FEATURE

Personal security

by Staff Writers  on Jan 1, 1900
Tags: Personal | security
I'd like to end with one final topic. It doesn't matter how you look at it, the Internet is a fairly hostile place. With the rise of the IP address on demand schemes used by most ISPs, it's almost impossible to trace the same user across multiple connections in time. You never know where they might pop up next, and blocking whole ISPs is hard when some are now huge in scope and user base.

Worse still, most ISPs seem to be very unwilling to reveal the identity of a given user unless you lean on them heavily with legal writs. They'd much rather just not know and cancel the account of anyone who's proven to be a liability. At $30 a month, can you blame them? It's even worse with the new free ISPs, as there's effectively no account to cancel. If you have your email at a Web centre like Hotmail, you don't care which ISP you use as Internet plumbing at any given time. As many are finding, this is making the Internet a more dangerous and difficult place to be. Spam email is on the eternal rise and Denial-of-Service attacks seem to be the norm rather than the exception. We have to place firewalls and intrusion detection systems on our virtual business spaces that outdo the locks and keys that are on our physical offices.

From a user perspective, things are getting ever more complex. Go to a Web site and you have to remember a username and password. It was easy when you could be John Doe, but unfortunately you're competing in an address space of millions of other John Does, so JDOE2 has almost certainly gone too. That means you're j_doe999 on one service, johndoe123 on another and SFRD444E3 on another because they don't believe in usernames based on real words.

This confusion is growing almost geometrically. Last year I had to worry about half a dozen usernames and passwords. Today it's nearer to 30 and variation in them means I have to keep a record of them somewhere because my poor brain can't cope.

Given this rising problem, a set of centralised authentication services like Passport will be welcome: one place to log in, one place that knows I am really me. Is this a service I would pay to have? Yes, of course. The good news, though, is that I won't have to pay for it. Microsoft has told me, in the clearest possible terms, that it's prepared to scale up the base Passport system to authenticate every user on the Internet for free. This is an incredible challenge and a stunning claim, but it recognises that the new world order of The Authenticated Internet is absolutely vital to the Internet world as it moves forward through this decade.

Challenging though this is, the business space is even more complex. As someone who runs his own Windows 2000 and Active Directory network, I would much rather have some means by which I could authenticate myself rather than rely on a third party to do it for me. Take the situation of a large company. It would like users to be authenticated while away from the office as john@doecorp.com, but there's a major security issue here. It isn't, under any circumstances, going to let Microsoft or another third party authenticate its users. The reason for this is simple: a company is vicariously liable for the actions of its employees. In other words, if I'm at work during work hours and do something, then the company is liable on my behalf. Therefore, if I'm logged into a Web site as john@doecorp.com and Passport has authenticated me, then my company might well be liable for what I do or say. Due to this, a corporate will insist on authenticating an employee itself.

This is the background behind the raft of Internet-facing authentication engines we will start to see arriving from major players like Microsoft. If you think about it, there's already enough technology in Windows 2000 to successfully authenticate a user. There's no problem putting a trust relationship in place between an authentication provider like Passport and my company's Active Directory. All the technology is there: Kerberos, IP tunnelling and so forth. Microsoft has told me that the version of Windows Server after XP will allow for a one-click method by which Passport For Active Directory can be activated. In other words, allowing external authenticator engines to use my Active Directory as the master authenticator for users in my domain will be a simple matter. It does, I'm sure, open up a can of worms on the realms of new forms of Denial-of-Service attacks, but we'll work around that.

There's one interesting side issue from this: there's no reliance on master certificate providers like VeriSign. Many people were shocked by the ease with which VeriSign issued Microsoft certificates to an impostor earlier this year. For myself, I was pleased because it brought the whole issue of authentication and trust onto the table and made people think about it.

In the future .NET-authenticated world, I might have a private trust relationship with Passport for my personal email and other HailStorm data. A company may well set up an explicit trust relationship between Microsoft Passport and its internal Active Directory service to authenticate employees. There could well be a range of authenticators and a range of authenticated personas for myself too.

Most people don't mind being authenticated and probably don't mind that you know it's them, as the majority have nothing to hide and are happy that you can trust that it's them. Obviously, there are groups of people who don't want to be authenticated. One can't underestimate the importance of services like The Samaritans: it would need to explicitly state that it wasn't taking any user authentication information into its network unless requested by the person seeking its help. The other group of people who actively don't want to be authenticated are those who live on the underside of the Internet: the hackers, warez lovers, porn merchants and all the rest. For them, the Internet is a global hideaway where they can do what they want, safe in the knowledge that it's hard to track them down.

Now move forward five years into a world where most people are authenticated by one of a range of trusted online security services. If you set up a Web site, you might decide only to allow authenticated people in. You don't actually care who they are, you merely insist that they're authenticated. Think where this will lead. I believe we'll start to see a slow but clear separation of the Internet into two distinct areas: the authenticated and the chaotic. In effect, the oil and the water of the Internet will split into two quite discrete layers. You'll be able to freely move between them if you wish, or you might want to restrict yourself (or your children) to the authenticated space only.

I think this will have a profound effect on the shape and usage of the Internet. It will lose its Wild West feeling and gain a stronger, more line-of-business space. Yes, it will lose a lot of charm and I fear that more places will be brought to you in association with some global advertising slogan. Will the large corporates have finally won, by taking over the Internet? Yes and no. I'm sure that some people will leap with both feet into the world of authenticated Internet, and so there will be opportunities for ISPs to offer authenticated-only connection facilities. But the reality is that it will be a slow move.

The move to a .NET world of online services, distributed service provision and authenticated users is one that will change the shape of the Internet forever. There will be upsides and downsides, but the public will be able to vote with their feet. If Microsoft and the other players in this field get it wrong, then customers simply won't pay to play. If HailStorm is too little and too expensive, it will get few customers. Any attempt at locking in a Windows-orientated customer base will fail because of the XML-based nature of the interconnectio
This article appeared in the May, 2002 issue of PC Authority.