Win 2000 at Center of Security Storm

FRAMINGHAM (05/05/2000) - A consortium developing biometrics interfaces and a standards group overseeing Kerberos are both fuming about what they see as Microsoft Corp.'s duplicitous development of security features in Windows 2000.

In the shadow of government recommendations to break up Microsoft, the two groups last week separately charged the software giant with again extending established standards and ignoring proposed standards in favor of technology that locks users into Windows.

Microsoft insists it is adhering to those standards for interoperability while racing to develop technologies that customers are demanding.

Last week the Kerberos development community blasted Microsoft about restrictions on proprietary data formats in the Win 2000 implementation of Kerberos Version 5. Also, the BioAPI Consortium, a 49-member group of biometrics vendors and customers, says Microsoft is trying to squash standards work and seize control in that industry. Biometrics use physical characteristics such as fingerprints, retinal patterns or voice for authentication.

The latest salvo over Kerberos, an Internet Engineering Task Force (IETF) standard for authentication, concerns Microsoft's recent publication for review only of its proprietary Privilege Attribute Certificate (PAC) in Win 2000 Kerberos. The PAC is authorization data that Microsoft's Kerberos server places inside the ticket, carrying the Windows group membership that Win 2000 servers use for access control; a Kerberos server that cannot produce it can still authenticate a user to Windows but cannot supply that authorization data. As part of the review process, reviewers must agree to something similar to a nondisclosure agreement license and cannot commercially implement the specification. The IETF says restrictions on implementation do nothing to help interoperability with Unix-based Kerberos servers.

"Microsoft is being complete and total slime," says Jeff Schiller, IETF's security area director and network manager at the Massachusetts Institute of Technology. MIT developed Kerberos and has a freely available Kerberos server.

"Microsoft is trying to get an open review, which is one of the tenets of good security, but they are not contributing anything," he says.

Schiller says he refuses to even read the PAC specification, which he contends locks Kerberos users into Win 2000. "People will reverse engineer this PAC and want us to put it in our [Kerberos] server. Therefore, I won't read the specification so Microsoft can't come back to me and say I broke the review agreement not to implement."

Microsoft published the PAC format April 28 after years of goading from critics, but restricted any implementation. The company probably will license the PAC, which is another sore spot with critics.

"Microsoft's behavior, in conjunction with its monopoly in the desktop market, may be viewed as an aggressive strategy to eliminate competition in the Kerberos server market," says Paul Hill, a senior programmer analyst at MIT and a member of the Kerberos Version 5 development team.

Microsoft says it published the specification to answer customer questions about interoperability and security issues raised by the media. "Our Kerberos is 100% interoperable and 100% secure," says Shanen Boettcher, product manager for Win 2000.

While the Kerberos debate rages, Microsoft opened a rift last week in the biometrics arena. Members of the BioAPI Consortium say Microsoft's acquisition of proprietary biometrics hardware and plans to develop its own application interfaces undercut the recently completed application-layer BioAPI developed by the consortium - which Microsoft helped found but later dropped out of.

Last week, Microsoft secured rights to the Biometric Application Programming Interface (BAPI) from biometrics vendor I/O Software. BAPI is a proprietary interface for securely connecting biometrics hardware to a PC. Microsoft plans to package BAPI with an application-layer API to create a development platform.

No timetable has been set for release of the API.

"There is a lot more to providing a biometrics platform than what the consortium is focused on," says Microsoft's Boettcher. Microsoft's platform will include a development environment, interfaces for hardware, applications, management and a software developer's kit. Boettcher says the intent is not to undercut the consortium, adding that Microsoft will work with it through I/O Software. "But we need to move quicker than they have shown they can move," she adds.

However, more than a month ago the consortium approved its BioAPI, a specification for use in developing biometrics-enabled applications. The group plans to have a reference implementation in two to three months, and hopes to present the work to a standards body before year-end.

"Basically, the industry has formed a standard, and Microsoft ignores it and does something else," says John Wilson, author of the BioAPI. "They are freezing the market when we have an API that is ready to go now. We invited them to join us several times but they declined."

Several biometrics proponents say that Microsoft is derailing efforts to provide open standards in a market that is severely fractured by incompatible hardware and software.

"Vendors will have to develop and support special versions of their software to work with Microsoft's APIs or only develop versions for Windows," says James Cambier, a vice president for Iris Scan, a developer of iris scanning technology.

An API that creates a standard interface between applications and biometrics devices is key to adoption of the technology, observers say.

"It is critical to have an API standard so that developers can rapidly create applications that use one or more biometrics [devices]," says Judith Markowitz, a consultant in Evanston, Illinois, who specializes in voice biometrics.

"We are pleased that Microsoft is interested in biometrics," says Catherine Tilton, director of special projects for biometrics vendor SafLink Corp.

"However, we are very disappointed they chose to ignore industry consensus on a standard that we have worked on for nearly three years that is cross-platform."
