New industry group could help drive security standards

Have you ever hesitated a few moments before sending your credit card number over the Internet? Perhaps more importantly, are customers or partners hesitant to conduct e-business with your company, for fear of poor security practices? Can we ever fully trust whoever is on the other end of our computer connections? How can we be sure they are who they say they are?

A new industry alliance has formed to address the technology issues at the root of these fears. Oct. 11 marked the birth of the Trusted Computing Platform Alliance (TCPA), which will focus on improving trust and security on various computing platforms. Microsoft, Intel, IBM, Compaq and Hewlett-Packard Co. are founding members, and more companies are expected to join in the coming months.

What’s interesting about this group is it recognizes that creating a trusted computing environment requires the collaboration of PC industry platform, operating system, application and technology vendors. In other words, answers to security problems are rooted not in just hardware or software, but in all aspects of the total platform.

Much as I dislike approaches developed by committee, which tend to reflect the lowest common denominator, the TCPA may be the best way to develop broad desktop security standards accepted throughout the industry. Single-vendor approaches often fail to garner commercial acceptance, usually because of the proprietary nature of the innovation or a “Big Brother” assault on personal liberties.

Remember last winter when Intel announced it would embed a personal identification number in its Pentium III chips? Though Intel’s intention was to increase security over the Internet by identifying the owners of various transactions, the proposal generated a backlash from civil rights activists who viewed it as a violation of privacy rights. Ultimately, Intel opted to turn off the feature in its chips. This identification number strategy would have had a better chance of acceptance if it had been part of an industry-wide PC security plan that included promotion by the likes of heavyweights Microsoft, Compaq, IBM and HP.

A few weeks ago, I read a press release from IBM about its new PC models that incorporate an embedded security chip on the motherboard, and smart card access and encryption. A great strategy, but it probably won’t catch on with the general PC-using population.

Why not? Though based on existing industry security protocols, portions of this approach are still unique to IBM. That means it’s unlikely that the other top PC hardware manufacturers — Compaq, Dell, HP and Gateway — will adopt it. Without acceptance by these vendors, the IBM approach will remain proprietary rather than become an industry standard.

With the TCPA bringing together the top players in the desktop market, we’re likely to see greater sharing of knowledge and broader acceptance of jointly designed offerings. The organization’s goal is to develop a specification that delivers a set of hardware and operating system security capabilities that customers will use in their computing environments.

The specification release candidate 1.0 document is due out in the second quarter of 2000. This document will ultimately be submitted to a still-unnamed standards body for consideration and adoption. The alliance is also developing a white paper that describes the specification and how it will improve computing. The TCPA promises its specification will complement existing security standards, such as IP Security, public-key infrastructure, Secure Multi-purpose Internet Mail Extensions, Secure Sockets Language, X.509, virtual private networks, smart cards and biometrics.

Working together, TCPA members intend to enhance existing approaches and simplify the deployment, use and manageability of security elements on PCs. The group will encourage wide industry support and adoption of the specifications. What’s more, the specifications must be broadly exportable and ubiquitous, resulting in worldwide acceptance.

Membership in the TCPA is open to anyone with a vested interest, including eventual end users of the technology. To learn more about what this alliance can do for you or how you can contribute to its progress, visit

Musthaler is vice-president of Currid & Company, a Houston-based technology consulting firm. She can be reached at