Ephraim Schwartz wonders if Microsoft's Wireless Provisioning Services (WPS) is a way under the tent flap for proprietary configuration: Microsoft's WPS is apparently an automatic configuration tool that will allow users with Windows XP and hotspots running Windows Server 2003 somewhere in the authentication chain to have a handshake that doesn't require a user to manually configure settings.
Schwartz wonders if this is a way for Microsoft, outside of a standards process, to lock in hotspots to using something that doesn't necessarily interoperate with many other platforms and even other Windows versions.
It's clear that Microsoft's focus on improving link-level security in Windows XP is strategic: they don't want to devote lots of resources to re-engineering old versions of their system, and they want enterprises to abandon NT and 2000 in favor of XP, which the company will now be selling in the same architectural form until 2006, Longhorn's new shipping...uh, year.
But if you examine the flip side of the equation, as Nancy Gohring did yesterday, T-Mobile has said that they'll support WPS, but that they'll also work with any 802.1X client. 802.1X, just to remind everyone, is sung by three parts: a client, a port-restricted access point or switch, and an authentication server. The client can talk only to the AP or switch, which passes authentication messages (using EAPOL or EAPOW) to a server.
Because 802.1X allows continuous messaging, not only does each user in such a system receive a unique WEP or WPA key, but those keys can be rotated at whatever frequency a network administrator decides with zero involvement by the user.
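
The three-party exchange described above, as an added example that is not part of the original post: a Python sketch of the authenticator's role, parsing EAPOL frames from the client, relaying the inner EAP packet, and opening the port only on EAP-Success. The class and function names and the sample identity are assumptions made for illustration, and the RADIUS leg between the AP and the server is left out.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eap(pkt):
    """EAP header: code, identifier, 2-byte length covering the whole packet."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field does not fit the packet")
    return {"code": EAP_CODES.get(code, "unknown"), "id": ident, "data": pkt[4:length]}

def parse_eapol(frame):
    """EAPOL header (after EtherType 0x888E): version, type, 2-byte body length."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, blen = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + blen]
    if len(body) != blen:
        raise ValueError("EAPOL body shorter than declared length")
    return {"version": version, "type": EAPOL_TYPES.get(ptype, "unknown"), "body": body}

def wrap_eapol(eap_pkt, version=1):
    return struct.pack("!BBH", version, 0, len(eap_pkt)) + eap_pkt

class Authenticator:
    """The AP or switch: relays EAP and keeps the port closed until EAP-Success."""
    def __init__(self):
        self.port_open = False
    def from_client(self, frame):
        msg = parse_eapol(frame)
        if msg["type"] in ("EAPOL-Start", "EAPOL-Logoff"):
            self.port_open = False           # a new or ended session closes the port
        if msg["type"] != "EAP-Packet":
            return None                      # nothing to relay to the server
        parse_eap(msg["body"])               # reject malformed EAP before relaying
        return msg["body"]                   # in practice carried to the server in RADIUS
    def from_server(self, eap_pkt):
        code = parse_eap(eap_pkt)["code"]
        if code in ("Success", "Failure"):   # only the server's verdict moves the port
            self.port_open = code == "Success"
        return wrap_eapol(eap_pkt)           # frame handed back to the client

# Constructed sample frames (the identity "alice" is made up).
START = bytes([1, 1, 0, 0])
IDENTITY_RESPONSE = wrap_eapol(struct.pack("!BBHB", 2, 1, 10, 1) + b"alice")
SUCCESS = struct.pack("!BBH", 3, 1, 4)
```

The client never addresses the server directly: every frame it sends passes through `from_client`, and data traffic would be gated on `port_open`.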
The advantages of 802.1X in the hotspot world are enormous, and WISPs should consider subsidizing distribution of 802.1X clients to their customers on all platforms. If you review the client compatibility lists at Meetinghouse and Funk, you can see that an enormous range of platforms is supported: all Windows flavors (98 and later), Mac OS X 10.2, Linux (kernel 2.4), and Solaris. On the backside, most hotspots are using some kind of RADIUS or AAA solution already.
In the open-source world, 802.1X has lagged severely due to lack of non-enterprise interest in the spec. WISPs should just build 802.1X into their clients (as T-Mobile and ostensibly Boingo are doing) or give away third-party clients. (The latest version of Open 1x appears to be moving along, however.)
Users, of course, are responsible for their own security in the hotspot world, and hotspots have gone out of their way to highlight this. The 802.1X-in-the-hotspot solution makes it possible for casual users to have a relatively high degree of data encryption without the overhead.
I'm hoping that the WPS system developed by Microsoft doesn't overshadow the general benefits of 802.1X in the hotspot. In fact, if Microsoft's new way of doing things extends here, the company will release the specification, allowing others to consider adopting it or extending it.
(Note that the brief entry pointed to says WPA several times when WPS is intended. I sent them a note.)