Cyber Security Institute

Tuesday, February 06, 2007

OpenID Joins Microsoft’s New Security Features

Five years after helping to launch Microsoft’s Trustworthy Computing initiative, Bill Gates put some grace notes on how far and wide the extensive effort helped improve the company’s product lines.  “It was just last week that we released Vista and that’s a big milestone for us in terms of security because we had a chance to apply our development process, our secure design lifecycle process to that product,” he said during the RSA Security Conference here.

Gates, who is transitioning out of day-to-day management of the company by 2008, called security the fundamental challenge that will determine whether the industry can successfully create a new generation of connected experiences.  “The answer for the industry lies in our ability to design systems and processes that give people and organizations a high degree of confidence that the technology they use will protect their identity, their privacy and their information,” he said.

In an update that reflected a thaw in Microsoft’s approach to some open source projects, Gates said the company’s Windows CardSpace identity management metasystem will work with OpenID 2.0, an open source user-driven digital identity framework.

OpenID is a decentralized digital identity system in which any user’s online identity is given by a URI, such as a Web address, and can be verified by any server running the protocol.  Web sites that support OpenID are built so that Internet users don’t need to create and manage a new account for every site before being granted access; users need only authenticate with an identity provider that supports OpenID.

Gates and Microsoft Chief Research and Strategy Officer Craig Mundie also outlined Microsoft’s conceptual approach to supporting Trustworthy Computing.  Mundie said policy will be the key to managing computer access, rather than the gear connecting to the network.  This includes adapting to the evolution of networks, protection and identity.

Gates also said Microsoft is a strong supporter of IPsec and IPv6.  IPsec calls for Internet Protocol (IP) communications to be protected by authenticating or encrypting each IP packet in a data stream.

Microsoft announced Identity Lifecycle Manager (ILM) 2007, which adds support for managing strong credentials such as certificates and smart cards over, as the name suggests, the life cycle of a user identity. The company will rev ILM “2” in late 2008.

Microsoft also announced the public beta of the new Forefront Server Security Management Console, a Web-based management application that provides on-site or remote administration of Microsoft messaging and collaboration security software.

Finally, the company said it is supporting Extended Validation (EV) SSL Certificates in Internet Explorer 7. When a user visits a site with a valid EV Certificate, Internet Explorer 7 will alert the user to the identity information by turning the background of the address bar green and displaying identity information.

Posted on 02/06