Passing Passport
By Earl Perkins
Meta Group
February 5, 2002
Provided by META Group

META Trend: Identity and permission management infrastructures will emerge to provide directory, authentication, authorization, delegated administration, and data quality for e-business applications (2001-03). External solutions will migrate into the enterprise, competing against new network operating system (NOS) functionality. Directory interoperability issues will drive integration standards (e.g., LDAPv4, XML-based) and improved metadirectory services (2002-04). A directory-enabled networking (DEN) revival will address voice/data convergence, and extranet service providers will source ID infrastructure. Metadirectory utilities and services will become part of directory control, management, and administration services of the identity/permission management infrastructure (2002/03) as well as enterprise application integration (2005+).

IT organizations (ITOs) have struggled for many years with the concept of identity and its use in authenticating users for access to applications. This issue became much more complex with the introduction of e-business and the concept of authentication across multiple enterprises and Web application delivery to millions of consumers. Microsoft's .Net Passport, the Sun-inspired Liberty Alliance, and AOL's Magic Carpet all represent efforts to create a standard identity infrastructure for consumer-based authentication, enabling applications access across multiple enterprises.

Microsoft will attempt to evolve Passport (in a series of phased steps) from a proprietary-based simple authentication and identification service (in 2002) to a federated, Kerberos-based strong authentication model in late 2003. But it will encounter significant technical and political obstacles due to the complexity of inter-enterprise authentication and the alliances needed to avoid monopoly. This will delay any broad-based use in corporate environments until 2004. Addressing interoperability as a result of limited Liberty Alliance successes will occur after 2005.

The Liberty Alliance (see table) will seek to establish a much broader view of identity and attempt to define standards for both identity and single sign-on in 2002, but it will be forced to narrow its scope due primarily to alliance partner politics. Drafts of such standards will not be widely available before YE02; products based on them will not be available in any significant quantity before 2003/04 due to implementation complexity and competing standards from Passport and Magic Carpet. The alliance is also missing key players such as IBM, Oracle, Novell, Microsoft, and Amazon, though they may join later.

AOL's Magic Carpet initiative will parallel Passport deployments in an attempt to protect AOL's firm grip on its installed base, offering similar functionality but oriented to the consumer audience. Recent conflicts with Microsoft regarding instant messaging make it unlikely that AOL will abandon or modify its current identity plans to partner, and few such partnerships will occur before YE02. Both Passport and Magic Carpet will enjoy limited success in the enterprise, but neither will achieve overwhelming use before 2006. Passport is better positioned in the enterprise to ultimately achieve some dominance, depending on Microsoft's compliance with Liberty Alliance goals.

Passport Service 2002
Through Passport, Microsoft has established the foundation for a managed authentication service providing simple (i.e., userid and password) authentication across multiple enterprise Web sites. This is currently implemented by the Passport Domain Authority, a series of Internet Information Server (IIS) farms throughout the world processing more than 3.5 billion transactions per month for more than 200 million accounts. The user identity information Passport stores generates privacy and trust controversies, considering Microsoft's checkered record with security and monopolistic practices. The technical architecture also raises concerns regarding overall performance, availability, management flexibility, and integration as the number of accounts and demands for stronger authentication increase. ITOs looking to leverage the current Passport will find only the simplest mechanisms (e.g., ID, password) for Web application authentication, focused primarily at B2C markets.

Tomorrow's .Net Passport Services
Microsoft must be able to address issues on several fronts to be successful as a standard authentication and single-sign-on service for the Web environment. This includes introducing Kerberos Version 5 without Microsoft custom extensions into Passport's architecture to ensure interoperability (a minor issue already agreed to by interested parties in the standard) and establishing third-party relationships to build a horizontal brokered model (instead of the current vertical industry models) to ensure privacy and verification services. Using .Net Profile services, Microsoft will introduce (in 2003) interoperability with third parties to exploit digital signatures, public key technologies (i.e., PKI), and certification services to bolster the model and offer strong authentication.

A potential move to further ensure interoperability and defuse identity politics involves Microsoft's inclusion in the Liberty Alliance, an intriguing but unlikely occurrence. Other moves include pressuring e-business Web sites to partner or link with Microsoft sites to use .Net Passport (potentially controversial) and improving perceptions within the industry regarding overall security of the application. Privacy issues will be partially addressed through the implementation of the World Wide Web Consortium's Platform for Privacy Preferences Project (P3P) standards, but this remains a long-term goal (i.e., 2H03) due to P3P immaturity. Microsoft must apply a combination of technology and politics (i.e., partnering opportunities to create a broker model) to ensure broad-based success of .Net Passport among enterprises.

Obstacles and opportunities
For 2003 and beyond, Microsoft will continue tightly integrating its consumer and corporate software efforts, anchored around a subscription-based licensing model. .Net Passport remains the key to Microsoft's view of a federated authentication service. By leveraging dominant client platforms (Windows XP, Messenger, and Office) with its Internet properties (Microsoft Network), interconnected to its corporate platforms (.Net servers such as IIS, SQL Server, Exchange, SharePoint Portal Server, and Windows 2000 Active Directory), Microsoft is in a controlling role with consumers, business organizations, and its technology competitors. ITOs should note that most of .Net Passport's promises for the enterprise will remain primarily planning concerns throughout 2002 (with limited delivery likely in 2003); balancing customer wishes against handing delivery of core security/identity functions to services such as .Net Passport will require caution.

Bottom line: Attempts at providing a secure, federated model for authentication across multiple enterprises will be slow, complex, and difficult for the near term. IT organizations must first define the root of identity for the enterprise and use identity infrastructure elements to construct a foundation for eventual standards-based authentication before considering such a model.

Business impact: The need for a common, adaptive approach to defining, using, and managing identity in an age of globalization and mobility is both urgent and critical for an enterprise attempting to leverage its IT and e-business services.

Copyright © 2002 CNET Networks, Inc. All rights reserved. ZDNet is a registered service mark of CNET Networks, Inc. ZDNet Logo is service mark of CNET Networks, Inc.