Subject: Re: Q: Can you build an authentication system on OS?
From: Zimran Ahmed <>
Date: Sun, 8 Jul 01 19:57:16 -0400

>So your main concern is a users authentication
>information. I would generalize that to include any
>data. Now if MS controls this data it does not matter
>whether it is stored in one central location or on the
>client PC's in some form of a distributed database.

agreed. I think we are saying the same thing though. Microsoft is moving 
from a liscensing model that controls software products, to an 
authentication model that controls software services (this is what I 
refer to as "controlling the network", and I believe you call 
"controlling the data.") Microsoft can only control the network if it 
centralizes authentication infrastructure because in .NET *it matters 
where the authentication comes from.* The reason this is an architectural 
issue is that if authentication data resides at the edges of the network, 
then it does not need to come from one source, so one source (.NET) 
cannot control the authentication infrastructure. While it may be 
possible that .NET could still control the authentication infrastructure 
and keep data at the edges of the network, i cannot see how this could 

>Sorry to sound like a broken record but I'd say that
>MS cares about controlling the data - not the code!

i say "controlling the network" (by controlling access to the data 
through authorization infrastructure), you say "controlling the data. I 
think we mean the same thing.

Because of .NET's authentication infrastructure is centralized, MSFT can 
"control the data" as you say, on top of code that's been liscencsed in 
any way. Open source, closed source, GPL, LGPL, X, BSD, artistic liscense 
etc. etc, if the authentication must come from redmond servers, it does 
not matter how the code is liscensed, nor will that impact how microsoft 
can use that data. Running its .NET authentication servers on Apache does 
not impact the rates MSFT charges merchants for credit card verification, 
nor its policy selling personal data to third parties.