I saw a commercial for robots tonight. Allow me to paraphrase:
I'm a neat freak...I'm obsesive compulsive...The Roomba is more intelligent than some people I know....It is a full featured robot...I know it's about to do a great service for me...the rumba finds more dirt than is humanly possible...I love robots...I don't know why I didn't buy one sooner.
I Love Robots!!!
Monday, November 21, 2005
I saw a commercial for robots tonight. Allow me to paraphrase:
Monday, November 07, 2005
Pat Patterson氏は、1997年にロンドンにあるソフトウェア開発会社のTrustbase社に入社。その後2000年にSunがTrustbase 社を買収し、以来Sunのアイデンティティ・管理製品グループのテクニカルアーキテクトを勤めています。フェデレーションとアイデンティティベースの Webサービス技術を中心に活動を行っています。JavaOne Tokyoでは２つのテクニカル・セッションのスピーカを担当。その内容について伺いました。
Obviously some fairly interesting claims about Pat's reputation/credentials, but unfortunately, not in one of my required formats. Fortunately BabelFish's STS allows for some simple claim transformation:
You will observe identity management technology to this session! (Pat Patterson)
Pat Patterson joins the Trustbase corporation of the software development company which London is in 1997. After that Sun purchases the Trustbase corporation in 2000, serves the technical architect of the identity management product group ever since Sun. Focusing on the federation and identity based Web service technology activity is done. With JavaOne Tokyo you take charge of the speaker of two technical sessions. You asked concerning the contents.
Awesome. Looks like the metasystem is going to need to stick to statically typed claims, with well defined transforms, for awhile yet...
Craig Burton recently replied to my comments on his I Cry Post. While I generally agree with his sentiment on the metasystem, I have to take issue with the oversimplification of Infocard, Microsoft's implementation.
WS-* is not the encapsulating protocol. WS-Trust is the encapsulating protocol.
WS-Trust is actually just the encapsulating protocol for claims transformation. Microsoft's paper on the Identity Metasystem defines encapsulating protocol as the following:
"The encapsulating protocol provides a technology-neutral way to exchange claims and requirements between subjects, identity providers, and relying parties."
While WS-Trust may provide for claims transformation, it certainly does not provide provide the complete working pieces of an Identity Metasystem. In order to build a metasystem, you need a number of other critical pieces. In this case Microsoft is requiring:
- WS-SecurityPolicy and WS-MetadataExchange for declaration and negotiation of claims requirements
- WS-Security/dsg/encrypt and for message integrity, confedntiality, and claims presentation
- WS-SecureConversation for channel security and trust associations
- WS-Addressing for action, address, and message correlation
- SOAP for transport abstraction
- ...and some other tiny required specs...
Although not all of these are required components of an abstract metasystem, they all seem to be requirements of the Microsoft implementation, and that seems to run contrary to his call for an "architecture that is independent of mandated adoption" You gotta buy in.
Craig goes on to say:
What does WS-Trust do? It converts a token (in any format) into another token (in any format). You input an existing token, a request for a new token, and get back the new token. In otherwords, it is a token exchanger – between constituent systems.
Properly characterized, I'd say WS-Trust simply allows you to request this action to be performed. It's a simple request/response protocol, where the magic of any to any token transform is left out of band. At that point we're left up to systems that implement an Security Token Service (STS). I can name 1 commercial STS implementation (IBM's FIM), the Indigo Beta from Microsoft would allow you to build one fairly easily, and prototype code from sourceid. (Anyone know any others?) Unfortunately, given the above protocol requirements, there is some serious impedance in place of ubiquitous adoption.
Compounding the protocol requirements, in order for an STS to convert a token in any format, to any format, some sort of semantic equivalence between the two would need to be defined and implemented...something which is generally non-trivial, and sometimes not possible. Additionally, without a single canonical token format, and lacking a registrar of token formats and transforms, we're also left with a pretty serious scale issue. How does one know what the possible transforms are, and who can fulfill them? How do you incent the Supplying and Relying parties to negotiate (and by this I really mean implement) to a common set of claim formats?
Realistically, I think we'll probably end up in an environment where we negotiate to a limited set of common claims formats for the common stuff, and allow transport of a variety of vertically focused claims. Bridging between the participating parties is critical, but I'm not convinced that its the transform that's the killer app.
