Re: AW: [Auth]Re - [Auth} A simple server-side authentication scheme

From: Norbert Bollow
Subject: Re: AW: [Auth]Re - [Auth} A simple server-side authentication scheme
Date: Tue, 17 Jul 2001 18:45:18 +0200

"Carsten Kuckuk" <address@hidden> wrote:

> I still have to get acquainted with the ideas and thoughts of the others on
> this list.

Ok, for a bit of background info...  With .NET, Microsoft seeks
to achieve the following goals:

1. Establish a framework where people will pay for using
   computer programs.

2. Establish a dominant position in the webserver market so that
   then in a second step, Microsoft can kill Apache and friends
   with proprietary extensions to the HTTP protocol.

3. Establish a dominant position in the area of authentication
   services, which will then allow Microsoft to control the
   market for e-commerce software.

   As a side effect of Microsoft's efforts in this area (if they
   are successful), something really scary happens:  All of the
   world's authentication data will pass through Microsoft's
   "passport" servers.

4. Direct everyone's attention away from Sun's Java to a
   programming language created by Microsoft.

Some people (including me) are very concerned about points 2 and
3 and the side-effect of 3.  This was discussed on the
FreeDevelopers mailing list, and then Myrddian proposed a project
for stopping all of this from happening, and called that project
DotGNU.  Essentially the idea was to build a powerful Free
Software system that provides all the benefits of .NET with one
big difference:  Instead of having a single company (Microsoft)
at the center of the .NET universe, we wanted to build a system
without centralized storage of authentication data.  This
thought eventually matured to become the basic architecture
which is outlined at

This is a very powerful concept and I have been quite happy and
excited about it - until Ron Burke came along and pointed out
that we also need to do something quick right now, something that
will prevent Microsoft from gaining a dominant position in the
area of authentication services.

So now the DotGNU project must proceed on two tracks.  One track
(to which this list is devoted) for doing something quick that
will prevent Microsoft from monopolizing authentication services.
And another track for building a system that will outclass
Microsoft's .NET - the ARCH list is devoted to that.  And then
we have the DEVELOPERS list for general discussions, which don't
fit on either of these specialized lists, or which should not be
limited to either list.

> >> Because the ecommerce market is the one market that really
> >> matters, and Microsoft is targeting it aggressively.
> I disagree here. You are right in that this is where the money is, and that
> this is the field that MS is targeting, but money is irrelevant for a GNU
> project,

DotGNU is not primarily a GNU project, but rather it is
primarily a project of FreeDevelopers, see

The goal of FreeDevelopers is to develop Free Software and
market it in such a way that the developers can get paid for
their work.

The Free Software Foundation has endorsed DotGNU and said that
they want the project to be part of the GNU system.  But if they
had not wanted it, we would still have done it, although we
would probably have been forced to change the name in that case.

> and I don't think people should blindly follow others. By looking
> too much at Microsoft you allow them to control your thoughts
> and take away your time. When you enter the realm of VES, CIL,
> C#, etc. you have to spend weeks and weeks reading their
> specs, learning their language and abbreviations

That's something that Ximian is doing with the Mono project.

The plan for DotGNU is to provide emulation so that Microsoft's
bytecode can be executed in a "DotGNU Secure Execution
Environment", but not more.

> and in the end you see that all they did was just to copy
> Java, and make it incompatible to Java.

Recently a Mono developer tried to convince the ARCH mailing
list that Microsoft has actually included some significant 
innovations in their stuff.  Would you be able to (without
spending much time on it) check his claims for accuracy, and
whether they're really relevant?

> I have implemented several compilers in the past decade, and
> reading their specs with this background makes it pretty
> obvious. So in the end they have lured you into wasting
> valuable weeks of your life by just reading their docs.

Wow.  Great to have you on board.

Now that I have your attention please allow me to quickly ask
(even though it's off-topic for this list), what kind of
bytecode spec should DotGNU use?  So far the following options
have been seriously proposed:

a) Java bytecode, with extensions (it looks like Java bytecode
   doesn't do everything that we need; someone told us that
   adding these extensions would not be trivial.)

b) Microsoft's new bytecode, possibly with extensions.

c) Design our own bytecode from scratch.  (Probably only
   feasible if an experienced expert in this area joins our

> Please take the time and visit
> and read David Gelernter's "The Second Coming - A Manifesto".

Read it :-)

> In this text you'll learn about a different concept of virtual
> identity -- cyberbodies -- that has almost nothing to do with
> e-commerce but has the power to transform the Internet into
> something really useful. And this is what I was thinking of
> when I made my posts on the list here. It is immediately
> useful to all online users, implementable, and non-critical in
> such a way that initial errors would not lead to lawsuits.

Ok, I understand better now what you mean.  Most of this is
quite outside the scope of the DotGNU project though.

> >> > If you stick with LAMP architecture on the server side, the system
> >> > can be rolled out right now on millions of servers.
> >> Please explain LAMP architecture, and how we can "roll out a
> >> system right now on millions of servers."  That sounds exciting.
> LAMP means Linux, Apache, MySQL and PHP. This is the standard web server
> architecture that hobbyists can rent from ISPs for prices starting at USD 10
> per month. All my friends have one, I have one for myself, one for my wife,
> and one for the toastmasters club I'm a member of. They're ubiquitous. So
> if we can implement part of the system using the relational database MySQL
> for data storage, and write the access code in PHP we would have a small
> package that could be installed on almost every hobbyist's web server. The
> instructions would read: "Please log into your web server. Start mysql.
> Execute the following SQL statement: CREATE TABLE PROFILES( uid int, account
> varchar(100), pwd varchar(100), data varchar(200), primary key(uid)); Then
> create a directory /dotgnu under your HTML root. Copy the files
> putprofile.php and getprofile.php there." Every hobbyist can do this. And
> suddenly you have thousands, possibly millions of identity servers on the
> web.

Only if you give them an incentive to set this up.  What is the

> The clients making use of this data could be implemented as server
> plug-ins or as standalone Java applications, whatever people like. That's
> what I was thinking about. It would put an infrastructure into place very
> quickly, and more important: It would make the project known and immediately
> useful.

How will these servers be useful?  (What felt needs do they meet?)

Greetings, Norbert.

Norbert Bollow, Weidlistr.18, CH-8624 Gruet  (near Zurich, Switzerland)
Your own domain with all your Mailman lists: $15/month
Business Coaching for Internet Entrepreneurs --->
Tel +41 1 972 20 59      Fax +41 1 972 20 69      address@hidden
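
An added example, not part of the original message and not DotGNU code: a sketch of the storage side of the quoted PROFILES setup, with Python and in-memory SQLite standing in for PHP and MySQL. The `put_profile`/`get_profile` semantics, the scrypt encoding of the `pwd` column and the sample values are assumptions; the message does not say what putprofile.php and getprofile.php do.

```python
import base64, hashlib, hmac, os, sqlite3

# Table from the quoted instructions; in-memory SQLite stands in for MySQL.
SCHEMA = """CREATE TABLE PROFILES(uid int, account varchar(100),
    pwd varchar(100), data varchar(200), primary key(uid))"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def hash_password(password, salt=None):
    """Return 'scrypt$<salt>$<hash>': 76 ASCII chars, fits pwd varchar(100)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=2**14, r=8, p=1, dklen=32)
    enc = lambda raw: base64.b64encode(raw).decode("ascii")
    return "scrypt$%s$%s" % (enc(salt), enc(key))

def verify_password(password, stored):
    """Recompute the hash with the stored salt; compare in constant time."""
    try:
        scheme, salt_b64, _ = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
    except (AttributeError, ValueError):
        return False  # NULL or malformed pwd column
    if scheme != "scrypt":
        return False
    return hmac.compare_digest(hash_password(password, salt).encode(),
                               stored.encode())

def put_profile(db, uid, account, password, data):
    """Assumed semantics: create a row, or update it with the right password."""
    if len(account) > 100 or len(data) > 200:
        return False  # enforce the column widths; SQLite itself would not
    row = db.execute("SELECT pwd FROM PROFILES WHERE uid = ?", (uid,)).fetchone()
    if row is not None and not verify_password(password, row[0]):
        return False
    db.execute("REPLACE INTO PROFILES(uid, account, pwd, data) VALUES (?, ?, ?, ?)",
               (uid, account, hash_password(password), data))
    return True

def get_profile(db, uid, password):
    """Assumed semantics: return data only to a caller who knows the password."""
    row = db.execute("SELECT pwd, data FROM PROFILES WHERE uid = ?", (uid,)).fetchone()
    if row is None or not verify_password(password, row[0]):
        return None
    return row[1]
```

All values reach the database as bound parameters, and the `pwd` column only ever holds a salted verifier, so a copied table does not directly expose the passwords of the accounts hosted on that server.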
