MS's new IM strategy: Greenwich?

Stephen D. Williams sdw@lig.net
Sat, 01 Mar 2003 19:15:33 -0500



The original Exchange IM protocol was very bloated HTTP-based and used 
polling to some extent.  A Microsoft developer from that team explained 
it to us (IETF IMPP working group) at the San Francisco meeting.

If they have changed to SIP/RTSP, that would be interesting, however it 
would only be standards compliant with SIP and their IM/Presence 
proposal.  I am not back up to date, but the last I looked, IMPP had 
been dissolved because no agreement could be reached and each team was 
off pushing their own view: SIP, Jabber, Beep-based, etc.  I think that 
the SMTP-like proposal was finally dropped.

Bill Kearney wrote:

>>From: "Stephen D. Williams" <sdw@lig.net>
>>The Jabber method of using your domain, and really your email address,
>>as the address space will obviously win in the long run.  The discussion
>>below about a new domain namespace that companies would have to register
>>in is silly.
>>    
>>
>
>Exchange supports using username@domain for IM traffic.  The extensions to DNS
>records to support it are implemented similarly to an MX record.  It's been in
>there for over 3 years.  The underlying stuff is based on SIP and RTSP.  MS is
>actually the most standards compliant of the bunch.
>
Yes, and Jabber was the first one to define SRV records for DNS 
resolution of IM/Presence for a domain.

>>Having people communicate is one thing, having applications communicate
>>WILL require proper authentication and authorization, unlike the MS
>>comments below indicate.  It's too bad that X.500/LDAP is still
>>surviving because of PKI.  Hopefully it will become more universally
>>usable soon.
>>    
>>
>
>Of all platforms, the PKI integration in w2k and later is arguably the most
>robust.  You're correct about a&a being absolutely critical to the success of
>this stuff.
>
>-Bill Kearney
>  
>
Please feel free to give me better information, but this is what I know now:

What counts is PKI integration in an application.  I don't see a method 
to sign documents or fields in MS Word, Excel, Powerpoint, etc.  Both 
Outlook and Netscape Communicator support S/Mime for email, but beyond 
session security (SSL), PKI support in both IE and Netscape is pretty 
weak.  Netscape does however have the ability to PKI sign the content of 
a form, which I don't believe that IE can do.  Still, it isn't enough 
for most applications meaning that signed Java applets will need to be 
used for serious security.  Microsoft's out of luck there in a sense as 
nothing but Java is close to being trusted enough for secure mobile-code 
PKI-enabled applications.

Win2K and XP have some good integration for login (via PKI smart card 
for instance) and this can be used to authenticate with a server as far 
as I know.  Beyond this, Win2K and XP mainly rely on ACLs as metadata in 
NTFS for authorization for applications and resources.  This has several 
shortcomings.  What is needed is an extensible, open repository for 
standardized authorization information.  This will obviously be XML 
based and is being standardized on to some extent by at least one group.

PKI login can be accomplished in Linux fairly easily because of the 
plugin-based PAM authentication and authorization system.  SSH of course 
can make use of standard PKI certificates.

The real problem is that you can't secure the Windows PC platform enough 
to really trust it, especially if you connect to multiple network 
environments, run misc. applications, don't have physical security to 
prevent tampering, and have less-than-perfect users that might be 
tricked into running a virus, trojan horse, or bogus update.  In 
particular, I don't believe that there is any way to stop 'windows 
subclassing' where one program latches onto the events of another and is 
able to modify keystrokes or hide the real window with a misleading one. 
This is where X-windows and secure operating systems have large advantages.

sdw

-- 
swilliams@hpti.com http://www.hpti.com  Personal: sdw@lig.net http://sdw.st
Stephen D. Williams 43392 Wayside Cir,Ashburn,VA 20147-4622
703-724-0118W 703-995-0407Fax Oct2002
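The SRV-based resolution the thread refers to (Jabber's `_xmpp-client._tcp.<domain>` records, resolved the way MX records are for mail) works as follows. This is an added example, not code from either poster: it implements the RFC 2782 target-selection rule (ascending priority, weighted random choice within a priority, a lone "." target meaning "service not offered") over a constructed answer set, so it runs offline. The records and host names are made up for illustration; a real client would obtain them from a DNS query.

```python
import random
from collections import defaultdict

# Constructed sample answer section for _xmpp-client._tcp.example.org
# (not real DNS data): (priority, weight, port, target)
SAMPLE_SRV = [
    (10, 60, 5222, "xmpp1.example.org."),
    (10, 40, 5222, "xmpp2.example.org."),
    (20, 0, 5222, "backup.example.org."),
]


def srv_name(domain, service="xmpp-client", proto="tcp"):
    """Build the owner name a client looks up for a user@domain address."""
    return f"_{service}._{proto}.{domain}"


def order_srv(records, rng=random.random):
    """Return records in RFC 2782 order.

    Lower priority values are tried first.  Within one priority, targets are
    chosen by weighted random selection; zero-weight targets are placed at the
    front of the bucket so they are selected only when nothing else remains.
    `rng` returns a float in [0, 1) and is injectable for deterministic tests.
    """
    by_prio = defaultdict(list)
    for rec in records:
        by_prio[rec[0]].append(rec)

    ordered = []
    for prio in sorted(by_prio):
        bucket = sorted(by_prio[prio], key=lambda r: r[1] != 0)
        while bucket:
            total = sum(r[1] for r in bucket)
            threshold = rng() * total
            running = 0
            for i, rec in enumerate(bucket):
                running += rec[1]
                if running >= threshold:
                    ordered.append(bucket.pop(i))
                    break
    return ordered


def connect_candidates(records, rng=random.random):
    """Return (host, port) pairs in the order a client should attempt them."""
    # RFC 2782: a single record with target "." means the service is
    # explicitly not available at this domain; do not fall back to A records.
    if len(records) == 1 and records[0][3] == ".":
        return []
    return [(rec[3].rstrip("."), rec[2]) for rec in order_srv(records, rng)]


if __name__ == "__main__":
    print(srv_name("example.org"))
    for host, port in connect_candidates(SAMPLE_SRV):
        print(f"try {host}:{port}")
```

One caveat a practitioner should keep in mind: an SRV answer is unauthenticated unless the zone is DNSSEC-signed, so a spoofed record can redirect the client to an attacker's host. The client must therefore verify the server's certificate against the original domain from the user's address (example.org above), never against the SRV target name the resolver handed back.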


