Chapter 7: Microsoft Passport


Passport, Microsoft’s single identity and sign-on solution for the Web, has since its initial release back in 1999 been a controversial technology. Most Passport-related discussions concerned the product’s security and privacy features. The primary goal of this chapter is to explore the security and privacy features of Passport. To do so, we will need to dive into the nuts and bolts of the Passport message exchanges. This chapter focuses particularly on how Microsoft has integrated Passport with its latest operating system platforms: Windows XP and Windows Server 2003.

7.1 Passport-enabling Web technologies

Passport uses common Web technologies that are supported by all browsers. These technologies are the Hypertext Transport Protocol (HTTP), Dynamic Web Pages with embedded JavaScript code, Cookies, and the Secure Sockets Layer (SSL) protocol. It is worth pointing out that so far (through Passport version 2.5)[1] Passport uses no (or very little) XML-based technology. In a future version of Passport the service will adopt a new SOAP- and XML-based authentication protocol derived from the WSSecurity specification.[2]

Passport uses HTTP to retrieve Passport Web pages from Passport- enabled Web servers, in order to transport Passport-related user information, to create client-side cookies, to retrieve information from client-side cookies, and to redirect browsers from one Web site to another. Passport makes extensive use of HTTP redirect messages. HTTP redirect messages allow Web sites to communicate with one another without setting up a direct communication between the Web sites’ Web servers: all communications go via the user browser.

JavaScript code embedded in Web server pages enables Passport to deliver dynamic Web content like personalized Web pages to the user’s browser. The reason why Microsoft has selected JavaScript over typical MS scripting technologies like VBScript is because JavaScript is supported on all browsers, not just in Microsoft browsers.

Cookies allow for both the temporary and persistent storage of Passport- related information on the user desktop. They are created by code on the Passport infrastructure servers. To store confidential user information, Passport uses encrypted cookies.

Passport uses SSL to create secure tunnels for the transport of confidential user data between browsers and Web servers. The SSL tunnel provides data authentication, confidentiality and integrity protection, and server- side authentication. The SSL protocol was explained in Chapter 6.

[1]At the time of writing (end 2003) version 2.5 was the most recent Passport version.

[2]More info on WS-Security can be found at msdn.microsoft.com/ws-security.




Windows Server 2003 Security Infrastructures. Core Security Features of Windows. NET
Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
ISBN: 1555582834
EAN: 2147483647
Year: 2003
Pages: 137
Authors: Jan De Clercq

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net