Microsoft to Share Passport Code

announced its participation at the first Digital Identity World 2002
Conference Thursday in no small fashion, pledging to open up some of the
code for its controversial Passport digital identity service.

The announcement was made by the Redmond, Wash. concern’s
Craig Mundie, senior vice president and chief technical officer,
during a keynote address for the Denver-based trade show.

Under the aegis of the company’s oft-scorned Trustworthy
initiative, Mundie detailed the Passport Manager Licensing
Program, which vows to make source code more available so that interested
parties can bundle applications with Passport. This play falls under the
company’s Microsoft Shared Source Initiative, in which the outfit loosens
its grip on code “while preserving the intellectual property rights that
sustain a strong software business.”

Specifically, Microsoft plans to offer Passport code freely to customers,
partners, developers and academicians as soon as November. With it, they may
develop, debug and support both commercial and noncommercial software for
the purpose of integration. Businesses must pay if they sign up for Passport
use across their enterprise. Microsoft said it hopes its shared source
endeavor will be applied as a model for raising the visibility of its code
throughout software.

Passport Manager runs at a Passport partner Web site to manage communication
and integration with the Passport service. Currently, Microsoft makes
versions of the Passport manager available for the Windows operating system
and certain versions of UNIX.

Windows 2000, Windows XP, Windows .NET Server, Windows CE 3.0 , Windows CE
.NET, Windows .NET technologies and Microsoft Passport have source code
available through the Shared Source Initiative.

The company also unveiled a Passport Password Quality Meter, whereby user
names and passwords provide a security mechanism for accessing important
user data. Microsoft argues that the strength of a user’s password can be
increased by including
uppercase and lowercase letters, numbers and symbols, while avoiding
commonly used passwords such as a middle name, the name of a pet or a

Gartner security analyst John Pescatore told the play would be taken seriously.

“Shared source at least lets outsiders review MSFT source code — if MSFT includes draconian disclosure restrictions, the community will roar and MSFT will get soundly
embarassed,” Pescatore said.

The revelation of the pending code peek was applauded by at least one member of the group known as the Liberty Alliance Project, spearheaded by Sun and a number of firms who propose an open, federated method of digital identity management. The group, which released version 1.0 of its ID management technical specifications last month, has been very vocal against Microsoft for not following a similar approach over the last year.

Justin Taylor, chief strategist for directory services for Novell, applauded the decision.

“The announcement coupled with Microsofts decision to integrate WS-Security in their future
revisions shows that Microsoft is beginning to understand the need for
transparency in identity management,” Taylor told
“Making Passport more transparent to the industry
will go a long way in making Passport more trusted and make in easier for
companies like Novell to support it.”

However, Gartner’s Pescatore said he’s not sure either Passport or Liberty will be embraced.

“We’ve done surveys and found widespread lack of interest in using
Passport (or Liberty for that matter),” Pescatore explained. “The real issue is that consumers see
no benefit and see a good deal of privacy risk. Enterprises see some benefit
but much risk in letting MSFT or Liberty get between the business and their

Indeed, there is no shortage of privacy concerns when it comes to
Passport. While being the most prolific software company in the world,
Microsoft’s products are, by extension, the most poked and prodded at by
hackers and crackers alike.

Because of this, Microsoft pays the price —
above and beyond the $100 million it spent of its Trustworthy Computing
initiative. Just last month, Microsoft agreed to 20 years of independent, third-party
audits of the Passport identification and authentication system to settle
Federal Trade Commission (FTC) charges that Microsoft falsely misrepresented
the privacy and security of personal information collected from consumers
through Passport.

At the time, FTC Commissioner Timothy J. Muris said his agency’s review of
Passport procedures found no actual examples of security or privacy breaches
but “we found there was potential for both.”

News Around the Web