title: Juggling eggs


by: Scott Bradner


Microsoft said they would shut down part of their Passport single-login system, at least for a while.  This shutdown was not to mollify the many people who are concerned about the privacy implications of enabling a single company, particularly one with the mixed reputation that Microsoft has, to hold the keys to so many kingdoms. And this column is not about trusting, or not trusting, Microsoft.  It is about eggs and baskets.


It was a software bug that caused Microsoft to disable the e-wallet part of Passport: a bug that could, at least in theory, be exploited to get the Passport servers to send the contents of someone's e-wallet to someone else.  Microsoft does not think that the bug was actually exploited to expose information that should not have been exposed, but it shut down the service, inconveniencing its 2 million or so users, to fix the bug.


Passport is quite a success.  Of course, some of the success comes from Microsoft requiring computer owners to enroll in Passport in order to even install some Microsoft software, but it is claimed that as many as 200 million people have enrolled.  No matter how you cut it, that is a lot of people. In Microsoft's vision, Passport will make it easier for people to identify themselves to multiple web sites.  A feature that, to me at least, is at best a mixed blessing.  The vision also has just about everyone on the Internet, or at least the US part and maybe Europe, within the Passport embrace. Passport is an almost perfect example of the kind of attractant Larry Lessig talks about in his book "Code."  Larry argues that people will embrace a potentially threatening system if it offers something they want.


But Passport is a perfect example of something else.  It is an example of a vast number of people and systems dependent on something designed and run by people.  If a bug pops up, it potentially affects 200 million people.  Or, if one of the people operating Passport is bribed, millions of people suddenly become vulnerable.  Passport is not alone in having this potential impact; see how successful the various email-borne viruses have been in the current Outlook-rich Internet environment.


From all sorts of points of view it makes a lot of sense to standardize on a single vendor's systems and applications.  Support is easier, and with scale can come efficiency and maybe even lower costs. But dependence on a single vendor brings the same kind of threat that a farmer faces if they plant all their fields with the same strain of corn.  If the wrong bug comes along, they can lose everything.


As a Mac user I'm doing my part to ensure some genetic diversity, but I have no idea how to deal with the trends in the real world other than to pray that Microsoft only employs incorruptible people who write perfect code.


disclaimer: Perfection and Harvard are related, at least in Harvard's mind, but the above lament is mine alone.