Browse by Tags: CardSpace, WCS, Windows CardSpace
-
I haven't written about the book since April (at the time we released the entire Chapter 2 on MSDN). Last week I received notice that 2 new reviews were published: one is from the Denver Visual Studio User Group, the other is on Paul Van Brenk's blog. Both reviews are extremely nice, for which we are very grateful; I especially like the fact that in both cases the reviewers perceived our intention to deal with the problem from a holistic point of view, regardless of our affiliation with one technology or another. Thank you guys! (update: I've just stumbled on another review I didn't know about, in (in)secure magazine issue 17. Niiiiice). In fact, in the last months various illustrious figures mentioned our book as well: David Chappell, Drummond Reed and Francis Shanahan wrote extremely nice reviews I never mentioned here until now, while I did mention the first entries from Kim and Mike. Add to that the podcast on Perspectives, the interview on channel9 with Carlo & Caleb, the podcast on SearchWinDevelopment, the bonus chapter on codeproject, the extremely nice reviews on the Amazon US page... and again, mentions from Neil Hutson, Alexander Strauss, Feliciano Intini, Mario Fontana, ... I am sure I am forgetting something (for which I apologize). And now that I have begun to hang out at Identity conferences, I can't tell you how pleasant it is to have complete strangers zeroing in on you and telling you all sorts of nice things :-) I guess I am easily recognizable [...]
-
Almost one year ago I briefly mentioned the Biztalk Service SDK, here and here. A new version has recently been made available: you would not believe the amount of new features that were added to it in this timeframe. The main reason for excitement for me is that this new release supports managed cards! It's a bit late at night here in Redmond and the drowsiness makes me feel less than bright right now, so I'd better defer detailed explanations to tomorrow (or the weekend). Anyway, for the identirati tuned in, this basically means that the service bus offers an R-STS that will accept, among many other means of authentication, also third parties' managed cards. The behavior of the R-STS can be influenced by using the Biztalk Services identity portal, or by management API; you can translate attribute claims into authorization claims (if an incoming claim has a certain value you can issue a token which tells the ultimate destination that the caller is authorized to perform the call; you can copy the input claims directly into the issued token so that the info is preserved; and so on). "Artist" rendering below: Again, I'll be more verbose in a later post: in fact, I plan to walk you through a sample that will make you hit the ground running exactly with that feature. The managed card support is the feature that I find most appealing (surprised?), but in fact there are many other great additions such as X509 authentication, REST management APIs, support for multiple languages ... [...]
-
Jon Udell recently launched an interesting new format on the website perspectives.on10.net. Perspectives is a series of in-depth conversations with passionate innovators. Most work for Microsoft; some work elsewhere; all are advancing the state of the art in areas as diverse as robotics, digital identity, e-science, and social software. Information technology is the common thread, and Perspectives appeals to the technically-minded, but the show also aims to tell stories in ways that make sense to a wider audience. Each installment of Perspectives is delivered as an audio podcast, and supplemented by a partial text transcript. The first episode was an interview with two guys from the Robotics Studio team, Tandy Trower and Henrik Frystyk Nielsen. The quality of the interview is clearly top notch, the scope of the topics strategic & forward looking but still solidly rooted in technology: Jon's editing makes things flow beautifully, and the transcript is incredibly handy for speed readers & search engines. In short, I LOVE IT :-) Hence, it is with ill-concealed pride that I announce the subject of the second episode: it is a chat I had with Jon back in December, just days before the book came out. The casus belli was the book itself, which Jon was so kind to read in prerelease version, but we ended up talking about identity in a much wider sense. We touched on certificates versus managed cards, omnidirectional vs unidirectional identities, WS-*, openID... Jon is a *great interviewer*, [...]
-
(continues from Part I and Part II) Finally we've lined up all the elements we need for understanding how we can get rid of the 1-2-3 tyranny, and deal with our business requirements directly instead of relying on an old model that forces us to perform unnecessary steps and introduces artificial dependencies. To make sense of what I write in this post you *really* need to read part I and II as well; without the right context, some of those things could be badly misinterpreted. Sorry :-) Outsourcing user authentication: As much as I'd like to think that everybody is super interested in authentication, reality is that you may care very little about it. Let's say you are hosting your own blog, and comment spammers harass you. You can make their life more difficult by adding an authentication step, which will ask your readers to sign in before being able to comment. That's not a perfect system, but you know... security is a ladder. If you discouraged 70% of the spammers, you already did a great job. Or did you? Now you need to set up the authentication system, and above all maintain it. That means handling lost passwords; attacks on your credential store, which may (read: will) contain passwords (well, hopefully hash derivations) your users are reusing with websites which feature higher-value transactions; and many other annoyances. The blog example is a bit extreme on the low value end of the gamut, but there are many other situations in which owning direct credential authentication may [...]
