My passport to PC freedom?


My Services, released last week, lets users access files from any machine and makes e-business easy. But is it secure, and will users want to keep their data in a Microsoft repository? Ian Murphy reports

At Microsoft's Professional Developers Conference in Los Angeles last week, the company delivered the first copies of its long-awaited .net My Services developer tools.

My Services (formerly known as Hailstorm) uses the Internet to deliver a range of services that allow users to interact more easily and securely with Web sites. It will also give developers opportunities to capitalise on the use of electronic wallets. The system has been described by James Culbert, co-author of O'Reilly My Services Essentials, as an operating system for Web services.

The framework comprises a small set of core services, defined by Microsoft, that will allow developers to build client-side applications. Microsoft is attempting to exert tight control over the contents of the core and is discouraging developers from writing their own core services. It says this restriction is based on the need to manage the integrity and security of the project.

Underpinning the My Services initiative is Microsoft's Passport, which provides a single sign-on mechanism for Web users. After registering their personal details, a user visiting a Passport-enabled site is authenticated by the Passport service, which passes an encrypted authenticated token back to the site. While the user is logged into Passport, the token is passed from site to site, obviating the need to remember multiple log-on names and passwords. The encryption of the token ensures that the user's credentials are protected during transmission.

Although the security in Passport has been the subject of significant criticism, it will be improved by the addition of Kerberos support in version 3.0, which is expected to ship early next year.

The importance of this mechanism to My Services is that the Passport User ID can be used to control access to a vast amount of personal information. Under My Services, users will be able to store, for example, credit card details in the My Wallet digital wallet and their contact details and address book in My Contacts.

Also part of My Services are the My Calendar online scheduler and My Devices, which holds details of the devices owned by the user. Other services that will be immediately available include My Location and My Alerts, which can be used to provide a wide range of time-critical and location-centric information.

In total, 14 services are available now, and Microsoft is likely to add more as My Services develops.

One example of a future service that fits Microsoft's plans, and for which there is increasing commercial pressure, is My Digital Rights, which would control access to copyrighted documents, images and audio. This could be extended to cover all digital rights, as Microsoft moves into new markets such as digital TV boxes based on Embedded Windows XP. There is even a hint that it could eventually cover software - My Devices already contains fields to hold details of subscriptions and expiry dates.

The extensibility of the underlying services and the way they can be combined lies at the heart of Culbert's view of My Services as an operating system. Each of the services looks after its own data but by combining the services you get a complete, mobile replacement for a computer system.

My Contacts, My Calendar and My Inbox combine to offer an alternative to personal information management applications, especially when enabled through a Web server such as Hotmail or MSN.

My Application Settings, My Documents and My Services provide mobile workers with a complete Web-based back-up of their critical data, software settings and hardware configurations.

For application service providers (ASPs) in particular, this has the potential to allow them to offer customers secure access to applications and data from anywhere in the world and ensure personal settings are maintained. It even allows ASPs to be loosely linked to Internet service providers around the world so that access to applications is available locally rather than through transfers across the Internet to a primary server.

From the user's perspective, My Services is relatively transparent and provides a means by which they can control who has access to their personal data. Access will only occur when the user explicitly allows it by entering a Pin code or password.

Another advantage of this process is that the user does not have to repeatedly re-enter their data on online forms. This reduces the number of opportunities for it to be intercepted and stolen. Once the user allows credit card details, for example, to be used by a Web site, simply entering their Pin will allow the information to be read directly from the site where their My Services data is held and transferred securely to the e-commerce application.

This process makes data available to the user from wherever they have access to the Web. The only proviso is that all participants in a transaction need to be using Passport for data to be transferred through My Services.

This has raised concerns about Microsoft imposing restrictions on using data. Sensitive to such accusations, Microsoft has recently started to talk about My Services as just one of a range of independent Web data storage services.

The phrase that Microsoft is keen to use is "federated" services, to indicate that there is nothing to stop AOL, for example, from creating its own virtual wallet application and then allowing an AOL user to take part in a transaction with a Passport-enabled site.

The mainstay of the system will be the Kerberos authentication in Passport version 3.0, although Microsoft will need to be careful how it implements this open source system. It has already alienated a significant portion of the security industry by using proprietary extensions to the Kerberos specification, making interoperability with other implementations difficult.

Another issue is ownership of data. The only way My Services will work is if users can be persuaded to part with their data and trust Microsoft to store it securely. Given Microsoft's track record, that is asking a lot, but the problem is compounded by differing data protection laws around the world. The rules for managing credit card data laid down by the various card issuers may yet create a problem for the My Wallet service.

Microsoft is keen to say that the servers used will simply be repositories and will require the user's Passport User ID before any data can be accessed. An examination of the software development kit for My Services makes this quite clear.

However, the company has failed to say whether the data will be stored in clear or encrypted form. It is also questionable whether Microsoft will be able to manage the vast amounts of data that are likely to be stored. Current indications are that it will contract out some of the storage and services will be charged on a pay-per-use and pay-per-service model.

What is My Services?
Part of Microsoft's .net initiative, My Services (formerly known as Hailstorm) is a set of consumer-focused XML Web services. They allow a user to access files, data and machine settings from any computer, anywhere, at any time. A key element is Microsoft Passport, which provides a secure method of authentication for conducting e-business transactions.

Developers that know how to use XML to create Soap messages to send over HTTP or Dime (Direct Internet Message Encapsulation) will be able to build applications that take advantage of these services.

Currently, My Services includes:

My Location: A user's physical presence information. Lets others know where to get in touch with them
My Devices: Details of the user's hardware
My Alerts: Allows applications and Web sites to alert the user of events
My Calendar: Diary
My Contacts: Address book
My Inbox: E-mail access
My Documents: Document storage
My Wallet: User information for purchasing items online. Removes the need for repeated online form filling
My Application Settings: User information such as toolbars, icons, and screensavers. Any device the user signs on to automatically adjusts itself to those settings
My Profile: Information such as addresses, birthdays etc
My Favourite Web Sites: Personal bookmarks.

How much will it cost?
Microsoft is planning to charge developers $10,000 (£7,010) a year to sign up their applications for My Services. It will also charge developers and business partners to deploy services and applications, plus an additional fee for accessing .net users.

Although the company expects most of its revenue to come from consumer subscriptions, Bob Muglia, vice-president of the .net services platform, said that companies offering services will be charged the yearly fee plus $1,500 (£1,051) for each application made available to My Services. To encourage small-scale developers, the fees will be $1,000 (£701) a year sign-up and $250 (£175) for each application deployed.

Consumers will be charged a subscription fee for accessing My Services through Microsoft's Passport authentication. Muglia said it will still be free to join and access some Passport services, My Alerts, and .net Presence, a service that locates online users. However, services that use more resources, such as calendars and document storage, will carry a charge.
