Remarks by Brian Arbogast
Vice President, Microsoft .NET Core Platform Services
Trusted Computing Forum
Nov. 8, 2001
In a keynote address to the Trusted Computing Forum on Thursday, Brian Arbogast, Microsoft's vice president of .NET Core Platform Services, told participants that consumer control of privacy and security is crucial to the success of the company's ecosystem. Arbogast stressed the importance of giving users a trusted way to share their personal information securely while still allowing outside services, with the consumer's consent, to use that data to deliver richer and more personalized Internet experiences. .NET My Services is built on this premise.
According to an analyst study conducted about two and a half months ago, the three things consumers want most from the Internet are privacy, security and single sign-in, a Passport feature. Beyond control, the study found that consumers also want convenience. Microsoft believes that if it can deliver services a user finds valuable and trusts, such as the collection of XML Web services that let users store key personal information securely and control who can access it, people will be willing to pay for them. Arbogast said the company views privacy as an opportunity to be a differentiator for anybody who is in the service space.
Arbogast conceded that such goals bring difficulties that have yet to be fully worked out, including how high the company can reasonably set the bar and how one establishes the parameters of an Internet trust network. But Microsoft is dedicating itself to developing ways to make the ecosystem work more easily and efficiently for customers, consumers and businesses.
BRIAN ARBOGAST: Thanks very much. I’m very happy to talk to you today, and I assume that given that this is day three of a conference that’s been pretty involved, that this is like the hard core that I’m looking at. (Laughter.) All the guys who couldn’t keep up have gone home, and I’m left to talk to the hard core, which I love.
So it was great listening to Dick Clarke last night and it brought a couple things to mind. One was, you know, my background is technical. I’ve never really been a marketing guy. So I’ve never focused a lot on the value of a great codename or a great product name. But the fact that I almost — you know, Dick almost inadvertently put a pitch in there for Passport last night, I thought like that is the sign of a great product name.
Now, given that like I used to be in developer tools and for two years I was running a product called Visual Interdev, I don’t think I got anybody in the government to ever kind of give me like a freebie on Visual Interdev.
Now, more recently I’ve had this other codename I’ve been associated with, and I’ve seen actually a lot of people who have kind of mentioned “HailStorm,” but it never seems to actually be in a very positive light, so I’m very excited to have made the shift from that old codename, and thank you, Michael Lukowski, to our new product name, .NET My Services. And one of the things I’m going to do today is go over just what is that platform and why are we building it.
One of the things I want to start up front is to set a little bit of context also that I thought of when I was listening to Dick last night. I’ve only been involved with Passport since this January, so I actually was at SafeNet last year kind of as an interested observer, because for a while, for a few years now I’ve believed in my gut that trustworthy computing was not only what the industry needs, but kind of what Microsoft needed to embrace as our kind of call to action.
I remember when I first became a VP at an off site, we had this opportunity to go off and each person could do like an infomercial, a 30-second infomercial on something that they thought they wanted to go take a bunch of people and spend three hours thinking about, and it could be anything that you thought was relevant to the business. And my topic was Microsoft focusing on privacy as a way that we win with consumers and win trust and deliver a fantastic set of products that have wonderful brand attributes and that privacy was a core trust principle. And that’s something I’ve believed in for a while in my Microsoft persona. I’ve believed it all my life in my home persona. I don’t know if Barry is here. I’ve certainly seen him and other people in my outside of Microsoft persona.
So that was back then and what did Dick say last night, be careful what you endorse because you may become it. So here I am today leading the Passport team and the .NET My Services team, proudly leading those teams. I know I’ve got them some good challenges ahead to build out a trusted platform, but it’s an incredibly exciting thing and hopefully by the end of my talk today you’ll see what’s so exciting about it and hopefully I’ll get some engagement so you can help me on some of the things that are so challenging about it.
So quickly what I want to cover is how did we get here, why are we doing what we’re doing with Passport and My Services, what are they and then specifically why and how have we focused on privacy, on baking privacy into this new platform. And obviously everyone in this room knows you don’t have privacy without security, so I’m going to focus also on what do we do about security, and then I’m going to talk a little bit about an announcement we made probably about eight weeks ago now for federated authentication on the Internet, because that’s another thing that we’ve heard remarkable interest in and it’s a topic that I think this room can absolutely contribute to.
So I wanted to start with some of what helped us get started on the whole .NET My Services vision.
Now, I’m going to show you about a two-minute clip from a marketing video that we first showed last June, June 2000, at the Forum 2000 event. Actually, how many people have seen any of those Forum 2000 videos? All the Microsoft people are putting their hands up. (Laughter.) Well, that’s good, that’s good. There are lots of them and they were very well done like in terms of production quality and they were just kind of day in the life of various individuals in this future, fictional future where everybody is connected, their personal information is online, they have access to it, the devices and the people that they trust have access to it, and how does that impact their life, how can it make their lives better.
And we did a bunch of these vignettes, and frankly when we did them, you know, we didn’t know how one would ever deliver on these scenarios. This was pure vision stuff. This was us trying to paint a picture that we could get excited about. And obviously we felt excited enough that, you know, this is something that we could go after and if we did it would make a difference.
And so as you watch the short video, I ask you to do kind of what we all did, which was look at it through two lenses. One is you as an individual in dealing with technology in your lives, you know, how interesting are these scenarios and the multitude that you can come up with just taking this a little bit further. But then second, as professionals, with focus on privacy and security, how the heck would you ever get there? What are the big issues? And then that will put us in a place where you’re exactly in my shoes and set the context for the rest of the talk.
So let’s see if we can get this to roll.
BRIAN ARBOGAST: So that gives you just a little glimpse of what the world might be like. It’s a little Jetsons-like in some regard, but then when you think about it, it’s not really that far out.
But what do you need? What did we see? Well, we saw somebody getting access to calendars for everybody in their family, and then we saw instant messaging, you know, alerts, reaching multiple devices. There is some implied stuff there that you didn’t really see like maybe the restaurant had access to the free/busy of their calendars or had some way to push an event onto their calendar. Maybe they could push an event on a calendar that had driving information for how to get there, et cetera.
