Subject: Re: An Open Source version of Hailstorm and Passport
From: Ben Tilly <btilly@gmail.com>
Date: Fri, 1 Apr 2005 05:59:29 -0500

On Apr 1, 2005 5:37 AM, Sergio Montoro Ten <sergiom@knowgate.com> wrote:
> At go-mono.com there is a very interesting analysis from Miguel de Icaza
> about Microsoft Hailstorm and Passport.
> http://www.go-mono.com/passport.html

Interesting but dated.

> I have always been surprised about the (apparently) little attention that
> identity management has attracted on the Internet.

Those who have looked at it have found it a harder problem than
they expected.  Which is why we've settled on password-based
systems that lead most people to reuse passwords in a very
insecure fashion.  Yes, we know that they are bad.  But at least
the developers have plausible deniability - we can't be blamed for
people's inability to follow our advice and use good passwords!

> Even Microsoft seemed not to believe very much that they could convince
> people (and lawyers) to adopt Passport, giving birth to a dead project from
> the beginning.

My understanding is that Microsoft's lack of belief is due to the
discovery of serious security flaws in their implementation:

  http://www.theregister.co.uk/2003/05/08/2_trillion_fine_for_microsoft/
  http://www.theregister.co.uk/2002/09/04/microsoft_shut_ecommerce_wallet/

I also have a friend who won't tell me details because he is under
an NDA, but he claimed to have found extremely serious holes in
Passport that have not been publicized and are not fixable.  I have
reason to suspect that the FTC was made aware of these, and they
may have been part of the reason that Microsoft was forced to
back off on their plans.

> Does anyone know about initiatives for an Open Source distributed
> authentication system on the net?

I don't.

Cheers,
Ben