MS "TrustBridge" to Enable Organizations to Share User Identities Across Business Boundaries
By: SOA News Desk
Jan. 1, 2000 12:00 AM
(June 18, 2002) - Taking the next step toward a more connected and secure Web services environment, Microsoft Corp. has announced a new Windows® technology, code-named "TrustBridge," that will enable businesses to share user identity information between applications and organizations. "TrustBridge" technology will allow different organizations using the Windows operating system to exchange user identities and interoperate in heterogeneous environments using industry-standard XML Web services protocols including Kerberos, WS-Security, and forthcoming protocols in the WS-Security family.

Microsoft also delivered the Microsoft Federated Security and Identity Roadmap, for federated security and identity management across the Microsoft® product line. Both "TrustBridge" and the Microsoft products, tools and services outlined in the roadmap build on the WS-Security specification to establish a federated model for user identity exchange.

Introduced by Microsoft, IBM Corp., and VeriSign Inc. in April, WS-Security is a security specification that defines a standard set of Simple Object Access Protocol (SOAP) extensions or message headers for exchanging secure, signed messages in a Web services environment and provides a foundation on which to build federated and interoperable Web services. In conjunction with the WS-Security specification, Microsoft and IBM coauthored a roadmap, Security in a Web Services World, that outlines plans for future specifications in the family and defines the architectural approach to establishing a federated trust model for user identity.

By providing a way to establish and maintain trust relationships, Windows "TrustBridge" removes many of the barriers IT organizations face, allowing them to securely authenticate and share user identities across business and security boundaries.

Businesses that manage user identities with the Active Directory® service in Windows will be able to deploy "TrustBridge" to recognize and share identities with other organizations running Windows or any other identity infrastructure on any operating system that supports Kerberos v5.0. Kerberos, supported in Windows platforms and a variety of UNIX environments, is a widely adopted open standard for authentication maintained by the Internet Engineering Task Force.

To enable an organization to federate with another, "TrustBridge" will use the WS-Security protocol family. By using WS-Security and SOAP over HTTP, "TrustBridge" provides the additional benefit of eliminating a company's need for further firewall configuration.

The initial release of "TrustBridge" technology is scheduled for 2003. Information on "TrustBridge" pricing and delivery vehicles has yet to be released.

In its roadmap announcement, Microsoft outlines the products and approach it will take in implementing support for the WS-Security family of specifications. Microsoft will embrace WS-Security, building support for a federated security model throughout current and future products, tools and services, including the following:

.NET Passport. .NET Passport, an Internet-scale authentication service for business-to-consumer interactions, will support SOAP messages over HTTP, add support for Kerberos and embrace WS-Security in 2003. These enhancements will enable .NET Passport to federate with "TrustBridge" and other WS-Security-based authentication systems.

Visual Studio .NET. Later this year, Microsoft will provide support for WS-Security and federated security within Visual Studio® .NET. This will allow developers of Web services to easily add digital signature support and SOAP message encryption as outlined in the WS-Security specification.

Enterprise infrastructure products. By embracing WS-Security as a foundation for identity sharing, current and future product functionalities in Windows Server products will enable organizations to achieve a more federated approach to security. In addition to heterogeneous federation via "TrustBridge," Windows .NET Server, scheduled to release to manufacturing this year, will provide cross-forest trust for Active Directory, integration of Passport authentication with both the Active Directory Service and Internet Information Service, security protocol translation, and constrained delegation to support federation. Microsoft Metadirectory Service 2.2, a centralized service that stores and integrates identity information from multiple directories, enables organizations to synchronize directory information into Active Directory in real time.

In February Microsoft announced a new sample XML filter for Microsoft Internet Security and Acceleration Server that provides application-level filtering at the edge of the network to screen and inspect incoming SOAP and XML data. The sample helps companies prepare to secure their networks as they adopt Web services.

The Microsoft Federated Security and Identity Roadmap is available for download at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebsrv/html/wsfederate.asp?frame=true. The WS-Security specification and the coauthored roadmap are also available at http://msdn.microsoft.com/ws-security/.