June 5, 2002 9:00 PM PDT
Microsoft targets Web services security
The software maker will announced plans on Thursday for technology code-named TrustBridge that will allow businesses to authenticate user identities between companies and applications using Web services standards.
With TrustBridge--which will debut next year--Microsoft is attempting to solve a common problem faced by workers in big companies: too many user identifications and passwords, said Adam Sohn, a product manager at Microsoft.
The company is also attempting to upstage rival Sun Microsystems, which backs a competing authorization system being defined by the the Liberty Alliance Project. The Alliance, launched last September, now has more than 40 members, including United Airlines, Sony, Fidelity Investments, AOL Time Warner.
While Microsoft's existing Passport single sign-on ID system is targeted at consumers, TrustBridge will let business users log onto Windows-based systems hosted locally, or remotely at partner companies, using a single ID. That ID can be created through Passport, through Active Directory, Microsoft's directory server software included with Windows, or through any other ID system on any operating system that supports Kerberos, a network security standard.
Kerberos is already supported by Microsoft in its Windows operating system. The software was developed by the Massachusetts Institute of Technology.
Microsoft has not yet decided how to package TrustBridge, Sohn said. It could become part of the Windows operating system or be sold as a separate software product.
TrustBridge will use a Web services standard called the Simple Object Access Protocol (SOAP) to pass user ID information over Hypertext Transfer Protocol (HTTP)-based networks, Sohn said. HTTP-based networks provide ordinary Web access for nearly every company.
A bridge to partners
TrustBridge would make it easier for a company to work with outside partners and suppliers. For instance, an automaker could use TrustBridge to give engineers at a parts supplier access to an internal manufacturing system. Or, a company could use the software to make it easier for employees to access benefits information managed by an outside provider.
Analysts said the TrustBridge "federated" security concept could help Microsoft sell more software to big businesses, especially those that still see Windows as not secure enough for their most important applications.
"Microsoft seems more sensitive to what companies need to secure systems," said Ted Schadler, an analyst with Forrester Research. "The road map for TrustBridge looks good. It shows (Microsoft customers) how to get there and where the company is headed."
But Microsoft still has to convince technology buyers that it understands how to build secure software, despite a long list of ills affecting Windows, Internet Explorer, Internet Information Server and other products. "Bill (Gates) has been pushing security pretty hard lately, and that's good. But to (put security) into products takes time," Schadler said.
Also, Microsoft's TrustBridge plan doesn't immediately address the Liberty Alliance, which is expected to release details of its specification this summer. Though Microsoft executives and Liberty Alliance members say the two sides have discussed a union of some sort, no agreement has been reached.
Laura Koetzle, an analyst at Forrester, said some details of the TrustBridge plan remain fuzzy, such as how some existing security technologies will fit into the scheme. "What about X.509 (a widely used standard for defining digital certificates), etc? Will others have to sort that out?"
Microsoft and Sun are also fighting a battle over Web services standards. Microsoft, along with IBM, co-founded the Web Services Interoperability Organization (WS-I), which aims to promote Web services by ensuring that software from technology makers is compatible. More than 100 companies have joined, but Sun has declined an invitation to join as a contributing member, campaigning instead for more influential "founding board member" status so it can help set the group's agenda.
During the Microsoft antitrust trail, evidence surfaced in written testimony that Chairman Bill Gates and other Microsoft executives attempted to steer the direction of the WS-I away from Sun.
"Sun has been left out of this party. They are not part of the WS-I and are not likely to be for some time," said Koetzle.
TrustBridge is based on Web services security work done by Microsoft in conjunction with IBM and VeriSign. That work focused on a specification called WS-Security that the companies announced in April.
Microsoft on Thursday will also detail a plan for revising existing products to work with TrustBridge:
Passport will be revamped next year to support Kerberos and SOAP messages over HTTP
Visual Studio.Net, Microsoft's development tool package, will be updated later this year to allow developers to add digital signature support and SOAP message encryption
Windows .Net Server, the next major release of Microsoft's operating system expected to reach customers early next year, will support Passport authentication through Active Directory and Internet Information Server.
Microsoft has not announced pricing or packaging information for TrustBroker. More information will be released later this year, Sohn said.