.NET UPDATE, August 22, 2002

.NET UPDATE —brought to you by the Windows & .NET Magazine Network
http://www.winnetmag.com


THIS ISSUE SPONSORED BY

Insider's Guide to IT Certification eBook
http://winnet.bookaisle.com/ebookcover.asp?eBookID=13475


SPONSOR: INSIDER'S GUIDE TO IT CERTIFICATION eBOOK

GET THE EBOOK THAT WILL HELP YOU GET CERTIFIED!
The "Insider's Guide to IT Certification," from the Windows & .NET Magazine Network, has one goal: to help you save time and money on your quest for certification. Find out how to choose the best study guides, save hundreds of dollars, and be successful as an IT professional. The amount of time you spend reading this book will be more than made up by the time you save preparing for your certification exams. Order your copy today!
http://winnet.bookaisle.com/ebookcover.asp?eBookID=13475


August 22, 2002—In this issue:

1. COMMENTARY

  • Microsoft Settles with the FTC over .NET Passport

2. .NET NEWS AND VIEWS

  • Microsoft Issues Second .NET Framework Service Pack

3. DOT-TECH PERSPECTIVES

  • Introducing UDDI 3.0: Support for Digital Signatures

4. ANNOUNCEMENTS

  • Take Our Survey and You Could Win a Free T-Shirt!
  • Real-World Tips and Solutions Here for You

5. RESOURCE

  • Event Highlight: Windows .NET Server DevCon

6. NEW AND IMPROVED

  • Develop Interactive Reports
  • Submit Top Product Ideas

7. CONTACT US

  • See this section for a list of ways to contact us.

1. COMMENTARY
(contributed by Paul Thurrott, news editor, [email protected])

  • MICROSOFT SETTLES WITH THE FTC OVER .NET PASSPORT

    Within the scope of Microsoft's wider antitrust problems, the company's recent settlement with the Federal Trade Commission (FTC) regarding privacy concerns with the .NET Passport service might not rate as dramatic news. But by admitting that it hasn't done enough to respect and protect users' privacy, Microsoft ultimately will better serve its customers and engender trust in a service that so far hasn't been a success. News of the settlement arrived roughly a year after the FTC began its investigation of Microsoft. Here's what happened.

    In July 2001, 13 consumer privacy groups complained to the FTC that the privacy policies Microsoft was employing in .NET Passport were inadequate, potentially allowing the company to share confidential information about its 200 million users with third parties. The groups stated further that the security Microsoft employed in .NET Passport was inadequate and that a successful attack by a malicious intruder could expose millions of users' credit card, address, and social security information, along with other confidential data. Finally, the groups said that Microsoft was unfairly requiring users of its Windows XP OS--then in beta--to subscribe to .NET Passport to access certain XP features, such as Windows Messenger's file-sharing capability. This requirement, they said, was clearly an indication that Microsoft's illegal monopolistic practices remained unchanged.

    During the past year, the FTC investigated these claims with Microsoft's full cooperation. And about 2 weeks ago, the agency announced a landmark settlement in which the software giant agreed that its .NET Passport privacy and security measures weren't adequate. According to the terms of the agreement, which will remain in force for 20 years, the FTC states that Microsoft deceived customers about .NET Passport's security features, the amount of information the company collects from users, and the amount of control parents have over their children's personal information online. Specifically:

  • Microsoft claimed that users' ".NET Passports [are] protected by powerful online security technology and a strict privacy policy," when, according to the FTC, the company wasn't doing enough to protect users' privacy.

  • Microsoft claimed that using .NET Passport wallet for online purchases was "faster and more secure" than using a credit card, which isn't the case.

  • Microsoft collected personal information that the company didn't specify in its privacy statement, including personally identifiable records about the sites .NET Passport users visited along with the dates and times they did so.

  • Microsoft advertised Kids Passport as a service that would let parents control their children's online privacy. In actuality, Microsoft collected information about Kids Passport users and passed the information to .NET Passport-enabled Web sites.

    According to the settlement with the FTC, Microsoft agreed to stop misrepresenting .NET Passport security features and how the company collects information; the company faces fines of $11,000 per violation per day if it violates the agreement. Microsoft must also hire a third-party consulting firm to assess .NET Passport's security risks both immediately and every 2 years during the time the settlement remains in force. The company says that it has already resolved some of the concerns listed in the settlement by bulking up .NET Passport's security features and ensuring that Kids Passport works as advertised.

    Interestingly, the FTC settlement didn't address one of the privacy groups' key complaints--about XP and .NET Passport bundling--and the commission had no comment about this charge when it announced the settlement. FTC Chairman Timothy J. Muris did point out during a press conference explaining the settlement that the agency didn't uncover any security vulnerabilities during its yearlong investigation but rather found only the potential for compromise. Muris also noted that Microsoft never shared any private customer information with third parties.

    What does the FTC settlement mean to you? If you're a current .NET Passport customer, it means that .NET Passport and any personal information you store with the service will be more secure than it was previously. In my opinion, .NET Passport will undergo major changes or be dropped entirely in the near future, and Microsoft's agreements regarding the service will be rendered moot as a result. Given Microsoft's earlier changes to .NET My Services (formerly code-named HailStorm)--which was originally planned as a consumer-oriented set of services connected with .NET Passport--and the company's interest in interoperability with the standards-oriented Liberty Alliance Project authentication server, Microsoft clearly is reassessing the role .NET Passport will play in future .NET implementations. But either way, your online data will be safer than it was before the FTC moved in. Wasn't that the point behind the investigation and resulting settlement?

    2. .NET NEWS AND VIEWS
    (contributed by Paul Thurrott, [email protected])

  • MICROSOFT ISSUES SECOND .NET FRAMEWORK SERVICE PACK

    Microsoft has issued the second .NET Framework service pack, which the company recommends all users download and install. The .NET Framework Service Pack 2 (SP2) release addresses security concerns and other problems Microsoft has found since SP1's release; this release also includes all the fixes from .NET Framework SP1.

    The company says this release targets several customer groups, including developers who are creating .NET-based applications and services, Visual Studio .NET users, administrators who want to deploy the update throughout an organization or development team, and end users who want to take advantage of .NET applications and services.

    Because SP2 is considered a critical update, Microsoft will soon release it to Windows Update. Developers and other interested parties can download the release now, however, from the Microsoft Web site. Note that you can't uninstall SP2.

    3. DOT-TECH PERSPECTIVES
    (contributed by Christa Anderson, [email protected])

  • INTRODUCING UDDI 3.0: SUPPORT FOR DIGITAL SIGNATURES

    In the August 8 issue of .NET UPDATE, we started looking at the new features in Universal Description, Discovery, and Integration (UDDI) 3.0. In this column, I discuss UDDI's new support for digital signatures. Digital signatures serve a twofold purpose. First, by signing data in a UDDI registry, publishers of the data can be sure that they can't be impersonated. Second, users of digitally signed data in a registry can be sure that the identified publisher of the data is genuine and that the data hasn't changed since it was published. Support for digital signatures also lets anyone who queries a UDDI registry limit the results to entities that have been digitally signed.

    UDDI 3.0 supports digital signing of any of five elements: businessEntity, businessService, bindingTemplate, tModel, and publisherAssertion. (Of these, businessEntity is the top-level element and the other elements are children, related in descending order.) Data is signed when it's published to the UDDI registry, but the mechanism for signing needs to be in place before then. The UDDI specification recommends that digital signatures use well-known key formats to make identifying and validating a signature easier for client applications.

    Because the goal of digital-signature capability is to enable anyone searching a UDDI registry to distinguish between signed and unsigned data, publishers of data in a UDDI registry should calculate digital signatures for the top-level element in the UDDI registry according to rules laid out in the World Wide Web Consortium's (W3C's) Recommendation document "XML-Signature Syntax and Processing." That is, the publisher should place the data's signature according to how the data is published. For example, if data is published as a service, the signature should be calculated on the businessService element, which becomes the top-level element; if the data is published as a business, the signature should be calculated on the businessEntity element. The signature applies to all child elements for published data unless the use of a transform file specifically excludes applying the signature to a child element. Therefore, when businessService elements are signed, the bindingTemplate element in the published UDDI data will also be signed (unless excluded), and when the businessEntity element is signed, the businessService element will be signed.

    The new support in UDDI 3.0 for entity promotion (a device that lets a publisher propose a new identifying key for an entity rather than rely on an automatically generated key) is important for making digital-signature functionality work. Entity promotion makes it possible to copy elements to new registries without breaking the signature file, because the publisher names the entity key rather than relying on the node to automatically generate the key, which would invalidate the signature. For a signature to be valid, it needs to be generated before the data it's associated with is published in the UDDI registry. Therefore, the UDDI specification recommends that anyone who publishes data in the registry should generate a digital signature only on elements with publisher-assigned keys. Signatures on elements with node-assigned keys (i.e., automatically generated keys) will work only if the node will not generate additional keys.

    An application searching a UDDI registry examines the top-level element (such as businessService, in the earlier example) that the registry returns to verify whether the element has a signature. To validate the signature, the client machine that runs the application searching the registry must examine the keys in the signature.
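
    The following added example (not from the column or the UDDI specification) illustrates the two points above: a signature calculated on businessService covers its bindingTemplate child, and a key generated by the node after signing invalidates that signature. Assumptions: HMAC-SHA-256 with a constructed key stands in for the publisher's public-key signature, node_save is a hypothetical registry node, the keys and URLs are constructed, and XML namespaces and the Signature element itself are omitted.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the publisher's signing key

def canonical(elem):
    """Canonical XML bytes of the element and every child it contains."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def sign(elem):
    """Digest the canonical form, then MAC it (stand-in for an XML-Signature value)."""
    digest = hashlib.sha256(canonical(elem)).digest()
    return hmac.new(DEMO_KEY, digest, hashlib.sha256).hexdigest()

def verify(elem, signature):
    return hmac.compare_digest(sign(elem), signature)

def build_service(service_key, binding_key):
    """Constructed businessService with one bindingTemplate child (namespaces omitted)."""
    svc = ET.Element("businessService", serviceKey=service_key)
    ET.SubElement(svc, "name").text = "Order status"
    templates = ET.SubElement(svc, "bindingTemplates")
    binding = ET.SubElement(templates, "bindingTemplate", bindingKey=binding_key)
    ET.SubElement(binding, "accessPoint").text = "https://example.com/orders"
    return svc

def node_save(elem):
    """Hypothetical registry node: assigns a key wherever the publisher left one empty."""
    saved = ET.fromstring(ET.tostring(elem))
    for n, e in enumerate(saved.iter()):
        for attr in ("serviceKey", "bindingKey"):
            if e.get(attr) == "":
                e.set(attr, f"uddi:node.example:generated-{n}")
    return saved

def survives_publication(service_key, binding_key):
    """Sign before publishing, let the node save the data, verify what a client reads back."""
    svc = build_service(service_key, binding_key)
    signature = sign(svc)
    return verify(node_save(svc), signature)

def child_edit_detected():
    """The parent's signature covers its children: editing accessPoint must fail verification."""
    svc = build_service("uddi:example.com:orders", "uddi:example.com:orders-soap")
    signature = sign(svc)
    svc.find("bindingTemplates/bindingTemplate/accessPoint").text = "https://changed.example/orders"
    return not verify(svc, signature)
```

    Calling survives_publication with publisher-assigned keys for both elements returns True; leaving even the child's bindingKey empty returns False, because the key the node generates falls inside the signed data.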

    To examine the complete UDDI 3.0 specification, go to http://uddi.org/pubs/uddi_v3.htm.

    4. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • TAKE OUR SURVEY AND YOU COULD WIN A FREE T-SHIRT!

    We need to hear your thoughts on the future of technology! Take our reader survey and you'll be entered to win a T-shirt, compliments of Windows & .NET Magazine. All responses are completely confidential, so visit http://www.up2research.com/windotnet.

  • REAL-WORLD TIPS AND SOLUTIONS HERE FOR YOU

    Register online for Windows & .NET Magazine LIVE! before this conference sells out. Network with the finest gathering of Windows gurus on the planet. This conference is chock-full of "been there, done that" knowledge from people who use Microsoft products in the real world. Register now and you'll receive free access to sessions of the concurrently running XML and Web Services Connections.
    http://www.winnetmagLIVE.com

    5. RESOURCE

    EVENT HIGHLIGHT: WINDOWS .NET SERVER DEVCON

    September 3 through 6, 2002
    Seattle
    http://www.microsoft.com/misc/external/serverdevcon

    Be ready for .NET Server (Win.NET Server)! The Windows .NET Server DevCon is the premier conference for learning everything about writing scalable, trustworthy enterprise applications for the Windows server family. Designed for systems architects, enterprise developers, Independent Software Vendors (ISV) developers, and technical decision makers, the DevCon offers more than 100 highly technical sessions and provides the best training opportunity for all the new features of Win.NET Server.

    For other upcoming events, check out the Windows & .NET Magazine Event Calendar.
    http://www.winnetmag.com/events

    6. NEW AND IMPROVED
    (contributed by Carolyn Mader, [email protected])

  • DEVELOP INTERACTIVE REPORTS

    GreenPoint released WebCharts 3D 4.7 with .NET support, a data visualization tool for developing graphical interactive reports and applications on the Web. The software is a native .NET component and is fully integrated with Visual Studio .NET. WebCharts 3D uses XML as its native data format and lets you design and deploy cross-browser graphical pages. The software is available in professional and enterprise editions. For pricing, contact GreenPoint at 212-765-6982 or 877-932-2427.
    http://www.gpoint.com

  • SUBMIT TOP PRODUCT IDEAS

    Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

    7. CONTACT US
    Here's how to reach us with your comments and questions:

    This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
    http://www.winnetmag.com/sub.cfm?code=wswi201x1z

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email