-
(continues from Part I) You can consider this post and the fine-grained analysis we made in Part I as a down payment for grasping the implications we'll see in Part III, which I plan to post in a few hours (almost done). I was planning to have just 2 parts, but it came out far too long and I need 3 :). Here we'll see a very general architecture that can support the traditional authentication practice we described so far. Let me refresh your memory with those few key points we established last time: When we feel the need to authenticate users before giving access to our application, usually that's because we need the answer to some questions in order to correctly execute the service we are offering. The question "are you a returning user?" can be verified directly by using some mechanism, such as asking the user to submit credentials. For almost all other questions we need to get an answer that satisfies us without a chance of verifying it directly in-band (messy, but if you read part I you'll understand). When we authenticate a user in the "traditional" way, we essentially do three distinct things at the same time: We answer the question "are you a returning user?" by verifying the credentials; We link the credentials to a profile in our archive; We "dehydrate" that profile, and we use its content for answering our other questions. We'll now review the architectural components that we customarily use for traditional authentication, that is to say, what we need for performing [...]
-
Well, don't get fooled. I'm not going to make any big philosophical considerations about technology and privacy (though I may do that in the future), but I will talk about the little project I've put together after three gintonics & the MIX party at TAO. I am often on the road. When I am homesick I often open a terminal server session with one of my home machines and fire up the webcam; sometimes I am in dramatically different timezones, so it's nice seeing that where I am it is dark but back in Redmond it's just dawning, and similar mellow stuff. Before leaving for Vegas I thought it would be nice to access the image directly, without having to fire up an entire remote desktop session for that. Hence I wrote some code for taking webcam snapshots (thanks Scott for putting together a nice WIA sample), exposed it via a WCF service, generated a certificate on my test CA, wrote a binding that uses CardSpace... and I had it working. About 1 hour, during which I also managed to watch some Futurama. Once I got to Vegas I was too busy with the MySpace session to play with those things, but yesterday's atmosphere at TAO restored my playful/timewaster attitude: after the party I made the necessary adjustments for accessing the service from outside, calibrated the UniqueID from the self-issued card I want to use for authenticating with the service... and it was done. One hour of distracted development, 30 mins of fiddling with the config file (after abundant party beverages) and now [...]
-
As mentioned in a post last November, Kim himself did us the huge honor of writing the foreword of our book "Understanding Windows CardSpace". Today I had the same thrill as, while opening his blog, I saw he dedicated an entire post to it! You know, it's a strange feeling to go through the post and, like with the foreword, once again realize that Kim Cameron took the time to read what we wrote about a subject that owes so much to him :-) The part I personally prefer is the following: "Above all, it is a readable book that balances technology with the broader issues of identity. I imagine almost anyone who reads this blog will have something to gain from it. I especially recommend it for people who want a holistic introduction to digital identity, CardSpace and web services. I think the book is excellent for students. I even expect it will be enjoyed by more than one policy maker who wants to understand the underlying technical problems of identity." That's exactly what we hoped to achieve: offering an entry point for whoever wants to participate in the discussion about identity, regardless of their previous knowledge of the subject, while trying to deliver value also to people already fairly familiar with this space. It was a challenging task and those words from Kim are the best validation of our effort we could have ever hoped for. Thanks!!!!! :-) [...]
-
In short: I show a simple class that checks the signature of self-issued tokens sent on a normal HTTP connection (as opposed to HTTPS); the same class takes care of generating a UniqueID and giving access to claims. It basically covers for the NoSSL case the core functions that TokenHelper offers for the SSL case. Today for a few hours I found myself living in the early 90s. I agreed with Mario to meet at Victor's, the only place where coffee meets the bar of the Italian community here in Redmond, but he wasn't there. I did the obvious thing, I called his mobile: instead of connecting with him, I talked with his wife: she told me that he had forgotten the phone at home, and he was already out. That happened all the time before everybody had a cell (for my circle of friends in Italy, that means '98), but now? Luckily I had my UMPC in the borsello, so I pulled it out and fired up Visual Studio. A few days ago we were chatting about the fact that we have no samples that work without HTTPS: the TokenHelper assumes that the incoming token is encrypted, which is not the case in the NoSSL scenario. It seemed engaging enough to fill the wait... so I wrote a little proof of concept that shows how an RP could handle a token sent in the clear. Remember the long post I made in September about the same topic? There I was making the point that while the content of the token may now be visible (at least in the self-issued case, the one I will consider in this post), the way of authenticating the caller is unchanged: [...]
