Thursday, December 5, 2002
The Orange SPV Smartphone Lock Down
Posted by Andy Sjostrom in "OFF-TOPIC" @ 02:43 AM
The Orange SPV is the first Smartphone 2002 and the first mobile phone with a Microsoft operating system, so it is not a surprise that anything related to the Orange SPV attracts attention. The last couple of days we've seen reports and comments about the new Orange SPV mobile phone and how the phone is "locked" from a software perspective, forcing developers to first get their applications signed by third party certificate authorities such as Verisign. Many have reacted strongly to this as it severly impacts developers ability to reach users and thereby limiting the growth of the software market and user choice. Reactions have been strong also because the process of forced application certification and device locks is uncommon in the software market we've lived in for decades: the PC market.
With these thoughts in mind, I put together the questions below to Microsoft. Check them out and read the answers.
Question: From a software deployment point-of-view, how is the Orange SPV phone locked and why?
Answer: Windows Powered Smartphone includes a X.509 based applications security model which allows operators to optionally require applications to be digitally signed prior to installation and execution on devices. The Orange SPV has applications security enabled, making devices "locked" to unsigned applications. For these locked devices, mobile operators engage public trusted authorities i.e. Verisign or Baltimore (certificate authorities) to digitally sign applications before they are installed and executed on devices on their networks
Question: What does a developer have to do and obtain to develop, market and sell Smartphone 2002 applications that Orange SPV users can buy, install and use?
Answer:
-Register as a member of Microsoft Partner Program and choose "Smartphone" on the left hand menu.
-Download the Software Development Kit (SDK) (More than 225,000 developers have already done so.)
-Once developers receive logo certification, they can submit their applications into the Mobile2Market catalog which is promoted to operators and retailers worldwide.
-Engage Mobile2Market Certificate Authority partner, Verisign or Baltimore, to digitally sign application.
Please note: There is a nominal fee for logo certification and code signing. This fee is paid directly to third party testing houses and code signing partners (and not Microsoft nor Orange). Microsoft is making a limited discount available to partners getting an app certified before 30th January. The discount is being paid directly to the third party testing labs.
Question: Is the software lock imposed as a request by Orange or by Microsoft?
Answer: Device lockdown is a choice for OEMs or mobile operators. Windows Powered Smartphone 2002 includes optional advanced applications security architecture designed to enable OEMs, operators and corporations the flexibility to meet their customers’ requirements. The X.509 based applications security model allows operators to require applications to be digitally signed prior to installation and execution.
Question: What is Microsoft's view on restricting users what they can and can't install on their devices?
Answer: A large and empowered end user and software developer community is essential to the health of the computing ecosystem. As the worlds of telephony and software converge on next generation devices like Smartphone, we'll undoubtedly see the traditions in each of these industries evolve somewhat. From a security standpoint, the Smartphone 2002 architecture (based on the X.509 certificate model) allows operators not only to protect their customers from malicious applications and viruses, but also to provide their corporate customers additional levels of device control and customization.
Microsoft supports security efforts designed to maximize user experience by protecting the integrity of:
1. User data - ensure contacts are not posted to obscure websites, for example
2. Network - prevent applications from interfering with network stability through signaling or SMS, for example
3. Billing – guarantee applications are not generating traffic or transaction events (and accruing costs) without users knowledge
By remaining 100% committed to the Windows developer community and doing our part by providing a fertile platform for innovation, Microsoft hopes to ship every software platform, with the developer community and its needs, as well as the computing ecosystem, in mind.
Question: Will an unlocked Smartphone 2002 ever be released by anyone?
Answer:The Orange SPV is the first of several Smartphone-based handsets to come to market. Microsoft has nothing to announce today but stay tuned...
As far as I can tell, Orange is in true mobile network operator spirit imposing the device lockdown. That is said with ambigious feelings: I would love to see an completely open architecture, and I read the statements about "evolving traditions" both ways: we will eventually see more open telephony architectures as well as more secure and closed software architectures. However, while it is Orange that decided to lock their devices, I don't doubt that product teams at Microsoft will address their not so perfect security track record and act when Bill Gates says: "Trustworthy Computing". Open and secure are each other's opposites, so we will see more closed and more secure architectures from Microsoft moving forward, not only in the areas of telephony.
