Monday, November 21, 2005

I for one...

I saw a commercial for robots tonight. Allow me to paraphrase:

I'm a neat freak...I'm obsesive compulsive...The Roomba is more intelligent than some people I know....It is a full featured robot...I know it's about to do a great service for me...the rumba finds more dirt than is humanly possible...I love robots...I don't know why I didn't buy one sooner.

I Love Robots!!!

Welcome!

Six Sigma


My new Salomon shipped with the following "quality control" device.



Anyone?

Monday, November 07, 2005

Identity Claims Transformation in Action!

Speaking of transforming claims, my good friend Pat is off in Tokyo at the moment speaking at Java ONE. As it turns out they've got a nice little posting of his bio for the converence:


アイデンティティ管理テクノロジーはこのセッションに注目しよう!(Pat Patterson氏)

Pat Patterson氏は、1997年にロンドンにあるソフトウェア開発会社のTrustbase社に入社。その後2000年にSunがTrustbase 社を買収し、以来Sunのアイデンティティ・管理製品グループのテクニカルアーキテクトを勤めています。フェデレーションとアイデンティティベースの Webサービス技術を中心に活動を行っています。JavaOne Tokyoでは2つのテクニカル・セッションのスピーカを担当。その内容について伺いました。


Obviously some fairly interesting claims about Pat's reputation/credentials, but unfortunately, not in one of my required formats. Fortunately BabelFish's STS allows for some simple claim transformation:

You will observe identity management technology to this session! (Pat Patterson)

Pat Patterson joins the Trustbase corporation of the software development company which London is in 1997. After that Sun purchases the Trustbase corporation in 2000, serves the technical architect of the identity management product group ever since Sun. Focusing on the federation and identity based Web service technology activity is done. With JavaOne Tokyo you take charge of the speaker of two technical sessions. You asked concerning the contents.


Awesome. Looks like the metasystem is going to need to stick to statically typed claims, with well defined transforms, for awhile yet...

Reply to Craig Burton

Craig Burton recently replied to my comments on his I Cry Post. While I generally agree with his sentiment on the metasystem, I have to take issue with the oversimplification of Infocard, Microsoft's implementation.

Craig states:

WS-* is not the encapsulating protocol. WS-Trust is the encapsulating protocol.


WS-Trust is actually just the encapsulating protocol for claims transformation. Microsoft's paper on the Identity Metasystem defines encapsulating protocol as the following:

"The encapsulating protocol provides a technology-neutral way to exchange claims and requirements between subjects, identity providers, and relying parties."


While WS-Trust may provide for claims transformation, it certainly does not provide provide the complete working pieces of an Identity Metasystem. In order to build a metasystem, you need a number of other critical pieces. In this case Microsoft is requiring:


  • WS-SecurityPolicy and WS-MetadataExchange for declaration and negotiation of claims requirements
  • WS-Security/dsg/encrypt and for message integrity, confedntiality, and claims presentation
  • WS-SecureConversation for channel security and trust associations
  • WS-Addressing for action, address, and message correlation
  • SOAP for transport abstraction
  • ...and some other tiny required specs...


Although not all of these are required components of an abstract metasystem, they all seem to be requirements of the Microsoft implementation, and that seems to run contrary to his call for an "architecture that is independent of mandated adoption" You gotta buy in.

Craig goes on to say:

What does WS-Trust do? It converts a token (in any format) into another token (in any format). You input an existing token, a request for a new token, and get back the new token. In otherwords, it is a token exchanger – between constituent systems.

Properly characterized, I'd say WS-Trust simply allows you to request this action to be performed. It's a simple request/response protocol, where the magic of any to any token transform is left out of band. At that point we're left up to systems that implement an Security Token Service (STS). I can name 1 commercial STS implementation (IBM's FIM), the Indigo Beta from Microsoft would allow you to build one fairly easily, and prototype code from sourceid. (Anyone know any others?) Unfortunately, given the above protocol requirements, there is some serious impedance in place of ubiquitous adoption.

Compounding the protocol requirements, in order for an STS to convert a token in any format, to any format, some sort of semantic equivalence between the two would need to be defined and implemented...something which is generally non-trivial, and sometimes not possible. Additionally, without a single canonical token format, and lacking a registrar of token formats and transforms, we're also left with a pretty serious scale issue. How does one know what the possible transforms are, and who can fulfill them? How do you incent the Supplying and Relying parties to negotiate (and by this I really mean implement) to a common set of claim formats?

Realistically, I think we'll probably end up in an environment where we negotiate to a limited set of common claims formats for the common stuff, and allow transport of a variety of vertically focused claims. Bridging between the participating parties is critical, but I'm not convinced that its the transform that's the killer app.


What I do think Craig really hits on here is that it's mandatory that a multitude of claims formats be supportable; a successful metasystem will neither be able to predict, nor prescribe the token/claim/assertion/attribute/etc formats which will flow across it. The transform is really just a facilitator, often necessary, but perhaps not a required one. I think Microsoft really nailed the decision to leave the token format out of band for the metasystem. This is critical to ubiquity, and I'm singing along with Craig on this. I am skeptical that they've got the right design center for adoption in the encapsulation protocol, when looked at in terms of it's complexity.


This does bring up a few outstanding questions I've got about Infocard:

  • What is the metadata format for "cards"? A combination of a WS-Addressing Endpoint Reference and Ws-SecPol? Something else?
  • How is it advertised and acquired? - Discovery seems totally opaque in the information I've seen so far. Kim Cameron alluded to the ability to advertise that one provides a card on a website at IIW this year, but what are the details?
  • At IIW, Microsoft mentioned that in order to promote usability aspects of the system, they'd be binding a human readable explanation of the machine readable claim. What is that format, and how is this not a new mandatory claim format for us to adopt?

Anyone out there have the answers?