What I do think Craig really hits on here is that it's mandatory that a multitude of claims formats be supportable; a successful metasystem will neither be able to predict, nor prescribe the token/claim/assertion/attribute/etc formats which will flow across it. The transform is really just a facilitator, often necessary, but perhaps not a required one. I think Microsoft really nailed the decision to leave the token format out of band for the metasystem. This is critical to ubiquity, and I'm singing along with Craig on this. I am skeptical that they've got the right design center for adoption in the encapsulation protocol, when looked at in terms of it's complexity.
This does bring up a few outstanding questions I've got about Infocard:
- What is the metadata format for "cards"? A combination of a WS-Addressing Endpoint Reference and Ws-SecPol? Something else?
- How is it advertised and acquired? - Discovery seems totally opaque in the information I've seen so far. Kim Cameron alluded to the ability to advertise that one provides a card on a website at IIW this year, but what are the details?
- At IIW, Microsoft mentioned that in order to promote usability aspects of the system, they'd be binding a human readable explanation of the machine readable claim. What is that format, and how is this not a new mandatory claim format for us to adopt?
Anyone out there have the answers?
Thursday, October 27, 2005
Went down to Atlanta earlier this week for a Sxip install...ended up getting awfully nostalgic for Sun when I saw this sucker:
That's a $5 million dollar Sun StorEdge L8500. Basically, it's a giant array of backup disks serviced entirely by robots, complete with a built in fire suppression system.
In 4 years at Sun, I never actually saw one in the wild.
Tuesday, October 04, 2005
Interesting development...AllState is providing Identity recovery insurance:
"With Allstate's identity restoration coverage, you have a dedicated team to handle the complicated, time-consuming and tedious work needed to help restore your good name and your credit rating. They will make the phone calls, handle the paperwork and deal with the credit bureaus. Some services focus solely on credit card theft or offer limited expense coverage, but Allstate goes further to help protect your good name — and your time."
Sxip's at Web2.0 this week trying to kill this market off before it starts.
Monday, July 25, 2005
Benji at SalesForce.com had an interesting post today on the sforce blog. Here's the juicy part:
How do the clients, which all use web services to authenticate (using login and password today calling our login call), know where to get the SAML token from, in a standard way? There is no standard way to do this today, and even standards like WS-Trust don't seem to solve this problem. For example, you build a client using our web services apis. You deploy to all our customers. Customer A has one SAML provider. Customer B has another SAML provider. How does your code know where to go to get the token when deployed at customer A and at customer B, without configuring all of the clients with the location of the SAML provider?
Benji raises some excellent points here...he's effectively pointing out the issue of discovering a security token service. What makes this complicated is the security token service in many of Sxip's customers is on a private network, and customers don't wish to expose the url to the general public. An anonymous discovery service either can't personalize the response to either customer a or b, or you end up exposing sts endpoint locations inside customer a or b.
Anyone have any ideas on this tricky problem?
Sunday, July 10, 2005
Sunday, June 26, 2005
Tuesday, June 21, 2005
Sunday, June 19, 2005
This was sent to my service. As, you can see that InfoCard has automatically created a SAML 1.1 assertion bearing the email address provided in the selected InfoCard. What's not clear to me is what's going on with the action - its' using a wa-addressing action that is not defined in ws-trust...hmm. Anyone? I wish the body weren't mysteriously encryted....
[Update: Mark Wahl passed this along
"When requesting and returning security context tokens the following Action URIs are used
in WS-SecureConversation Feb '05.