-
You know, even before considering its merits (and they are many): I've always *LOVED* the sheer fact that the Higgins project exists. Higgins is the tangible proof that all this user-centered identity talk truly is a movement that touches everyone. You have no idea how many times, during the many briefings I gave on CardSpace and IdM in the last 2+ years, somebody in the audience invariably rose to say "Hey, this is all fine and dandy, but you're Microsoft: what guarantees do I have that this stuff won't lock me in?". That is usually the point at which I get ROI for the monstrous amount of money I spend with my dentist, because I can't help but smile as I go on telling the tale of this amazing project. People from SocialPhysics, IBM, Novell, ooTao, Parity... working on supporting multiple aspects of identity management, from the selector itself to RP & IP components, supporting multiple platforms, and happily interoperating (for real!) with CardSpace; icing on the cake, all released under the Eclipse Foundation Software User Agreement! That never failed to defuse the question, of course. With time the momentum grew, and now I can even point people to the big interop matrix that OSIS publishes after every event (Mike, thank you for having picked a short & easy to remember URI for your blog; that's how I usually get to the wiki); as far as I remember Higgins was the first OSS effort I've heard of, and it occupies many columns in those matrices :-). So, dear [...]
-
From time to time it's healthy to challenge the assumptions, and look at (allegedly) familiar things with new eyes. A few weeks ago I had to do just that with the idea of authentication: I wanted to shake up a bit an audience of architects, and make them *think* about the problem instead of relying on the stereotypes they had about it. Judging from the evals I've got, it worked :-) if you want to give it a try, check in at the door what you already know on the subject and come to play! The Tao of Authentication. "authentic: being actually and exactly what is claimed" (from M-W). When I say "authentication", what do you think of? No, I don't mean you identirati people, put your hands down; I mean what's the intuitive idea in the collective imagery. The typical answer you get from a generic audience is something like "it's when you check the identity of the user before giving access". That sounds in line with what traditionally happens as of today, but we'll see that there's more than meets the eye. Why do we authenticate, whatever that means? Simple. During the execution of the service we are offering we need the answer to some specific questions: the authentication phase is one of the ways in which we obtain the answer to those questions. Too abstract? Let me give you some notable examples. Questions: Looks different from my usual messy sketches, eh? :) Well, that's a sample of my slides style. Some say they're too busy, some like them... pick your camp. But I digress. Here we see our usual [...]
-
Progress, my friends, is a wonderful thing :-) [...]
-
Good news everyone! Our very own Mike will represent Microsoft on the OpenID Foundation board of directors, which to me seems a natural choice given all the work he has done in that space (for example, this). Wait a minute, a Microsoft representative in the OpenID Foundation?!? If that surprises you, that means you didn't get the news: Google, IBM, Microsoft, Verisign and Yahoo joined en masse the OpenID board of directors. The future is now, people! [...]
-
Very impressive! I am sure that this great ranking is also thanks to the readers of this blog... so THANKS :-) Amazon stats are very volatile (I'll make a more detailed post about it), but it's still great. I think this is the best rank we got since publication. I am so glad that the topic elicits all this attention. I can't imagine what will happen once we move to the next phase ;-) [...]
-
[synopsis for the English readers: a financial newspaper in Italy published an article about CardSpace; I make some considerations about it] Dear Italian readers, it's been a while since I wrote a post in my native language... just as it's been a while since I found the time to grab some Italian colleague and immortalize him for Italia9; I'll try to do something at the end of February, but I promise nothing :-) Anyway. Today I stopped by Kim Cameron's office to bring him a copy of the Book (autographed :-)) and to thank him again for his flattering foreword. While we were amiably discussing how the book is doing (well, thanks!!! ;)) he suddenly interrupts and exclaims "ah, I've got something to show YOU". Whoa, who knows what it is.. did he dislike something I said in the video that came out yesterday on channel9 and wants to beat me up? He starts fiddling with the printer and hands me the printout of an article on CardSpace... in Italian! When he passed through Italy last November (Feliciano talked about it here) he was interviewed by ilSole24Ore, which today published an article about it. The article is well balanced, and IMHO succeeds in communicating the essence of the problem even to non-experts. I am really happy that a prestigious newspaper like ilSole24Ore helps bring the problem to everyone's attention, and above all to that of business decision makers. The only thing I feel like raising is the wrong spelling of the Higgins project ("HiggHins"), [...]
-
Last week Caleb and I were surprised in my office by Charles "Carlo" Torre and his camera. The result is an impromptu interview about CardSpace, which is currently on the front page of Channel9 (direct link here). If you have time, take a look… we laugh a lot, but we manage to make some serious points here and there :-) and of course we mention the book, which is even in the "front frame". I have to remark that I am *always* amazed by Carlo's skills as an interviewer. He provides a fresh perspective, asking the right questions, and yet he discreetly blends giving the interviewee space to make his point with his own personal style. And he's not afraid to put you on the spot and ask tough questions... he really takes the part of the audience. Carlo, it's always a pleasure to chat with you :-) [...]