> My concern stems from the use of a central authority...

Yes, I agree. I think Microsoft is trying to make this a more open repository, so other repositories can authenticate users through the passport mechanism. I'm not sure how much work has been done in that direction.

I always wonder whether MS will spin Passport off as it's own organization at some point... (Again, these are just my personal thoughts).

> Then there's the issue of the failure of the authentication actor; if MS is
> designated as the arbiter of access to detail, and suddenly the MS
> authentication servers sink to the eighth level of Hell, the world of
> nodes reliant on that administrative authority had better hope we have good
> connectivity to the underworld. We establish a single or finitely limited
> point of reference for information we are intrisically reliant on to
> work at all.

Agreed. But again: I trust MS more than any small SP. But this is a very valid point. In fact,the Passport servers had to be taken down recently to avoid security issues...

> As long as I can restrict the PID consumer (West-Wind) from granting another
> consumer the right to access private detaile exposed to the first PID
> consumer (EPS), or they identifying entity is made aware of the consequence
> of exposing the detail, fine. I don't mind the relationship between
> West-Wind and EPS, but might well be annoyed with a relationship between
> West-Wind and the Jehovah's Witnesses entity (or kiddie porn sites, or
> Delphi advocacy sites, or whatever). I don't want to find myself assaulted
> in the early morning of the day by people out to save my soul because I
> bought Web Connection!

I couldn't agree more! In fact, as a Passport partner, one signs a very strict agreement that prevents this kind of activity. Microsoft has avery close eye on its partners for this kind of stuff.

The big issue here is that all that's known is the PID. With the PID all by itself, one can't do much, unless the user actively navigates to the site that has knowledge about the PID and can then grant premium access...

>> BTW: Talking about data privacy concerns. Have you ever taken a look at
>> www.publicdata.com? Scary! That's where we need to start to voice our
>> concerns...

> No question - the individual is ultimately responsible for the security
> ofd their identity.

Unfortunately, it's not that easy. Here in the US, it's basically impossible to protect one's privacy. This fact became obvious very quickly to me. As a European, I was used to strictest privacy laws. Here, you can pay cash at Radio Shack and still get spammed with snail mail 3 days later.

But heck, I've chosen to live here, so I agreed to that, I guess... ;-)

>> BTW: Spamming is a big no-no for a Passport partner, since one would get
>> kicked off the program before one could email the word "spam" :-)

> If that's the case, I'm in favor of it, because I don't like SPAM!

Actually, the only way to really send notifications to people is through .NET My Alerts. This is a service I really like! As a partner, one can send alerts to a certain PID.
As a user, one can configure ones alerts, so only certain ones go through. So that should be the end of spam right there (well, there is always those other sites that don't use Passport, of course < s >).

Markus