Subject: Re: authentication systems (.NET, .GNU): It's the desktop, dummy.
From: Ian Lance Taylor <>
Date: 12 Sep 2001 16:57:05 -0700

[ Sorry about the empty message. ]

Tom Lord <> writes:

> User authentication services, whether centralized or distributed, seem
> like (mostly) a red herring to me.  They seem like a red herring
> because they don't solve any serious problem -- is there something
> wrong with the kinds of authentication we currently use?  Is there a
> substantial spontaneous demand for simpler interfaces to managing
> on-line identity?  I don't believe so.

Spontaneous demand, maybe not, but I think there is something wrong
with current authentication mechanisms.  I have 61 entries in my file
which lists all the user IDs and passwords I use for different
locations around the net--not machines which I log in to, but web sites
which I use, some of which store my credit card information.  My wife,
who is not a programmer but is a web shopper, would probably have just
as many entries in her hypothetical file if she didn't use the same
password every time.

Today, for people who use the web a lot, the choices I know of are:

1) Use lots of different user IDs and passwords, which is too hard to
   remember, so you have to write the passwords down, which is a
   security hole.

2) Use the same user ID and password everywhere, which, besides being
   impossible in practice, is a security hole because once somebody
   cracks into one site, they have your user ID and password for a lot
   of other sites.

I believe it would be clearly beneficial to have a single secure
authentication system, one which permitted a single password for a
limited number of roles, one in which each site which used the
authentication system clearly stated in a verifiable manner which
items of information that site would use, and one which permitted easy
use of stored credit card information without having the credit card
information stored in many locations around the net.

I don't know that Microsoft is building that, and based on their past
practices I don't know that I trust them with secure information in
any case.  But I think that Passport has a clear role in the