Browse by Tags
All Tags » Infocard » the Web
-
I was dividing my attention between the Scrubs special on TV & Digg on my PC, when an article titled "Experts: Passwords May Not Be a Good Online Defense" caught my eye: well, couldn't agree more! :-) It turns out that the article is from the NY Times, and it's short & sweet, hence there's no need for me to summarize it here: Mr. Stross manages to capture the problem pretty effectively, also thanks to some nice quotes from Kim. P.S.: I know, I know. I still owe you an RP post for completing the Zermatt intro series started with the STS and card issuance. Keep the faith, it's coming! ;-) Read More...
-
A few months ago I made a little tour of Europe, and (among the various places I visited) I went to spend some quality time in Amsterdam. Here I had the pleasure of spending some time with Albert van den Broek, CGO of Figlo: Albert is an excellent host, and during a nice dinner at a typical Dutch restaurant he explained to me the vision behind one of their new products. I am not very deep in financial considerations, so I will probably explain this in the wrong way (for which I apologize in advance): in any case, you can always go to their website and take a look for yourself. The point is that personal finance is an incredibly important aspect of our lives, and yet a surprising number of people (including me) know nearly nothing about how it works (reminds me of the fact that I learned the function of carbohydrates and proteins only when I was already at college. Crazy!). This is bad, because without a sense of how your choices today affect your situation tomorrow it is very hard to reach your objectives. Their point is, it doesn't have to be like that! They believe that by presenting the situation with the right tool, such as a streamlined process backed by the right UI metaphor, anybody can take informed decisions and make actual steps toward his wishes (early retirement, college funds, similar stuff). They also have a very catchy name for the procedure, HaWaNeDo (Have, Want, Need, Do), which always helps in end user products. The day after I met with part of their board and Read More...
-
On the Paris-Seattle flight, coming back after 2 weeks spent stuffing myself with all sorts of food with the excuse "after all, you can't find this in the USA" :) Before hurling myself back into the vortex of daily work, and celebrating the end of the year with something crazy, I want to take some time writing down some hallucinatory (= vision without execution) thoughts about omnidirectional identities. Be warned, this may be just pointless rambling at this point. A few weeks ago I chatted about this in front of a microphone with Jon Udell, digressing along a crazy tangent instead of answering his questions about the book (I eventually came back to Earth and answered properly :)). I don't know if he'll deem those fragments publication worthy, but just in case I'll make a brain dump here. It's not that there's much more to do in this small seat anyway (just finished the latest Eco. He didn't mention underbite at all, I'm happy). Looking back at the activities related to identity in the past year, I am glad to report that amazing progress has been made. Something that makes 2007 very different from 2006 is the kind of work that was done: in 2007 the accent was on execution. The vision behind the metasystem is still being explored, sure, as Kim's series on linkage or the discussions about display token and first law demonstrate; and I feel that conjugating the metasystem and claims in the enterprise environment is an area that still needs focus (especially in fighting old forma mentis that Read More...
-
Ah, finally. I waited for this moment a looong time :-) The first draft of "Understanding Windows CardSpace" is available in prerelease online, on Safari Rough Cuts. More details below. It's already been a few weeks since our book, "Understanding Windows CardSpace", showed up on Amazon and in the in-store kiosks at Borders. It's really an emotion to make an ego search and find a book that you wrote, as opposed to books in which you are acknowledged (which BTW is always VERY nice! Thanks to the authors of "Writing Secure Code for Windows Vista™", "Web Services Architecture and Its Specifications: Essentials for Understanding WS-*", "Web Service Security", "Windows Communication Foundation Unleashed" and "Microsoft® Windows® Communication Foundation Hands-on! Beta Edition" for mentioning me). The manuscript is finally in a shape that gives a good idea of what the final book will look like: and while it's true that many figures are still the sketches I made on my tablet, if you are a regular reader of this blog you are definitely used to the style... Hence, we published the manuscript in its current form on Rough Cuts. Rough Cuts is a great service provided by Safari, which can be accessed even if you are not a Safari subscriber. In their own words: Sometimes you just can't wait for the book. When you need to gain early access to information on cutting-edge technologies, turn to the Rough Cuts service from Safari Books Online. With the Rough Cuts service, you'll access Read More...
