During the month since Microsoft Corp. announced Palladium, the new plan to marry hardware and software security inside every Windows PC has been hailed as either a potential savior or a scourge for computer security and user freedom.
Details about Palladium, which remains years from mass deployment, have been sketchy and are bound to change, but Microsoft is now providing more information about the system, what it will do and what it won't.
Palladium will create a "trusted space" within a PC where certain applications and operations can run. Palladium will require a security chip, as well as rewritten software designed to take advantage of the chip. Because the "trusted space" will be separate from Windows, Palladium should be able to better protect sensitive information and stop the spread of viruses and the like, according to Microsoft. The system will also allow users to create documents that expire after a certain amount of time or are limited in how they can be shared, Microsoft has said.
The initial reaction to Microsoft's announcement was mixed, with critics charging that the system would curtail users' ability to control their own PCs, possibly removing fair use rights related to music and movie files and that it could even further Microsoft's operating system monopoly.
Those reactions are not the rule, according to Microsoft.
"The responses overall have been very positive," said Mario Juarez, group product manager for the content security business unit at Microsoft. "Almost nobody has taken issues with the premise that systems need better integrity."
Nonetheless, Microsoft is taking pains to clarify exactly what Palladium is and is not.
"Palladium is not DRM (Digital Rights Management), but it's a great platform for building DRM on," Juarez said. Palladium was initially linked to a series of patents granted to Microsoft on a "Digital Rights Management operating system" and it remains unclear how those patents will play into the system. DRM is a technology that allows content owners to place on their work restrictions that can control how the files are shared and copied.
Palladium is also not a technology that Microsoft hopes will permanently lock down content such as movies and music by tying such content to DRM, Juarez said.
"We absolutely believe that anything of any value will be brought into the clear," that is, made available through various means without content protections, he said. Palladium isn't designed to lock down content permanently because "we don't want that to happen," he said.
Palladium will also not be open source, despite some reports and conjecture at its announcement. Instead, Microsoft will publish the Palladium source code in much the same way as it currently offers its shared source program -- as a way to allow programmers to inspect the code, Juarez said.
Because the system will be shared source, rather than open source, programmers will not be allowed to modify the code or port it to other platforms, he said.
"We don't want people to necessarily create derivative works (from this)," he said. Publishing the code will let programmers "verify that what we say is happening is (in fact) happening."
Giving developers a way to verify the code is a key step, said Laura Koetzle, infrastructure research analyst at Forrester Research Inc. in Cambridge, Massachusetts.
"If they want people to actually trust that this operating system does what they say, it has to be transparent," she said.
While "shared source is a good start," Koetzle said that "open sourcing it is probably the right public relations move" since having a third party create a Palladium system would be a major credibility boost for the technology.
Peter Lindstrom, senior security strategies analyst at the Hurwitz Group Inc. in Framingham, Massachusetts, isn't so sure that these steps are necessary.
He predicts that "six months after the specs for the hardware chips are available (along with) the source, there will be a Linux version that does the same thing."
All of that is still distant, however, as Palladium won't likely see release for years. To that end, Microsoft plans to publish its first Palladium road map this fall, Juarez said. The road map will include when the company will release Palladium SDKs (Software Development Kits), when important public meetings about the technology will occur and other information.
Koetzle expects the Palladium road map to be a long one.
"I think (it will be released in) 2006 if they're lucky," she said.
"You're talking silicon here and that always takes forever," she said, referring to the required security chip.
Palladium will be an opt-in system, meaning that it will ship in PCs turned off and users will have to turn it on to gain its benefits, said Alan Geller, group program manager for Palladium.
Geller knows the challenge of getting new users to adopt Palladium won't be easily solved.
"It's a huge challenge for us to make this powerful, but easy ... accessible to people who aren't technical at all," Geller said.
"It better be pretty simple and easy and painless" for the average user because Microsoft wants "to reach the people who haven't bought a computer yet because they're afraid of it," he said.
Geller expects that users will embrace such an easy-to-use system without much hesitation, he said.
"The biggest downside is they have to go out and buy a new computer," he said.
Microsoft will provide a way for users to transfer their data from one Palladium system to another, he said, adding that the mechanism for that transfer has not been decided. Because Palladium will tie content to the specific hardware of each PC, there had been concern about whether content could be moved when PC components or full systems were upgraded.
The major question hovering over Palladium, though, is why users will want to turn it on, said Forrester's Koetzle.
"I don't see any demand-side drivers for this," she said. "What's in it for consumers?"
The system makes sense for Microsoft, for PC makers and for companies that control copyright digital content, since it will help them all sell more of their products, she said. But the system doesn't make sense for consumers, she said.
"What do consumers want that they can't have (unless they use Palladium)? The answer is nothing," she said. "I have a hard time seeing Palladium as a selling point."
Microsoft needs to find compelling applications that will cause consumers to want to use Palladium, as well as find third parties interested in creating those compelling applications, she said.
Offering new levels of system security may be compelling enough to persuade some users to switch, said Hurwitz's Lindstrom.
"This is the stuff for 30 years security folks have been saying we need in mainstream computing," he said.
Beyond that, "I think it's critical that Microsoft pushes forward with it because it's probably the only way they're going to get out from under their security vulnerability overhead," he said.
Despite Juarez and Geller's assurances, questions still persist about whether Microsoft, a company that has been hit by a torrent of security vulnerabilities in recent years, can make such a sweeping security system work.
Those questions have been answered for Juarez and Geller. Microsoft has emphasized security more over the last year, with the launch of is Trustworthy Computing initiative and other steps, Juarez said.
"Microsoft has shown that when it recognizes the strategic importance of something ... it tends to respond effectively," he said. "This is critical for Microsoft to succeed in its vision."