Computerworld

Microsoft calls for talks on Internet trust, safety

Launches 'End to End Trust' effort, touts 'trusted stack' and calls for input

Microsoft called for broad discussions about the safety of the Internet, an initiative it dubbed "End to End Trust" in a white paper released during the RSA Conference that opened this week in San Francisco.

In a keynote address at the security conference, Craig Mundie, chief research and strategy officer at Microsoft, talked up the company's plans. Core to the concept of End to End Trust, said Mundie, is something he called "a trusted stack," where security is housed or rooted in the hardware, but each piece -- the hardware, software, the data and even the people involved -- can be authenticated if necessary.

"We believe that End to End Trust will transform how the industry thinks about and approaches online trust and security," said Mundie. "End to End Trust will enable new opportunities for collaboration on solutions to social, political, economic and technical issues that will have a long-term impact on Internet security and privacy."

In the white paper, which was authored by the chief of Microsoft's Trustworthy Computing group, Scott Charney, Microsoft laid out its ideas. "Microsoft and the technology industry alone cannot create a trusted online experience," Charney said in remarks released before Mundie's speech. "For that to happen, industry must not only band together, but must work with customers, partners, governments and other important constituencies on a road map for taking Trustworthy Computing to the Internet."

"Trustworthy Computing" is the tag that Microsoft applied to its efforts, now six years old and counting, to improve the security of its own software, primarily Windows. Mundie, who wrote the white paper outlining that initiative, pointed to four so-called "pillars" that the company would create: security, privacy, reliability and business integrity.

End to End Trust is an extension of that work, George Stathakopoulos, the general manager of Trustworthy Computing, said in an interview today. "The goal today [of End to End Trust] is to make it a platform for a dialogue. We want to discuss the broad concepts with everyone else, and work to create a trusted stack."

Any and all will be welcome in such discussions, which Microsoft has yet to clarify or even define. "We'll have forums and dialogue," said Stathakopoulos, "and we'll be updating everyone at regular intervals and reporting on progress."

Even the Charney white paper, which Microsoft posted to its Web site following Mundie's address, was light on details and heavy on generalities. Stathakopoulos said that is by design. "This isn't a strategic or prescriptive paper. We already have the solutions for many of these problems. This is more a call for the industry coming together.

"Let's have an open discussion."

The introduction of End to End Trust does not mean that Microsoft considers its own security efforts finished and done, countered Stathakopoulos when asked to clarify some of Charney's statements. "We still have a lot of work [on security] ahead of us," he said. "We still have to do the fundamentals on our own software.

"Trustworthy Computing was the springboard to getting our own products more secure," said Stathakopoulos. "But can we move those concepts to the Internet as a whole? This isn't something like a silver bullet. It's more a long-term plan."

Much of Charney's white paper was devoted to authentication issues, including establishing identities on the Internet to, for example, provide children-only zones where kids can interact without the fear of adult predators. Other sections spelled out long-time Microsoft ideas, such as linking the operating system with the hardware for a "trusted boot" environment that guarantees the code hasn't been tampered with, and digitally signed applications.

But Charney also took time to promise what End to End Trust would not do. "First, nothing in this paper is meant to suggest that anonymity on the Internet be abolished," wrote Charney. "Second, nothing in this paper is meant to create unique, national identifiers, even if some countries are creating identity systems that do so. Third, nothing in this paper supports the creation of mega-databases that collect personal information."

"A lot of the concepts [in End to End Trust] already exist on the Internet, all of which we generally support," Stathakopoulos said.

He acknowledged that not everyone will take to Microsoft's pitch, or acknowledge its right to step up and call for talks. "In the end, our actions will speak for themselves," he said.