Re: EU Privacy Authorities Seek Changes in Microsoft 'Passport'
- Original Message -
From: bear [EMAIL PROTECTED]

> [Talking about Microsoft Passport...]
> But it's even worse than that, because people who ought to know better (and people who *DO* know better, their own ethics and customers' best interests be damned) are even *DEVELOPING* for this system. It just doesn't make any damn sense.

It does make some sense. The more people who are developing the system who know better, the more they may influence higher management. I'm sure that you know that in a big company like Microsoft, it's not the developer, architect or cryptographer that decides what is shipped out, but managers who don't care about security but more about $. The more security-conscious people who start working for Microsoft, the better; they will have more power to influence the decisions of higher management. Microsoft has the most widely used software products; it's a good place for someone to try to influence good security practices.

If you are a security person or cryptographer, you can either decide to work for some small company which has good security practices, where your opinions are highly considered but whose products are not widely spread, or for a big company with widely spread products but bad security practices, and try to change things (even though your opinions are less considered). In which case does the security person or cryptographer have the most impact on the world of software security?

--Anton

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: EU Privacy Authorities Seek Changes in Microsoft 'Passport'
Single Signon by ITSELF is not a bad technology. But it very much depends on the architecture and implementation. A Globally Centralized SSO system like Passport certainly has problems as you suggest. A locally centralized SSO system like Kerberos is less of an issue. A Federated SSO system like Shibboleth is much better. It all depends on your threat model.

Don't destroy SSO just because some company decided to do it wrong.

-derek

bear [EMAIL PROTECTED] writes:

> The widespread acceptance of something as obviously a bad idea as passport really bothers me. I could see a password manager program to automate the process of password invalidation where you discovered a compromise; but the idea of putting everything you do online on the same password or credential is just... stupid beyond belief.
>
> Why are single-sign-on systems even legal to sell without warnings? Why don't Msoft and the other members of the Liberty alliance have to put a big warning label on them that says USE OF THIS PRODUCT WILL DEGRADE YOUR SECURITY? Because that's what we're looking at here; drastically reduced security for very marginally enhanced convenience.
>
> But what really gets me about this is that it's totally obvious that that's what we're looking at, and people are buying this system anyway. That's hard to swallow, because even consumers ought not to be that stupid. But it's even worse than that, because people who ought to know better (and people who *DO* know better, their own ethics and customers' best interests be damned) are even *DEVELOPING* for this system. It just doesn't make any damn sense.
>
> Bear

--
Derek Atkins
Computer and Internet Security Consultant
[EMAIL PROTECTED]
www.ihtfp.com
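The three SSO shapes Derek names (globally centralized, locally centralized, federated) differ mainly in how far one compromise reaches. The following is an added illustration, not code from the thread or from any of the named products: a small constructed model of trust relationships that counts the worst-case blast radius of one stolen user credential versus one fully compromised identity provider, for each topology. The organisation names, users and services are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Topology:
    """Hypothetical SSO deployment (constructed for this example)."""
    name: str
    users_of: dict   # identity provider -> users whose single credential it holds
    trusts: dict     # service provider -> set of identity providers it accepts

def exposure_on_credential_compromise(t: Topology, user: str) -> set:
    """(user, service) pairs reachable with that one user's stolen credential."""
    return {(user, sp) for sp, idps in t.trusts.items()
            for idp in idps if user in t.users_of[idp]}

def exposure_on_idp_compromise(t: Topology, idp: str) -> set:
    """(user, service) pairs that fall if one identity provider is fully compromised."""
    return {(u, sp) for sp, idps in t.trusts.items() if idp in idps
            for u in t.users_of[idp]}

def blast_radius(t: Topology) -> dict:
    """Worst case over all users (credential) and over all IdPs (idp)."""
    cred = max(len(exposure_on_credential_compromise(t, u))
               for us in t.users_of.values() for u in us)
    idp = max(len(exposure_on_idp_compromise(t, i)) for i in t.users_of)
    return {"credential": cred, "idp": idp}

# Constructed sample: two organisations (acme, uni) and four services.
USERS = {"acme": {"alice", "bob"}, "uni": {"carol"}}
SERVICES = ["shop", "mail", "acme-wiki", "uni-library"]

# Globally centralized (Passport-style): one IdP holds everyone, every service trusts it.
PASSPORT = Topology("globally centralized",
                    {"passport": USERS["acme"] | USERS["uni"]},
                    {sp: {"passport"} for sp in SERVICES})
# Locally centralized (Kerberos-style): one KDC per realm; only the realm's own
# services join SSO, the external services are simply not SSO-joined here.
KERBEROS = Topology("locally centralized",
                    {"acme-kdc": USERS["acme"], "uni-kdc": USERS["uni"]},
                    {"acme-wiki": {"acme-kdc"}, "uni-library": {"uni-kdc"},
                     "shop": set(), "mail": set()})
# Federated (Shibboleth-style): each organisation runs its own IdP and every
# service accepts all federation members.
FEDERATED = Topology("federated",
                     {"acme-idp": USERS["acme"], "uni-idp": USERS["uni"]},
                     {sp: {"acme-idp", "uni-idp"} for sp in SERVICES})

if __name__ == "__main__":
    for t in (PASSPORT, KERBEROS, FEDERATED):
        print(t.name, blast_radius(t))
```

The model makes the threat-model point concrete: federation shrinks the damage from a compromised provider to that organisation's own users, but a single stolen user credential still opens every federated service, which is exactly the exposure Bear objects to.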
Re: EU Privacy Authorities Seek Changes in Microsoft 'Passport'
> The Liberty Alliance was stillborn to begin with. Not that it made any practical difference, but the Liberty Alliance received an additional bullet through the head the day that RSA Security, a key participant in the Liberty Alliance, announced that they would also support Microsoft Passport.

{I'm not on DBS so they won't see this.}

I wasn't discussing the politics, just the architecture. But anyway: if Liberty does manage to field something run by the CCard companies, then it will survive, and probably win. MSFT will have to accede to what Visa and MC deploy.

/r$
RE: EU Privacy Authorities Seek Changes in Microsoft 'Passport'
Rich Salz wrote:
> Liberty is architected to be federated, unlike Passport.

The Liberty Alliance was stillborn to begin with. Not that it made any practical difference, but the Liberty Alliance received an additional bullet through the head the day that RSA Security, a key participant in the Liberty Alliance, announced that they would also support Microsoft Passport.

--Lucky
EU Privacy Authorities Seek Changes in Microsoft 'Passport'
http://online.wsj.com/article_print/0,,SB1043436716535021744,00.html

The New York Times
January 27, 2003

EU Privacy Authorities Seek Changes in Microsoft 'Passport'
By BRANDON MITCHENER
Staff Reporter of THE WALL STREET JOURNAL

BRUSSELS -- European privacy authorities this week will outline changes they want Microsoft Corp. to make to its Passport online authentication system to settle a yearlong investigation of its privacy policies, according to people familiar with the situation.

The recommendations, some of which Microsoft is said to have advanced itself in the course of discussions with European authorities, would also target Microsoft's rivals in the so-called Liberty Alliance, which includes Sun Microsystems Inc. and several other multinational companies.

The proposed changes would go beyond those to which Microsoft consented last year following a complaint by a nonprofit group to the U.S. Federal Trade Commission that the company was making improper use of people's data.

Passport allows users who have registered with the service to enter data such as an e-mail address and a password just once and use that digital passport to enter other Web sites without re-entering the same data or creating a new password.

Microsoft has insisted that Passport complies with European data-protection rules, but European privacy authorities last year said the system raised legal issues, including the value and quality of the consent given by users and the security risks associated with the transfer of their data to Passport's partners.

European data-protection commissioners are expected to discuss the recommendations Wednesday. A spokesman for the chairman of the working group declined to comment on its deliberations, as did a spokeswoman for Microsoft.

People familiar with the privacy authorities' thinking say the changes they plan to request give users more information about the system and more control over how their data are used. "Microsoft has accepted to make major changes," said one person familiar with the group's thinking.

The group is scheduled to meet the day before Microsoft Chairman Bill Gates addresses a conference on Microsoft's Internet strategy in Brussels.

The EU privacy probe is unrelated to an antitrust investigation by the European Commission, which has accused Microsoft of abusing its dominant position in the market for operating systems for desktop computers to muscle its way into related product markets.

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: EU Privacy Authorities Seek Changes in Microsoft 'Passport'
The widespread acceptance of something as obviously a bad idea as passport really bothers me. I could see a password manager program to automate the process of password invalidation where you discovered a compromise; but the idea of putting everything you do online on the same password or credential is just... stupid beyond belief.

Why are single-sign-on systems even legal to sell without warnings? Why don't Msoft and the other members of the Liberty alliance have to put a big warning label on them that says USE OF THIS PRODUCT WILL DEGRADE YOUR SECURITY? Because that's what we're looking at here; drastically reduced security for very marginally enhanced convenience.

But what really gets me about this is that it's totally obvious that that's what we're looking at, and people are buying this system anyway. That's hard to swallow, because even consumers ought not to be that stupid. But it's even worse than that, because people who ought to know better (and people who *DO* know better, their own ethics and customers' best interests be damned) are even *DEVELOPING* for this system. It just doesn't make any damn sense.

Bear
Re: EU Privacy Authorities Seek Changes in Microsoft 'Passport'
> but the idea of putting everything you do online on the same password or credential is just... stupid beyond belief.

Liberty is architected to be federated, unlike Passport.

/r$