Now it's your turn! What would be the best move by a mobile network operator and by Microsoft moving forward on their next Smartphone projects?
With these thoughts in mind, I put together the questions below to Microsoft. Check them out and read the answers.
Question: From a software deployment point-of-view, how is the Orange SPV phone locked and why?
Answer: Windows Powered Smartphone includes a X.509 based applications security model which allows operators to optionally require applications to be digitally signed prior to installation and execution on devices. The Orange SPV has applications security enabled, making devices "locked" to unsigned applications. For these locked devices, mobile operators engage public trusted authorities i.e. Verisign or Baltimore (certificate authorities) to digitally sign applications before they are installed and executed on devices on their networks
Question: What does a developer have to do and obtain to develop, market and sell Smartphone 2002 applications that Orange SPV users can buy, install and use?
Answer:
-Register as a member of Microsoft Partner Program and choose "Smartphone" on the left hand menu.
-Download the Software Development Kit (SDK) (More than 225,000 developers have already done so.)
-Once developers receive logo certification, they can submit their applications into the Mobile2Market catalog which is promoted to operators and retailers worldwide.
-Engage Mobile2Market Certificate Authority partner, Verisign or Baltimore, to digitally sign application.
Please note: There is a nominal fee for logo certification and code signing. This fee is paid directly to third party testing houses and code signing partners (and not Microsoft nor Orange). Microsoft is making a limited discount available to partners getting an app certified before 30th January. The discount is being paid directly to the third party testing labs.
Question: Is the software lock imposed as a request by Orange or by Microsoft?
Answer: Device lockdown is a choice for OEMs or mobile operators. Windows Powered Smartphone 2002 includes optional advanced applications security architecture designed to enable OEMs, operators and corporations the flexibility to meet their customers’ requirements. The X.509 based applications security model allows operators to require applications to be digitally signed prior to installation and execution.
Question: What is Microsoft's view on restricting users what they can and can't install on their devices?
Answer: A large and empowered end user and software developer community is essential to the health of the computing ecosystem. As the worlds of telephony and software converge on next generation devices like Smartphone, we'll undoubtedly see the traditions in each of these industries evolve somewhat. From a security standpoint, the Smartphone 2002 architecture (based on the X.509 certificate model) allows operators not only to protect their customers from malicious applications and viruses, but also to provide their corporate customers additional levels of device control and customization.
Microsoft supports security efforts designed to maximize user experience by protecting the integrity of:
1. User data - ensure contacts are not posted to obscure websites, for example
2. Network - prevent applications from interfering with network stability through signaling or SMS, for example
3. Billing – guarantee applications are not generating traffic or transaction events (and accruing costs) without users knowledge
By remaining 100% committed to the Windows developer community and doing our part by providing a fertile platform for innovation, Microsoft hopes to ship every software platform, with the developer community and its needs, as well as the computing ecosystem, in mind.
Question: Will an unlocked Smartphone 2002 ever be released by anyone?
Answer:The Orange SPV is the first of several Smartphone-based handsets to come to market. Microsoft has nothing to announce today but stay tuned...
As far as I can tell, Orange is in true mobile network operator spirit imposing the device lockdown. That is said with ambigious feelings: I would love to see an completely open architecture, and I read the statements about "evolving traditions" both ways: we will eventually see more open telephony architectures as well as more secure and closed software architectures. However, while it is Orange that decided to lock their devices, I don't doubt that product teams at Microsoft will address their not so perfect security track record and act when Bill Gates says: "Trustworthy Computing". Open and secure are each other's opposites, so we will see more closed and more secure architectures from Microsoft moving forward, not only in the areas of telephony.
Now it's your turn! What would be the best move by a mobile network operator and by Microsoft moving forward on their next Smartphone projects?