And this was all kind of, when you think of what do you need to deliver on this, the first thing that you start thinking about is well people want to be able to have their information accessible to those services that they trust and to those people that they trust. And that was just one of the threads that, you know, we probably had 40 minutes worth of video, and it got a lot of people thinking about how valuable it could be to build a trusted platform that lots of different service and use experiences could be built on top of.
So some other things that we thought about are imagine a Web where things are automatically personalized for you, and it may not be personalized based on like knowing that I’m Brian Arbogast, but there is a persistent pseudonym, there is some way that I am recognized by the places I go on the Internet, and some people know that that’s Brian Arbogast and some people know that it’s just the same person who was here last time and did all these customizations to this experience and that’s why I’m going to give them a great user experience when they get back.
A key thing and something that you would have — if you were at Forum 2000 last year, you would have heard us say loudly and over again and over again, and then again at the Hailstorm announcement in March and then throughout, user in control is kind of the mantra, because we think that that’s the way that we win user trust, not just us as vendors that are going to build some services on top of this platform but anybody else who wants to build on top of this platform. So we think that for this whole ecosystem to be successful, user in control has got to be at the heart of it.
Giving an ability for users to have a trusted way to share their personal information, their personal data like their calendar or their contact list, have that be private, secure, but have an ability, have a mechanism by which services can, with the consent of the user, have access to some of that information and then make use of it to deliver even more rich and more personalized experiences.
Having services that can cooperate on behalf of users, so to have one service that was developed independently, then another that was developed independently and then one of them or even some third party service being able to do some orchestration across services, that that could open up tremendous opportunities for innovation.
And then another thing we talked about, which Richard mentioned when he opened, around the business model, the user model, it’s funny, a lot of people are wondering, you can deliver innovation on the Internet, but how do you make money doing it. And we firmly believe that if you have a model for delivering services that the user finds valuable and that the user trusts, trusts to work, trusts to be there, trusts to be secure and keep their information private, that users will be willing to pay for that.
And so we are as a company focused on building out a set of experiences on this platform that we are going to go to end users and say, “Hey, for this experience, that’s going to be like a subscription offering.” And at Microsoft this is kind of a leap of faith, because there aren’t a lot of people making a lot of money in subscription services on the Internet today, but we think that this is a very viable model, and, in fact, we’re throwing a lot of our internal efforts at building the kind of value proposition for users that would have them happy to pay for subscription services on the Internet.
So these are a lot of the different kind of inputs into what we wanted to do with the platform.
Now, there are lots of other inputs here. When you look at what we hear from studies, from talking to users, from our own experiences, what do people want out of the Internet? So there was this interesting Gartner study about two and a half months ago that listed what consumers want, the three things consumers want the most out of the Internet: Privacy, security and single sign-in. Now, the single sign-in, again as our Passport guys are like, “Wow, that’s nice.” Privacy and security I knew.
They want some other things. They want something convenient. We know that if we develop a system that’s not convenient and easy to use, that it doesn’t matter what kind of security controls you put in. You know, our friends who did all the great work around security zones and the browser, you know, a lot of work but how many people really understand it and get to use it. So that’s the other challenge is how to make this convenient.
Now, there are obviously things that they want and then there are fears, fears like identity theft, the scariest, credit card fraud, spam. These are the things that users don’t feel in control of today.
And, of course, it’s not just end users; it’s all of us who represent, anybody who represents end users. So these are the issues that governments focus on, that public policy groups focus on, that many of you are focused in on.
Now, there are other players in this ecosystem, like enterprise, for instance. They certainly don’t want to go to a world where all that data is hosted out in a cloud they have no control over. They want to have control over their data. They want to have control over their employees’ data. They also want the new mechanisms to be able to reach out to their customers and their partners. And so a platform that delivers that would be very compelling for enterprises.
And of course we know what their fears are around opening up systems, around any opening in any firewall that lets anybody from the outside get into data, or even how to set up their DMZ to appropriately make use of their corporate data in extranet scenarios.
Then, of course, service providers, they want to be building lasting relationships with customers.
And their fears are how do I get to critical mass. If I have any prerequisites for my service, how do I make sure that that’s not a barrier for somebody to sign on? And they want to make sure that their customers remain their customers.
So what .NET My Services is all about is a set of Web services, just core services that are data elements that users in many cases already have online today, but it’s basically a platform that puts the user at the center; so whether that’s getting access to their calendar, their credit card information in their wallet, alerts or any of the other services that we announced back in March.
So .NET My Services is about a set of services, like the services we focused on here, but even more importantly an underlying platform that we think can scale to many providers, many operators and provide a secure foundation for these kinds of Web services that will operate on a user’s behalf.
Now, we talked a lot about users but the whole model is really more identity centric services. So you might have a calendar that’s just attached to a group identity or even to some kind of organization. The same model holds and all the same infrastructure and architecture we’re building holds.
So to drill in a little bit in terms of what do we mean by kind of the platform or what we call the service fabric, what is behind every one of those .NET services, so .NET Calendar, .NET Contacts, it’s basically a pipeline, a set of logic that accepts a request coming in over the Internet in SOAP format, which is a standard that’s been embraced by all the big vendors, you know, Microsoft, IBM, Sun, Oracle are all building systems that support XML and SOAP. XML and SOAP are at the heart of the architecture for .NET My Services.
Now, when we say they’re at the heart of it, it means that the data is actually stored in XML. It means that the certificates that authenticate the user, the Kerberos tickets that authenticate the user and the service get passed, wrapped up in this SOAP, XML message. And it means that the logic at the listening end gets to do the authorization, gets to do the mapping in a highly scalable way to the back end that actually is storing that data. And it gives you mechanisms to do things like have session encryption on data that’s on a per user basis, and build other capabilities in that are so necessary to security and to ensuring that only the people that somebody’s granted access to the data truly have access to it, so things like all the monitoring capabilities that you need to put in that pipeline to know whether or not you’re getting bizarre patterns of access that you need to pay attention to.
