[Timesink]

bump for bump lists

[zeugma]

If I remember correctly Bruce Schneier at Counterpane has written about other fundamental problems with passport. It is apparently broken no matter what microsoft does, short of a complete re-design.

Anyone who trusts microsoft's security gets what they deserve, and deserves what they get.

[Paul_B]

My own policy: avoid permanently.

MS has a lousy security record, and is basically too doggone big.

[Reaganwuzthebest]

A serious security flaw shows that Microsoft Passport identities could be easily compromised.

Microsoft will have a solution for all these security flaws soon. All we'll have to do is go out and buy brand new computers with their new OS Palladium installed on it. It will phone home regularly to the fatherland in Redmond to make sure everything's okie dokie.

Big brother to the rescue.

[TechJunkYard]

Enterprises considering Passport services should delay adoption until at least November 2003 or until Microsoft has completed a thorough security review of Passport, including outside reviewers.

Yeah, like that's gonna happen.

Microsoft can reduce this impact and regain market confidence by submitting Passport's code to a full open-source review.

What have these folks been smoking? Microsoft will make the reviewers sign NDAs so they can't even talk amongst themselves and do a proper review. MS doesn't want to know about their flaws; they just want to continue to dominate the market.

If MS had been paying attention, they would have picked up on the Passport thing soon after April 12th, when the researcher first tried to contact them. But nooooobody at MS knew a thing about it until he finally posted it to the Full-Disclosure list out of desperation.

Remember back in February (the shortest month of the year, BTW) 2002, when MS took a whole month off to train their folks and review all of their code? Does anyone really think that it could all be done in a single month? Does anyone else have a strange suspicion that it was all for PR?