Microsoft .NET Passport Service Changes

Date: May 1st, 2002
ActiveWin.Com

Dear .NET Passport Participant,

This notice is to inform you of the immediate phase-out of the inline sign-in feature of the Microsoft® .NET Passport service.

You are receiving this message because you currently have an application in Preproduction (DEV/TEST) for which the inline sign-in feature has been provisioned by means of the .NET My Services Manager system. As of Monday, May 13th, 2002, we will permanently disable the feature and will not be allowing any applications that use it to roll into Production.

Inline sign-in was introduced in .NET Passport version 2.0 (August, 2001) as an optional alternative to the standard single sign-in (SSI) mechanism. It allowed participating sites to embed the sign-in dialog box directly in a page on their site, instead of redirecting users to a .NET Passport-hosted sign-in page. However, in a recent security evaluation of the .NET Passport service, inline sign-in was identified as representing an unacceptable security risk to the service. Therefore, effective immediately, this functionality is being phased out.

The rest of this notice is in question-and-answer form, to help explain the reasons for and effects of this change.

Q: What does "phased out" mean?

A: The process of removal of functionality from the .NET Passport service consists of two stages: phase-out and removal. In the phase-out stage, the following changes occur:

Descriptions of the functionality are removed from the software development kit (SDK) documentation and marketing materials.

The option to enable the functionality is removed from the provisioning process for any new participating sites.

Any sites whose implementations of .NET Passport SSI have not yet been rolled into Production are not allowed to do so using the phased-out functionality. These sites must modify their implementations to remove their use of the functionality before they can be rolled into Production.

Any partners already in Production with the phased-out functionality are contacted directly by Microsoft to help them plan their migration from the functionality.

The removal stage occurs only after all participating sites in Production have migrated from the phased-out functionality. At that point, the functionality will be completely removed from the .NET Passport service. At least 12 months will be allowed between phase-out and removal, to give all participating sites in Production sufficient time to migrate away from the functionality.

Q: Why is inline sign-in being phased out?

A: During a recent security evaluation of the .NET Passport service, inline sign-in was identified as representing an unacceptable security risk to the service. The details of this issue were investigated, and it was determined that the inline sign-in feature could not be supported on a long-term basis. It is important to note that we know of no security compromises resulting from the use of this feature. We are phasing it out simply as a precaution.

Q: If I'm using inline sign-in, are my customers at risk?

A: The use of inline sign-in at an individual site does not increase the security risks to users at that site in any way. However, the availability of inline sign-in within the .NET Passport service represents an increased risk to the service as a whole.

Q: What is the alternative to inline sign-in?

A: Use of the standard .NET Passport SSI behavior with flexible-layout cobranding is the recommended alternative to inline sign-in. (For more information, see the "Cobranding" section of the current .NET Passport SDK documentation.)

Q: Inline sign-in includes useful functions that allow my site to determine the sign-in state of a user before that user is authenticated. Will this functionality be provided in some way after inline sign-in is removed?

A: These functions are being evaluated, and techniques for providing similar functionality in a future release are being considered. However, there are currently no firm plans regarding this issue.

Thank you,

Microsoft .NET Services
