******** Date: Fri, 5 Oct 2001 08:08:32 +1000 From: Roger Clarke <Roger.Clarkeat_private> Subject: Passport: Notes on MS VP's Presentation Cc: rotenbergat_private (Marc Rotenberg), Chris Hoofnagle <hoofnagleat_private>, Declan McCullagh <declanat_private> This is a report on a presentation by the Microsoft Vice-President responsible for .NET Core Services (i.e. Passport, Wallet, MyServices), Brian Arbogast. The presentation was to a National Academy of Sciences Symposium on 'Authentication Technologies and Their Impact on Privacy', on Thursday 4 October, in Washington DC. It was a public event, although in practice the relevant Committee and the invited speakers made up the c. 30 present. Arbogast agreed to make the PowerPoint slides available to the Committee. As an inveterate M$ sceptic, I was impressed with the professionalism of the presentation and responses, and very interested in the information provided. Feedback much appreciated. For Passport, see: http://www.passport.com For EPIC's resources on Passport, see: http://www.epic.org/privacy/consumer/microsoft/default.html Arbogast stated that the focus of his presentation was on privacy, because the services he is responsible for "will succeed or fail based on trust by customers and partners". He began with some 'if onlys' [a cute way of outlining a requirements statement]: - users had to deal with only a few online personas (rather than needing to remember lots of loginids and passwords) - users were in control of their personas, associated data, and if or when their data is shared - web-services were in control of the preferences and data that they manage for each customer persona [a bit dodgy, that one] - web-services could cooperate on behalf of users [ditto] - business models that fuel innovation flourished He defined authentication as "the process of uniquely and securely identifying a user". [That's conventional, but not careful enough. See: http://www.anu.edu.au/people/Roger.Clarke/DV/Intro.html#Auth http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html#Auth ] Authentication precedes authorisation, which is the process of determining what the user can do. [That's also conventional.] Passport is an authentication mechanism, which extends to the Internet the notion of single-signon. [That has been a focus for many years in large organisations whose staff have to access multiple, independent corporate applications, some of which are typically 15-20 years old]. Passport was installed as the means whereby Hotmail users gain access to their accounts, and has consequently achieved 165 million accounts since launch in 1999, and over 2 billion authentication transactions per month. Consider a situation in which a user who has previously registered with Passport in relation to a particular web-site (say Starbucks) goes back to the Starbucks site. The process is as follows: - user requests page from the Passport-protected web-site - the web-site auto-redirects to passport.com - passport.com prompts the user for login and password (SSL-protected) - passport.com auto-redirects back to the web-site, with tokens in the HTTP header as dictated by that web-site (presumably SSL-protected) - the web-site requests the user's browser to set a cookie to enable state maintenance (and won't work without it) Serious issues arise of a practicality, security and privacy nature, e.g.: - the power MS gains as an authenticator of people - the power MS gains in the form of personal data - the power MS gains in the form of logs of people's traffic The identifier used (or at least used currently) is the user's email-address [a la PGP ...] A key question was what authentication does MS perform when a person first registers. Arbogast stated unequivocally that the only authentication measure is a message sent to the email-address provided as part of the registration, which must be responded to in the affirmative before the registration is completed. Hence, when a user signs on, all that is actually known is that the current user was aware of the loginid and password that the original user provided. [In the terms I use, this is weakly authenticated, persistent pseudonymity: http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html#Spect http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html#Inet ] Arbogast was asked what the undertakings were in relation to privacy of the personal data. He responded with what's up on the site now [after the fracas last April when they still had the 'we can do prettymuch anything' statement up on the site]. The present statement is strongly expressed, and more or less 'no use or disclosure without explicit consent'. He was then asked whether there is any undertaking in relation to the changing of those conditions. Arbogast said that there is a very strong commitment to *not* change those conditions. He said that he's been working with the lawyers to make that commitment as iron-clad and credible as legally feasible. Any change requires explicit consent from each user. He was also asked what logs are kept of transactions. He stated (not quite so emphatically, however) that only operational logs are kept, and only for a short period of time. [That needs to be pursued in order to ensure that a clear statement to that effect is part of the fixed undertakings]. I then asked about the location of the Passport data-store. I identified the following alternatives: 1 in Redmond, as at present, which is the most threatening of all 2 distributed geographically, but within MS (e.g. for the corporate and especially government markets, the data would have to be within-country, or government policy could preclude its use) 3 distributed geographically, within MS and its Passport Partners 4 on whatever client the user chooses, e.g. - local ISPs, whether MS Passport Partners or not - personal proxy-servers, e.g. on one's home-network 5 on the user's machine (which doesn't work for the increasing numbers of people who use many machines, including at home, at work, in cafes, in their hands, on their wrists, etc.) [Clearly, from a privacy viewpoint, distributed is crucial, wide choice is vital, and control is very strongly preferable. 5 is impractical. I argue very strongly for 4, and would be uncomfortable even with 3. That's a judgement about the needs of people generally, not just me in particular]. Arbogast confirmed that currently it's emphatically 1. And there's lots and lots of site-security to avoid any nasty accidents. [It does seem that at long, long last the thick hides at MS have registered the fact that MS's atrocious track-record on security is a problem and should be addressed]. He said, however, that "they were giving serious consideration" (or similar expression) to a federated model, once the Kerberos-based version is released in 2002. That's effectively 3. I didn't manage to squeeze any reaction from him about 4. He went further, and stated that they envisage that there will later be an 'Internet Trusst Network' with peer-to-peer cross-validation between Passport and such other comparable schemes as emerge. [The sceptic would say that he *has* to say that, to avoid being attacked for monopolistic behaviour. But at least he said it]. In answer to a question, he said that an informational RFC is "forthcoming shortly" with open information on the use of Kerberos in the next version of Passport, including (it was implied) any 'enhancements'. [Not-quite-documented, not-quite-standard is one of MS's key means of locking people into MS, and locking other suppliers out of a pseudo-standardised market. The tricks they've been playing in the browser wars have been multiplicitous, not merely duplicitous]. [From a privacy perspective, Passport is (at least currently) absolutely ghastly, because of the centralisation of data and power; and EPIC and many friends have a complaint before the FTC about many aspects of it. But, *if* it is developed as Arbogast stated, then it could arguably become 'a very good thing' in one very important respect. That's because it would then tend to entrench the expectation of weakly authenticated pseudonymity as the norm on the Internet, not identification]. -- Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/ Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA Tel: +61 2 6288 1472, and 6288 6916 mailto:Roger.Clarkeat_private http://www.xamax.com.au/ Visiting Fellow Department of Computer Science The Australian National University Canberra ACT 0200 AUSTRALIA Information Sciences Building Room 211 Tel: +61 2 6125 3666 ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. Declan McCullagh's photographs are at http://www.mccullagh.org/ To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Oct 05 2001 - 07:39:12 PDT