Thanks Mark! ]
POST /simpleservice HTTP/1.1 Content-Type: application/soap+xml; charset="utf-8"; action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT"
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<a:Action u:Id="_1" s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</a:Action>
<a:To u:Id="_3" s:mustUnderstand="1">http://192.168.9.10:8080/simpleservice</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<e:EncryptedKey Id="uuid-dfeed4a3-da17-4699-80aa-dad0cccc082e-1" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<c:DerivedKeyToken u:Id="_6" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionId="uuid-30365992-d9e4-46ad-9443-41b1aa1cc917" Issuer="http://schemas.xmlsoap.org/ws/2004/10/identity/issuer#self" IssueInstant="2005-06-20T00:44:35.718Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions x:Id="1" NotBefore="2005-06-20T00:44:35.500Z" NotOnOrAfter="2005-06-20T00:54:35.500Z" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://schemas.microsoft.com/2003/10/Serialization/"/>
<saml:AttributeStatement x:Id="1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://schemas.microsoft.com/2003/10/Serialization/">
<saml:NameIdentifier x:Id="1" Format="http://schemas.xmlsoap.org/ws/2004/10/identity#KeyThumbprint">9TGi5d7p2VFFnGtOZ5bmUwbpOJI=</saml:NameIdentifier>
<saml:Attribute x:Id="1" AttributeName="http://schemas.microsoft.com/ws/2004/10/identity#E-Mail-Address" AttributeNamespace="http://schemas.microsoft.com/ws/2004/10/identity">
<e:EncryptedData Id="_7" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
With all that out of the way, I finally can invoke my client, and get into the InfoCard interface, as well as take a look at the resulting message enrichement
When I invoked the client, the first thing it does is validate the Identity of the service using the cert in the addessPropeties. Assuming validity, the InfoCard UI is invoked. The first thing you seen is presentation of the relying party, and potentially their terms of service, as well as prompt to either agree to their terms, or cancel the operation. I wish I had a screen shot, but there doesn't seem to be a simple means to remove a relying party from your trust list, or change its settings. I expect this will show up in future versions.
Once I accepted the terms, I'm prompted to select an InfoCard. This shows the UI for infocard actually being invoked:
Click for a larger version
A few things to notice here
1) They track which card I've previously presented, and when I did it
2) They track what the relying party already knows about me
From here, I can choose a card to submit. This talks to a local STS in the current beta, and generates a SAML assertion, which is used to enrich the SOAP call...
InfoCard ends up getting invoked (at least in the Indigo use cases) via a custom binding in the services configuration file (app.config or web.config depending on selfhosting or was/iis hosted services)
The config file has 3 main sections required for InfoCard usage. The first is a custom binding. The binding section basically describes the protocol indigo will use to expose or talk to services in a declarative fasion. It ships with a number of default bindings for WS-I basic profile interop, WS-*, as well as some MSFT proprietary binary optimizations. You do have the ability to define a custom binding which gives you granular control over protocol. In order to use InfoCard, you seem to need to use a custom binding. Here is an example:
<!-- Define custom binding for InfoCard. -->
<security authenticationMode="IssuedTokenForCertificate" contextMode="Session">
<wst:TokenType xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsid="http://schemas.xmlsoap.org/ws/2004/10/identity" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>
<wst:Claims xmlns:wsid="http://schemas.xmlsoap.org/ws/2004/10/identity" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
This basically says that the authentication mode is IssuedTokenForCertificate which I believe indicates "Use InfoCard" It then designates the parameters which will be passed into the WS-Trust RST - in this case stating that it wants a SAML assertion with email address attribute assertion
Next, we need special behavior section which is referenced from the endpoint configuration. This indicates how to find the local certificate to exchange for the SAML assertion. This required importing the certificate into my local trusted store:
<behavior configurationName="TrustedCredentials" returnUnknownExceptionsAsFaults="true">
<serviceX509Certificate findValue="Fabrikam" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
It's not yet clear what other credential types can be used - there seem to be many options in the core Indigo APIs, but the authenticationMode of IssuedTokenForCertificate has me a bit concerned others aren't yet supported...
Finally, a addressProperties section is required:
<addressProperties identityType="Dns" identityData="Fabrikam">
I've got to say I don't understand this at all...or more to the point, don't see how it's viable. I believe what this is doing is providing the Identity of the service itself. Since this is statically declared in the clients config, it looks like a huge distribution issue. I'm sure microsoft must have something else in mind, like fetching this over ws-mex...anyone?
That pretty much covers what is required for the client and service config files - they're pretty close to the same. Next, we'll take a look at what happens when we invoke
Next, we need a simple client to go with my service.
//This replicates the services contract - just raw Messages
[OperationContract(IsOneWay = true, Action = "*")]
void Send(Message msg);
void SendMessage(IGenericMessageChannel channel, string input)
contentDocument = new XmlDocument();
" + input + "");
XmlNodeReader content = new XmlNodeReader(contentDocument.DocumentElement);
MessageVersion messageVersion = MessageVersion.CreateVersion(EnvelopeVersion.Soap11);
using (Message msg = Message.CreateMessage(messageVersion, "http://tempuri.org/ISimpleService/Receive", content))
catch (Exception e)
Console.WriteLine("Exception: " + e.ToString());
public void Invoke( string input)
IGenericMessageChannel channel = channelFactory.CreateChannel();
I call this client from another class which is irrelevant to the InfoCard/Indigo magic.
