I met David for the first time a couple of years ago when I was excited about Certificate Auto-Enrollment and tracked him down as someone who could give me for of the nitty-gritty details.  We've had many conversations since then and I continue to enjoy the opportunity to work with him.

I remember it being "the year of PKI" for several of the years during the 1990s, when it never really came to fruition.  But, quietly and steadily, work to integrate Certificate services with Windows Server, and work to integrate with Group Policy and the introduction of autoenrollment helped PKI take some big steps forward.

Want to automatically and silently provision Certificates for secure wireless for your new employees?  You can do it because of David.  Want to automatially and silently renew an expired certificate when a user next authenticates to the domain?  You can do it because of David.

Of course, David would tell you that he was just part of a big team doing the work, and he would be right.  I salute all of them and their contributions.  However, David is one of my heroes in security at Microsoft for his dedication to security and contributions he has made in making PKI a feasible, usable reality for people, and I'm happy to feature David as my first (of several) profile on Microsoft Security professionals.

  ~ Jeff

January 2007 

       

Name  David B. Cross
Title  Director of Program Management, Windows Security
Security Super Power  Cryptography and PKI
Cool tech by David  Autoenrollment, Credential Roaming, Volume Encryption
Security standards work

http://www.ietf.org/rfc/rfc3709.txt 

http://www.ietf.org/rfc/rfc4556.txt

http://www.w3.org/2001/XKMS/Minutes/20020906-f2f3

Microsoft tenure  9 years
Early Security Influences  Bruce Schneier
Salutes Microsoft Security Colleagues  Paul Leach, Richard Ward, Steve Lipner
SW or LoTR ?  Lord of the Rings trilogy

David's Bio

David is a Director of Program Management with the Microsoft Windows Security organization focusing on security design and engineering in the Windows platform. He joined Microsoft in 1998 and has made significant technical and architectural contributions to Microsoft products such as Windows 2000/XP/Vista, Windows Server 2003 and Exchange Server 2003. In addition, David has been a contributing author on a number of whitepapers and Microsoft Press books regarding Microsoft security and PKI. Prior to joining Microsoft, he spent two years as a Project Manager and Senior Architect with the Microsoft Solution Provider/Partner community and five years active duty with the aviation electronic warfare community of the United States Navy. David has spoken at over 100 internal and industry conferences around the world including TechEd, RSA, ITForum, PKI Forum and NISSC. David holds a B.S. in Computer Information Systems as well as an MBA in Management Information Systems.


The Interview
Launch in external player
Jeff Note:  This text interview is NOT a exact transcript of the video interview, though there is a lot of overlap.  The video is about 15 minute long.

Jeff:  So, David, I want to start by getting you to weigh in on the Clerks II trilogies debate - Star Wars or Lord of the Rings, which was better?

David: I like the older (more classic), so I'll have to say Lord of the Rings.

Jeff Note:  Some may be confused by this answer, since Star Wars is the older, but I think he's referring to the books, which are classic.

Jeff:  Great - I'm going to ask other security pros this questions and we'll see who wins over time.  Let's start with some personal questions - are you Married?

David: Yes, for six years, to Christine.

Jeff:  Any children or pets?

 

David: No children, but we have one dog and a Meyers parrot named "Kerberos", or Kerby for short?

Jeff:  Kerberos is a great name for a security guy's pet.  Does Kerby talk?  Maybe I could interview him as well?

David's Parrot Kerberos

Jeff:  What about hobbies or interests?  Favorite move?

 

David: The best movie of all time in my mind is Dr. Strangelove.  It is simply hilarious and I have must have watched it 100 times.  My overall hobbies are reading (I am a big fan of Cold War history, both domestic and Soviet) and travelling around the world with my wife.

Jeff:  One final personal question - where did you grow up?

David: I was born and raised in Michigan.

Jeff:  Cool, another Midwesterner.

Jeff Note:  For those in the know, "the Midwest" in the USA are the states that formerly made up the Old Northwest Territory - Illinios, Indiana,  Michigan, Ohio and part of Wisconsin.  Wikipedia:Midwest says "Regional definitions vary from source to source", but take it from me, those other sources are wrong.

