Scott Bradner: Putting your eggs in one basket?

‘Net Insider

Microsoft Corp. said it would shut down part of its Passport single-logon system, at least for a while. This shutdown was not to mollify the many people who are concerned about the privacy implications of letting a single company, particularly one with the mixed reputation that Microsoft has, hold the keys to so many kingdoms. And this column is not about trusting, or not trusting, Microsoft. It’s about eggs and baskets.

It was a software bug that caused Microsoft to disable the e-wallet part of Passport: a bug that could, at least in theory, be exploited to get the Passport servers to send the contents of someone’s e-wallet to someone else. Microsoft says it does not think the bug was actually exploited to expose information that should not have been exposed, but it shut down the wallet service anyway, inconveniencing that service’s 2 million or so users, in order to fix the bug.

Passport is quite a success. Of course, some of the success comes from Microsoft requiring computer owners to enroll in Passport to even install some Microsoft software, but the company has claimed that as many as 200 million people have enrolled. No matter how you cut it, that’s a lot of people. In Microsoft’s vision, Passport will make it easier for people to be identified to multiple Web sites. That’s a feature that, to me at least, is at best a mixed blessing.

The vision also has just about everyone on the Internet, or at least in the U.S. and maybe Europe, within the Passport embrace. Passport is an almost perfect example of the kind of attractant Larry Lessig talks about in his book Code: as Lessig argues, people will embrace a potentially threatening system if it offers them something they want.

But Passport is a perfect example of something else. It is an example of a vast number of people and systems depending on a single thing designed and run by fallible people. If a bug pops up, it potentially could affect all 200 million of them at once.

Or, if one of the people operating Passport is bribed, millions of people suddenly become vulnerable. Passport is not alone in having this kind of concentrated impact; see how successful the various e-mail-borne viruses have been in the current Outlook-rich Internet environment.

From many points of view it makes sense to standardize on one vendor’s systems and applications. Support is easier, and with scale can come efficiency and maybe even lower costs. But dependence on a single vendor brings the same kind of threat that a farmer faces if he plants all his fields with the same strain of corn. If the wrong bug comes along, everything can be lost.

As a Mac user, I’m doing my part to ensure some genetic diversity, but I have no idea how to deal with the trends in the real world other than to pray that Microsoft only employs incorruptible people who write perfect code.

Bradner is a consultant with Harvard University.