A Trusted Stack

By Ryan Naraine  |  Posted 2008-04-08

Stathakopoulos said there are enough similarities between Microsoft's 2002 problems and the existing security nightmares haunting the Web.

"We don't want this to be interpreted as a Microsoft play," he said. "We're saying that these are the concepts that we generally support and we've put them together in this white paper and we're asking the industry to talk about it. We'd like to see everyone put the same energy into it that we put into the Trustworthy Computing initiative.

"The problem might be a little different but we think we can find ways to fix things. It's about how you exist online, what's your identity claim, how do you interact with the Internet. These are things we need to be talking about in a very serious way."

In the white paper, Microsoft spells out its own vision of how End to End Trust can be achieved through a "trusted stack" that features security rooted in the hardware, a trusted operating system, trusted applications, trusted people and trusted data.

"The entire stack must be trustworthy because these layers can be interdependent, and a failure in any can undermine the security provided by the other layers; for example, a document may be created by an identified individual, using secure hardware and a secure operating system, and sent to another as a signed attachment with integrity, but if it was created with an insecure application, it may not be trustworthy," according to the white paper.

"When trust is misplaced, it must be possible to identify the improvidently relied-upon party and have the right social and political mechanisms in place so that proactive and reactive steps can be taken. An appropriate audit capability can provide the evidence needed to inform response and drive an accountability framework."

The white paper also focuses heavily on establishing trusted identities on the Internet without abolishing the concept of anonymity.

Microsoft also makes it clear that the proposal is not meant to create unique, national identifiers or support the creation of mega-databases that collect personal information.