In terms of the authorization, we’ll actually walk through kind of in steps what are the inputs to the authorization that underlies the whole consent model for .NET My Services. But in a sense .NET My Services, it’s an XML web service out there with a particular schema based on the data types, whether that’s calendar, contacts, et cetera.
Now, I talked about the ecosystem and one thing that’s hard even for us to kind of like as people who have been in the platform business before, this is a different kind of challenge. So not only do we have this platform that we’re providing, we give it to developers, developers innovate on it. What we’ve seen time and time again is what makes a platform is developers innovating on that platform and building things that users love. And the more users love it, the more valuable that platform is.
But in this ecosystem we’ve got something kind of new here, which is that it’s not just your machine that the system is running on. All of a sudden we’re in a world where there are people offering services that make up this platform over the Internet and that has all kinds of interesting ramifications and new challenges.
For instance, every time you call one of these services, somebody is actually like footing the bill for that. It’s adding cost to the operator who’s running the set of services. It means that if you want to scale, you scale out with operators being able to scale out and then with multiple operators being able to meet different needs of different customers.
So Microsoft is going to be a platform operator. We think that in this model every enterprise is going to be a platform operator. We think that there will be also a market for lots of other big commercial operators to run these services on behalf of end users. And especially when we look at how do you kind of set some baseline expectations with regards to security, with regard to privacy policies, you’ll see that while the federation isn’t completely necessary for this platform to actually deliver on the vision, it introduces all kinds of new complexities, but we need to be ready to kind of step up to those new complexities to actually deliver on the vision.
So I talked about the federation model. I’ll actually go into a little bit more detail around how we see Passport just the authentication part of the puzzle federated.
But in this model the way any access to data happens is the user first gets authenticated and whether that’s by Passport or by some other federated operator, gets back a secure ticket. There’s also authentication of the service that’s calling to get information, the service that is reading free/busy from your calendar, for instance. And then those authenticated tickets get passed along with the query, the data request to the underlying My Service. And again that could be hosted in a corporation, that could be hosted in an MSN data center, that could be hosted in a different commercial operator’s data center. So that the whole model has been designed to be “federatable” and distributed from day one.
Now, one thing people sometimes ask is how distributed. Well, we like to talk about everything we do in the services world kind of from a crawl, walk, run. In other words, to build anything to scale you first get it going, then you have to kind of build up scale and we do the same thing on many of our design elements, but the vision around how distributed the system is is as distributed as it needs to be.
Services running on devices, services running on your laptop, that’s part of the vision for this distributed My Services platform. Now, that’s not going to be there on day one. That is something that we get very excited about and it’s something that all the people in the peer-to-peer space also get very excited about.
So I want to focus kind of on trust, because, I mean, as the guy with the teams that are building Passport and .NET My Services, it’s super clear to me that if we don’t have the trust, if we’re not continually building trust, not only from customers but also from partners, from anybody who’s choosing or considering building their service, building their business on top of this platform, trust is essential.
So I talked about putting users in control of their information. I’ll go into a little bit of kind of the mechanisms we give there, ensuring that that end user information is protected, ensuring that that end user information is always available, so availability is a close third in terms of trust, and then finally the user can sacrifice usability to get these other trust factors.
So let’s drill in on privacy a little bit. The first thing that we realize when we try to kind of map out a set of privacy policies is that there are some things that we can bake into the technology and then there are other things that we just don’t know how to do that or that will take a lot more evolution to bake in and to enforce at the technology level.
So the other mechanism we have is at the licensing level. So, for instance, the fact that Passport partner sites, for instance, today sign a licensing agreement with Microsoft, and the main reason is because there’s a set of expectations and commitments not only that we give to that partner site but that they give to participate in this trust network. And when you see the ecosystem, we believe that there needs to be basically guidelines that anybody who participates, whether as an operator of one of these services or as an application that’s built on top of these services, signs up to certain guidelines, and those are oftentimes the only way that we can implement the next level of privacy.
So, for instance, the things that we can do in technology we can make sure that we never give up any information out of a My Service, that our technology is written in such a way that it doesn’t give up information unless you actually have validated Kerberos tickets from the individual, from the application that’s calling it, and that there’s an entry in the secure document that lists out all the permissions that that user has set and that that user has set through a secured interface, and if it doesn’t match one of those permission statements there’s no access to data.
So that’s something that we think we can do a lot of great work in the technologies to solve, but there’s another problem, which is, okay, if I give — you’ll see how we think intent for why a service wants to have access to the data is as important as the data that they’re asking for. And a question that I often get is, well, so if somebody says I want access to, say, my address information to send me a package or some information, and they specifically are not presenting the intent that they’re going to sell that information, how do we enforce that they don’t? And I don’t know yet a way to enforce that technically or with technology.
So one of the things that we try to do is in our licensing agreements, in other words, that service if they’re found to not support the commitments that they’re making to the users exposed to our platform, then we reserve the right to have some third party audit them, find out if that’s the case and remove them from the system.
So what does that mean? That means that hopefully if there’s any business benefit for somebody being a participant in this trusted network, then that’s significant disincentive for them to basically lie, you know, break their promise to the end user.
But one of the things I want to do over the course of all of today’s presentation is kind of talk through a bunch of the challenges, because frankly it’s going to be discussion over those challenges and feedback to us and feedback through lots of other mechanisms that’s going to get us to a model that’s really going to work and scale.
Now, again we don’t think that’s any silver bullet, but we do think that it’s a great step forward, because what it does is it gives the users one more tool for understanding what really are the privacy principles of this service I’m considering interacting with. What are they planning to do? What information do they gather? For what reason? And so we see P3P as a great first step here. We think the whole challenge of defining intent and being able to have that be an input to an authorization system is really important for this kind of a platform. So we think that not only is P3P a good starting point, but we’ve got to take it further in terms of how you model what a user is going to understand they’re giving consent to.
And one of the things that we’re trying to do with My Services is to enable, to have a platform that enables kind of more of a progressive model, where you might when you first come in not be asked for any personal information. At the time when that service operator, service provider would like to offer some value in exchange for some information, that becomes visible to the user; they have the opportunity to consent or not, and as the user gets deeper into the interaction with the server, you might even have a model where the service comes back and asks for the same information but for different purposes.
