This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://comment.silicon.com/0,39024711,10004119,00.htm


The Bloor Perspective: Trusting Trustworthy Computing and m-commerce made easy
This week Robin Bloor and his team of analysts look at whether Windows Server 2003 is the secure platform Microsoft can build on and mobile buying technology from Bango.net...

By Bloor Research

Published: Monday 12 May 2003

There are two elements to trustworthy computing: the trustworthiness of the vendor's offering and the extent to which the offering delivers the backbone of an enterprise trust infrastructure.

In Microsoft's case, the big question is how much you trust them. A fundamental constituent of Microsoft's Trustworthy Computing initiative is: "Reliability. The customer can depend on the product to fulfil its functions." No-one wants to be a guinea pig and, after all, Microsoft hardly has a track record of designing secure platforms.

Only that's not entirely true. Recent accreditation to Common Criteria EAL4 puts Windows 2000 on a security par with most hardened versions of Unix. For a commercial off-the-shelf operating system that is no mean feat and is a fairly good precedent for the future because, once achieved and for it to be meaningful, accreditation has to be maintained. Expect to see the same for Server 2003.

How far Server 2003 goes in supporting an enterprise trust infrastructure depends more on your perception of Microsoft than on the capabilities of Server 2003. As a platform to support secure anytime, anywhere, any device computing it incorporates a rich set of capabilities balanced with a security discipline formerly only known to the B1 fraternity. One wonders why it really took Microsoft so long to realise everyone else was right.

Microsoft has invested significantly in its catch-up exercise, particularly in the area of "secure by default". This has been achieved through a combination of adopting good practice (reducing the total number of services running by default, running services at lower privileges than SYSTEM, redesigning IIS) and a bit of innovation through the introduction of the Common Language Runtime.

In addition, Microsoft has introduced better and more secure auditing capabilities. Furthermore, there is now a wealth of supportive guidance to help customers deploy securely.

The PKI capability in Server 2003 focuses on ease of use and cost of ownership. Microsoft sees it as an important technology, especially in the wireless environment, and in conjunction with smart cards. Not that this totally rules out Kerberos. A key part of Server 2003 security is its ability to support both Kerberos and PKI, with a mechanism to translate between them - protocol transition. However, one is left thinking that Kerberos support has been enhanced solely to facilitate support of the Kerberos legacy. That is, backwards compatibility.

In light of recent announcements from the Liberty Alliance camp, it is interesting to observe that a significant amount of effort has been put in to support a federated trust environment. Regrettably this appears to be unilateral.

That is, Server 2003 can accept credentials and create a useful single sign-on experience for your partners, suppliers and clients, but it seems that you cannot pass out an identity tailored to their requirements. Which, I guess, is OK if everyone is using Server 2003, but they probably are not. This is the type of parochialism that gave IBM a bad name twenty years ago.

It would not be too far off the mark to describe Server 2003 as a near fully integrated security appliance. It supports PKI, data encryption, identity management, system management, network security, audit, authentication and authorisation. It is designed to provide a platform for secure web applications and secure mobile access, as well as its more mundane duties.

If you believe that maybe Microsoft have cracked it, then security appliance vendors could well be under threat since Microsoft have bundled 'free' just about everything they do, either in Server 2003 or at little extra cost with ISA server.

It's not going to be for everyone but some of the case studies might be worth a look.

*Bang goes anonymous m-commerce*

What if you could access items of content from content providers but not have to keep logging on each time? Now this might sound like the idea behind Microsoft's .Net Passport, with one account for all online services, but this is different.

First it's for mobile phone users. Last week Bango.net announced Bango Fingerprint, which provides a unique identity aimed at smoothing the communication between a mobile user and a mobile site that offers content. This identity or fingerprint can be used in a similar way to a website and browser using cookies. This means a content provider can automatically authenticate a returning user, and even provide some continuity services such as managing a 'shopping basket' of multiple items being purchased.

All well and good you may say but what about my privacy? Bango itself holds the fingerprint tokens on its server, and these tokens don't reveal the user's name or phone number to the content provider, just the fact that you're the same user who was there earlier. Bango accounts also provide access to a variety of billing services for content providers, so this is really an extension of that facility. Again, the content providers don't access the user's billing information directly, they just get to know if they're good for the money.

And fraud? From the content providers' perspective they can see if the fingerprint is valid and even double check over the air with Bango. Users have to be careful, but no more so than usual. The fingerprint uses the unique ID of the phone in conjunction with checking the route from the operator's gateway, so it is tied to the SIM.

Of course if a phone is lost or stolen there is the possibility of fraudulent use until reported and barred, when the Bango account would be frozen. However, the average Bango account balance is around 40p, so in the event of phone theft or loss, it's likely that losses from fraudulent expensive calls would be the larger concern.
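The privacy and fraud properties described above (the broker alone can map a token back to a subscriber, the content provider only learns "same user as before", a token can be checked with the broker, and a frozen account stops validating) can be illustrated with a keyed pseudonymous-identifier scheme. The code below is an added example written for this article; it is not Bango's code and does not describe how Bango Fingerprint is actually built. The `FingerprintBroker` class, the HMAC construction, and the device, route and provider names are all assumptions made for illustration.

```python
import hashlib
import hmac


class FingerprintBroker:
    """Hypothetical identity broker (illustrative, not Bango's real design).

    The broker holds the only mapping from a stable token back to a
    subscriber. A content provider receives a token that is stable for
    that provider but carries no name or phone number, and tokens issued
    for one provider do not validate for another.
    """

    def __init__(self, master_key: bytes):
        self._key = master_key
        self._frozen = set()   # subscriber ids whose accounts are barred
        self._issued = {}      # token -> subscriber id, kept broker-side only

    def _subscriber_id(self, device_id: str, gateway_route: str) -> str:
        # Bind the identity to both the handset/SIM identifier and the operator
        # gateway the request arrived through (assumed inputs for this example).
        return f"{device_id}|{gateway_route}"

    def _token_for(self, subscriber: str, provider_id: str) -> str:
        # Provider id is mixed into the MAC so each provider sees a different,
        # unlinkable token for the same subscriber.
        msg = f"{provider_id}:{subscriber}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def issue(self, device_id: str, gateway_route: str, provider_id: str) -> str:
        """Called on the broker side when a phone is routed to a content site."""
        subscriber = self._subscriber_id(device_id, gateway_route)
        token = self._token_for(subscriber, provider_id)
        self._issued[token] = subscriber
        return token

    def freeze(self, device_id: str, gateway_route: str) -> None:
        """Bar the account, e.g. after the phone is reported lost or stolen."""
        self._frozen.add(self._subscriber_id(device_id, gateway_route))

    def verify(self, token: str, provider_id: str) -> bool:
        """The 'double check over the air': is this token valid for this provider?"""
        subscriber = self._issued.get(token)
        if subscriber is None or subscriber in self._frozen:
            return False
        expected = self._token_for(subscriber, provider_id)
        return hmac.compare_digest(expected, token)


def demo() -> dict:
    """Exercise the properties the article describes, using constructed values."""
    broker = FingerprintBroker(master_key=b"constructed-demo-key-do-not-reuse")
    device, route = "IMEI-DEMO-0001", "operator-gw-demo"

    t_ringtones = broker.issue(device, route, "ringtones.example")
    t_games = broker.issue(device, route, "games.example")

    results = {
        # Returning user gets the same token at the same provider.
        "stable": t_ringtones == broker.issue(device, route, "ringtones.example"),
        # Two providers cannot correlate the same subscriber via the token.
        "unlinkable": t_ringtones != t_games,
        # Provider can confirm the token with the broker.
        "valid": broker.verify(t_ringtones, "ringtones.example"),
        # A token replayed to a different provider does not validate.
        "wrong_provider": broker.verify(t_ringtones, "games.example"),
        # The token leaks neither the device id nor the route.
        "no_identity_in_token": device not in t_ringtones and route not in t_ringtones,
    }

    broker.freeze(device, route)  # phone reported stolen
    results["after_freeze"] = broker.verify(t_ringtones, "ringtones.example")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-provider scoping is the design choice worth noting: because the provider identifier is mixed into the MAC, a token captured at one content site is useless at another, and the broker remains the only party able to link activity across sites or back to a billing account.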

So why is this important? First, it's a slicker and friendlier user experience, and second, from the content providers' viewpoint, they can offer a personalised service, because they recognise who's coming back. That recognition is based not on the user's true identity but on their buying patterns with that content provider. They can concentrate on marketing and how best to generate returns from their content.

But ultimately it's important because if mobile commerce is to succeed, it has to be convenient. Anil Malhotra, one of the founders and VP of marketing and strategic alliances at Bango, states: "It's not the quality of the product that prevents a sale, it's how easy or difficult it is to make the purchase."

That's a challenge for a mobile user, where the screen is tiny, and user interface navigation can be tedious.

Ringtone provider Phunkyphones has already adopted Bango's Fingerprint, and with many other mobile content providers looking for ways to increase revenues, there are sure to be others.

Bloor Research is a leading independent analyst organisation in Europe. You can find out more at www.bloor-research.com or by emailing mail@bloor-research.com.