Friday, February 15, 2008

Wednesday, January 16, 2008

Meet Dottie

Dorothy Mae Murphy Mortimore was born on Jan 14th at 6:06. At 9 lb. 1 oz. and 21", she gave us a little fright when she refused to be pushed out. After a grueling 24 hours of labor, Dottie joined us via c-section. Mom and baby are happy and healthy.

Check out pictures and news at http://babymortimore.com

Saturday, September 29, 2007

Baby Pictures

Mara and I had a 3D ultrasound for our 5th Anniversary. The technology is pretty insane.

Click here for the full slide show!

Tuesday, September 25, 2007

Identity Deployment of the Year

Rearden Commerce just won the Liberty Alliance's Identity Deployment of the Year!

I just accepted the award at Digital Identity World 2007, and will be speaking there on a panel at 11:30.

Speaking of panels, Rearden has been invited to speak at a couple panels on online platforms recently (office 2.0 and webguild). Joining the likes of Google, Yahoo, Salesforce, and WebEx, I sat on 2 panels and debated the composition of these emerging development environments. You can check out the webguild video here.

If you're interested in online platforms, then come help us build ours!

Monday, March 05, 2007

$5000.00 cash

The startup I work at, Rearden Commerce, is in the midst of a major growth spurt. We've recently become the technology platform for American Express Business Travel, and were selected as one of Business 2.0's Next Net 25.

With that in mind, we're hiring like crazy. I'm looking for Product Managers to work on our Developer Network, our Administrative Consoles, and our Platform Services. We also need top engineering and engineering management talent.

So drop me a line and come join Rearden Commerce...or send us your friends. To help sweeten the deal, we're currently paying a $5000.00 referral bonus to anyone that refers Engineering Directors & Managers, Sr Engineers, Product Managers, or a Director of Merchant Network (BizDev). All other positions pay $1000.00 cash.

Send me those resumes!

Snowboarding at Baldface

Finally have the video from our annual trip to Baldface Lodge online:

http://xmldap.org/BaldFace.mov ~99MB

http://xmldap.org/BaldFace-medium.mov ~37MB

http://xmldap.org/BaldFace-small.mov ~13MB

We're already signed up for next year - drop me a line if you're interested!

Friday, February 09, 2007

Need a new Identity?

My wife Mara would be happy to help you out. She just started a new letterpress and design business called Dutch Door Press.

If you need business cards, invites, cards, stationery or anything you can think of, they can help design and print it.

Check them out on the web: http://www.dutchdoorpress.com

Sunday, December 17, 2006

xmldap as a plugin to perpetual motion

Kevin Miller's new Firefox plugin wraps the native Windows CardSpace identity selector, and in the process provides a great card parsing implementation. Since Kevin was kind enough to implement a plugin framework, I figured I'd take advantage, and added plugin support to the xmldap selector.

If you pick up the latest version of the plugin (requires Java 1.5 on your system) you will now find a new Identity Selector option in your preferences. If you have both Kevin's and my extension installed, and you're on Windows, you can now flip back and forth between the CardSpace selector and the xmldap selector at will.

The great news is that people implementing selectors will no longer need to worry about augmenting the browser. Now hopefully we can all quickly agree on a preferences structure to allow any implementation to easily add itself to the list.

If you're interested in writing your own plugin, it's pretty simple...here are the basics of an XPCOM component that implements the plugin interface:

http://openinfocard.googlecode.com/svn/trunk/firefox/components/Identityselector.js

have fun!

Tuesday, December 12, 2006

Another Firefox Cardspace Extension

Check out this cool extension for Firefox by Kevin Miller

http://www.perpetual-motion.com/

It basically wraps the native CardSpace implementation on Windows so you can use it from Firefox. It has very robust-looking card detection and parsing, and the ability to implement an XPCOM interface to plug in other selectors:

IIdentitySelector.GetBrowserToken(issuer, recipientURL, requiredClaims, data.optionalClaims, tokenType, privacyPolicy, privacyPolicyVersion, serverCert);

The selector implementation can be determined by the user's preferences, so it should be very simple to adapt the xmldap selector or other cross-platform implementations to this model and let users choose their selector.

Nice work Kevin!

Wednesday, December 06, 2006

Combining CardSpace and OpenID

At IIW I demo'd a little proof-of-concept showing the ability to log in to a CardSpace relying party using an OpenID-based identity. For those who didn't get a chance to see it, I provided a little screencast here:

How-To Decrypt a CardSpace backup file

Having posted a utility that decrypts CardSpace backup files, I thought I'd take a moment to explain how it works. The backup file format is rather obscure, so hopefully this will serve as a guide for people looking to import and export cards with non-Windows selectors.

The first thing to do is take a look at the CardSpace backup file format (edited for brevity):

<?xml version="1.0" encoding="utf-8"?>
<EncryptedStore xmlns="http://schemas.xmlsoap.org/ws/2005/05/identity">
<StoreSalt>3BprRlJ6LpWvvLvuGS6hXQ==</StoreSalt>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
<CipherData>
<CipherValue>...Base64 Encoded Ciphertext...</CipherValue>
</CipherData>
</EncryptedData>
</EncryptedStore>


Here we have the file format. There are really just two things we care about...the Salt, and the CipherValue. The first thing to do is extract these 2 values.

At this point, it's probably good to get an overview of what you'll be doing. The ciphertext is actually a 16-byte Initialization Vector, 32 bytes of signature data for validating integrity, and then a CardSpace RoamingStore XML document encrypted using password-based encryption (PBE). Specifically, it's a PKCS5v1 derived key and AES in CBC mode.

As you get started, one thing to be aware of is the byte order mark. Regardless of what it claims, the XML in this file is actually encoded using UTF-16LE. So...it's prefixed with 3 bytes of data. Here's what you should expect for the byte order mark:

byte[] bom = {(byte)0xEF, (byte)0xBB, (byte)0xBF};

You'll also want to know about a couple pieces of static entropy used in the algorithm:

byte[] encKeyEntropy = { (byte)0xd9, (byte)0x59, (byte)0x7b, (byte)0x26, (byte)0x1e, (byte)0xd8, (byte)0xb3, (byte)0x44, (byte)0x93, (byte)0x23, (byte)0xb3, (byte)0x96, (byte)0x85, (byte)0xde, (byte)0x95, (byte)0xfc };

byte[] integrityKeyEntropy = {(byte)0xc4, (byte)0x01, (byte)0x7b, (byte)0xf1, (byte)0x6b, (byte)0xad, (byte)0x2f, (byte)0x42, (byte)0xaf, (byte)0xf4, (byte)0x97, (byte)0x7d, (byte)0x4, (byte)0x68, (byte)0x3, (byte)0xdb};


So - back to business. Once you've extracted the salt and the ciphertext, you can begin to decrypt the backup file. Here are the steps you'll want to take:

  1. Remove the Byte Order Mark, and parse the XML file, extracting the Salt, and the CipherText
  2. Base64 decode the salt, and set it aside
  3. Base64 decode the ciphertext
  4. Copy the first 16 bytes of the ciphertext, and set it aside as your IV
  5. Copy the next 32 bytes of the ciphertext, and set it aside as your integrity check
  6. Concatenate the remaining bytes together with the IV. ( IV + remaining bytes ) Set this aside as your data
  7. Derive your keys using PKCS5v1. Take the bytes of the user's password used to encrypt the data, and concatenate it with the salt bytes. Take a SHA256 hash of those bytes, and then SHA256 hash the output another 999 times.
  8. Generate the encryption key by concatenating the static encryption entropy together with the derived key. Generate a SHA256 byte hash of these bytes, and that is your encryption key
  9. Generate the integrity key by concatenating the static integrity entropy together with the derived key. Generate a SHA256 byte hash of these bytes, and that is your integrity key
  10. Decrypt the data using AES/CBC/OAEP with the encryption key you generated
  11. Remove the byte order mark, and you have the decrypted RoamingStore.

So - that's the basics of decryption. If you'd like to encrypt a store, you simply perform that process in reverse.

Next, you'll want to validate the integrity of the data. Here's how:

  1. Concatenate the IV, the integrity check data (bytes 12-48 that you set aside earlier), and the last block of data (the last 16 bytes)
  2. SHA256 hash this, and you have the computed integrity check. Compare your computed value to the integrity check...if they match byte for byte, you're in luck.

That's it. Be wary of character encoding, but if you follow these steps, you should be able to encrypt/decrypt backup files.
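Here is the whole procedure above, from stripping the BOM through key derivation, the integrity check and AES-CBC decryption, carried out in Go. It is an added example, not the xmldap code (which is Java), and the function names DecryptStore, EncryptStore, deriveKeys, integrityValue and sha256Cat are mine. Where the steps leave room for interpretation the example makes explicit choices and marks each as an assumption in the comments: the block padding is PKCS#7 (the post says "AES/CBC/OAEP", but OAEP is an RSA padding scheme, and a Java AES/CBC transformation would use PKCS5Padding); the IV is handed to CBC directly rather than prepended to the data as in step 6, which gives the same plaintext apart from the throwaway first block; the integrity value is computed as SHA-256 over the IV, the derived integrity key and the last ciphertext block, since hashing the stored check value itself could never reproduce it and the integrity key from step 9 is otherwise unused; the three BOM bytes listed above are stripped and the rest is parsed as UTF-8, which is the encoding that BOM signals, so a genuinely UTF-16LE file would first need transcoding; and the password arrives as a byte slice, leaving its character encoding (the "be wary" point) to the caller. The example also checks the integrity value in constant time before decrypting rather than after, so a wrong password or a tampered file is rejected up front. Because encryption is the same process in reverse, the block includes an EncryptStore that produces files DecryptStore reads back, which is what lets it be exercised offline on a constructed RoamingStore stand-in instead of a real backup.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

var (
	// Static entropy from the post; it is part of the public file format, not a secret.
	encKeyEntropy       = []byte{0xd9, 0x59, 0x7b, 0x26, 0x1e, 0xd8, 0xb3, 0x44, 0x93, 0x23, 0xb3, 0x96, 0x85, 0xde, 0x95, 0xfc}
	integrityKeyEntropy = []byte{0xc4, 0x01, 0x7b, 0xf1, 0x6b, 0xad, 0x2f, 0x42, 0xaf, 0xf4, 0x97, 0x7d, 0x04, 0x68, 0x03, 0xdb}
	bom                 = []byte{0xEF, 0xBB, 0xBF} // the byte-order mark the post lists (the UTF-8 BOM)
)

// encryptedStore picks out the two elements the post cares about; tags without a namespace match by local name.
type encryptedStore struct {
	StoreSalt   string `xml:"StoreSalt"`
	CipherValue string `xml:"EncryptedData>CipherData>CipherValue"`
}

// sha256Cat returns SHA-256 over the concatenation of its arguments.
func sha256Cat(parts ...[]byte) []byte {
	sum := sha256.Sum256(bytes.Join(parts, nil))
	return sum[:]
}

// deriveKeys is steps 7 to 9: SHA-256(password || salt) re-hashed 999 more times, then SHA-256(static entropy || derived key) twice.
func deriveKeys(password, salt []byte) (encKey, integrityKey []byte) {
	k := sha256Cat(password, salt)
	for i := 0; i < 999; i++ {
		k = sha256Cat(k)
	}
	return sha256Cat(encKeyEntropy, k), sha256Cat(integrityKeyEntropy, k)
}

// integrityValue is SHA-256(IV || integrity key || last ciphertext block). Feeding the
// integrity key in here is this example's reading of the post's validation step (assumption).
func integrityValue(iv, integrityKey, ct []byte) []byte {
	return sha256Cat(iv, integrityKey, ct[len(ct)-aes.BlockSize:])
}

// DecryptStore parses a backup file (BOM optional) and returns the RoamingStore XML. The
// integrity value is checked first, so a wrong password or a tampered file is rejected before any plaintext exists.
func DecryptStore(file, password []byte) ([]byte, error) {
	var store encryptedStore
	if err := xml.Unmarshal(bytes.TrimPrefix(file, bom), &store); err != nil {
		return nil, err
	}
	salt, err1 := base64.StdEncoding.DecodeString(store.StoreSalt)
	blob, err2 := base64.StdEncoding.DecodeString(store.CipherValue)
	// Layout: 16-byte IV, 32-byte integrity check, then whole AES blocks of ciphertext.
	if err1 != nil || err2 != nil || len(blob) < 48+aes.BlockSize || (len(blob)-48)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed StoreSalt or CipherValue")
	}
	iv, check, ct := blob[:16], blob[16:48], blob[48:]
	encKey, integrityKey := deriveKeys(password, salt)
	if subtle.ConstantTimeCompare(integrityValue(iv, integrityKey, ct), check) != 1 {
		return nil, fmt.Errorf("integrity check failed: wrong password or corrupted file")
	}
	block, _ := aes.NewCipher(encKey) // a 32-byte key is always accepted
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// Strip PKCS#7 padding (assumed; the post's "OAEP" is an RSA scheme, not a block padding).
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding")
	}
	return bytes.TrimPrefix(pt[:len(pt)-n], bom), nil
}

// EncryptStore runs the process in reverse and wraps RoamingStore XML in a backup file.
func EncryptStore(roamingStore, password []byte) ([]byte, error) {
	rnd := make([]byte, 32) // a fresh random salt and IV
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	salt, iv := rnd[:16], rnd[16:]
	encKey, integrityKey := deriveKeys(password, salt)
	block, _ := aes.NewCipher(encKey)
	pt := append(append([]byte{}, bom...), roamingStore...)
	n := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7: always add 1..16 padding bytes
	pt = append(pt, bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	blob := append(append(append([]byte{}, iv...), integrityValue(iv, integrityKey, ct)...), ct...)
	doc := fmt.Sprintf(`<?xml version="1.0" encoding="utf-8"?>
<EncryptedStore xmlns="http://schemas.xmlsoap.org/ws/2005/05/identity"><StoreSalt>%s</StoreSalt>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"><CipherData><CipherValue>%s</CipherValue></CipherData></EncryptedData></EncryptedStore>`,
		base64.StdEncoding.EncodeToString(salt), base64.StdEncoding.EncodeToString(blob))
	return append(append([]byte{}, bom...), doc...), nil
}
```

Round-tripping a constructed document through EncryptStore and DecryptStore with the same passphrase yields the input back; a wrong passphrase, or a single flipped ciphertext byte, fails at the integrity comparison and never reaches the AES decrypt or the padding check, which is the order a defender wants: the unauthenticated bytes are never turned into plaintext that some later parser might act on.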

Friday, November 24, 2006

CardSpace Backup viewer

Ever wonder what's inside a CardSpace backup file? Now that the xmldap.org codebase can decrypt the backup files, I thought I'd add a quick tool that allows you to peek inside. Here's a little web app which will decrypt your backup file and return the xml inside:

http://xmldap.org/sts/decrypt

And here's a screencast of how it works:

Tuesday, November 21, 2006

Minor Bug Fixes

I updated the Firefox Selector to fix a few minor bugs introduced in the Managed Cards support update.

Thanks to Axel and to Antoine Galland from Gemalto for trying it out and reporting the bugs.

http://xmldap.org

Sunday, November 19, 2006

Managed Card Support for Firefox

One more important update for the Firefox selector - With this new release, I've added a simple proof-of-concept around Managed Cards.

The Firefox selector now supports importing managed cards, and retrieving tokens from an STS. It only has support for Username/Password authentication over the simple TransportBinding (this means transport security rather than message-level security). Also, I've only tested against the xmldap.org STS...it may work against other implementations, but I haven't yet focused on interop.

That being said, this now demonstrates a complete end-to-end exchange without any Microsoft components. An open source STS issuing a token to an open source Relying Party, via an open source selector...all on a Mac.

Here's a screencast of how it works:

As always, the selector and source are available at http://xmldap.org

Saturday, November 18, 2006

Firefox Plugin Updated

Thanks to the hard work of Axel Nennker and his friends, I've posted an update to the Firefox Selector. The selector now has these great features:

1) Support for Firefox 2.0 - the plugin should now work on 1.5+ and 2.0

2) Internationalization Support - Axel added i18n, and has localized to:

  • English
  • German
  • French
  • Norwegian
  • Swedish
  • Turkish
  • Czech
  • Arabic
  • Chinese


3) There's also initial support for Logotype certificates, so that a website's icon embedded in a certificate can be displayed to the user as part of the verification process

You can download the latest plugin at http://xmldap.org/

Thanks Axel!

Monday, November 06, 2006

STS is finally working

I finally checked in a working copy of the xmldap Security Token Service. It's a simple STS, which only supports the Transport Binding of CardSpace, but it's enough to see managed cards in action.

If you'd like to try it out, go to https://xmldap.org/relyingparty/ - there you'll find a link to where you can create managed cards. You'll then be able to install them into CardSpace and use them to log in to the Relying Party. Below is a screencast which demos the basic steps you should follow:

As always, it's open source. The code is pretty messy at the moment, but if you're curious you can take a look at http://xmldap.org. Special thanks to the other contributors, and the folks at Arcot who figured out one of the missing pieces.

Tuesday, September 19, 2006

back online

Thanks to Ian, Ebe, and a new router, xmldap.org is back online.

Kim - you owe us $65.00 :-)

identityblog effect

Looks like Kim's two new posts have melted my server. He's the slashdot of the Identity world.

Sorry - the crack sys-admin team has been deployed. Hopefully we're back up soon!

Sunday, September 17, 2006

The Missing Infocard Schema

The Infocard Schema has been notoriously missing since Microsoft published RC1.

Here's the schema for the http://schemas.xmlsoap.org/ws/2005/05/identity namespace

Playing with Managed Cards

I've just checked in code that can create Managed Cards that import into CardSpace RC1.

To allow people to play around, I've also added a quick little web app, which creates cards for you. You can try this out at:

https://xmldap.org/sts/cardmanager

If you'd like to try it out, you can either download the source from http://xmldap.org