And again everything is in an opt-in, affirmative consent model, and I think later on I’ve got just a screen shot of one of the prototypes of that consent dialogue that anybody at the PDC would have seen in all the demos.
I’ve talked about, you know, we understand that privacy is critical to the success both as service operators and as people building apps on top of the platform. A lot of this I’m hoping you know though there are a lot of misconceptions, for instance, around platforms. There is a database of Passport information that can contain up to 13 pieces of profile information. That came from when Hotmail first launched. That was all the personal information that they held.
The site that registers somebody at Passport is responsible for saying these are the pieces of information that I want in this registration process, that I want to gather, and those are the only things that get put into that Passport database; and nothing beyond the 13 Hotmail fields has ever been in a Passport database. And in reality most of the records have very little of that information. In fact, you can go and you can get a Passport account with just a user name and a password today.
So a key misunderstanding is I think a lot of people assume that Passport is this big database, this huge marketing opportunity for Microsoft. And it’s not. That’s not the intent, but not only is it not the intent, we make a firm commitment that that is not what we will ever do. We make no secondary use of the information in that database.
Applications built on top of Passport, so our partner sites today, if a user consents to share their profile information on the partner sites that they visit, they can choose to do so. That’s now also opt in. But the user is in control of that. And you’ll see in a moment kind of how we are moving our whole sharing model forward to try to give more flexibility to end users.
There are some things we do that I think establish us as leaders in terms of service providers on the Internet. I think we were one of the first companies to sign up to support Safe Harbor and we don’t do that just for our EU customers; we step up to that part for all of our customers worldwide.
And so we are very serious about trying to make privacy not only not an essential negative for Microsoft, but we think there is an opportunity for this to be a differentiator for us. We think it’s an opportunity to be a differentiator for anybody who’s in the service space.
Now, I’d like to talk about just some of the kind of core platform pieces that we think are important with regards to privacy. So they come into play at different points in the interaction. So authenticating a user every time: What happens when you actually want to authorize somebody for access to a particular piece of data? What happens just at the registration process when you’re setting it up and then what can you do after, you know, out of band if you want to change your permissions, et cetera?
And I’m just going to cover these pretty quickly, but we are basically in the process of fleshing out all of these and putting forth models for all of these. And one of the things that occurs to me is that I’ve got a tremendous opportunity hopefully like first quarter of next year to get interested parties from groups like this together to actually do a much deeper drill down on all these elements of the platform.
So let’s start with authentication. I think everybody in this room doesn’t need to really be explained the difference between authentication and authorization, but I do like to point out that at its core Passport is just about authentication, not about authorization. It’s not about identity verification. It’s just about a system that lets the user present credentials and lets other participants know that that user has presented the same credentials as the last time; so that whole idea of the persistent pseudonym.
Now, the way that the data actually flows, what data is in Passport, what data is in other places, the key thing to think about it is a user comes to any customer site and that customer site, any Passport partner site, that site wants the user to be authenticated, a redirect happens and the user is redirected to the Passport site, that at that site that the user enters in their username and their password, that they present their credentials. That’s the only place where those credentials are presented. Those databases are the only places where those credentials are stored.
What happens if the authentication is successful is that persistent pseudonym goes back to the partner site.
Now, if the user has their settings set so they want to share the profile information, whatever amount of that they have filled out in their Passport profile today, then that also gets encrypted, encrypted with a key that is specific to that partner site, and sent back to the partner site. So a partner site gets back either just the identifier or the identifier and some profile information. They decrypt it with their shared secret and then they can use that to populate forms, satisfy the registration or in many cases all that they’re doing is they’re taking that identifier, that’s their index into their databases that points to all their real customer information, that points to how that user has customized their Web site, what’s the information that that site is storing on behalf of that user, their account history, et cetera.
So no partner data ever goes back into Passport to get stored, and the credential information only stays in the Passport world.
One thing also to be aware of is Passport has been actually up and running at pretty significant scale since 1999. Now, obviously like any service, we’ve been evolving it a lot, but I wanted to point out just kind of how this service has evolved and will evolve with regard to the sharing model.
So, for instance, today we’ve got these 13 fields of profile information that you could go to Passport member services and fill out, and that’s the extent of what the whole system supports sharing of.
In the world of My Services, first off that profile information that’s currently like closely associated with Passport, that becomes just another one of the My Services and Passport becomes just the credentials, the secret questions, secret answers, et cetera, just the authentication store and service.
But all the My Services now have the same ability for the user to be able to share them with trusted partners, whether that’s trusted services or trusted individuals. That’s the second point, provide a mechanism whereby you can share your calendar with your wife or with your coworkers. You can share the free/busy on your calendar with the service where you make dentist appointments.
The sharing mode used to be opt-out, and earlier this year it went to opt-in in terms of that profile sharing.
The granularity in the system is still pretty coarse. You set whether or not I want to share my profile information. It's either with all Passport partner sites or with none, and in the My Services world those permissions are set on a service-by-service basis, much more finely grained.
And then finally on authentication options, obviously we started with username, password. In recent releases earlier this year we’ve added capabilities for a secure PIN as a secondary credential. We’ve also added capabilities for phone number and PIN for access for mobile devices.
And then we're very focused on enabling stronger credentials, because frankly when you look at the security of the system, and therefore the privacy that the platform is able to support, you know, a lot of it does come down to what are the user credentials, how is the user presenting themselves to this authentication system. And one challenge that we have, and I think that we all have, is how do we move to a world where, as users want to get more and more of their life online, we help them with stronger and stronger credentials. And so whether those are things like use of certificates and smart cards, or even things like just a secondary PIN or a stronger password or passwords that change, for those, as a platform provider, we believe we're not going to make the call for all services, but we think it's our job to provide the option for all services.
And we’re not there yet today. We don’t have a way for you to sign into Passport with your smart card yet. But rest assured that we’re working on it and we think that this whole vision only comes to fruition if you do have models whereby very sensitive data can be put on the net and users can feel good about it, something not only that they know but that they know and something that they have. And for some services it may be biometric information that gets involved.
