[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Digital Signature Inititiative
Good afternoon,
I am the program manager at Microsoft responsible for putting the
digital signature program in place. I am sending this mail in response
to a recent mail string sent to these aliases appearing at the bottom.
To summarize some important points of the program:
* The program creates a certificate authority infrastructure which
consists of thrid party non-software affiliated companies such as
VeriSign and GTE who will act to grant certificates to allow code to be
signed. The policies defining who can be a certificate authority and
what it means to be a trusted software publisher will be a matter of
public policy(standard). The point being that Microsoft does NOT
control who can/cannot sign code.
* This approach solves the problem of identity and integrity, and is
viewed by MS as complementary to the sandboxing approach used by Java
scripting, which we view to be incomplete and unsatisfactory by itself.
We believe that Java needs to sign platform dependent Java classes in
addition to their sandboxing scheme.
* The W3C is creating a working group in this area to develop standards
around the policies mentioned in the first point, and the formats of the
certificate and signature formats. Microsoft is committed to making
this a open, industry, x-platform standard...
* regarding the mac question - there already is a version of Internet
Explorer for the Macintosh, available for download at
www.microsoft.com/ie. Microsoft is has already announced its committment
to building cross-platform internet products.
I would be happy to answer more questions you may have about this
program, inluding proving more information.
Stuart Theodore
Program Manager
Microsoft Corporation
[email protected]
>I recieved a copy of "Microsoft Interactive Developer" today in the
>mail.
>In it, it has a preview of Microsoft Explorer 3.0. (Flux by David
>Boling on
>page 120.)
>
>Of interest to Cypherpunks is this paragraph (in the section on OLE
>support
>in web browsers):
>
>"Since OLE controls could potentially pose a security problem,
>Microsoft is
>studying how to create an infrastructure to certify them. The idea is
>that,
>once certified, an OLE control would contain an RSA security signature
>indicating that it has passed muster -- the OLE eqivelent if the Good
>Housekeeping Seal of Approval! Users of Internet Explorer 3.0 could
>specify
>whether or not noncertified OLE controls should be loaded and executed
>by
>the browser."
>
>As a web developer, I have some problems with this scheme. Giving
>Microsoft
>access to virtually every OLE control on the Web does not make me more
>secure. Sounds like a way to rip off ideas from the rest of the
>development
>world. If someone has a control that might compete with a Microsoft
>product, it could be shelved and/or delayed for "further security
>testing".
>
>Java has a decentralized mechanism for security. No one group controls
>what
>is a "certified" control and what is not. You write the code and
>compile it
>and that is that. Furthermore, you are not stuck with Microsoft
>approved
>platforms. (I wonder if there will ever be a version of Explorer for
>the
>Mac.)
>
>I expect the Microsoft plan to garner a bit of resistance from the Web
>development community over this one...
>
>I do not expect to see many OLE crypto apps for the web with this plan.
>
>---
>Alan Olsen -- [email protected] -- Contract Web Design & Instruction
> `finger -l [email protected]` for PGP 2.6.2 key
> http://www.teleport.com/~alano/
> "We had to destroy the Internet in order to save it." - Sen. Exon
>
>
>
>
>
>
>