Subject: Re: Q: Can you build an authentication system on OS?
From: Shiraz Kanga <>
Date: Mon, 09 Jul 2001 22:21:01 -0700

"Stephen J. Turnbull" wrote:

> >>>>> "Shiraz" == Shiraz Kanga <> writes:
>     Shiraz> then do you agree that how such data can be used should be
>     Shiraz> regulated by a public license?
> Er, what do you mean by a "public license" on _private_ data?

This issue is about ALL data. In the case of authentication info it is private
data but in other cases (the example I used was CDDB and Tim used the example
of IMDB) it is public data. In either case if I create the data then I should
specify how it is used and nobody should be able to privately hijack it at a
later date as has happened in both of the above cases.

>     >> While it may be possible that .NET could still control the
>     >> authentication infrastructure and keep data at the edges of the
>     >> network, i cannot see how this could happen.
>     Shiraz> There are probably many ways [...].
> Of course there are, and that's where we need to attack.

How do you attack this. I do not follow your argument here.

> As Seth points out:
> >>>>> "Seth" == Seth Gordon <> writes:
>     Seth> [...] the confounding of browser-related with
>     Seth> non-browser-related code in Windows was an essential
>     Seth> component of Microsoft's business strategy.  Likewise,
>     Seth> confounding Passport with the .NET components is an integral
>     Seth> part of the .NET strategy.
> So we need to show that it is technically not necessary, and hammer on
> the fact that Microsoft's whole business model _has_ to be predicated
> on invasion of privacy (ie, using your personal data for the profit of
> Microsoft).  We need to insist on the difference between Land's End
> remembering your wife's shoe size, and Microsoft selling that data to
> Eddie Bauer so the latter can spam you.

I do not think we can rely on spreading the word and hammering on the facts.
"Outmarketing" MS this way will be pretty close to impossible. Since they have
such a huge installed base and simply buying the OS will probably give you a
passport account in the box - this is a slippery cliff

> I think that, especially among small merchants, there is a lot of
> resentment of the "VISA tax".  I doubt they'll want to pay "Passport
> tax" on top of that.  It may be possible to spark interest in a free
> authentication service among them, simply to guarantee competition.

Excellent point. However "free service" is something that will be exceedingly
difficult to provide since a reliable, secure infrastructure costs $$$. I'm
hoping people will be willing to pay for the service (assuming  there are some
value adds like say credit card verification in this case) if they know that
their data will remain freely available. Just like people pay RedHat and
others for Free Software.