.NET Passport

Passport User ID (PUID)

• 64 bits
• Unique
• Linked to user's passport (i.e. same value every visit)
• Transferred encrypted.
• Individual Sites can ask for a Security Key if simply being logged in as the correct user (i.e. the PUID) is not considered secure enough. A Security Key is a four character value.

Operational Info

• Version Number (incremented by MS every time the user saves a change to their passport account)
• Whether:
  • E-mail address has been verified
  • Its a Kids Passport
  • Has associated .NET Passport Wallet info
  • Its a public or private listing
  • The account has been deactivated

  (Note: Unlike other info, the user cannot control access to Operational Info)

Legal Stuff & Registration Requirements

Companies using Passport have to have a privacy statement of acceptable level to use the Passport service. Haven't seen a definition of "acceptable level".

MS does not "mine" user info or track click-through information. They do however collect aggregated information about the number of users by attributes such as gender, age or region.

Users cannot refuse e-mails from MS about passport (i.e. service updates and surveys). That said, you don't have to reply to the surveys (and I've never had one).

Sites must agree to:

• Only to use information from the .NET Passport to supply goods and services the user has actually requested
• Not use information from the .NET Passport to contact the user without having previously obtained the user's consent
• Not share the .NET Passport Info with other sites, except where this is necessary to complete a transaction (for example, a site probably has to supply the user's name and address to a 3rd party parcel delivery company) and the 3rd party must confirm to a long list of requirements (privacy policy etc.). It is acceptable to supply the PUID (and only the PUID) to another .NET site.

To register, you must supply:

• E-mail address
• Password (6 chars+)

or, if registering on a mobile device:

• Mobile Phone number. Mobile device users can use this in place of the e-mail address when signing in (being easier to enter on a numeric phone keypad).
• Mobile PIN (6 to 16 digits). Mobile device users can use this in place of the password when signing in.

Additionally, you can record the following in the passport as well (anything else, the individual site has to store outside of passport and (presumably) link by the PUID):

• Accessibility Options
• Date of Birth
• Country / Region
• First Name, Last Name
• Gender
• Iccupation
• Postal Code
• State (!)
• Time Zone

XP Integration

Required to use:

• Messenger
• Remote Assistance
• MSN Explorer (yuk)

Nag screen / bubble goes away after 5 connections / refusals.

XP can log you into Passport automatically (if you want)

.NET Passport Express Purchase Service

When the Express Purchase button is clicked the user is redirected to a https:// address on a MS server. Here they can sign into passport (if they haven't already), then select the billing and delivery address information previously entered. This information is sent back to the merchant's website and the user re-direct back.

Kids .NET Passport Service

Supports the American COPPA (Children's Online Privacy Protection Act). Parents can set a consent level ("Deny", "Limited" or "Full") that controls a site's ability to access information about the child.

Cookies

Passport creates 3 cookies:

• Ticket
  Contains the PUID and a timestamp
   
• Profile
  Contains the user's .NET Passport profile
   
• Site
  Contains a list of sites to which the user has signed in

Misc

• Signing Out
  Signing out of passport deletes all the (passport) cookies from all the (passport implementing) sites visited during that browser session. No idea how it does it, something to do with IMG tags and redirects.
   
• Passport.com
  The site to visit to update your passport account. This site also contains a list of participating sites (probably an incomplete / cherry picked list. It doesn't say.)