To: Pruguy who wrote (28939) 11/13/1999 11:47:00 AM From: Jerry Feder
Found in the 11/13 InfoWorld (November 15, 1999 issue):

Microsoft and Novell compete in creating single Internet sign-on for your e-shopping

Being the ever-skeptical security guys is getting to be a tough racket. And our job is going to get even harder with the soon-to-be-fought war between giants Microsoft and Novell over who will provide online information management services for the hordes of users looking for an easier online experience.

We refer, of course, to Microsoft's new Passport and Novell's recently announced digitalme services (www.passport.com and www.digitalme.com, respectively). Touted as "identity and relationship management" (digitalme) and "single-sign-on/wallet" services (Passport), designed to help electronic business grow, they have the potential to revolutionize the Internet.

The primary notion behind digitalme and Passport is user-centric control over transactional-information exchange, an idea discussed in depth in the new book Net Worth, by John Hagel and Marc Singer (ISBN: 0875848893). Net Worth presages that a new class of entities called "infomediaries" will spring up to manage user information and use it as a bargaining chip in the negotiation between buyer and seller. Microsoft and Novell are placing themselves squarely into what appears to be the role of infomediaries. This is nothing new for Microsoft, which has long strived to be at the center of everything. It is a new role, however, for Novell, which is moving from that of a strictly product-based organization to that of service provider.

The trick that digitalme and Passport will have to pull off is user-controlled, end-to-end encryption of data, with no excuses. That means Secure Sockets Layer (SSL) from browser to service and from browser to merchant, and encryption of data while on disk in the digitalme and/or Passport server rooms.

Microsoft and Novell will have to offer additional protections to ensure that their personnel who administer the services will not have inappropriate access to user data. They will also have to pay careful attention to cached credentials left on user systems or public kiosks and, of course, to logical and physical security of the servers housing user information.

Descriptions of the respective architectures on the vendors' main Web sites are vague but, with a little digging, you can learn more about just how secure your information will be when residing with digitalme or Passport. In the case of Passport, Microsoft pointed us to www.passport.com/business/sdk.asp. Microsoft provides a laudable amount of information. Here are the essentials: A user visits a merchant site, clicks on a cobranded Passport button, and then the user authenticates to Microsoft-hosted servers, which then set time-sensitive, 3DES-encrypted cookies on the user's system. These cookies can be read only by the specific merchant site (using a key shared by Microsoft and the merchant). If a timeout occurs or the user signs out, the cookies are deleted. The Wallet service is similar, but it uses a simple HTTP Post action, not cookies, over an SSL connection to fill in credit card data from the Microsoft-hosted servers. The result: Merchants have outsourced their authentication to Microsoft.

Novell's site was much less forthcoming, and we were unable to talk directly with the company by press time. However, by piecing together information on the Web site, we surmised that Novell intends to offer similar functionality. Where Novell diverges is on the back end; Novell Directory Services (NDS) forms digitalme's security underpinnings. This allows digitalme to provide services beyond single sign-on and filling in forms; these could include a personal directory service where access to data elements can be tailored to suit individual needs.

Checking out www.novell.com/products/sso/index.html gave us a glimpse of the power of NDS-based access control using Novell's Single Sign-on technology, which keeps user information in an NDS schema extension called Secret Store; not even administrators can access user information. We wonder how tightly the newly announced (and free!) Digital Certificate Server will be integrated with future revs of digitalme.

A lot of questions remain unanswered, and even if the technology can be made to appear bulletproof on paper, a great deal of trust will have to be granted to Microsoft and Novell. Third-party certification may evolve to help raise those trust levels, but ultimately users will have to put aside some risk aversion and just take a leap of faith.

In our brief testing of the services, we certainly appreciated the great convenience that they brought to e-shopping and just general surfing. (It may yet cure the wrist pains we've inherited from filling in old-fashioned forms.) In the long run, it appears that improved ease of use will probably overwhelm us old security curmudgeons anyway, so we're optimistic. How about you? Send comments to security_watch@infoworld.com.
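The Passport cookie model the article describes (a time-sensitive, 3DES-encrypted cookie that only the one merchant holding the key shared with Microsoft can read), worked through as an added Go example that is not from the article, Microsoft or Novell: an assumed issuer function mints the ticket and an assumed merchant function verifies it, rejecting a cookie presented to a different merchant, one past its expiry, and one that was altered in transit. 3DES-CBC follows the article; the HMAC-SHA256 tag, the ticket layout and the key values are assumptions, and the sign-out deletion is left to the browser side.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Issue (issuer side) builds the cookie value IV || 3DES-CBC(expiry || user) || HMAC-SHA256 tag under
// the 24-byte key shared with ONE merchant; expiry is a unix timestamp. The tag is an addition the
// article does not mention: without it a CBC-encrypted cookie can be altered without detection.
func Issue(sharedKey []byte, user string, expiry int64) ([]byte, error) {
	block, err := des.NewTripleDESCipher(sharedKey)
	if err != nil { return nil, err }
	plain := make([]byte, 8)
	binary.BigEndian.PutUint64(plain, uint64(expiry))
	plain = append(plain, user...)
	pad := 8 - len(plain)%8 // PKCS#7 padding to the 8-byte DES block size
	for i := 0; i < pad; i++ { plain = append(plain, byte(pad)) }
	cookie := make([]byte, 8, 8+len(plain)+sha256.Size) // leading 8 bytes are the random IV
	if _, err := rand.Read(cookie); err != nil { return nil, err }
	cookie = cookie[:8+len(plain)]
	cipher.NewCBCEncrypter(block, cookie[:8]).CryptBlocks(cookie[8:], plain)
	mac := hmac.New(sha256.New, sharedKey) // key reused for the MAC only to keep the example short
	mac.Write(cookie)
	return mac.Sum(cookie), nil
}

// Verify (merchant side) checks the tag, decrypts, and rejects tickets whose expiry is not after
// now. A cookie issued for another merchant fails the tag check because that merchant's key differs.
func Verify(sharedKey, cookie []byte, now int64) (string, error) {
	block, err := des.NewTripleDESCipher(sharedKey)
	if err != nil { return "", err }
	if len(cookie) < 16+sha256.Size || (len(cookie)-sha256.Size)%8 != 0 { return "", errors.New("malformed cookie") }
	body, tag := cookie[:len(cookie)-sha256.Size], cookie[len(cookie)-sha256.Size:]
	mac := hmac.New(sha256.New, sharedKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { return "", errors.New("bad tag: wrong merchant key or tampered cookie") }
	plain := make([]byte, len(body)-8)
	cipher.NewCBCDecrypter(block, body[:8]).CryptBlocks(plain, body[8:])
	plain = plain[:len(plain)-int(plain[len(plain)-1])] // padding is trusted once the tag has matched
	if int64(binary.BigEndian.Uint64(plain[:8])) <= now { return "", errors.New("ticket expired") }
	return string(plain[8:]), nil
}
```

The merchant never learns Microsoft's credentials for the user, only the ticket contents; the article's deletion on timeout is a browser-side convenience, while the expiry check here is what the merchant must enforce regardless.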