One of the things, I think, in the very beginning of the video: he just came up and pressed his thumb on it and got logged into the system. On the day that it gets that easy for consumers to strongly identify themselves to a system, we're in a much better place in terms of the security and privacy that all of the services on top can make use of.
So I talked to you a little bit about authentication. The next step is authorization. So once the system has authenticated the user, knows what application is trying to access the data, there’s a set of steps that basically come into this authorization pipeline and either get granted access or don’t.
There are a couple different ways, different mechanisms, different inputs that come into this decision. So first off there’s what user, being represented through what application, and being represented with what strength of credential. That’s one of the inputs.
And the data that they get out is completely dependent on how does the user, the owner of that My Service data, has that user ever proactively gone in and added an entry that gave access to that user coming from that application with that degree of credential strength?
And the framework, the platform we've built, has the ability to have very fine-grained control, so you can say somebody only gets access to read my calendar and only gets access to the role that provides them with free/busy. And so setting those permissions doesn't give anybody access to the contents of my calendar. There are also mechanisms to have auto-expiration, so to be able to set, say, I want to give somebody permission, but that's going to time out in an hour or ten minutes or in a week.
So that level of granularity, the different views on that data and the auto-expiration, are things that are kind of baked deep in, in a technical sense, into the platform. Those are kind of the — figure those as the tools that we then have as a service, both for people who are building a new My Whatever Service and also for the applications that are built on top; these are now the tools that we get to build into as rich a consent model as we would like. And these do provide inputs that make it far richer than anything that we've ever seen before.
It means that somebody could build on top of the system a service that said, “You can come to my service and you can see all the account history, the information that I think is not highly sensitive, with just username, password,” and maybe I’ll say I want you to have signed in within the last hour, but then if there’s somewhat more sensitive information maybe I’m going to ask you for a secure PIN, and then if you’re actually going to, say, you know, execute a stock trade that’s over a certain amount, then that provider could have provisioned the end user with a smart card and required that that is the credential that needs to be shown in order for that transaction to take place.
So it's that kind of progressive thing, because there's this tradeoff between convenience and security. We know that we need a model that is not one size fits all, and so the focus in building this platform is delivering the ingredients that people can use to customize what their own experience is and what their own tradeoffs are of user convenience versus security.
So I think I’ve touched on most of this, the fact that the consent model is always user consented at the time of the interaction and the user is in control of what amount of information they share.
Now, the kinds of interesting challenges we have are I think, okay, so I’ve got this time window that I can set at the technology level, but what I really want to do, the thing that I’ve asked the teams to spec out is I would love it that when I go to make an appointment for my car, that I can give them one time access to my calendar to see my free/busy, to help me set up the right time that’s going to work for them, that’s going to work for me. That’s a great scenario. I want to make that super easy.
Well, one-time access is exactly the way the user needs to think of it. You know, it's like, "Ah, I haven't done business with this service before, with this provider. You know, I'm going to give them one-time access, but I don't like the idea of giving them access to my free/busy on my calendar like from here on out."
So that’s the user experience we want to have. Well, what does it really mean when the only way that you can really support it at the technology level is you can make one call or N calls into the service or you’ve got an N minute window available? And those are the kinds of design issues that we’re currently working through right now. You know, when the user experience says one time access, is there a hyperlink there, you click on it and it says what that really means is that this Web site will have access to this information for the next five minutes? So those are the kinds of things that we’re still kind of hashing out, how you have a user model that makes sense to users that maps down to a technology model that you can really implement and secure.
The things that we ask of the partners that participate in this ecosystem are obviously notice, consent, certainly consent for any secondary use. So that's: obtain consent when any additional access is required. Provide end users the ability to delete their information, share the minimum amount of information with third parties, and disclose that.
Now, with security we use best practices to secure sensitive data and other things like do you ever show a credit card on the screen in toto or not, that we’re also thinking through that, and here again the whole model is how do we just try to set a baseline for privacy and security in this ecosystem.
How far do we need to go? How far can we even go?
So at the PDC we had a bunch of our early adopter partners basically show user experiences of people taking advantage of this kind of a platform to book tickets and get notified when the plane was late and all these other interesting scenarios.
And every time that the service wanted access either to send an alert to somebody or to get access to read information out of a contact list, this is the user interface that popped up. This was kind of where we were four weeks ago, I guess, and this is one of the prototypes that we had.
This is a place again where we’re spending a lot of time. There are lots of things that aren’t in this prototype. We don’t have any mechanism for saying one time only, which I kind of am inclined to think might be the default, and then a very easy way for users actually, you know, I’ve done business with this site now three times; I don’t want to see this anymore, you know, grant permanent access to that site for access to this data with this intent.
So lots of interesting challenges around how to package it, but the model is that whenever a new access comes in, basically the only way that a service can get access to your My Service data is to drive this UI, this core platform UI to get popped up, the user interacts with this UI, this app is the only app that can write those permissions to the permissions file, and that’s how you secure the whole consent model.
In terms of registration, again it's another place where the user is interacting with the platform, and here what we want is a way to again make sure that it's very secure, that only the data that the user is saying they want to share, or ever even store in a My Service, is going into a My Service, and that that's clear to users. And so again here there is a need for some consistent UI but also a need for rich branding.
In all cases, for this to be a compelling platform for partners, they want to make sure that the platform isn't getting in the way of the user experience. Well, with the consent dialogue we're absolutely getting in the way of the user experience, but we're trying to do it in the most user-friendly way possible. But it really is a place where we've turned the dial to the user in control, do what's right for users even if sites who want to make use of it feel like, ah, you know, that's a problem. Now it's our challenge to make that as smooth as possible and do things like have the service be able to present in their words what they want the interaction to be, as well as kind of the well-defined standard intent statement that never changes from site to site.
So if we just kind of walk through a sample registration here, and say I think this was a case where we had a fictional service provider, and one of the things that they’re doing is they’re offering to set somebody up for their .NET account.
