dotgnu-general

[DotGNU]Authentication against Microsoft's "Passport" system?


From: Norbert Bollow
Subject: [DotGNU]Authentication against Microsoft's "Passport" system?
Date: Fri, 27 Jul 2001 09:18:31 +0200

Zimran Ahmed <address@hidden> wrote:

> >     DotGNU is to .NET, as Linux is to Windows.  If you like
> >     Linux, then you will love DotGNU.
> 
> This would not be quite true though. Linux is a competitor to Windows. 
> Depending on how DotGNU and .NET end up being implemented, anything 
> using that architecture could still have to go through servers in Redmond 
> (as it is currently described, authentication from .NET *has* to come 
> from Microsoft).

That will definitely not be true for DotGNU.

DotGNU will support multiple bytecode formats; one of them will
be Microsoft's IL.  While on Microsoft platforms, IL-based
Portable Executables may be hard-coded to use Microsoft's
"Passport" authentication system, on the DotGNU platform the end
user will at least have the option to override that.  In fact I
personally think that the way to go will be to officially declare
Microsoft's "Passport" authentication system to be *evil* and
boycott it altogether.  I think that we should instead make it
easy for vendors of proprietary software to support an
alternative, non-centralized authentication system so that their
software will run on the DotGNU platform.

Since DotGNU is Free Software, that does not stop those who are
interested in the success of the "Passport" system (Microsoft,
Inc. comes to mind) from releasing patches for DotGNU that add
support for the "Passport" system.

If you want DotGNU to include support for the "Passport" system,
you may possibly also have legal problems in addition to the
ethical and PR problems:

As far as I know, Microsoft has not even published an API for
its "Passport" authentication system yet.  From a published
explanation of how the system works, I know that it is a very
simple system, and hence I'm sure that it would be trivial to
reverse-engineer it.  However, in DotGNU we must be very careful
to avoid stepping over any legal boundaries, and it is not clear
whether Microsoft's license agreements allow reverse-engineering.

(I say "it is not clear" because the parts that explicitly
forbid reverse-engineering may in fact legally be null and
void.)

Tony Stanco is working on putting together a legal team for
DotGNU.  As soon as this team is in place I will ask this
question:


  "Is it within my rights to analyse how the 'Passport'
  authentication system works exactly, and then publish a paper
  on any security problems and design flaws that I may find?"


> So, DotGNU is something that helps Windows spread its licensing regime to 
> more places.

Definitely not!!!!

Greetings, Norbert.

-- 
A member of FreeDevelopers and the DotGNU Core Team   http://dotgnu.org
Norbert Bollow, Weidlistr.18, CH-8624 Gruet  (near Zurich, Switzerland)
Tel +41 1 972 20 59      Fax +41 1 972 20 69      http://thinkcoach.com
Your own domain with all your Mailman lists: $15/month http://cisto.com


