Declaring "war on hostile code" here on Tuesday, Microsoft Corp. detailed several new features for securing privacy in both current and future Microsoft products here at the RSA Conference 2001.
On the Windows .NET front, XML-based user authentication technology, code-named "HailStorm", topped the list. HailStorm will allow client-side applications and Web services to exchange user information.
"Privacy is at the core of the HailStorm system," said Dave Thompson, vice president of Windows development, who delivered a keynote address. "The only way that it [is] tractable for a user to deal with ... the myriad of Web services ... is through personalization. The only way to easily move from site to site and have your destiny under control is ... for you to give information up, as you want, to the right sources."
The Windows XP operating system, too, will feature beefed-up security. In particular, Thompson noted that PKI (Public Key Infrastructure) improvements are in the pipeline.
"We're filling in some of the places where we could have done better," he said, adding that new auto-enrollment and auto-renewal services for users "will make it very easy to deploy PKI."
Smart card support will further bolster XP privacy, according to Thompson. "All the functions that an administrator needs to do can be done with smart cards, including Terminal Service sections. You can uniformly require an administrator to use smart cards. That eliminates the risk of using passwords," he said.
XP will also allow for interoperability between smart cards and EFS (electronic filing system), which will let companies accept certificates issued by other PKIs.
Other XP announcements included faster SSL (Secure Sockets Layer) services, version 2 of the company's Security Configuration Wizard, which will let users configure access controls and turn off unneeded services, and an Internet Connection Firewall to allow users to safely connect directly to a network.
Thompson also addressed Microsoft's upcoming Internet Explorer 6.0 browser. As the company announced on March 21, IE 6.0 will feature native support for P3P (the Platform for Privacy Preferences). P3P is a privacy standard developed by the World Wide Web Consortium that notifies users about the privacy rules used at visited Web sites.
Another part of Microsoft's IE 6.0 privacy plan involves the Privacy Statement Generator, which will generate policy statements at IIS (Internet Information Server)-hosted Web sites.
Thompson also announced a strategy to lower the cost of guaranteeing privacy for its customers. By reducing the need for users to reboot patched systems and sending out bulletins that list virus severity ratings and patch availability, Microsoft hopes to streamline its customers' operations, according to Thompson.
As well, Microsoft is trying harder to train its developers to spot privacy loopholes, Thompson said. He noted that the company's Secure Windows Initiative team has been assigned to scrutinize privacy in Microsoft products and train internal developers to create secure code.
Thompson was careful not to overstate Microsoft's role in determining privacy standards.
"I don't want to imply ... that Microsoft is driving or controlling or is the leading expert in security," he said. "[But] because of our role and the products we ship, we have an obligation to provide leadership [by] catalyzing the advancement of security knowledge."