So as you flow it out, in this case, for instance, this is information that would go into my profile. Computer type, modem speed, those are things that, for instance, there's nothing in any of the My Services today that corresponds to. That service provider is just going to get back that information. It's not forwarded in any service.
And this experience, we call it flexible sign-in and flexible reg, and what it does is it gives a service provider the ability to provision somebody here or get somebody to have this .NET account filled out so that they can then make use of it later on in their service experience.
It’s totally up to the service provider how much of this — you know, they could choose that they don’t for some reason even want to have these .NET options, address, city, state. You know, it’s up to the service provider to kind of define that user experience. But we do it within the context of some consistent concepts.
So the last pieces of kind of platform mechanism, I guess, is account management. Once you set up an account, once you have a .NET account, you have a Passport and you have some services associated with that Passport or ID, we obviously feel we need to give the ability to add, delete and modify that data, so proactively add or modify permission, to go back and revoke people’s permission, and potentially even mechanisms to audit the use of your data.
Now, again auditing is another hot topic because anything that’s auditable by the user means it’s in our system. And there are lots of people who for good reasons want to be completely in control of what’s in our system, right. If it’s auditable by them, it means that it’s subpoenable by the government, for instance. And so we think that there are some cases where there’s operational data that just is in our system for us to keep the service up, but then there are other places, for instance, if we want to provide a feature that says do you want to track all the accesses to your information, that too would have to be kind of an opt-in model where the user is deciding, yes, I want to because that’s just another piece of the platform that we believe needs to be user in control.
So obviously security, everybody knows there’s no privacy without securing the data center, securing access to the system. The guys that I talk to at Microsoft around security are always talking, listen, security is a journey, not a destination. I don’t know if you’ve heard that from other Microsoft people in the past two days. We know that like you’re never going to hear us say we’re secure, unbreakable, uncrackable, no way. What you will hear us say, because we know that you can’t say that — we wish we could say it. In cases where we’ve figured out like we can say it about that, we may try to say it, but in general we don’t claim security. What we do claim, what we do is we invest like an insane amount of effort and focus on improving our security, day to day, week to week.
Now, why? Because we think like our business is depending on it. We’re not going to be successful if we’re not getting better and better and better at security.
So, you know, Microsoft, if nothing else, is a great learning company. I think we've been doing a lot of learning for a long time on security. We continue to learn. I think some things we're great at relative to all of our peers in the industry, but relative to our ambition and our desire to enable the kind of vision that I laid out, we know we've still got lots of learning to do. And every time there's an issue we learn more. Every time there's an issue that our test team finds that none of our guys knew about, before anything sees the light of day, and there are many more of those, we learn a lot.
So we are constantly learning, but I recognize that this is actually a big challenge for us to step up to is to continue to build the trust around security. And one of the reasons why events like this are fantastic is for us to understand what is it that we need to learn next, like what is it that we’re really not delivering on, that’s the next thing we need to focus on, and then how can we kind of contribute to everybody being able to kind of take the next step together in terms of our work getting more and more secure.
So obviously we’ve focused at the platform level a lot on how do we help the platforms to protect the data that’s stored in the platform, so obviously other things that we need to do in terms of the developers and the sites that sign up to make use of this platform, what are the best practices, are there things that you can actually say “thou shalt do this” that make business sense. Those are the questions in terms of the people who are making access to all these data services.
We are in the process of basically going through a certification process based on SAS 70, so Service Audit Standard. It's a very common standard. Probably all the security guys, my guess is, are familiar with it. It's a standard for asserting what your policies, processes and systems are, and then having a third party come in and basically attest to those operating policies.
As we are talking to more and more potential partners, who are interested in making more and more business use of this kind of a platform, it’s become clear to us that we need to be able to get very clear on what we are doing around all the trust issues and operational issues, and then have somebody come in and represent that that, in fact, is the case. And we recognize that this is also what other platform operators are going to need to do.
And so a lot of work right now for us we’re trying to figure out from Microsoft as a platform operator what’s the bar that we need to set for ourselves, what’s the bar that we need to set for us to be able to engage in the relationships in the industry that we need to, but we’re also thinking about this as these are also kind of like the same kind of issues that anybody who’s going to be a commercial operator like at the same level in this kind of a federated network is going to need to do.
And so this is an area where you'll definitely see us spending more time focusing and engaging the industry on to figure out, you know, for those of you who have gone through SAS 70 certification processes of your data center, what was important, what was it? What would be important for you to do business on a trusted relationship with a Microsoft data center?
Those are things that we’ve just started to engage customers that we’re already talking with on, and absolutely look forward to input from any of you.
We talked a lot just in terms of the security controls, for instance, around Passport, around the Passport protection. If the most important thing in our system right now is all those credentials, and because they are what give access to the other things in the system, how do we secure that data center?
Well, we talked about it as a vault, because it is. The Passport vault is different from all the other data centers that Microsoft is operating. And one of the things that that points to is that we all need to know that there are different levels of security, even at the physical security level, and they relate to a lot of considerations and not the least of which is economics.
So, for instance, we do the kinds of things at the Passport data center that we couldn't afford to do in the Hotmail data center. We've got much more rigorous detections at every level, so Hotmail data centers absolutely have first-level physical security, have second-level physical security, but the additional things about how we built out that data center, about what we do to ensure that, for instance, no data ever leaves that data center without being erased, no media ever leaves without being destroyed, about bonding operators and ensuring that there are security screens and additional rules about the people who have trusted access to this mechanism, how you build out the dedicated infrastructure around those databases that contain the information, that information, of course, is also encrypted on disk, how do you manage those keys; there's a lot of focus and infrastructure around the Passport physical data center.
Now, one thing that I said I’d talk about is the model for federating authentication. It’s something that I think there’s been a lot of interest in, because people recognize that we do need kind of this next level of capability on the Internet for how people can trust the identity of a user. And again that identity could be loose. It could be just this identifier and no other attributes associated with it, or it could be attached to a certificate that does assert something about the individual. Or it could be attached to profile information and that profile information may or may not have been attested to by anyone.
