Microsoft Courts OpenID

Bill Gates touts collaboration with an open source identity framework to augment Microsoft's Windows CardSpace initiative and Web security standards.
Despite recent security improvements to its next generation of software, Microsoft announced plans Tuesday to augment its own identity authentication standards with the OpenID framework.

The company is presenting a proof-of-concept demonstration and collaboration between its Windows CardSpace initiative and the OpenID 2.0 specification at the RSA Security Conference in San Francisco this week. The relationship is expected to help eliminate what's sometimes known as the "man-in-the-middle" attack, where a third party can read and modify messages between two unsuspecting parties.

Microsoft chairman Bill Gates and chief research and strategy officer Craig Mundi said the company would be adopting the decentralized identity management system because it realized that authentication was needed at the application layer for many Web 2.0 products. The announcement comes five years after Gates issued to Microsoft employees his "Trusted Computing" directive, which stressed security as the company's highest priority.

"Those were the days when we talked mostly about the 'I Love You' virus," Gates said during his keynote address at RSA.

Fast-forward to today, where Microsoft itself is acknowledging that attacks are more focused on areas other than the network, such as the application level.

"We realized that we still needed to create a GUI for credentials and for situations that were more on an ad hoc basis," Mundi said during the morning keynote. "It should be no more difficult for a person to identify themselves online as it is to walk in person and take a driver license and credit card for identification."

Developed by Brad Fitzpatrick of LiveJournal, OpenID is fast gaining market acceptance by Web 2.0 groups such as Wikipedia and Technorati, as well as computer security firms like Symantec.

Windows CardSpace -- formerly InfoCard -- is part of Microsoft's .Net 3.0 framework and integrates with Microsoft's Windows Communication Foundation, Windows Workflow Foundation, and Windows Presentation Foundation.

Gates noted also that the OpenID 2.0 spec would help support Microsoft's own Web security protocols, which are widely used in Web services transactions.

"There are reputation and trust issues involved that this helps solve," Gates said.

Gates and Mundi said the CardSpace/OpenID proof-of-concept demonstration is expected to be implemented in the Windows Longhorn Server product, currently in beta testing and due out later this summer.

In addition to testing OpenID in its architecture, Microsoft announced Tuesday security-related products and partner initiatives, including the launch of its Identity Lifecycle Manager 2007, the release of a public beta for its Forefront Server Security Management Console, and additional support of Extended Validation SSL Certificates in Internet Explorer 7. Microsoft also recently announced other key security-related initiatives, including the general availability of the Intelligent Application Gateway 2007, a Microsoft Network Access Protection 100-partner milestone, and the launch of Windows Live OneCare.

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing