Microsoft launches 'End to End Trust' call to action, observers skeptical

SAN FRANCISCO -- In his keynote address at the RSA Conference here, Microsoft's chief research and strategy officer Craig Mundie sought to rally the high-tech industry and its customers to an idea Microsoft is calling "End to End Trust," a system for the Internet where identity claims can be validated according to sound security principles.

“We believe that End to End Trust will transform how the industry thinks about and approaches online trust and security,” Mundie said. Microsoft wants broad feedback not just from high-tech, but from government, businesses and people everywhere to make its vision a reality. As to what the End to End Trust vision might entail, Microsoft published a 20-page white paper to explain it, stating that “the path forward” includes a “trusted stack” comprising trusted devices, a trusted operating system, trusted applications, trusted people and trusted data, plus an audit trail.

“We want to formalize a dialog with a lot more people,” Mundie said. “We need a collaboration with a lot of people making products in this area.”

Microsoft says challenges to achieving this End to End Trust goal will be political, legal and social, not just technical, since online identity touches on notions about privacy and business activity.

One of the few concrete examples Mundie provided was the idea of a digital certificate proving that someone was at least 18 years old.

Where exactly Microsoft will go with End to End Trust and the Trusted Stack isn’t readily apparent. Doug Leland, general manager of the identity and access division at Microsoft, said Mundie “laid out a vision for how we’re taking the Trustworthy Computing Initiative,” begun half a dozen years ago. In those years, Microsoft re-tooled its products as it sought better security. Microsoft sees End to End Trust as the next step toward an identity system for the Web. Leland did say the future ideal of the “trusted stack” would include Windows Server 2008.

However, many seem skeptical about Microsoft’s vision.

“Microsoft will conquer End to End Trust after they’ve conquered the online computing games,” scoffed independent security analyst and Network World blogger Richard Stiennon, attending the RSA Conference here.

The Liberty Alliance is the organization dedicated to building federated identity across government and private enterprises based on de facto standards such as the Security Assertion Markup Language (SAML), digital certificates, and agreed-upon business guidelines. After a presentation at the RSA Conference about the group’s most recent activities, some panelists expressed views about Mundie's keynote.

“It sounds somewhat like what we’re doing,” said Soren Peter Nielsen, information architect for the Danish National IT and Telecom Agency, which has created a Web portal in Denmark for online services that it hopes to see become part of a broader European Union federated-identity portal. Nielsen said it was “good Microsoft was opening up more,” but he added that Microsoft should get involved in the Liberty Alliance.

Another Liberty Alliance member, Alex Popowycz, vice president of information security at Fidelity Investments, commented: “I understand the Craig Mundie speech as the concept to establish a more ubiquitous framework,” saying he had yet to read the white paper.

He noted Microsoft isn’t part of the Liberty Alliance today, but he hoped Microsoft would consider the group’s technical and business documents as input for the End to End Trust initiative.

Fidelity Investments now uses Liberty protocols and SAML technologies to allow authorized users logging into the Fidelity Investments portal to gain access to the federal government’s Social Security Administration Web site for the purpose of transactions with the government.

Another Liberty member, Jane Hennessy, senior vice president at Wells Fargo Bank, demoed at RSA how it’s possible to log onto the WellsSecure Trusted Identity Service with a digital certificate and have direct access to a U.S. General Services Administration site for selling services. The Liberty Alliance protocols allow Wells Fargo Bank to avoid “proprietary lock-in but also scale to the Web,” Hennessy pointed out.

These milestones in federated identity mark the start of so-called “Credential Service Providers” (CSPs) authorized to issue certificate credentials according to the Liberty Alliance’s four accepted low-to-high “assurance levels” under an accord with a “Federation Operator” -- in this case the U.S. government.
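A relying party in such a federation (the Social Security Administration site reached from the Fidelity portal, or the GSA site reached from WellsSecure) has to decide, per SAML assertion, whether the credential it received came from an authorized CSP and meets the assurance level the transaction needs. The Python below is an added example, not code from Microsoft, the Liberty Alliance, GSA or any organization quoted in this article. The assertion, the issuer and audience entity IDs, and the mapping from SAML 2.0 authentication-context classes to the four low-to-high assurance levels are constructed assumptions for illustration; XML-signature verification is assumed to have been done by the SAML library before this check runs.

```python
"""Relying-party check of a SAML 2.0 assertion against a minimum assurance level.

Added example; none of this is the article's or any vendor's code. The
assertion text, entity IDs and class-to-level table are constructed.
"""
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed policy table (assumption): which standard SAML 2.0 authentication-
# context classes this relying party accepts for assurance levels 1 (low) to
# 4 (high). A real federation publishes its own mapping.
LEVEL_OF_CLASS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
}

TRUSTED_ISSUERS = {"https://idp.example-csp.test"}  # constructed CSP entity ID
OUR_AUDIENCE = "https://sp.example-agency.test"     # constructed relying party


def parse_saml_time(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in NotBefore/NotOnOrAfter."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _reject(reason):
    return {"ok": False, "reason": reason, "level": None, "subject": None}


def evaluate_assertion(xml_text, required_level, now, trusted_issuers, audience):
    """Return {'ok', 'reason', 'level', 'subject'} for one assertion.

    Issuer, validity window and audience are checked before the assurance
    level, so an assertion minted by an unknown CSP or for another site never
    reaches the level comparison.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return _reject("not a SAML 2.0 Assertion")

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        return _reject("untrusted issuer")

    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return _reject("missing validity window")
    # NotOnOrAfter is exclusive: an assertion is invalid at that exact instant.
    if not (parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter"))):
        return _reject("outside validity window")

    audiences = {a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if audience not in audiences:
        return _reject("audience mismatch")

    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    class_ref = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        default="", namespaces=NS).strip()
    level = LEVEL_OF_CLASS.get(class_ref)
    if level is None:
        return _reject("unrecognised authentication context")  # fail closed
    if level < required_level:
        return _reject(f"assurance level {level} below required {required_level}")
    return {"ok": True, "reason": "accepted", "level": level, "subject": subject}


# Constructed sample assertion (hand-written, unsigned; values are illustrative).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed-1" Version="2.0"
    IssueInstant="2008-04-08T10:00:00Z">
  <saml:Issuer>https://idp.example-csp.test</saml:Issuer>
  <saml:Subject><saml:NameID>employee-1234</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2008-04-08T10:00:00Z" NotOnOrAfter="2008-04-08T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example-agency.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2008-04-08T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

CHECK_TIME = parse_saml_time("2008-04-08T10:02:00Z")  # inside the window above

if __name__ == "__main__":
    for required in (3, 4):
        result = evaluate_assertion(SAMPLE_ASSERTION, required, CHECK_TIME,
                                    TRUSTED_ISSUERS, OUR_AUDIENCE)
        print(f"required level {required}: {result}")
```

The certificate-based login in the Wells Fargo demo maps to the X509 class here, which this constructed policy places at level 3: a transaction that demands level 4 is refused even though the assertion is otherwise valid, and an assertion carrying an authentication context the relying party has not classified is refused rather than guessed at.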

The U.S. General Services Administration “is the federal operator for the government,” said Ayisha Frazier-McElveen, program executive for the government’s eAuthentication program at GSA, which now requires the “Liberty Interoperable testing” under the identity-governance framework.

“In the U.S. government, we need to identify employees, contractors, and citizens before they log in for e-authentication federation,” she said in her presentation.

As a next step, Liberty Alliance is working on an accreditation program for assessors to be approved to evaluate and approve candidate CSPs, said Roger Sullivan, president of the Liberty Alliance and vice president of identity management at Oracle. It’s expected to be announced later this year.


Copyright © 2008 IDG Communications, Inc.