article, voice your opinion or talk with your peers in the SearchWebServices Discussion Forums.