Andy Gordon and Karthik Bhargavan - Web services security research



Andy Gordon and Karthik Bhargavan (researchers from Microsoft's research center in Cambridge, England) take us out to see "Lake Bill" back on Microsoft's main campus in Redmond where we avoid the geese and talk about their Web Services Security research and get a tour of their toolkit.

They also talk about the F# language, which they've used to build their toolkit.




The Discussion

  • a bit over the top for many folks to "Get" but sounds like some good work going on.

    the outdoors laptop was not a good idea IMHO.

    I'd have walked into a room and done the demo and then back out after it.
  • Very cool.  A while ago I did a SecurityContextToken (SCT) "getter" to allow you to get a SCT using TCP channel (or http) and an RSA public key (i.e. does not require X509 cert).  This is nice, because if you sign your assem, you already have the public key and don't need to mess around with certs.  I wonder if Andy or Karthik can prove this out using the first tool.  The desc and c# code is at!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry

    I know one weakness is the public key.  If someone can change that at the client side, then a man in the middle attack could be done.  But failing that, I wonder if the rest is ok.  Cheers!

    --William Stacey [MVP]
  • Thanks; we didn't say in the interview but we have a website about the project at http://Securing.WS. The whole project is joint work with Cédric Fournet, who couldn't make the interview.

    We have papers and talks there, info about how to download the two tools, and lots and lots of web services security links.

    I guess the Channel9 guys thought that the outdoors interview was a good experiment.  I was impressed by how much of the screen you can see in the video; it didn't seem to be a problem.

    The interview was a lot of fun.  Wednesday at the TechFest Jon Pincus said we should mail Charles about doing an interview.  We sent mail about 6pm, he replied in the evening, and we arranged to meet by the bit of the Berlin Wall at the conference centre at 11am Thursday.  We had 60 minutes until the TechFest opened.  We couldn't find an office so Charles and Robert just took us across the street to "Bill's lake".  I've done formal presentations to the press before on behalf of MS, and there is usually a heck of a fuss about it, many rehearsals etc etc.  This was entirely impromptu, which undoubtedly shows, but still I hope it's informative.
