Microsoft announced its participation at the first Digital Identity World 2002 Conference Thursday in no small fashion, pledging to open up some of the code for its controversial Passport digital identity service. The announcement was made by the Redmond, Wash. concern’s Craig Mundie, senior vice president and chief technical officer, during a keynote address for the Denver-based trade show.
Under the aegis of the company’s oft-scorned Trustworthy Computing initiative, Mundie detailed the Passport Manager Licensing Program, which vows to make source code more available so that interested parties can bundle applications with Passport. This play falls under the company’s Microsoft Shared Source Initiative, in which the outfit loosens its grip on code “while preserving the intellectual property rights that sustain a strong software business.”
Specifically, Microsoft plans to offer Passport code freely to customers, partners, developers and academicians as soon as November. With it, they may develop, debug and support both commercial and noncommercial software for the purpose of integration. Businesses must pay if they sign up for Passport use across their enterprise. Microsoft said it hopes its shared source endeavor will be applied as a model for raising the visibility of its code throughout software.
Passport Manager runs at a Passport partner Web site to manage communication and integration with the Passport service. Currently, Microsoft makes versions of the Passport manager available for the Windows operating system and certain versions of UNIX.
Windows 2000, Windows XP, Windows .NET Server, Windows CE 3.0, Windows CE .NET, Windows .NET technologies and Microsoft Passport have source code available through the Shared Source Initiative.
The company also unveiled a Passport Password Quality Meter, whereby user names and passwords provide a security mechanism for accessing important user data. Microsoft argues that the strength of a user’s password can be increased by including uppercase and lowercase letters, numbers and symbols, while avoiding commonly used passwords such as a middle name, the name of a pet or a birthday.
Gartner security analyst John Pescatore told
“Shared source at least lets outsiders review MSFT source code — if MSFT includes draconian disclosure restrictions, the community will roar and MSFT will get soundly embarrassed,” Pescatore said.
The revelation of the pending code peek was applauded by at least one member of the group known as the Liberty Alliance Project, spearheaded by Sun and a number of firms who propose an open, federated method of digital identity management. The group, which released version 1.0 of its ID management technical specifications last month, has been very vocal against Microsoft for not following a similar approach over the last year.
Justin Taylor, chief strategist for directory services for Novell, applauded the decision.
“The announcement coupled with Microsoft’s decision to integrate WS-Security in their future revisions shows that Microsoft is beginning to understand the need for transparency in identity management,” Taylor told internetnews.com. “Making Passport more transparent to the industry will go a long way in making Passport more trusted and make it easier for companies like Novell to support it.”
However, Gartner’s Pescatore said he’s not sure either Passport or Liberty will be embraced.
“We’ve done surveys and found widespread lack of interest in using Passport (or Liberty for that matter),” Pescatore explained. “The real issue is that consumers see no benefit and see a good deal of privacy risk. Enterprises see some benefit but much risk in letting MSFT or Liberty get between the business and their customers.”
Indeed, there is no shortage of privacy concerns when it comes to Passport. Because Microsoft is the most prolific software company in the world, its products are, by extension, the most poked and prodded at by hackers and crackers alike.
Because of this, Microsoft pays the price — above and beyond the $100 million it spent on its Trustworthy Computing initiative. Just last month, Microsoft agreed to 20 years of independent, third-party audits of the Passport identification and authentication system to settle Federal Trade Commission (FTC) charges that Microsoft misrepresented the privacy and security of personal information collected from consumers through Passport.
At the time, FTC Commissioner Timothy J. Muris said his agency’s review of Passport procedures found no actual examples of security or privacy breaches but “we found there was potential for both.”