Andy Gordon and Karthik Bhargavan - Web services security research

Posted: Apr 26, 2005 at 9:12 PM

By: The Channel 9 Team

(1)

17,117 Views

3 Comments

Video format

Option selected may change based on video formats available and browser capability.

Auto

Use our suggested format for this video.

Smooth Streaming

Adaptive bitrate streaming - little buffering but lower video quality at times of low bandwidth. Silverlight 5 required

Progressive

Traditional buffered video format. Silverlight 5 required

HTML5

For browsers that support H.264 MP4 or WebM video playback such as:
IE9+, Firefox 4+, Chrome 5+, or Safari 4+.

Flash

For browsers that have the Adobe Flash Player plugin installed.

Andy Gordon and Karthik Bhargavan (researchers from Microsoft's research center in Cambridge, England) take us out to see "Lake Bill" back on Microsoft's main campus in Redmond where we avoid the geese and talk about their Web Services Security research and get a tour of their toolkit.

They also talk about the F# language, which they've used to build their toolkit.

Follow the Discussion

Follow
Oops, something didn't work.

Try again?

Sign In to be begin to follow these comments

What does this mean?
Following an item on Channel 9 allows you to watch for new content and comments that you are interested in. You need to be signed in to Channel 9 to use this feature.

Getting "follow" information

Stop following these comments

Start following these comments

What does this mean?
Following an item on Channel 9 allows you to watch for new content and comments that you are interested in and view them all on your notifications page.

Removing your "follow"

Setting up your "follow"

Did you know you can
sign up for email notifications?
- Subscribe to this comments

figuerres ???

Apr 27, 2005 at 8:57 AM

interesting...

a bit over the top for many folks to "Get" but sounds like some good work going on.

the outdoors laptop was not a good idea IMHO.

I'd have walked into a room and done the demo and then back out after it.
staceyw Before C# there was darkness...

Apr 27, 2005 at 9:16 AM

Very cool. A while ago I did a SecurityContextToken (SCT) "getter" to allow you to get a SCT using TCP channel (or http) and an RSA public key (i.e. does not require X509 cert). This is nice, because if you sign your assem, you already have the public key and don't need to mess around with certs. I wonder if Andy or Karthik can prove this out using the first tool. The desc and c# code is at http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry

I know one weakness is the public key. If someone can change that at the client side, then a man in the middle attack could be done. But failing that, I wonder if the rest is ok. Cheers!

--William Stacey [MVP]
adg Andy Gordon

May 03, 2005 at 4:28 AM

Thanks; we didn't say in the interview but we have a website about the project at http://Securing.WS The whole project is joint work with Cédric Fournet, who couldn't make the interview.
We have papers and talks there, info about how to download the two tools, and lots and lots of web services security links.

I guess the Channel9 guys thought that the outdoors interview was a good experiment. I was impressed by how much of the screen you can see in the video; it didn't seem to be a problem.

The interview was a lot of fun. Wednesday at the TechFest Jon Pincus said we should mail Charles about doing an interview. We sent mail about 6pm, he replied in the evening, and we arranged to meet by the bit of the Berlin Wall at the conference centre at 11am Thursday. We had 60 minutes until the TechFest opened. We couldn't find an office so Charles and Robert just took us across the street to "Bill's lake". I've done formal presentations to the press before on behalf of MS, and there is usually a heck of a fuss about it, many rehearsals etc etc. This was entirely impromptu, which undoubtedly shows, but still I hope it's informative.