Microsoft Submits Draft on Security Interoperability to W3C

Reaffirms commitment to open Internet review and standards processes

May 1996

Microsoft submits the Personal Information Exchange (PFX) draft to W3C and reaffirms its commitment to open Internet review and standards processes.

Microsoft's Goals for Security Technology
Microsoft's Commitment to Openness

SET - Secure Electronic Transactions
STLP - Secure Transport Layer Protocol
PFX - Personal Information Exchange
Microsoft's Invitation


Microsoft's Goals for Security Technology

To address a critical need for increased security in personal computers and on the Internet, Microsoft Corporation will be taking a leadership approach to providing security technologies to meet the needs of developers, corporations, and end users. Microsoft's goals are as follows:


Microsoft's Commitment to Openness

To date, Microsoft has made several efforts to deliver on the goals stated above.

SET - Secure Electronic Transactions

Last fall, Microsoft worked in conjunction with Visa, Mastercard, Netscape, and others to agree upon a single standard for secure transactions. Despite the fact that two different specifications existed -- Secure Transaction Technology (STT) and Secure Electronic Payment Process (SEPP) -- Microsoft worked hard to contribute to a converged specification. By June 1996, a combined spec -- Secure Electronic Transactions (SET) -- will have been through an open comment process and will be finalized. Both the industry and customers will benefit from this single standard.

STLP - Secure Transport Layer Protocol

Microsoft has made a similar effort to create a single specification for secure channels. Today, there are two widely used secure channel protocols: Netscape's Secure Sockets Layer (SSL) and Microsoft's Personal Communications Technology (PCT). As with SET, the industry would benefit tremendously from a single standard that combined the best of both of these specifications. To help facilitate a single specification, Microsoft created a discussion draft called STLP (Secure Transport Layer Protocol). The discussion draft is not a specification suitable for implementation; it is a starting point for a converged specification.

This draft starts with Netscape's SSL 3.0 and adds features from Microsoft's PCT 2.0 based on feedback from cryptographers and implementers. It is intended to provide a simpler and more robust implementation, with additional scalability, improved security, and the additional functionality needed for wider application of the specification. This draft has been shared, via the IETF, with Netscape and other firms who have provided substantial input to SSL and to PCT.

To support this effort, the W3C has created the ietf-tls@w3.org list server to foster convergence of these protocols. The current plan calls for a draft document to be presented at the IETF Montreal Conference in June.

By working with the IETF and by fostering an open design review, Microsoft hopes that the industry will be able to benefit from a single secure channels protocol.

PFX - Personal Information Exchange

Today, users face another tough security problem in the protection of the following private information:

Users must be able to transport this personal property securely and offline from one browser to another, and from one platform to another. Specifically, users cannot accept being locked into using only one machine or one browser make and model for cryptographic operations. The scenario below clearly explains the need for this functionality.

A single end user, let's call her Alice, may spend hours at the office getting certificates, keys, and secrets on her office IBM-compatible machine with the "brand X" browser. She then needs to take them home -- securely -- to use on her home Macintosh with the "brand Y" browser. She should also be able to take them to a neighbor's house, to a mall, to a kiosk, and so on. If she does NOT have this capability, she will be locked into using one machine, one platform, and one brand of browser.

Currently, no standard exists to facilitate this transportation of information. However, as of today, Microsoft is submitting a discussion draft called Personal Information Exchange (PFX) to the W3C Subgroup on Identity. PFX is a discussion draft that provides a way for clients to transfer personal data from one environment to another without online server intermediaries.

As with both SET and STLP, the goal with PFX is to establish a single technology solution (as agreed upon in an open process via an established standards body) to solve an important security need. Microsoft encourages any developer who is interested in this technology to provide comments in the upcoming W3C forums and meetings.


Microsoft's Invitation

To end up with the best security technology to meet the needs of developers and end users alike, and to prevent incompatible standards from emerging, Microsoft would like to encourage other software developers to submit their security technologies to be processed through an open design review. To date, Microsoft has made efforts with SET, STLP, and PFX. There are several other technologies we expect to submit for open review in the coming months. In the spirit of providing the industry with the right technology, for review in an open process and for use on multiple platforms, we'd like to encourage other developers to do the same.

© 1996 Microsoft Corporation