-
In short: I discuss a new feature, introduced by the .NET framework 3.5 and by a (future) update of IE, which enables the use of CardSpace also on websites served over plain http (as opposed to https). Back in January I was asking Caleb (SDET on the CardSpace team and most excellent buddy author) when he would start blogging. It took 9 months, but it eventually worked! Not only is he going to blog, but he got the entire team to do it... if I were you I would subscribe to the feed this instant! (Being me, I can actually take a 10 min walk and go bug the guys directly in their lairs.) In the first technical post Ruchi presents a very important innovation, introduced with the .NET framework 3.5: the capability of using CardSpace also with websites without SSL. She goes into the details of system requirements, how the new functionality can be leveraged and how things like PPID generation and transmission of the RP identity in the RST are affected by the new regimen. I won't repeat those details here: I invite you to read that post and consider it the main reference on the subject. Here I'll just highlight a few points, largely derived from the QA sessions we had internally when the new feature was first discussed. This change opens up the advantages of using CardSpace to a significantly wider range of scenarios. I know what you're thinking, or at least what many of you are thinking. A cert comes down for just a few bucks, come on! Actually, the cert in itself is rarely the problem. The fact Read More...
-
In short: I talk a bit about the idea of a resource STS, and I walk through the messages exchanged for engaging it. When you get introduced to the Identity Metasystem, one of the first things you hear about is the role subdivision it proposes: subjects, relying parties and identity providers. The next step is usually showing you a diagram, where those roles are played by some concrete element: the relying party is the website of a wine seller, the identity provider is represented by the STS of the department of driving licenses, and the subject is the typical faceless guy of the MSDN clipart who proudly brandishes a browser as a shield. Then we go through the classic fable of the faceless guy who for some reason is always craving alcohol in a country where there is a drinking age, and the happy ending is always the department of driving licenses sending back a token containing a claim that certifies to the relying party that the guy is within his legal right to get a good glass of Chianti (the problem of actually drinking it without a mouth has to be solved out of band). Below there's an example (in Japanese, just for adding some variety :-)). Now, our reductionism (yes, it's starting to affect me as well) may suggest to you a couple of generalizations that are actually not entirely true: An STS is an Identity Provider. Nope. Saying that STS and IP are interchangeable terms is a bit like saying that you are a browser. In fact, the browser is the tool that you use for expressing Read More...
-
I knew that this edition of Catalyst was going to be exciting! If you are not among the lucky crowd that is attending the event, you can catch some news from the official coverage in Catalyst Live. Among those news items, my eye got caught by the announcement of SignOn.com. It is an OpenID provider with a twist: it allows you to sign in with Windows CardSpace! Above you can see their home page: they don't use the new information card logo yet, but my guess is that they'll update the page. I immediately registered, in under a minute as advertised; unfortunately I was not able to create an account just using a card and I was forced to start via username and password. Once I signed up, I was able to associate a card with my account. I would be really happy to eliminate the password part altogether, because I see it as a liability, but it's still great to be able to use information cards for this. Now that I have an OpenID + card, I wanted to try it right away: so I went to LiveJournal to give it a try. Below there's the page I was greeted with: I diligently entered my OpenID in the text field in the center and pressed login. As expected I was redirected to the signon.com pages: Of course I went straight to the information card link, getting my familiar identity selector: Piece of cake. I sent my usual main card, which the selector showed conveniently on top of the collection, and I went in. "Allow Forever" sounded like a commitment a bit too heavy for somebody who wants to retain the right to user Read More...
