My Services, released last week, lets users access files from any
machine and makes e-business easy. But is it secure, and will users
want to keep their data in a Microsoft repository? Ian Murphy
reports.
At Microsoft's Professional Developers Conference in Los Angeles
last week, the company delivered the first copies of its
long-awaited .net My Services developer tools.
My Services (formerly known as Hailstorm) uses the Internet to
deliver a range of services that allow users to interact more
easily and securely with Web sites. It will also give developers
opportunities to capitalise on the use of electronic wallets. The
system has been described by James Culbert, co-author of O'Reilly
My Services Essentials, as an operating system for Web
services.
The framework comprises a small set of core services, defined by
Microsoft, that will allow developers to build client-side
applications. Microsoft is attempting to exert tight control over
the contents of the core and is discouraging developers from
writing their own core services. It says this restriction is based
on the need to manage the integrity and security of the
project.
Underpinning the My Services initiative is Microsoft's Passport,
which provides a single sign-on mechanism for Web users. After
registering their personal details, a user visiting a
Passport-enabled site is authenticated by the Passport service,
which passes an encrypted authenticated token back to the site.
While logged into Passport, the user's token is passed from site to
site, obviating the need to remember multiple log-on names and
passwords. The encryption of the token ensures that the user's
credentials are protected during transmission.
Although the security in Passport has been the subject of
significant criticism, it will be improved by the addition of
Kerberos support in version 3.0, which is expected to ship early
next year.
The importance of this mechanism to My Services is that the
Passport User ID can be used to control access to a vast amount of
personal information. Under My Services, users will be able to
store, for example, credit card details in the My Wallet digital
wallet and their contact details and address book in My Contacts.
The My Calendar online scheduler and My Devices, which holds
details of the devices owned by the user, can also be stored in My
Services. Other services that will be immediately available include
My Location and My Alerts, which can be used to provide a wide
range of time-critical and location-centric information.
In total, 14 services are available now, and Microsoft is likely to
add a number of additional services as My Services develops.
One example of a future service that fits Microsoft's plans, and
for which there is increasing commercial pressure, is My Digital
Rights, which would control access to copyrighted documents, images
and audio. This could be extended to cover all digital rights, as
Microsoft moves into new markets such as digital TV boxes based on
Embedded Windows XP. There is even a hint that it could eventually
cover software - My Devices already contains fields to hold details
of subscriptions and expiry dates.
The extensibility of the underlying services and the way they can
be combined lies at the heart of Culbert's view of My Services as
an operating system. Each of the services looks after its own data,
but by combining the services you get a complete, mobile
replacement for a computer system.
My Contacts, My Calendar and My Inbox combine to offer an
alternative to personal information management applications,
especially when enabled through a Web server such as Hotmail or
MSN.
My Application Settings, My Documents and My Services provide
mobile workers with a complete Web-based back-up of their critical
data, software settings and hardware configurations.
For application service providers (ASPs) in particular, this has
the potential to allow them to offer customers secure access to
applications and data from anywhere in the world and ensure
personal settings are maintained. It even allows ASPs to be loosely
linked to Internet service providers around the world so that
access to applications is available locally rather than through
transfers across the Internet to a primary server.
From the user's perspective, My Services is relatively transparent
and provides a means by which they can control who has access to
their personal data. Access will only occur when the user
explicitly allows it by entering a Pin code or password.
Another advantage of this process is that the user does not have to
repeatedly re-enter their data on online forms. This reduces the
number of opportunities for it to be intercepted and stolen. Once
the user allows credit card details, for example, to be used by a
Web site, simply entering their Pin will allow the information to
be read directly from the site where their My Services data is held
and transferred securely to the e-commerce application.
This process makes data available to the user from wherever they
have access to the Web. The only proviso is that all participants
in a transaction need to be using Passport for data to be
transferred through My Services.
This has raised concerns about Microsoft imposing restrictions on
using data. Sensitive to such accusations, Microsoft has recently
started to talk about My Services as just one of a range of
independent Web data storage services.
The phrase that Microsoft is keen to use is "federated" services,
to indicate that there is nothing to stop AOL, for example, from
creating its own virtual wallet application and then allowing an
AOL user to take part in a transaction with a Passport-enabled
site.
The mainstay of the system will be the Kerberos authentication in
Passport version 3.0, although Microsoft will need to be careful
how it implements this open source system. It has already alienated
a significant portion of the security industry by using proprietary
extensions to the Kerberos specification, making interoperability
with other implementations difficult.
Another issue is ownership of data. The only way My Services will
work is if users can be persuaded to part with their data and trust
Microsoft to store it securely. Given Microsoft's track record,
that is asking a lot, but the problem is compounded by differing
data protection laws around the world. The rules for managing
credit card data laid down by the various card issuers may yet
create a problem for the My Wallet service.
Microsoft is keen to say that the servers used will simply be
repositories and will require the user's Passport User ID before
any data can be accessed. An examination of the software
development kit for My Services makes this quite clear.
However, the company has failed to say whether the data will be
stored in clear or encrypted form. It is also questionable whether
Microsoft will be able to manage the vast amounts of data that are
likely to be stored. Current indications are that it will contract
out some of the storage, and services will be charged on a
pay-per-use and pay-per-service model.
What is My Services?
Part of Microsoft's .net initiative, My Services (formerly known as
Hailstorm) is a set of
consumer-focused XML Web services. They allow a user to access
files, data and machine settings from any computer, anywhere, at
any time. A key element is Microsoft Passport, which provides a
secure method of authentication for conducting e-business
transactions.
Developers who know how to use XML to create Soap messages to send
over HTTP or Dime (Direct Internet Message Encapsulation) will be
able to build applications that take advantage of these services.
Currently, My Services includes:
My Location: A user's physical presence information. Lets others know where to get in touch with them
My Devices: Details of the user's hardware
My Alerts: Allows applications and Web sites to alert the user of events
My Calendar: Diary
My Contacts: Address book
My Inbox: E-mail access
My Documents: Document storage
My Wallet: User information for purchasing items online. Removes the need for repeated online form filling
My Application Settings: User information such as toolbars, icons, and screensavers. Any device the user signs on to automatically adjusts itself to those settings
My Profile: Information such as addresses, birthdays etc
My Favourite Web Sites: Personal bookmarks.
How much will it cost?
Microsoft is planning to charge developers $10,000 (£7,010) a year
to sign up their applications
for My Services. It will also charge developers and business
partners to deploy services and applications, plus an additional
fee for accessing .net users.
Although the company expects most of its revenue to come from
consumer subscriptions, Bob Muglia, vice-president of the .net
services platform, said that companies offering services will be
charged the yearly fee plus $1,500 (£1,051) for each application
made available to My Services. To encourage small-scale developers,
the fees will be $1,000 (£701) a year sign-up and $250 (£175) for
each application deployed.
Consumers will be charged a subscription fee for accessing My
Services through Microsoft's Passport authentication. Muglia said
it will still be free to join and access some Passport services, My
Alerts, and .net Presence, a service that locates online users.
However, services that use more resources, such as calendars and
document storage, will carry a charge.