RE: JAVA

[Russ <Russ . Cooper @ RC . Toronto . on . ca>]

Rather than listening to others talk about what they think Microsoft is up 
to with its "Windows Trust Verification Service", why not download the 
ActiveX development kit and read the document WINTRUST.DOC which contains 
the specification for the WinVerifyTrust API? If you don't want all 12MB of 
the AXDK, then send me a mail message and I'll forward you the API spec 
only.

Basically, Microsoft is proposing an API which can be used to contact a 
Trust Authority, through either a Trust Provider (a piece of software which 
determines rules for how Trust is to be verified) or a Trust Administrator 
(which could be local or off-site and determines which Trust Authorities 
should be consulted, how, and when).

Please note, none of the companies I will mention here have, to my 
knowledge, made any indications yet about supporting this mechanism, I'm 
only using them to provide an example of how this mechanism might work in 
practice.

This mechanism provides a means to use a company, say McAfee for example, 
as your Trust Authority for verification as to whether or not an object 
contains a virus. You might, at the same time, for the same object, use 
Microsoft as the Trust Authority for the validity of their products. You 
might also use the Association of Shareware Developers (or whatever that 
group is called) as your Trust Authority for any object which is not 
supported by your other Authorities. You might, again, for the same object 
at the same time, use Stream, or Corporate Software, as your Trust 
Administrator, using them to verify that the object is licensed.

The point is, with this API, it offers current vendors a way to supply 
licensing across the net. It also provides a means for shareware or 
freeware vendors to add some legitimacy to their products by having them 
certified by some authority, much as they do now by having their products 
hosted in the SWEG forum on CompuServe. You might use one authority to 
verify that the product really is the product it says it is, and another 
authority to verify whether or not the product is the latest version, and 
still another to verify whether or not it has a virus. If any one of these 
authentication's fail, you could prevent the use of the object either 
through a local administrative model or through a service set up and hosted 
by some other trusted entity.

This really opens the potential for selling software over the Internet in a 
way that will ensure that royalties are paid, customers receive the real 
product, and virus don't get introduced in the process. Providing a means 
to do this via the Internet should substantially increase the opportunities 
for smaller software vendors whose marketing models don't allow them to 
compete globally. What the heck do I do with a cheque from Prague in 
Toronto? and what does the customer do until I get, and clear, the cheque?

As for freeware and shareware, well, today that is discouraged in many 
organizations anyway simply because of the potential problems it can create 
on a network. This mechanism provides a means for the Browser to validate 
an object with the appropriate authorities before it can execute, so even 
if someone brings something in on a diskette and tries to use it 
internally, the authentication would have to be validated within the 
constructs of the Trust Administration model that has been established.

Now this is only a spec, and subject to all the derision that the usual 
folks will subject it to, but if you ask me, as a spec, its far better than 
anything we've seen from Sun for Java. We still have not seen what the 
Trust Administration or Trust Authority server platform is going to look 
like, where it will be hosted, or how it will force the browser to 
communicate with it, but I suspect that this will be a public spec put 
forward as an RFC and that Microsoft will encourage its adoption into many 
platforms. I think this is something that will have to be integrated into, 
or work closely with, firewalls.

Many of you may not believe this, but I was convinced at the Microsoft 
Professional Developers Conference recently that Microsoft has finally 
figured out what the Internet is, how the RFC process works, and what it 
takes to get people to take you seriously when it comes to the Internet. 
They have shown very significant changes in their OS products which 
essentially turn the entire OS into a browser. Now as yet they have not 
shown much in the way of security beyond crypto stuff for doing VPN type 
things, but I believe we will see a change in this respect as well, this 
coming quarter.

See, you can teach an old dawg new tricks...;-]

Cheers,
Russ