John Manferdelli, general manager of Microsoft’s “Palladium” business unit, provides a Q&A on Palladium. (Manferdelli is on the board of ContentGuard — you can read his bio on their web site. He’s also one of several Microsoft authors contributing to the WS-Security effort, which intends to standardize enhancements to SOAP messaging with security tokens for various purposes.)
The end result is a system with security similar to a closed-architecture system but with the flexibility of the open Windows platform.
Palladium has lots and lots of implications for end users, particularly in the corporate/enterprise environment. In particular, as was the case with Microsoft’s Hailstorm initiative, it will be very important for enterprise customers to tell Microsoft how they feel about this approach.
And it will be important that Microsoft listens carefully to the needs of their customers — as they seemed to do with Hailstorm — and realizes that they are not the center of this particular universe but that their customers are. In particular, Palladium has to incorporate the features that the enterprise needs for trusted platforms, not just the needs of digital rights content providers and software licensors.
Palladium was originally described in a Newsweek article by Steven Levy. Levy’s article provoked a sharp response from Robert X. Cringely, among others. The BBC has also picked up the story. Hal Varian wrote an article about it in yesterday’s New York Times.
In a follow-up posted yesterday, Cringely highlights a recent change to the End-User License Agreement for Windows Media Player. The change was part of a “critical security update” to the Player and requires the end-user to agree to allow Microsoft to:
…provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer.
As a brief aside, here’s a good article about clickwrap and shrinkwrap licensing of software.
Rereading Manferdelli’s comments in his published Q&A, it’s curious that the answers Manferdelli provided didn’t mention the Trusted Computing Platform Alliance (TCPA) — his choice of words makes Microsoft the center of this particular universe of activity.
TCPA, the group setting standards for the new architecture that Palladium intends to exploit, already has a long list of participating member companies and advisors.
Phoenix Technologies, producer of the majority of BIOS chips used in today’s PCs, also has a security initiative designed to ensure a trusted computing environment from the initial power-up point of a PC.
Ross Anderson has been following TCPA for some time and shares his point of view in a recently posted FAQ. (Lots of folks have already linked to Anderson’s FAQ based upon his ranking at the top of the Google search results for “TCPA”!)
Joshua Allen (from Microsoft) has also been having a bit of back and forth with others on his weblog regarding plans for Palladium.