Microsoft's Support for Open Security Standards
Microsoft Corporation
July 12, 1996
Introduction
In the emerging world of electronic commerce and private business-to-business communications on the Internet, security is vital. Open security standards, developed and managed through industry standards groups and consortiums, are required to ensure that the infrastructure for secure electronic commerce and communications between parties that have had no prior communications can be created. Because of this need for secure electronic commerce between all parties on the Internet, no matter what browser or server is used, standards need to be open to ensure that change control does not belong to a single company or individual. Industry groups are critical to developing and maintaining standards to guarantee smooth interoperability across the entire Internet. Microsoft is committed to helping develop open, robust, secure standards for Internet security in several areas.
Microsoft's Mission for Internet Security
- Providing the most robust technology to meet customer security needs as they interact on the Internet.
- Working with standards bodies to ensure adoption of the best technology to meet customer needs and ensure interoperability.
- Proliferating security standards in Microsoft technologies and delivering them in Microsoft operating systems and browsers.
- Building security into our existing applications.
Microsoft Promotes Open Internet Security Standards
Microsoft promotes open Internet security standards by:
- Actively participating in standards working groups (such as the Internet Engineering Task Force [IETF]).
- Contributing ongoing technical resources to the collaborative development of new standards through the World Wide Web Consortium (W3C) and the PKCS (Public Key Cryptography Standards).
- Reviewing, refining, and sharing its technology with other Internet developers in open design reviews.
- Posting new security technology proposals on its Web site for comment and eventually for Internet standards.
- Sponsoring ad hoc meetings with other companies to discuss and promote cooperation on security standards.
- Distributing critical security software free-of-charge on the Internet.
Examples of Microsoft Standards Efforts
W3C Code Signing
- Microsoft submitted proposal
- Proposal endorsed by over 40 companies
- First working group includes Microsoft, Netscape, IBM, Java Soft, and Apple
- Microsoft chairs one of two working groups
- Microsoft submitted PFX proposal to ensure interoperability of private information from browser to browser, O/S to O/S, and machine to machine
Transport Layer Protocol Working Group (IETF-TLS)
- Group created at Microsoft's urging
- Microsoft published straw man "discussion draft" protocol based on Secure Sockets Layer (Netscape's protocol)
- Active participation and funding of independent consultant to write next draft of specification
JEPI (Joint Electronics Payment Initiative)
- Microsoft is on core team committing technical resources to the project
- Microsoft browsers featured in interoperability demonstration fall 1996
SET (Secure Electronic Transactions) VISA, MasterCard
- November 1995, Microsoft urged MasterCard and Visa to unify Secure Transaction Technology (STT) and Secure Electronic Payment Process (SEPP)
- Part of SET core working team
- Major contributor of cryptography technology
Special Interest Group
- Hosted an ad hoc meeting to promote security standards (May 1996)
- Purpose: to prioritize security initiatives and provide this as input to standards bodies so they can focus on most important issues
- Results: one meeting held, most issues are now being covered by IETF and W3C working groups