Microsoft's 'chain of trust'
It's been a few weeks since the RSA Conference 2008 and I'm now preparing for Interop. Nevertheless, I wanted to get in my two cents' worth regarding Craig Mundie's RSA keynote address on what Microsoft is calling "End to End Trust."
End to End Trust? What about the often-discussed Trustworthy Computing initiative that Microsoft introduced in 2001? It's still around but Microsoft realized that Trustworthy Computing alone may not be enough. So what else is needed? Craig Mundie mentioned:
1. A chain of trust. As the old security saying goes, "the security chain is only as strong as its weakest link." Microsoft has done a good job making Windows more secure with each iteration but it really doesn't matter if the bad guys compromise your data by hacking in at the application layer. Microsoft is suggesting a model where the entire technology stack must adhere to a trust relationship (i.e., each piece is authenticated and validated and all changes must be approved) where every component relies on the others.
2. A new identity model. Identity is no longer about user name and password alone. In today's computing environment, you also have to consider device type (i.e., am I communicating via my PC, cell phone, or PDA?), location, and the user's work and personal profile. Yes, this complicates things but there is no getting around the fact that I use the same laptop to do my job during the day and then bid on vintage Gretsch guitars at night.
3. Industry participation. Microsoft readily admits that it can't establish end-to-end trust on its own. Of course, Microsoft won't be shy about suggesting technologies for connectivity and standardization, but it really does need help here. It's time that the security industry stop its outright mistrust of Microsoft and extend an olive branch.
In my view, Mundie's keynote was effective in that it really got the industry's attention. Many security professionals and vendors recognize the need for this End to End Trust model while organizations like the Computer Security Institute (CSI), the National Institute of Standards (NIST), and the Trusted Computing Group (TCG) are already working on similar efforts.
In past years, Microsoft keynotes were full of product demonstrations and funny video montages. Its End to End Trust discussions demonstrate a new Microsoft focus--and the remaining problems associated with information security.
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET. 
What Microsoft has in mind is a DRM system for software, where companies must pay a fee to be "authorized" (i.e., work on Windows), and free software need not apply. This is not about security, it's about vendor lock-in and the reduction of choice to one company and its faithful partners.
Before I will allow myself, my family, and those who depend upon me for computer help and advice (I'm a consultant) to take part in this Grand Scheme, Microsoft is going to have to earn back my trust. And it won't be easy, given its history. Fool me once, shame on you; fool me twice, shame on me.
"You wouldn't want to do it on Windows NT, because you know nothing about what is going on inside NT,"
http://www.news.com/2100-1001-251927.html