At a panel discussion about online authentication systems featuring representatives from Microsoft Corp. and Sun Microsystems Inc., the gloves stayed on until the last few minutes, when a pointed question from the audience about Microsoft's definition of "interoperability" finally sparked debate between the rival architects of Passport and the Liberty Alliance Project.
Microsoft doesn't expect identity and authentication services to be the provenance of any one company, its spokesman maintained throughout the discussion, held Friday here at Jupiter Media Metrix Inc.'s Financial Services Forum. Instead, the software maker has "put our stake in the ground" and selected the Kerberos network authentication protocol as the basis for its Passport system, said Greg Nelson, a product unit manager with Microsoft's Financial Technologies Group. Any third-party authentication system utilizing Kerberos, an open standard developed at the Massachusetts Institute of Technology, will be able to interface with Passport, Nelson said.
But a Sun executive working on the Liberty Alliance system insinuated that Microsoft's version of interoperability differs from the industry's: "I'll let the elephant in the room. When someone preaches interoperability -- any vendor -- check the math and make sure you really know what that means," said Hal Stern, chief technology officer of Sun's iPlanet E-Commerce Solutions subsidiary.
An audience member quickly followed up on that comment, quizzing Nelson on how Microsoft intends to insure that Passport's use of the open Kerberos protocol isn't "polluted," as was Microsoft's infamous Java implementation.
Java offered a fundamentally different situation because it was created in-house by an industry rival, Nelson answered. Kerberos and other open standards, in contrast, have been adopted by industry consortiums and standards bodies -- groups in which Microsoft participates, he said.
"We're part of the conversation about how a technology like Kerberos develops. That was certainly not true about Java," Nelson said.
Still, the proof of genuine standards compliance lies in a product's implementation -- and on that count, Microsoft's record isn't impressive, Stern countered. "With Passport and its use of Kerberos today, (interoperability is) not the case. While the standard is obeyed, the implementation only works on other Microsoft platforms," he said.
Stern urged Microsoft to observe the open-standard spirit and implement Kerberos "without the special sauce."