I met David for the first time a couple of years ago when I was excited about Certificate Auto-Enrollment and tracked him down as someone who could give me some of the nitty-gritty details. We've had many conversations since then and I continue to enjoy the opportunity to work with him.
I remember it being "the year of PKI" for several of the years during the 1990s, when it never really came to fruition. But, quietly and steadily, work to integrate Certificate services with Windows Server, and work to integrate with Group Policy and the introduction of autoenrollment helped PKI take some big steps forward.
Want to automatically and silently provision certificates for secure wireless for your new employees? You can do it because of David. Want to automatically and silently renew an expired certificate when a user next authenticates to the domain? You can do it because of David.
Of course, David would tell you that he was just part of a big team doing the work, and he would be right. I salute all of them and their contributions. However, David is one of my heroes in security at Microsoft for his dedication to security and contributions he has made in making PKI a feasible, usable reality for people, and I'm happy to feature David as my first (of several) profile on Microsoft Security professionals.
David is a Director of Program Management with the Microsoft Windows Security organization focusing on security design and engineering in the Windows platform. He joined Microsoft in 1998 and has made significant technical and architectural contributions to Microsoft products such as Windows 2000/XP/Vista, Windows Server 2003 and Exchange Server 2003. In addition, David has been a contributing author on a number of whitepapers and Microsoft Press books regarding Microsoft security and PKI. Prior to joining Microsoft, he spent two years as a Project Manager and Senior Architect with the Microsoft Solution Provider/Partner community and five years active duty with the aviation electronic warfare community of the United States Navy. David has spoken at over 100 internal and industry conferences around the world including TechEd, RSA, ITForum, PKI Forum and NISSC. David holds a B.S. in Computer Information Systems as well as an MBA in Management Information Systems.
Jeff: So, David, I want to start by getting you to weigh in on the Clerks II trilogies debate - Star Wars or Lord of the Rings, which was better?
David: I like the older (more classic), so I'll have to say Lord of the Rings.
Jeff: Great - I'm going to ask other security pros this question and we'll see who wins over time. Let's start with some personal questions - are you married?
David: Yes, for six years, to Christine.
David: No children, but we have one dog and a Meyers parrot named "Kerberos", or Kerby for short.
Jeff: Kerberos is a great name for a security guy's pet. Does Kerby talk? Maybe I could interview him as well?
Jeff: What about hobbies or interests? Favorite movie?
David: The best movie of all time in my mind is Dr. Strangelove. It is simply hilarious and I must have watched it 100 times. My overall hobbies are reading (I am a big fan of Cold War history, both domestic and Soviet) and travelling around the world with my wife.
Jeff: One final personal question - where did you grow up?
David: I was born and raised in Michigan.
Jeff: Cool, another Midwesterner.
Jeff: Okay, let's move on to some security questions. How did you first get started in computer security?
David: I have always had a natural passion and interest in security and security technologies. My father was a cryptographic technician in the Navy which spawned my interest at a very young age that persisted throughout my career.
Jeff: Who were your security influences? Any security industry folks you admire?
David: The first security book I bought was the first edition of Applied Cryptography by Bruce Schneier. This set my interest in PKI in motion long before Microsoft. I was determined to make security and PKI technologies easier to deploy and usable for everyone.
Jeff: Is that your favorite security book? Put another way, if there were only one security book you could recommend, what would it be?
David: I definitely have a favorite book that I recommend to new and old to the security industry. It provides a great history and basis for security design that is easy and fun to read - Security Engineering by Ross Anderson.
Jeff: Let's shift gears again, this time to Microsoft. How long have you been working in security at Microsoft?
David: Almost 9 years now. My first 2 years at Microsoft were with Microsoft Consulting Services designing and deploying Security solutions with some of our largest customers. This was an extremely valuable experience that has given me a framework and baseline for building security solutions that customers can actually deploy and use. The rest of my career has been spent in the Windows Security organization.
Jeff: How did you end up joining Microsoft? Did you work in security at other places first?
Jeff: What are some of the security features that you've contributed to Microsoft products? What product did they first go into?
David: I've worked on various PKI efforts, the encrypting file system, credential roaming, and volume encryption, among other things. The projects have been in the Windows Security organization and contributed to Windows 2000 and other Windows releases up to and including Windows Vista. That's not a complete list.
Jeff: What security feature in Windows Vista (not necessarily one you developed) are you most happy to see in the product?
Jeff: Do you hold any patents for your security work at Microsoft?
David: Actually, I'm on 15 patents that have been submitted, but they are all pending and haven't yet been granted.
Jeff: What about security standards work - have you contributed to any?
David: Yes, I've contributed as part of the Microsoft team on X.509 work (http://www.ietf.org/rfc/rfc3709.txt), the PKIX work (http://www.ietf.org/rfc/rfc4556.txt), as well as XML Key Management working group (http://www.w3.org/2001/XKMS/Minutes/20020906-f2f3).
Jeff: One final question - what security colleagues are you grateful to get to work with?
David: Numerous, but to name 2 or 3 off the top of my head - Paul Leach, Richard Ward and Steve Lipner are some that I particularly admire and look up to. They have all contributed so much to the industry and Microsoft and are simply brilliant.
Certificate Revocation and Status Checking, January 2006
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure, July 2004
Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003
Key Archival and Management in Windows Server 2003, December 2004
Windows Server 2003 PKI operations and configuration guide, July 2004
Configuring and Troubleshooting Windows 2000 and Windows Server 2003 Certificate Services Web Enrollment, June 2004
PKI Enhancements in Windows XP Professional and Windows Server 2003, May 2003
Certificate Autoenrollment in Windows Server 2003, April 2003
Encrypting File System in Windows XP and Windows Server 2003, April 2003
The CAPIMON tool, November 2003. CryptoAPI Monitor (CAPIMON) allows an administrator to monitor an application's CryptoAPI calls and the results.
Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services, August 2003. The Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services runs on the Windows Server 2003 family. It provides support for the SCEP protocol, which allows Cisco routers and other intermediate network devices to obtain certificates.
Certificate Enrollment in Windows CE .NET, August 2002
Windows 2000 Server and PKI: Using the nCipher Hardware Security Module, April 2001
Adding Revocation Providers to CryptoAPI for Identrus Applications, December 2001