[DotGNU]Microsoft Unveils Web Services Security

[Seth Johnson]

(Forwarded from Digital Bearer Settlement List,
address@hidden)

-------- Original Message --------
Date: Thu, 6 Jun 2002 16:08:41 -0400
From: "R. A. Hettinga" <address@hidden>


http://news.com.com/2102-1001-933297.html

Microsoft unveils Web services security


By Mike Ricciuti
Staff Writer, CNET News.com
June 6, 2002, 8:00 AM PT

http://news.com.com/2100-1001-933297.html


Microsoft is developing new security software it hopes will
make Web services and its entire product lineup more
appealing to big companies.

The software maker as expected announced plans on Thursday
for technology code-named TrustBridge that will allow
businesses to authenticate user identities between companies
and applications using Web services standards.

With TrustBridge--which will debut next year--Microsoft is
attempting to solve a common problem faced by workers in big
companies: too many user identifications and passwords, said
Adam Sohn, a product manager at Microsoft.

The company is also attempting to upstage rival Sun
Microsystems, which backs a competing authorization system
being defined by the the Liberty Alliance Project. The
Alliance, launched last September, now has more than 40
members, including United Airlines, Sony, Fidelity
Investments and AOL Time Warner.

While Microsoft's existing Passport single sign-on ID system
is targeted at consumers, TrustBridge will let business
users log onto Windows-based systems hosted locally, or
remotely at partner companies, using a single ID. That ID
can be created through Passport, through Active Directory,
Microsoft's directory server software included with Windows,
or through any other ID system on any operating system that
supports Kerberos, a network security standard.

Kerberos is already supported by Microsoft in its Windows
operating system. The software was developed by the
Massachusetts Institute of Technology.  Microsoft has not
yet decided how to package TrustBridge, Sohn said. It could
become part of the Windows operating system or be sold as a
separate software product.

TrustBridge will use a Web services standard called the
Simple Object Access Protocol (SOAP) to pass user ID
information over Hypertext Transfer Protocol (HTTP)-based
networks, Sohn said. HTTP-based networks provide ordinary
Web access for nearly every company.

A bridge to partners

TrustBridge would make it easier for a company to work with
outside partners and suppliers. For instance, an automaker
could use TrustBridge to give engineers at a parts supplier
access to an internal manufacturing system. Or a company
could use the software to make it easier for employees to
access benefits information managed by an outside provider.

Analysts said the TrustBridge "federated" security concept
could help Microsoft sell more software to big businesses,
especially those that still see Windows as not secure enough
for their most important applications.

"Microsoft seems more sensitive to what companies need to
secure systems," said Ted Schadler, an analyst with
Forrester Research. "The road map for TrustBridge looks
good. It shows (Microsoft customers) how to get there and
where the company is headed."

But Microsoft still has to convince technology buyers that
it understands how to build secure software, despite a long
list of ills affecting Windows, Internet Explorer, Internet
Information Server and other products. "Bill (Gates) has
been pushing security pretty hard lately, and that's good.
But to (put security) into products takes time," Schadler
said.

Also, Microsoft's TrustBridge plan doesn't immediately
address the Liberty Alliance, which is expected to release
details of its specification this summer. Though Microsoft
executives and Liberty Alliance members say the two sides
have discussed a union of some sort, no agreement has been
reached.

Laura Koetzle, an analyst at Forrester, said some details of
the TrustBridge plan remain fuzzy, such as how some existing
security technologies will fit into the scheme. "What about
X.509 (a widely used standard for defining digital
certificates), etc? Will others have to sort that out?"

Microsoft and Sun are also fighting a battle over Web
services standards. Microsoft, along with IBM, co-founded
the Web Services Interoperability Organization (WS-I), which
aims to promote Web services by ensuring that software from
technology makers is compatible. More than 100 companies
have joined, but Sun has declined an invitation to join as a
contributing member, campaigning instead for more
influential "founding board member" status so it can help
set the group's agenda.

During the Microsoft antitrust trail, evidence surfaced in
written testimony that Chairman Bill Gates and other
Microsoft executives attempted to steer the direction of the
WS-I away from Sun.

"Sun has been left out of this party. They are not part of
the WS-I and are not likely to be for some time," said
Koetzle.

TrustBridge is based on Web services security work done by
Microsoft in conjunction with IBM and VeriSign. That work
focused on a specification called WS-Security that the
companies announced in April.

Microsoft on Thursday will also detail a plan for revising
existing products to work with TrustBridge:

*  Passport will be revamped next year to support Kerberos
and SOAP messages over HTTP

* Visual Studio.Net, Microsoft's development tool package,
will be updated later this year to allow developers to add
digital signature support and SOAP message encryption

*  Windows .Net Server, the next major release of
Microsoft's operating system expected to reach customers
early next year, will support Passport authentication
through Active Directory and Internet Information Server.

Microsoft has not announced pricing or packaging information
for TrustBroker. More information will be released later
this year, Sohn said.

-----------------
R. A. Hettinga <mailto: address@hidden>
The Internet Bearer Underwriting Corporation
<http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and
antiquity, [predicting the end of the world] has not been
found agreeable to experience." -- Edward Gibbon, 'Decline
and Fall of the Roman Empire'