So the whole understanding of identity on the Internet, I think that what we talked about here, what I’ve talked about with Passport, that’s just the one piece. There’s also again an entire ecosystem around identity verification and attribute verification that again I don’t think is Microsoft’s core competency, core business, but what we hope is to be able to provide a platform that does enable all those companies’ just core competencies in businesses are around identity verification, attribute verification certificate, authorization, et cetera, to be able to participate in this ecosystem.
So this trust network is all about establishing trust around organizations, and we basically think that for this to be successful what we need are there are two different elements to this trust. The first one is there needs to be a technological model for federating systems, disconnected, independent system, or maybe not disconnected but independent systems running on whatever software, whatever hardware over the Internet.
We’ve chosen Kerberos as what we think is the best, most mature standard for federation of trust. It’s a standard that has been around since ’89, developed at MIT, currently being stewarded by the IETF on version 5 of the standard specs. That we think is a very well understood, well known security protocol. It’s one obviously that we know, that our Windows guys know, that’s actually fairly close in many ways to the way that we fashion the whole Passport ticketing system that’s in place today. And so we think that it’s a very viable model, not only for Microsoft to evolve to but for the whole industry to evolve to. And we’re very hopeful that others will participate and help not only adopt Kerberos V5 but help us engage with the IETF to figure out what are the ways in which Kerberos should be evolving to kind of make this trust capability more rich.
Now, the second thing, of course, there’s technology and then there’s the operating area, because the whole requirement around trust is critical to everything I’ve spoken about being successful. So, for instance, when we promise to customers that we will not make secondary use of their data, and when we promise to partners that we will not make secondary use out of any tracking information that may come through us an authentication system, those are things that we would like to be able to assert for the whole platform.
Because the vision here is one where your average Web site shouldn’t need to know about Kerberos at all, that we do not succeed if your average Web site needs to say, “Well, God, I guess I trust Kerberos tickets to come from these guys, these guys and these guys, but I don’t accept Kerberos tickets to come from those guys, these guys and those guys.”
The average Web site should be able to say, if I’ve got a Kerberos ticket and I know that it came from this one trusted partner, that is how I attach into this network, then that partner can attest to some things about that ticket. That partner can attest to the fact that, for instance, the originator of the ticket was a Kerberos key distribution center that was actually third party certified, and that there’s got to be a mechanism in the network for different expectations to be set and then asserted.
But there has to be kind of think of it as a strength level, not as at an operator level. We’re not looking to anyone to say, “Well, I’m going to take Microsoft tickets and not Yahoo tickets in a world where Yahoo is federated into this network, nor the reverse. It would be more, I will accept tickets — the ideal, the default case should be, I’ll accept any tickets by anybody who’s been certified as a commercial operator of a platform.
And so those are the kinds of things that get baked into, we think, the operating agreements that happen frankly on an ad hoc basis in any apparent relationship that there is today in any network of trust.
And so to take you through one of the key issues there and how do we formalize that, it’s something that we just started to think about. And I’ll walk through a couple slides that set up kind of one specific question that I think would be interesting to get your feedback on.
First, the operating agreement, I think I’ve touched on most of this. It is going to have to address things like privacy commitments, security practices, support for basic Service Level Agreements. And in some cases we’ll require independent certification, and then that needs to be the way that a service provider who is accepting an authenticator can say, “Listen, I’m going to accept anything above this level in terms of certification.” I may say that I will only accept people who have come in who are being authenticated with this strength of credential as well.
So giving sites the tools so that the sophisticated sites can ratchet up security wherever they want, but where the system is secure by default so that your average, the next person who would sign up, for instance, as a Passport partner site would get access only to — like would only accept tickets that are being third party certified, for instance.
Now, if they choose to say, you know, “I don’t care, I’m happy to accept an authenticated ticket from anybody, because I’m only using it for customization, I don’t worry about anybody tracking on any level and spoofing a user,” then they could say, “You know what, I’m going to ratchet down my security requirements there.”
But we think that it’s critical for this to be a successful platform that it’s low barrier to entry but it gives you great security.
Similarly with the users, you use My Services by default. It’s not shared by any of your other devices. It’s not shared by any people, any services. You need to proactively define and set up the sharing models that you want.
So to walk through just kind of in a diagram that helps to understand where are we today and where are we going just with Passport, today we’ve got, you know, we’ve got our 200 million user accounts in Passport, and so those are the secure databases here with the credentials. And then the Passport trust broker is the one that says, yes, this person has been securely authenticated, and then does the encryption pass through that information to the partner site encrypted with that shared secret. So Passport is both kind of the authentication system and this trust broker with those partner sites.
Now, once we evolve this service next year to support pure Kerberos tickets, that’s the mechanism by which we enable federation, not only with enterprises who have Kerberos systems for their own employees, but any other partner that wanted to authenticate users and then share those credentials through Kerberos with Passport, engage in a trust relationship with Passport, any of those individuals — so whether you were authenticated by Passport, by, you know, Boeing, if Boeing was a federated enterprise or a partner, a different service provider who was doing authentication, if they were in this federated model, those credentials, those identities would be recognized at partner sites just in the same way that Passport identities are recognized today.
And that federation is two-way. It also means that people who are here would at least get recognized by services that hang off here.
Now, again it’s completely independent whether or not any of those individuals are authorized to do anything, but it means that you at least have a model where, for instance, in an enterprise, an enterprise could decide that they are going to accept the incoming Passport identities and then use that as a mechanism for their extranet to allow three external parties and nobody else access to resources on their internal network.
When we talk about the Internet trust network, we think about something broader, and the analogy that we use or that I like the most is the one of ATM networks. Most of us can probably remember back to when we first got our first ATM card and it only worked at our bank. Now, if you remember back then that was a bit of a hassle because if you were near your bank, you had to go out of your way to get to your bank to get your money; and then what first of all was a set of networks, so Cirrus network, Accel, et cetera, that were multiple banks banding together so that they could basically make use of each of their points of presence to deliver better customer value. And then we’re getting to the point now where even these networks, these kind of trust networks have now appeared at almost a higher level so that, you know, I go to Europe and I can go to almost any bank machine and still get money out of my account in Seattle.
