Microsoft 'TrustBridge' to Secure Identity Sharing
By Nate Mook | Published June 6, 2002, 10:04 PM
Redmond today unveiled the Federated Security and Identity Roadmap outlining plans for standards-based security in Microsoft products, and announced an upcoming set of technologies code-named "TrustBridge" that will enable the sharing of user identity information between applications and organizations.
TrustBridge technologies will run on Windows .NET Server and build upon Web services protocols including the WS-Security specification introduced in April.
TrustBridge integrates with Active Directory and .NET Passport, allowing businesses to authenticate and share user identities directly with other organizations. As more applications implement support for WS-Security and Kerberos, TrustBridge will allow for a federated security model without the need for complex custom architectures.
Key features outlined by Microsoft in the announcement include support for browser-based single sign-on, trust management and auditing tools, as well as full integration with existing Windows Server tools.
"Early on, Microsoft recognized that the key to taking the success of XML Web services to the next level hinged on the industry's ability to 'federate' or establish cross-company trust," said Sanjay Parthasarathy, Microsoft's corporate vice president of the Platform Strategy Group. "Microsoft is filling a critical need for our customers and the industry by supporting the industry standard protocols for federating XML Web services across the Microsoft product family."
While pricing and deployment plans have yet to be announced, Microsoft expects to ship TrustBridge technologies in 2003. Windows .NET Server is currently slated for release early next year, after a slew of delays set back development. A pre-release candidate of the server operating system, build 3628, was made available to testers last week.
Microsoft will also upgrade .NET Passport in 2003 to embrace full support for WS-Security, and pitch the authentication service as the standard for businesses and consumers alike.
How many people are still gullible enough to trust MS when security is concerned? I mean come on, face it MS you have a decent OS, but you couldn't figure out how to lock your back door if it came with "coke can" instructions.
Score: 0
|Fewt, you *still* wanting your old job back at MS? LOL!!!
Just "wait and see"; they may do a better job at programming in security than you did ;)
James Wheat
http://belprecomputerwizard.com
Score: 0
|LOL, I check my buffers.
Score: 0
|Who else are you going to trust? The CIA or FBI who want to spy on you? Oracle? AOL?? At least Microsoft has no incentive to screw you, as they need you to keep buying their products. Can't say that about many other people these days. Or I guess we could keep relying on weak security implemented by individual companies who don't have a real understanding of what security is. Most of the retailers you buy from online right now probably don't even encrypt your credit card data in their database.
Sorry fewt, but your post seems pretty much just flamebait to me. WS-Security was developed by IBM and Microsoft and is backed by Verisign and numerous other industry leaders. Not only that, but it's an open standard, which means if the Linux kiddies don't want to get involved that is their own choice.
If you have some other suggestions, please do speak up. But Microsoft is not going to halt work on any progress with security simply because they don't have a perfect track record.
Your employer obviously trusts Microsoft (http://verizon.net/policies/privacy.asp) :)
Score: 0
|Sure, it sounds like flamebait, but really look at their track record. I'd put my money here: http://www.projectliberty.org/. btw, I don't work for that department. :-P haha
Score: 0
|I have to agree, your post does seem very unlike you. I know you are not a huge Microsoft fan but they have been doing an excellent job in the past few months at stepping up security in all their software. I agree they should have done this from day one but Nate is right: just because they have a bad past doesn't mean that they can't make secure software. You have to admit Microsoft have some of the greatest programmers in the world (look at the MS Research "Task Gallery"; that is proof of some amazing coding). I have faith in MS and I can't wait to see what they have to offer when TrustBridge is released.
Score: 0
|I have yet to see anything real out of their security initiative. I will gladly change my tune when I see real hard results, but not until then. ;-)
Score: 0
|Project Liberty does look like a great initiative as well. And the great thing about what Microsoft is doing is that everything will be federated, meaning Project Liberty can interoperate with Passport and vice versa. That is the genius of WS-Security and what TrustBridge will allow. Everything here is being built on open standards developed by numerous companies. Project Liberty is also utilizing these new XML standards (WS-Security, WS-Authentication, etc.) - it's the only way everyone will be able to easily work together.
But the simple fact right now is that Microsoft is the only company really putting their money where their mouth is. Right now Microsoft is the key proponent of *open* security standards that interoperate. Sure, in the process they will also be able to make Passport a global standard, but you can't blame them for also having some business sense.
I'm not a big fan of everything that comes out of Redmond either, but they really do deserve to be commended for the work being done on Web services and even .NET. Microsoft simply wants to facilitate the technology in order to promote their servers, without sacrificing the open standards and outside partnerships that will make these technologies actually usable. That's more than I can say about Sun and Java.
Score: 0
|How have you not seen anything?! What about the Microsoft Baseline Security Analyzer and all the delays in .NET Server for a total security overhaul?
