Being the ever-skeptical security guys is getting to be a tough racket. And our job is going to get even harder with the soon-to-be-fought war between giants Microsoft and Novell over who will provide online information management services for the hordes of users looking for an easier online experience.
We refer, of course, to Microsoft's new Passport and Novell's recently announced digitalme services (http://www.passport.com and http://www.digitalme.com, respectively). Touted as "identity and relationship management" (digitalme) and "single-sign-on/wallet" services (Passport), and designed to help electronic business grow, they have the potential to revolutionize the Internet.
The primary notion behind digitalme and Passport is user-centric control over transactional-information exchange. A new class of entities called "infomediaries" will spring up to manage user information, and use it as a bargaining chip in the negotiation between buyer and seller. Microsoft and Novell are placing themselves squarely into what appears to be the role of infomediaries.
This is nothing new for Microsoft, which has long strived to be at the center of everything. It is a new role, however, for Novell, which is moving from that of strictly product-based organization to that of service provider.
The trick that digitalme and Passport will have to pull off is user-controlled, end-to-end protection of data -- with no excuses. That means Secure Sockets Layer (SSL) from browser to service and from browser to merchant, and encryption of data while it sits on disk in the digitalme and/or Passport server rooms. Encryption at rest is only as good as the separation between the keys and the people who run the machines, so Microsoft and Novell will have to offer additional protections to ensure that the personnel who administer the services cannot get at user data they have no business seeing. Descriptions of the respective architectures on the vendors' main Web sites are vague but, with a little digging, you can learn more about just how secure your information will be when it resides with digitalme or Passport.
In the case of Passport, Microsoft pointed us to www.passport.com/business/sdk.asp. Microsoft provides a laudable amount of information. Here are the essentials: A user visits a merchant site and clicks on a cobranded Passport button; the user then authenticates to Microsoft-hosted servers, which set time-sensitive, 3DES-encrypted cookies on the user's system. Each cookie can be decrypted only by the specific merchant site it was issued for, using a key shared between Microsoft and that merchant. If a timeout occurs or the user signs out, the cookies are deleted. Two things follow from any design of this shape: whoever holds a merchant's shared key can mint tickets for that merchant, so Microsoft's key store becomes the prize, and a sign-out only deletes the cookie on the user's machine, so the expiry time is the only control a merchant can actually enforce. The Wallet service is similar, but it uses a simple HTTP POST, not cookies, over an SSL connection to fill in credit card data from the Microsoft-hosted servers. The result: Merchants have outsourced their authentication to Microsoft.
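To make the cookie mechanics concrete, here is an added example (our own sketch, not Microsoft's SDK code) of a Passport-style ticket: the sign-on service binds a user, a merchant and an expiry into a 3DES-CBC-encrypted value under a key shared with that merchant, and the merchant decrypts and checks it. The ticket format, the field names, the `merchantSecret` value and the HMAC tag are all our assumptions; the tag is there because a ciphertext-only cookie is malleable, which is the kind of detail the SDK page does not spell out and a practitioner should insist on.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed for this example: the secret a merchant would share with the
// sign-on service out of band. A real deployment provisions one per merchant.
var merchantSecret = []byte("example-shared-secret-for-books.example")

// deriveKeys splits one shared secret into a 24-byte 3DES key and a separate
// MAC key so that encryption and integrity never reuse the same key bytes.
func deriveKeys(secret []byte) (encKey, macKey []byte) {
	e := sha256.Sum256(append([]byte("enc:"), secret...))
	m := sha256.Sum256(append([]byte("mac:"), secret...))
	return e[:24], m[:]
}

func pkcs7Pad(b []byte, n int) []byte {
	p := n - len(b)%n
	return append(b, bytes.Repeat([]byte{byte(p)}, p)...)
}

func pkcs7Unpad(b []byte, n int) ([]byte, error) {
	if len(b) == 0 || len(b)%n != 0 {
		return nil, errors.New("bad length")
	}
	p := int(b[len(b)-1])
	if p == 0 || p > n || !bytes.Equal(b[len(b)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-p], nil
}

// IssueTicket is the sign-on service's side: after the user authenticates it
// mints cookie = base64(iv || 3DES-CBC(uid;site;exp) || HMAC-SHA256(iv||ct)).
// Field values are assumed not to contain ';' or '='; a real format would escape them.
func IssueTicket(secret []byte, userID, merchant string, now time.Time, ttl time.Duration) (string, error) {
	encKey, macKey := deriveKeys(secret)
	block, err := des.NewTripleDESCipher(encKey)
	if err != nil {
		return "", err
	}
	plain := fmt.Sprintf("uid=%s;site=%s;exp=%d", userID, merchant, now.Add(ttl).Unix())
	padded := pkcs7Pad([]byte(plain), block.BlockSize())
	iv := make([]byte, block.BlockSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(append(body, mac.Sum(nil)...)), nil
}

// VerifyTicket is the merchant's side: check the tag before touching the
// ciphertext, decrypt, then confirm the ticket is for this site and unexpired.
func VerifyTicket(secret []byte, cookie, merchant string, now time.Time) (string, error) {
	encKey, macKey := deriveKeys(secret)
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil {
		return "", err
	}
	if len(raw) < 8+8+sha256.Size { // iv + one block + tag
		return "", errors.New("ticket too short")
	}
	body, tag := raw[:len(raw)-sha256.Size], raw[len(raw)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return "", errors.New("ticket integrity check failed")
	}
	block, err := des.NewTripleDESCipher(encKey)
	if err != nil {
		return "", err
	}
	iv, ct := body[:block.BlockSize()], body[block.BlockSize():]
	if len(ct)%block.BlockSize() != 0 {
		return "", errors.New("ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	plain, err := pkcs7Unpad(pt, block.BlockSize())
	if err != nil {
		return "", err
	}
	fields := map[string]string{}
	for _, kv := range strings.Split(string(plain), ";") {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			fields[p[0]] = p[1]
		}
	}
	if fields["site"] != merchant {
		return "", errors.New("ticket issued for a different merchant")
	}
	exp, err := strconv.ParseInt(fields["exp"], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("ticket expired")
	}
	return fields["uid"], nil
}

func main() {
	now := time.Now()
	c, _ := IssueTicket(merchantSecret, "alice", "books.example", now, 10*time.Minute)
	fmt.Println(VerifyTicket(merchantSecret, c, "books.example", now.Add(time.Minute)))
	fmt.Println(VerifyTicket(merchantSecret, c, "books.example", now.Add(11*time.Minute)))
}
```

Note what the merchant can and cannot enforce here: a wrong key, a wrong site or a flipped byte are all caught, and so is expiry, but nothing in the merchant's check can tell a cookie presented by the user from one copied off the user's machine before sign-out. That is why the timeout has to be short and why the key each merchant holds must be guarded as carefully as a password database.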
Novell's site was much less forthcoming, and we were unable to talk directly with the company by press time. However, by piecing together information on the Web site, we surmised that Novell intends to offer similar functionality. Where Novell diverges is on the back end; Novell Directory Services (NDS) forms digitalme's security underpinnings. This allows digitalme to provide services beyond single sign-on and filling in forms; these could include a personal directory service where access to data elements can be tailored to suit individual needs. Checking out http://www.novell.com/products/sso/index.html gave us a glimpse of the power of NDS-based access control using Novell's Single Sign-on technology.
A lot of questions remain unanswered, and even if the technology can be made to appear bulletproof on paper, a great deal of trust will have to be granted to Microsoft and Novell. In the long run, it appears that improved ease of use will probably overwhelm us old security curmudgeons anyway, so we're optimistic. How about you? Send comments to email@example.com.
Stuart McClure is an independent consultant with Rampart Security Group. Joel Scambray is a consultant with Ernst & Young. They have encountered numerous technologies during their 10 years in information security. They recently wrote the security book Hacking Exposed (Osborne/McGraw-Hill).