Now onto some real infocard work. To begin with, I developed a simple webservice and client using Indigo. This service basically displays the raw SOAP which it is sent:
//This is the Indigo namespace
Here, I'm using an interface to define the service contract.
Service contracts are explicit in Indigo, and can be distict
from application/class level contract as seen here.
//A very raw service - interface accepts low level message type.
[OperationContract(IsOneWay = true)]
void Receive(System.ServiceModel.Message msg);
public partial class SimpleService : Form, ISimpleService
//selfhosting ServiceHost using generics to be types to my implementation
private void button2_Click(object sender, EventArgs e)
public void Receive(System.ServiceModel.Message msg)
MessageBox.Show("New Message:\n\n" + msg.ToString());
private void Start()
sh = new ServiceHost
static void Main(string args)
SimpleService service = new SimpleService();
Making a WS-Trust RST Issue call from Indigo is pretty simple. I defined a custom security binding with a endpoint reference and presto...ws-trust.
To do this, I added this to the federationParameters section of a custom binding security element:
<endpoint address="http://192.168.9.10:8080/simpleservice" bindingConfiguration="WSTrustBinding" bindingSectionName="wsProfileBinding"/>
I then reference the binding from my client endpoint reference, and when I invoked my client, it makes this call:
POST /simpleservice HTTP/1.1
Content-Type: application/soap+xml; charset="utf-8" action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue"
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<t:RequestSecurityToken Context="uuid-58ae93d3-a412-4ee4-97ab-288bc880b35a-2" xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<EndpointReference xmlns="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://schemas.microsoft.com/2003/10/Serialization/">
Looks to be using a web serivce binding of SPNego by default. I wish I had a remote STS to play with...
The InfoCard API is pretty straight forward (and I suspect in flux). There are only really 2 classes to pay attention to:
public static System.ServiceModel.Security.GenericXmlToken GetToken(System.ServiceModel.EndpointAddress endPoint, System.Collections.Generic.IEnumerable
policy, System.Xml.XmlElement requiredRemoteTokenIssuer)
public static void Manage()
(Notice no constructor)
public override System.IAsyncResult BeginGetToken(System.ServiceModel.EndpointAddress target, System.AsyncCallback callback, object state)
public override System.ServiceModel.Security.Tokens.SecurityToken EndGetToken(System.IAsyncResult result)
public override System.ServiceModel.Security.Tokens.SecurityToken GetToken(System.ServiceModel.EndpointAddress target)
public override bool TryApplyIssuedTokenParameters(System.ServiceModel.Security.IIssuedTokenParameters parameters)
public override bool WillGetTokenCompleteSynchronously(System.ServiceModel.EndpointAddress target)
Besides that, it's all exceptions:
A few other intersting things show up in the Indigo APIs:
Support for SAML, Kerb, X509, UserName, Windows, and WindowsUserName Tokens
Looks like support for April 04 and Feb 05 versions of WS-Trust
Saturday, June 18, 2005
Since I'm un-employed this weekend (I'm starting a new job at Sxip Identity on Monday), I thought I'd sit down and poke around the new Microsoft.InfoCards API and Indigo.
To start with, I suppose I'd better state up front that I haven't ever used Windows as my primary Desktop OS, and this is my first dive into C# as well. Fortunately, it seems to be enough of a Java clone that the learning curve is really quick...it feels a lot like Java 1.5.
Invoking the InfoCard UI:
My first step was to get the WinFX CTP and VisualStudio Betas installed. This was pretty straightforward, but make sure you have the latest of each, as there are some linking dependencies in the .NET build that require a specific combination. Also, I'd recommend the express version of Studio, as the full version is several GB.
To start out hacking with InfoCard, I thought I'd simply invoke the InfoCard UI. The simple way to do this is to hit the ControlPanel -> Digital identities. (Note that you can start the system by running: net start "InfoCard Service" at the command prompt if the system is not started for you) The result is the following wireframe UI:
Click for a larger version
It's also quite simple to invoke this via code. To do so, you can simply use the Manage() method on Microsoft.InfoCards.InfoCardClient. Simply create a new Console application, and add a reference to the Microsoft.InfoCards assembly. Then, the following code will invoke the InfoCardUI
static void Main(string args)
That's all it takes to invoke the InfoCard system from code. More to come....