Score: 0
|It's crap, it doesn't work. No matter what you do it still tells you your system isn't patched. That's just one small example of an initiative that should have happened before November 1995.
Score: 0
|I'll gladly support it as soon as it's proven secure, and not just another of their "own the market NOW" initiatives.
Score: 0
|Let me add,
- ----------------------------------------------------------------------
Title: Unchecked Buffer in Gopher Protocol Handler Can Run Code
of Attacker's Choice (Q323889)
Date: 11 June 2002
Software: Internet Explorer, Proxy Server, Internet Security and
Acceleration Server
Impact: Run Code of Attacker's Choice
Max Risk: Critical
Bulletin: MS02-027
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com...y/bulletin/MS02-027.asp.
- ----------------------------------------------------------------------
- ----------------------------------------------------------------------
Title: Unchecked Buffer in MSN Chat Control Can Lead to Code
Execution (Q321661)
Released: 08 May 2002
Revised: 11 June 2002 (version 2.0)
Software: MSN Chat, MSN Messenger, Exchange Instant Messenger
Impact: Run Code of Attacker's Choice
Max Risk: Critical
Bulletin: MS02-022
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com...y/bulletin/MS02-022.asp.
- ----------------------------------------------------------------------
- ----------------------------------------------------------------------
Title: Heap Overrun in HTR Chunked Encoding Could Enable Web
Server Compromise (Q321599)
Date: 12 June 2002
Software: Internet Information Server
Impact: Run Code of Attacker's Choice
Max Risk: Moderate
Bulletin: MS02-028
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com...y/bulletin/MS02-028.asp.
- ----------------------------------------------------------------------
- ----------------------------------------------------------------------
Title: Unchecked Buffer in Remote Access Service Phonebook Could
Lead to Code Execution (Q318138)
Date: 12 June 2002
Software: Windows NT 4.0, NT 4.0 Terminal Server Edition, 2000, XP,
Routing and Remote Access Server (RRAS)
Impact: Local Privilege Escalation
Max Risk: Critical
Bulletin: MS02-029
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com...y/bulletin/MS02-029.asp.
- ----------------------------------------------------------------------
- ----------------------------------------------------------------------
Title: Unchecked Buffer in SQLXML Could Lead to Code Execution
(Q321911)
Date: 12 June 2002
Software: Microsoft SQLXML
Impact: Two vulnerabilities, the most serious of which could run
code of attacker's choice.
Max Risk: Moderate
Bulletin: MS02-030
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com...y/bulletin/MS02-030.asp.
- ----------------------------------------------------------------------
Who's dumb enough to trust security like this? They have had knowledge of these for how long now? Where are the patches? 'TrustBridge' IMHO is just another product that will allow me to share my personal information with anyone that knows how to overfill a buffer. No thx.
Score: 0
|Are you saying Microsoft doesn't spy on people? What do you call its new Windows XP copy protection? That's to name one of their horrendous invasions of privacy.
Score: 0
|Typical sour grape BS from someone who's pissed off at Microsoft because now it's more difficult for him to steal their products.
But let's address your ridiculous drivel anyhow:
You claim that Windows Product Activation "spies on people" and is a "horrendous invasion of privacy".
Can you give one concrete example of a single bit of personal information sent to Microsoft by the Windows Product Activation feature?
Or are you willing to admit that what you are talking about (with translations) is:
Microsoft (copyright holder and intellectual property owner) invading (trying to prevent) your privacy (your desire to steal their product)
Score: 0
|Sorry but I have to disagree. I do not believe that fewt is posting about WPA (Windows Product Activation) because "it's more difficult for him to steal their products". I highly doubt fewt "steals" copies of Windows XP, mainly because he is intelligent enough to understand the dangers of running illegal software, both at home and at work, and because it is obvious (just read his old posts) that he favours *NIX (UNIX and Linux) over Windows OS.
WPA might not be a huge invasion of privacy but it DOES send personal data to Microsoft. It sends hardware configuration details to Microsoft in an irreversible hash (according to Microsoft, that is). I don't know about you but myself and a lot of people I know regard MY computer's hardware configuration as "personal" information; after all, it is MY system. I do not have a huge problem with sending my hardware configuration to a company (any company) and I sometimes choose to in certain product registration (such as my Sound Card registration), however I do like to have the option to send it or not send it.
Score: 0
|I think you work for Micro$haft....
Score: 0
|The only tune you'll change is to learn LINUX like many others who will be unwilling to pay a monthly fee to use Micro$haft WinBlows....
Don't be dumb, people, that's where they're headed!
Score: 0
|I'd put $1.00 on my knowing as much as, or more about Linux than almost any other person reading this website. :-P
Score: 0