Jeff: Okay, let's move on to some security questions?  How did you first get started in computer security?

David: I have always had a natural passion and interest in security and security technologies.  My father was a cryptographic technician in the Navy which spawned my interest at a very young age that persisted throughout my career. 

Jeff:  Who were your security influences?  Any security industry folks you admire?

David: The first security book I bought was the first edition of Applied Cryptography by Bruce Schneier.  This set my interest in PKI in motion long before Microsoft.  I was determined to make security and PKI technologies easier to deploy and usable for everyone.

Click for details

Jeff:  Is that your favorite security book?  Put another way, if there were only one security book you could recommend, what would it be?

David: I definitely have a favorite book that I recommend to new and old to the security industry.  It provides a great history and basis for security design that is easy and fun to read - Security Engineering by Ross Anderson.

 

Jeff Note:  It turns out that Ross has talked Wiley into letting him publish his book electronically, by chapter, and also making some audiobook chapters available.  I recommend it too, and if you want a paper copy, Ross's site has links to buy it as well.

Now available for free download

Free download

Jeff:  Let's shift gears again, this time to Microsoft.  How long have you been working in security at Microsoft?

David:  Almost 9 years now.  My first 2 years at Microsoft were with Microsoft Consulting Services designing and deploying Security solutions with some of our largest customers.  This was an extremely valuable experience that has given me a framework and baseline for building security solutions that customers can actually deploy and use.  The rest of my career has been spent in the Windows Security organization. 

Jeff:  How did you end up joining Microsoft?  Did you work in security at other places first?

Jeff Note:  David has a very interesting answer on this, but you'll have to watch the video to hear it.

Jeff:  What are some of the security features that you've contributed to Microsoft products ?  What product did they first go into?

David:  I've worked on various PKI efforts, the encrypting file system, credential roaming, and volume encryption, among other things.  The projects have been in the Windows Security organization and contributed to Windows 2000 and other Windows releases up to and including Windows Vista.  That's not a complete list.

Jeff:  What security feature in Windows Vista (not necesarilly one you developed) are the most happy to see in the product?

Jeff Note:  Short answer: User Account Control (UAC), watch the video to hear more detail on why.

Jeff:  Do you hold any patents for your security work at Microsoft?

David:  Actually, I'm on 15 patents that have been submitted, but they are all pending and haven't yet been granted.

Jeff:  What about security standards work - have you contributed to any?

David:  Yes, I've contributed as part of the Microsoft team on X.509 work (http://www.ietf.org/rfc/rfc3709.txt), the PKIX work (http://www.ietf.org/rfc/rfc4556.txt), as well as XML Key Management working group (http://www.w3.org/2001/XKMS/Minutes/20020906-f2f3).

Jeff: One final question - what security colleagues are grateful to get to work with?

David:  Numerous, but to name 2 or 3 off the top of my head - Paul Leach, Richard Ward and Steve Lipner are some that I particularly admire and look up to.  They have all contributed so much to the industry and Microsoft and are simply brilliant.  


Bibliography - The Written Security Word of David B. Cross

Certificate Revocation and Status Checking, January 2006

Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure, July 2004

Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003

Key Archival and Management in Windows Server 2003, December 2004

Windows Server 2003 PKI operations and configuration guide, July 2004

Configuring and Troubleshooting Windows 2000 and Windows Server 2003 Certificate Services Web Enrollment, June 2004

PKI Enhancements in Windows XP Professional and Windows Server 2003, May 2003

Certificate Autoenrollment in Windows Server 2003, April 2003

Encrypting File System in Windows XP and Windows Server 2003, April 2003

The CAPIMON tool, November 2003, CryptoAPI Monitor (CAPIMON) allows an administrator to monitor an application’s CryptoAPI calls and the results.

Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services, August 2003, The Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services runs on the Windows Server 2003 family. It provides support for the SCEP protocol which allows Cisco routers and other intermediate network devices to obtain certificates.

Certificate Enrollment in Windows CE .NET, August 2002

Windows 2000 Server and PKI: Using the nCipher Hardware Security Module, April 2001

Adding Revocation Providers to CryptoAPI for Identrus Applications, December 2001