RSA 2007: Microsoft marries CardSpace and OpenID 2.0

With the Vista launch behind him, Bill Gates and Craig Mundie, Microsoft's chief research and strategy officer and security patron, were on stage the 16th annual RSA Conference in San Francisco before a crowd of about 15,000 security geeks and professionals. They were preceded by a Broadway-style dance number with dozens of costumed monks and the David Bowie/Queen song "Under Pressure," something to do with the Renaissance theme of the conference.

After spending 45 minutes talking about security in general, most of which the crowd was familiar with, Gates and Mundie announced support for OpenID 2.0, marrying CardSpace and OpenID as Mundie expressed it. "At the security level interoperability is fundamental," Gates said. Microsoft identity and CardSpace guru Kim Cameron noted the support for OpenID in his blog today:

JanRain, Microsoft, Sxip, and VeriSign will collaborate on interoperability between OpenID and Windows CardSpace™ to make the Internet safer and easier to use. Specifically:
    * As part of OpenID’s security architecture, OpenID will be extended to allow relying parties to explicitly request and be informed of the use of phishing-resistant credentials.
    * Microsoft recognizes the growth of the OpenID community and believes OpenID plays a significant role in the Internet identity infrastructure.  Kim Cameron, Chief Architect of Identity at Microsoft, will work with the OpenID community on authentication and anti-phishing.
    * JanRain, Sxip, and VeriSign recognize that Information Cards provide significant anti-phishing, privacy, and convenience benefits to users.  Information Cards, based on the open WS-Trust standard, are available though Windows CardSpace™.
    * JanRain and Sxip, leading providers of open source code libraries for blogging and web sites, are announcing they will add support for the Information Cards to their OpenID code bases.
    * JanRain, Sxip and VeriSign plan to add Information Card support to future identity solutions.
    * Microsoft plans to support OpenID in future Identity server products.

During their discussion, Gates and Mundie talked about how to make security mechanisms simpler for people working together, so that they have access only to the information that they should. Gates first played the role of interviewer with Mundie, and then Mundie asked Gates questions.

Mundie gave the expected nod to Vista and Office 2007 as the first products run through Microsoft's security design lifecycle process. "This won't make them perfect....humans are human and they make mistakes. A large part of going forward is not just dealing with the engineering aspect...it's dealing with fact that errors do happen whether operational, design or intentional," Mundie said. The message is that Vista is made by smarter humans, but it isn't invulnerable to hackers.

Then the two discussed what nearly everyone in the room already knows about security issues--the network, protection and identity.

For the network, IPsec and IPv6 are the pathways for more flexibility, granularity and ease in administration in point-to-point security, with policy-based rather than topology-based systems, which will come with the Longhorn server update due later this year, Mundie said.

"There is no challenge in moving to the IPv6 infrastructure.--it's in XP and there will be no gargantuan infrastructure change-out," Mundie said. He added that all Microsoft products work with IPv4 and IPv6, or pure IPv6. "We are inverting the model where you work at Microsoft and you have access to anything. It's way too open. You not only have employees and venders, and increasingly you have partners. We have to do a good job for partners who want to have access on an ad hoc basis to the network," he said.

On the protection front, Gates talked about rights management, using digital certificates and smartcards and building applications where people responsible for the data can elect who to trust and what applications to trust. On the identity front, Gates promoted a move to certificate, away from weak passwords. "The milestone is enterprises should start the migration from passwords to smartcards," Gates said.