While you wait- here are some interesting links on Infocard, and Indigo which I found useful:
Indigo Docs on Infocard
A weekend with Indigo
Andy's InfoCard Blog
Simple Indigo Client
Simple Indigo Service
I recently ran across an old book of Barksdale-isms from Netscape. I thought I'd share some of the choice ones.
Today's - The three rules of snakes:
Tuesday, June 14, 2005
Monday, June 13, 2005
Tuesday, June 07, 2005
Thursday, June 02, 2005
Monday, May 30, 2005
An interesting identity question that I pass on the way to work each day:
Given that the artist poses the question in the first person, I tend to trust "me." As soon as you direct the question from the third person, it's the asserted attributes of the entity that are trusted, and not the entity itself.
Of course, as the always excellent read of luke razzel's blog points out, names can be a bit tricky too.
Wednesday, May 11, 2005
Tuesday, May 10, 2005
- Start with good people
- Make something customers actually want
- Spend as little money as possible
I work in the posterchild facility for Rule #3...a warehouse attic above a gay porn production facility.
What I find particularily ironic about this is that A) They seem to be doing a better job of executing on Rule #2, and B) they're called Titan Media. I mean what are the chances? Titan Media producing Blue Movies below a software startup called Blue Titan...
At this point, you're probably wondering what the heck this post has to do with crackheads. Well...I've come to have a mature understanding of a few of the subtler points of life in SOMA.
First off, apparently the music in porn is dubbed in after the movie is made. This means nothing covering up the uhmm...noise...from below. This is suprisingly disruptive to the engineering processes, and, when properly timed to coincide with important meetings, an effective deterrent to investment and customer acquisition.
The other thing I've learned (at my poor motorcycle's expense) is that, in a pinch, you can smoke crack out of sparkplugs.
This brings us all the way back to rule #1 - start with good people:
Monday, May 09, 2005
I was recently using one of BEA's many SOAP stacks, and discovered that while comprehensive, their documentation isn't actually accurate...a particularily frustrating combination.
Lucky for me, I happen to sit next to the guy who used to be in charge of all of them. He clued me into the site of manoj, who writes the server stack - apparently its where support sends people.
If you're using web services on weblogic...you'll need this: http://www.manojc.com/
Here is an intersting aspect of my digital identity...online records of the skateboarding ticket I received back in college.
I'd be a little scared by this if the State of Wisconsin were at all threatning...that is assuming you're not a feral house cat Ahh....wisco...
If you're feeling especially geeky today, you can query my WI criminal record over SOAP
Another interesting scientific paper (don't worry - the last for awhile) is the Google Labs write up on GFS.
As I read this paper, I was struck with the architectural similarities to Directory Server as well as work we'd done on a system called the "distributor'". While many Directory servers have reasonably good vertical scaling capacity, there is a certain point where the management functions of a system becomes too fragile, sequential operations take to long, and the statistically low write volumes (that tend to be a directory design center & increasing liability) still result in large write volumes as a function of a user population. Deployment of a single physical system, while technically viable, starts failing to meet design constraints in ways which simply aren't an issue at low scale. Ultimately, decomposition of data into smaller logical "chunks" not only allowed better aggregate write throughput, but also allowed parallelization of time dependent operations (backup, recovery, etc).
I had a lot of fun working on this with some of my favorite people there - Steve Shoaff and Neil Wilson. I hope that Sun let's this loose. - in the meantime, read about GFS.
Sunday, May 08, 2005
Here's an intesting read on how ideas emerge from holes.
So, why's this the first post to my blog?
Having spent 5 years in the IdM industry, and having done so at one company (err...3? Netscape/iPlanet/Sun? ), I recently decided to jump through a structural hole, and see what was on the other side. As it turns out, it was a small SOA startup.
8 months later I've decided to jump on the bandwagon, and I've decided to call my blog xmldap - a nice hybred between my old and new industries, which is what I intend to write about...I hope you enjoy.
The paper itself does a nice job articulating (and partially quantifying) the intangible social capital assigned to social supernodes (see the 6 degrees of bowen ). As the new generation of emergent identity systems gets designed, we must provide for liberal acceptance of tokens/assertions/claims. Physical manifestations of social networks like LinkedIn have tremendous potential as transitive "trust" overlays...picture a Web of Trust model without key management. Some powerful Identity claims exist in untapped form (eBay reputation, social webs, etc ) - as in any good protocol design, let's be liberal with what we accept.