Secure channel sign-in requires all authentication communication to use SSL to protect information transmission between the browser and the Web site and between the browser and the Login server. An intruder can't extract cookies from any captured encrypted information. In addition to the standard sign-in cookies, the Login server and Web site each create a secure HTTPS cookie that can't be manipulated, then compare the PUID in the secure cookie with the PUID in the regular cookies. If no secure cookie exists on the user's machine or if the two PUIDs don't match (which would be the case if an intruder manipulated one of the standard cookies), the user must repeat the sign-in process.
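The consistency check just described, written out as an added example (not code from the article or the Passport SDK); the cookie names and the `puid=...&ticket=...` payload layout are constructed placeholders, not Passport's real formats:

```python
# Added example, not code from the article or the Passport SDK: the secure
# channel decision a Web site makes once the browser's cookies arrive over SSL.
# Cookie names and the "puid=<id>&ticket=<t>" payload are constructed placeholders.
from typing import Dict, Optional

REGULAR_COOKIES = ("auth", "profile")   # hypothetical standard sign-in cookies
SECURE_COOKIE = "secauth"               # hypothetical HTTPS-only cookie

def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie request header into a name -> value map."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies

def puid_from(cookie_value: Optional[str]) -> Optional[str]:
    """Pull the PUID field out of a constructed 'puid=<id>&ticket=<t>' payload."""
    if cookie_value is None:
        return None
    fields = dict(kv.split("=", 1) for kv in cookie_value.split("&") if "=" in kv)
    return fields.get("puid")

def secure_channel_decision(cookie_header: str, over_ssl: bool) -> str:
    """Return 'accept' or 'resignin' according to the secure channel rules."""
    if not over_ssl:
        return "resignin"          # the secure cookie is never sent in the clear
    cookies = parse_cookie_header(cookie_header)
    secure_puid = puid_from(cookies.get(SECURE_COOKIE))
    if secure_puid is None:
        return "resignin"          # no secure cookie on this machine
    for name in REGULAR_COOKIES:
        if puid_from(cookies.get(name)) != secure_puid:
            return "resignin"      # a standard cookie is missing or was altered
    return "accept"
```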
Strong credential sign-in requires the user to enter a four-digit security key after successful secure channel sign-in. The user creates this security key in his or her .NET Passport account the first time he or she visits a participating Web site that requires strong credential sign-in; the key then becomes part of the user's credential. During key creation, the user must answer 3 out of 10 "secret" questions (i.e., questions not related to the user's credential or profile) and confirm the answers on a separate registration page before the .NET Passport system activates the security key. .NET Passport uses these questions and answers to confirm user identity in the event a user forgets his or her key.
The EP Service
Participating sites that offer the EP service include the official .NET Passport express purchase link, which Figure 5 shows, with the site's shopping cart information. After a user adds goods to the shopping cart, the user clicks the link to initiate the EP service. To protect the user's .NET Passport wallet, the Web site requires the user to reenter his or her password to sign in to the wallet. After wallet sign-in, the Web site redirects the user's browser to the .NET Passport Wallet server. The Wallet server displays the wallet information on the user's browser so that the user can select the appropriate credit card, billing address, and shipping address for the order. The Wallet server can embed this information in the Web site's check-out page, as the fictitious example in Figure 6 shows. .NET Passport uses a Luhn algorithm to confirm the validity of the credit card number but doesn't perform credit card authorization.
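A Luhn (mod 10) validity check of the kind the article says the Wallet applies to a card number, as an added example (not the article's or .NET Passport's code); it checks digit structure only, which is exactly why it is not payment authorization:

```python
# Added example, not the article's or .NET Passport's code: Luhn mod-10 check.
# The card numbers in the comments below are constructed test values.
from typing import Optional

def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string; a valid number sums to 0 modulo 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):   # i == 0 is the check digit
        d = int(ch)
        if i % 2 == 1:                          # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2   # same as summing the two digits
        total += d
    return total

def normalize_pan(number: str) -> Optional[str]:
    """Strip spaces and dashes; reject other characters or an implausible length."""
    digits = number.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return None
    return digits

def is_luhn_valid(number: str) -> bool:
    """True when the number is well-formed and passes the mod-10 check."""
    digits = normalize_pan(number)
    return digits is not None and luhn_sum(digits) % 10 == 0

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid (handy for test data)."""
    return str((10 - luhn_sum(partial + "0") % 10) % 10)
```

A number that passes this check can still be closed, stolen, or over its limit; the Web site's own authorization step, described later, decides whether payment actually goes through.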
To complete the purchase, the user clicks Continue or Buy Now at the bottom of the check-out page. The Wallet server then constructs an HTTP POST form containing the credit card information in Electronic Commerce Modeling Language (ECML) format (an industry-standard e-commerce schema that Microsoft, Visa, American Express, MasterCard, and other third parties developed). The Wallet server uses the Web site's site-encryption key to encrypt the information, posts the information to the return URL, and redirects the browser to the Web site's shopping-cart page. The Web site extracts the encrypted credit card information from the HTTP POST form, uses its site-encryption key to decrypt the information, then completes the appropriate payment authorization and shipping procedures. The EP service uses SSL to protect transmitted information.
Participating Web sites can use the .NET Passport EP service without providing the SSI service. However, sites that also use the SSI service can use the PUID as an index for shopping-cart status and order-tracking databases. Even Web sites that don't implement the SSI service must provide the Sign Out link to protect the user's wallet information.
Becoming a Participating Web Site
To enable .NET Passport on your Web site, you need to run .NET Passport objects on your Web servers and incorporate the .NET Passport functions (e.g., sign in, sign out) into the site. The free Microsoft Passport software development kit (SDK) contains the .NET Passport objects, a Passport Manager administration utility, a test Web site, and a sample Web site.
The Passport objects run on the Web server and handle all the .NET Passport service tasks, such as authentication, encryption, decryption, and reading and writing cookies. Passport Manager, which Figure 7 shows, lets you define your site's .NET Passport configuration (e.g., sign-in time window, forced sign-in, language ID, site ID, return URL, parameters for cookies and cobranding). You can also use Passport Manager to remotely configure Passport-enabled Web sites. The test Web site (current-login.passporttest.com) lets you run tests with your Web server. The sample Web site, Adventure Works, is a fictitious e-commerce site that uses SSI and EP; you can experiment with this site on your Web server, or you can access it over the Internet at adventureworks.passport.com.
You can download the SDK and related documentation from the Microsoft Developer Network (MSDN) at http://msdn.microsoft.com/downloads/default.asp?url=/code/sample.asp?url=/msdn-files/027/001/644/msdncompositedoc.xml. Two versions of the SDK are available: Passport SDK 2.0 and Passport SDK 1.4. Passport SDK 2.0 requires XP or Windows 2000 Server, Microsoft Internet Information Services (IIS) 5.0 or later, and IE 4.01 SP2 or later. Passport SDK 1.4 supports Win2K Server, Windows NT 4.0 Server SP4 or later, Internet Information Server (IIS) 4.0 or later, and IE 4.01 SP2 or later. Passport SDK 2.0 includes support for secure channel and strong credential sign-in, advanced cobranding (e.g., flexible-layout cobranding, context-sensitive cobranding), the Platform for Privacy Preferences (P3P) standard for describing privacy policies in a machine-readable XML format, mobile devices, and XP. To use secure channel or strong credential sign-in and EP, your Web site needs an SSL certificate. You can obtain an SSL certificate from a Certification Authority (CA), which can be your organization (if it provides its own public key infrastructure (PKI) and CA service) or an external CA service provider, such as VeriSign.
The Passport SDK also supports non-Windows OSs (e.g., Sun's Solaris, Hewlett-Packard's HP-UX, Linux) and Web servers (e.g., Apache, Netscape, iPlanet). You can find more non-Windows support information in the Passport SDK documentation.