And we think that that’s been a very interesting evolution of a trust network, that we think could provide an interesting analogy for the way that this might evolve.
Now, a key question that we have, that none of us have the answers to, is what's the best way to evolve this kind of a trust network. Is it just a set of peer relationships between a bunch of big networks on the Internet? You know, you could imagine Identrus and their banking network; basically they're building a trust network across banks. They could be like a big network that peers at the highest level. AOL has huge consumer reach. They could be a big network that peers at this high level.
And you could absolutely imagine this system evolving where there’s some relatively small number of top nodes and everybody else plugs in just at some level in the hierarchy with some service operator that they have a relationship with. And that’s exactly the identical way in the banking community. It’s seven banks at the top. Any other bank in the world can plug into one of them and participate in the network.
But the other way that this could evolve is it would look more like this, which is where there is really a root node. Rather than a set of operators that have agreed to some peering relationship and have evolved that over time, so it went like a bilateral agreement that then got extended, that then got extended, that then got extended, it might be that the way that this plays out is a world where there are some — you know, think of it as like an ICANN like entity that is cross border, cross vendor, not any one company but that is providing that trust broker, is helping define guidelines, helping set forward what this looks like.
And we’ve just started to talk to partners and frankly to some competitors about how should this evolve, because when we talk to partners, partners want us to evolve this capability and they don’t want us to evolve it as multiple distinct non-interoperable islands.
And so there is clearly a desire at its heart, there are a lot of challenges to evolve in this, but I think it’s kind of inevitable. And so this is another area where you’ll see us kind of try to provoke some discussion and get some momentum around how do we think the right way to evolve this trust network is.
This is just, you know, for people who are trying to connect to the Passport network today, what are the options. We talked about what's available today, the ability to kind of have control of a namespace but still have it hosted in the Passport service, all the way to federation. And then we think that there are models in the federated world where you can have a service provider that's hosting authentication for lots of individuals or lots of entities, lots of organizations, in an ASP hosting model.
Now, I want to wrap with just kind of a few more things that they’re just like teasers I guess. One of my goals here was to try to kind of get people thinking — first off, I’m hoping that folks are excited about the vision about what we could enable in a world where you have these services, when users have the control that I’ve talked about and it’s a trusted ecosystem. I think it’s very exciting all the scenarios you can develop. I think there are many ways in which it would just make life better for users, for customers, and I think that there’s a lot of business opportunity for anybody who wants to then participate in that.
But the kinds of things that make it hard, the kinds of things that I worry about and that my guys worry about and that our partners worry about are things like how do we actually build out even kind of bit by bit this Internet trust network, both from a technical standpoint and from a policy standpoint.
How do we get users to basically adopt stronger security rather than abandon a system? There are things like if, you know, we’re successful with this, a user could have a credential and it could become pretty valuable to them, because it’s the way by which all these different sites know them. And if they were to abandon that credential, they’d abandon all that value associated with all those sites knowing them through that credential. So, you know, what’s the model by which we could like, a user could change their username, which in Passport, for instance, is their e-mail account, but not lose all that value.
There’s also a big challenge. As somebody who tracks privacy issues outside of the technology sphere, you know, the whole about is this Passport identifier just like the social security number or e-mail accounts or phone number that all these database markers are using to aggregate information today, only it’s going to be that much more valuable, and these are things that I actually do worry about and things that we’re trying to put at least some guidelines in place for.
For instance, having the licensing agreements state, all the partner contracts, that they are not allowed, it’s a breach of agreement, to use that identifier in any offline mechanism, to ever publish or share any personal PII data associated with that identifier.
So there are things that we’re trying to do to, like I said, when we can’t lock things down from a technology standpoint, trying to get out ahead of the curve in terms of the policies that we’ve put in place, and demand partners to commit to, to participate in the system. Really, this is a system where no application participates unless they have a secure app ID, which is a secure credential that gets strongly authenticated.
Well, I also think, you know, in a world where there has been leakage, like in today’s world, wouldn’t it be great if you could change your social security number? If you talk to anybody who’s actually had identity theft happen, the problem is there’s no way to then fix it. You get all these systems that are tied to the thing that got breached and there’s no way to move forward.
So figuring out how do we let a user, for instance, say I want to change that persistent pseudonym, but I want, you know, can you give me some help and tell me all the people that I’ve used it at, if they’ve chosen to have the platform store that information, and then I want to pick and choose who I want to be updated on my new identity. So a world where your identifier could change, all the value would go with it, and maybe you’d just go back to square one and you’d say these ten sites, I want those to know that I’ve changed my address in the online world, but nobody else.
So there are some interesting challenges, and I don’t profess to have the answers, by any means. I just want to give people a sense of the ways in which I think we can evolve the system to be way better from a privacy standpoint than today’s current system.
Another example is, you know, in a world of the future, merchants shouldn’t have to know my credit card number to know that I’m good for the transaction that just happened. There should be some mechanism where the issuer, the bank, could actually say that they’re good for it, trust me, and here’s the token that you can use this one time.
Similarly, merchants shouldn’t have to know your home address to be able to ship you something, if UPS knows your home address and can give that same, you know, secure credential that says, “Hey, I’ll get it there, trust me.” That might be a lot more comfortable for users. In a world like that, would there be a lot more e-commerce?
So there are lots of ways in which I think that we can move the whole industry forward by building kind of a platform that supports more privacy at every step and it’s challenging, but it’s an exciting vision.
So to wrap up, trust is not something that I or we think about just kind of during these three days. We think that it’s actually pretty tied to how well Microsoft’s products, services and corporate image are going to be considered years from now, and key to our whole business.
We love making platforms, and as kind of a new kind of platform it’s got a lot of its own challenges, but it seems very doable, and it seems doable in a way that is going to have an impact, could have an impact on the whole industry in very positive ways.
And everything that I’ve seen, or all the authentication mechanisms, the authorization models, those are all models that we believe people will be able to then incorporate in their own silos within their own enterprises running their own My Services identity-centric services of their own creation but with the same underlying architecture.
I think we’re making great progress and clearly have lots of work left, and I look forward to working together with many of you to help us actually get there.