-
It's that time of the year again: the end of June marks the end of the fiscal year, and for us it's time to reflect on what we've done in the past 12 months. The vast majority of the things I've done are internal-only or with high profile customers that can't be mentioned publicly until their PR departments give the green light, hence I won't discuss those here; however I think it's interesting to share with you a summary of some of the things that I worked on, just to give you a measure of how relevant .NET 3.0 (especially CardSpace in my case) is. It should give you a hint of how much impact you can have working in my group, so you'll be able to put announcements like this in the right perspective! I also hope that this will boost your confidence that the content of our upcoming book is based on very solid real world experience, earned by working daily with our key accounts in the identity space: the PG intent is tempered by immersing it in requirements from customers actually shipping solutions based on this thing that we call CardSpace. Which, by the way, is the reason I'm still at the computer at this time... big stuff is going on in cardspaceland! Projects, Briefings, Deep Dives: This year I've worked with or briefed more than 45 enterprise companies on CardSpace/WCF/WF, a good part of them at the very top of the Fortune 100 and Global 100 (ah, btw: just subscribed to Fortune. I was buying it all the time anyway). Sometimes it was just a 2-hour personalized QA, some other Read More...
-
In short: I briefly discuss some differences between the password based authentication model and the token based one; then I propose that we lack a proper term for describing some of the transactions enabled by CardSpace and the token based model. Sometimes we get so used to the metaphors used in computer science that they cease to be metaphors. When I use my Windows desktop I certainly don't think of my physical desk (though they are messy in a very similar fashion), nor do I think of real folders when I design the directory structure of a Visual Studio project. During almost 2 years spent explaining CardSpace to a wide variety of people, I have noticed some consequences of this phenomenon in the identity management space. The Identity Metasystem offers a very natural way of thinking about identity, one that allows us to leverage the knowledge and skills that serve us well in identity-related transactions in the offline world (the beaten up driving license for buying alcohol example comes to mind). CardSpace supports that fully, by supplying a solid & intuitive way of handling tokens and exercising full control over what information is disclosed to whom. However, is that message intuitively compatible with the idea that the typical web site tenant has of authentication? In my experience, not always; luckily, however, bridging the gap is very easy and takes a few simple considerations. In basic scenarios, authentication is often viewed as one mechanism for making sure that who Read More...
-
This morning I was reading Newsweek (before you get any ideas: I subscribed to BOTH Newsweek and Time) and the interesting account they gave of the story of a person. Much is being written on the subject, just browse your favourite news website for the details: however the summary is that this person was traveling through Europe while having a drug-resistant form of tuberculosis, raising worries about the spread of the disease. Health officials tried to locate him and minimize his chances of infecting others (apparently the infection is much more likely to occur when you spend a long time with the subject, like in an airplane cabin). When they finally managed to talk to him he was in Rome: since there was no way for him to travel in "normal" ways back to the US without also endangering the pilot, the guy was advised to hire a private jet or go to an Italian hospital. NOW here's the part of the story that is relevant to identity. This person didn't go to stay in an Italian hospital, nor did he hire a private jet: he boarded a commercial flight and simply flew home. How did he do that? According to Newsweek, his name was promptly included in the no-fly list; however the man flew from the EU to Montreal, and apparently Canada was not alerted about the situation. Once in Canada he rented a car and drove into the US, managing to get through the border after a few routine questions. The article I read is available in electronic form here. This story uncovers one drawback of relying Read More...
-
In short: this is the description of a sample that sends a CardSpace-obtained token to an AJAX service implemented with the new Orcas features. A few posts ago I published a tutorial about using CardSpace with Silverlight. While talking about it with Kushal Shah from the Workflow team, he suggested that it could be nice if we also demonstrated how to use CardSpace with the new RESTful capabilities of WCF: that sounded perfect for my "cardspace+<technology_of_choice>" series, hence I promptly jumped on the task. The post below documents the results. Preamble: Before diving into the code, let's take a moment to understand what this is all about. The .NET framework 3.5, currently in beta, extends WCF with new capabilities explicitly designed to enable web development scenarios. There's really a lot to say on the subject, however for our context it is enough to say that you can now expose WCF services in ways that make them extremely easy to consume from web pages. In practice, this means that you can 1) invoke WCF services via HTTP verbs (POST and GET) and 2) handle messages in web-friendly formats, such as JSON. The macroscopic implication is that you don't need a proxy. Calling a WCF service becomes a simple exercise in JavaScript: you gather the data from whatever UI element you need to, you create "by hand" a web request in AJAX style (with the XMLHttpRequest object or the ActiveX objects Msxml2.XMLHTTP/Microsoft.XMLHTTP) and finally you use the results for updating selected parts Read More...
