A group of industry heavyweights has endorsed a new security standard proposed by Intel (INTC), called Common Data Security Architecture (CDSA), as a framework for developing security applications for e-commerce and Internet transactions.
Conspicuously absent from the list is Microsoft, which did not participate in discussions within the Open Group, a standards group with roots in the Unix world. Ironically, Microsoft has asked the Open Group to take its ActiveX specification and turn it into a standard.
"This is the first open, interoperable security infrastructure," said Milind Khare, product manager at Intel Architecture Labs, where the original CDSA spec was developed two and a half years ago. "We will work with all the other companies to try to get CDSA adopted in the industry."
But Microsoft's Jason Garms, Windows NT security product manager, questions whether CDSA offers Windows developers anything new.
"CDSA is a complex and evolving specification that addresses many of the same functional requirements satisfied by Crypto API," Garms said. CAPI is Microsoft's security framework for its Windows platforms.
In addition to Intel, other endorsers of CDSA include IBM, Netscape, Hewlett-Packard, Sun Microsystems, Motorola, certificate authority Entrust, firewall and consulting firm Trusted Information Systems, Shell Oil, and banker JP Morgan.
Netscape, which had its own security framework, is adding additional services around CDSA for its developers.
"CDSA will supply the APIs [application programming interfaces] through Netscape products so developers can use security in applications for the client and the server side," said Netscape's chief scientist and security guru, Tahere Elgamal.
Backers say CDSA, because it provides a way for different kinds of security to interoperate, will be a boon to e-commerce and boost cross-platform interoperability among software applications that require security.
Microsoft is challenging those claims, saying that its Crypto API has been shipping since 1996, while products based on CDSA have yet to appear. IBM, however, is supporting CDSA in its KeyWorks software toolkit, and Intel says it will deploy CDSA in several products this year.
CDSA supporters say the protocol will help build confidence that the Net is secure, thus opening the way for selling more high-value goods over the Net. Microsoft argues that existing standards--including Secure Sockets Layer (SSL), Secure Electronic Transactions (SET), and S/MIME for secure email--form the basis for secure e-commerce.
CDSA requires software to address four different areas: encryption, digital certificates and their management, "trust policy," and database functions for handling certificates. Commercial cryptographic key recovery is an optional module, pushed by endorser TIS.
The CDSA encryption module can support any kind of cryptographic algorithm, and the digital certificate module can accommodate digital IDS from various issuers. The "trust policy" component is how companies regulate what data an individual can access. Key recovery was made optional, in part, because it is a highly controversial aspect of the encryption export debate that some companies may not want to implement.
Both Microsoft's CAPI and CDSA address the sale of software with encryption outside the United States and Canada, but in different ways. The U.S. government requires export licenses for overseas sales of strong encryption.
Microsoft says CAPI creates a flexible framework so that software used in a particular country can be made to comply with U.S. crypto export rules. CDSA backers say their protocol can be configured to comply with any government rules without redesigning applications or middleware for each jurisdiction.