Gates Stumps For Hardware-Based ID Protection

identity management RSA

TPM solutions at the physical layer, combined with broader hardware-backed, certificate-based identity strategies, will mean the end of hard-to-remember and easy-to-compromise user passwords. The TPM architecture provides the core for "certificate-based roots of trust," Mundie said. In a Monday (Feb. 5) tutorial for the TCG, industry consultant Roger Kay declared the TPM ready for mass deployment, since it is already embedded in tens of millions of PCs and is offered by multiple semiconductor vendors.

"We see smart cards specifically, and certificates in general, as the direction identity protection must move in," Gates said. "Passwords already are the weakest link in information protection."

On building networks with fine-grained control over which connections are allowed, Mundie said that some corporate users had been too quick to bypass lower-layer security mechanisms defined by the Internet Engineering Task Force, such as IPsec. While virtual private networks based on Secure Sockets Layer are attractive for lowering the overall cost of protection, Gates said that "IPsec is still the best mechanism for defining allowed connections on a network." Mundie added that finer-grained connection protection was another reason to move networks to IPv6, which allows greater flexibility in defining allowed links on the basis of user identity.

Mundie said that new work on Active Directory and metadirectories for the server-based Longhorn environment, in conjunction with IPv6, will lead to more adaptive policy enforcement of connectivity rules under IPv6 and IPsec.