-
The monthly report from http://www.antiphishing.org/ is always an instructive read. This April report contains some surprising numbers, as shown by the graphic below: The happy spike you notice in April 07 is in fact not happy at all: it shows the efforts of phishers to strain the antiphishing countermeasures offered by IE7 and Firefox 2. It's up 166% from March and 48% more than the former record in the past 12 months: such resolve really deserves a very firm answer. A strategic one. I personally believe that the best answer is to defuse the situation by changing the rules of the game; but if you are reading this you probably already know, don't you ;-) Read More...
-
Passwords are bad. Is it really necessary to restate it? Wired has a very interesting story about the singer of Linkin Park (one of the most interesting bands of the last few years IMHO, but that's not important here). Long story short, a hacker guessed one password ("Charlie", not a very strong one) in use in his household and stalked his family for a year. Luckily everything is resolved now, but the conclusion of the article is especially interesting (edited by me for strong language): Meanwhile, Chester Bennington is grappling with the headaches that increased security brings. His passwords are now long strings of random letters and numbers that he changes frequently. "I keep a list for every different thing, and it drives me out of my f**** mind," he says. "I want to go back." Back to Charlie. Mr. Bennington, that's called password fatigue. We are well aware of it, and we think we have a good solution: Windows CardSpace. If by any chance you land on this post and want to know more, I will be happy to explain what it is about in detail. Read More...
-
Dennis announces the CTP of the BizTalk Services, one of the webbiest CTPs we have: those are actually services, and the only thing you need (if you want a quick start) is the SDK. There is much to be said about this new release, and I hope I'll be able to play with it soon (dear Editor, don't worry: I know I have to send the next chapter first :-)). However, I think that the most exciting news is in the following words from Dennis: "your service opens at a URI on the connect.biztalk.net machines. Then a client connects to that URI and can start sending messages. We don’t want to be in the way of your app, so our relay will immediately try to establish a direct connection between clients" See? True P2P! What are you doing still reading this post, aren't you toying with it yet? :-) BTW, take a close look at the Identity Selector in the screenshot in Dennis' post: I'm sure that the loyal readers of this blog will recognize some of the cards (thanks James for pointing this out!) Read More...
-
[Edit: Added Silverlight SxS with WPF/E] In short: this is a tutorial on invoking CardSpace from a Silverlight [WPF/E] control and how to use Silverlight [WPF/E] for showing data from a token. So easy that a long haired architect can do it :-) Silverlight [WPF/E] is Microsoft's technology for developing rich internet applications, but it is also going to be CROSS PLATFORM (the CTP is already available for Mac). In light of the awesome work of the Bandit guys on an identity selector on other platforms, I believe it is important to start thinking about how to use this new RIA technology together with identity. In recent times I'm hearing more and more people interested in Rich Internet Applications, or RIA. That usually brings the discussion pretty quickly to Silverlight [WPF/E], our cross platform presentation technology that leverages a subset of XAML for doing cool things inside your browser. I am often asked how to plug CardSpace into it, so I thought I'd put together a post that shows how to do that. As you know I've been a server guy for a few years now, so I don't spend too much time on colorful stuff: however I also like to cross pollinate different technologies, and I especially love to do it with CardSpace (I did it with WPF, with WF, with WCF and WPF). Yesterday night I downloaded the WPF/E SDK, the WPF/E runtime for Windows and blocked 1 hour on the calendar of my excellent colleague Laurence Moroney, probably the best mentor I could get for ramping up super fast Read More...