|
|
Browse by Tags
All Tags » Identity » WCS » Architecture - WS (RSS)
-
Jon Udell recently launched a new interesting format on the website perspectives.on10.net. Perspectives is a series of in-depth conversations with passionate innovators. Most work for Microsoft; some work elsewhere; all are advancing the state of the art in areas as diverse as robotics, digital identity, e-science, and social software. Information technology is the common thread, and Perspectives appeals to the technically-minded, but the show also aims to tell stories in ways that make sense to a wider audience. Each installment of Perspectives is delivered as an audio podcast, and supplemented by a partial text transcript. The first episode was an interview with two guys from the Robotics Studio team, Tandy Trower and Henrik Frystyk Nielsen. The quality of the interview is clearly top notch, the scope of the topics strategic & forward looking but still solidly rooted in technology: Jon's editing makes things flow beautifully, and the transcript is incredibly handy for speed readers & search engines. In short, I LOVE IT :-) Hence, it is with ill-concealed pride that I announce the subject of the second episode : it is a chat I had with Jon back in December , just days before the book came out. The casus belli was the book itself, that Jon was so kind to read in prerelease version, but we ended up talking about identity on a much wider sense. We touched on certificates versus managed cards, omnidirectional vs unidirectional identities, WS-*, openID... Jon is a *great interviewer*, Read More...
|
-
(continues from Part I and Part II ) Finally we've lined up all the elements we need for understanding how we can get rid of the 1-2-3 tyranny, and deal with our business requirements directly instead of relying on an old model that forces us to perform unnecessary steps and introduces artificial dependencies. For making sense of what I write in this post you *really* need to read part I and II as well; without the right context, some of those things could be badly misinterpreted. Sorry :-) Outsourcing user authentication As much as I'd like to think that everybody is super interested in authentication, reality is that you may care very little about it. Let's say you are hosting your own blog, and comment spammers harass you. You can make their life more difficult by adding an authentication step, that will ask your readers to sign in before being able to comment. That's not a perfect system, but you know... security is a ladder. If you discouraged 70% of the spammers, you already made a great job. Or did you? Now you need to set up the authentication system, and above all maintain it. That means handling lost passwords; attacks to your credentials store, which may (read: will) contain passwords (well, hopefully hash derivations) your users are reusing with websites which feature higher value transaction; and many other annoyances. The blog example is a bit extreme on the low value gamut, but there are many other situations in which owning direct credentials authentication may Read More...
|
-
(continues from Part I ) You can consider this post and the fine grained analysis we made in Part I as a down payment for grasping the implications we'll see in Part III, which I plan to post in few hours (almost done). I was planning to have just 2 parts, but it came out far too long and I need 3 :). Here we'll see a very general architecture that can support the traditional authentication practice we described so far. Let me refresh your memory with those few key points we established last time: When we feel the need of authenticating users before giving access to our application, usually that's because we need the answer to some questions in order to execute correctly the service we are offering The question "are you a returning user" can be verified directly by using some mechanism, such as asking to the user to submit credentials . For almost all other questions we need to get an answer that satisfies us without a chance of verifying it directly in-band (messy, but if you read part I you'll understand) When we authenticate a user in "traditional" way, we essentially do three distinct things at the same time: We answer the question "are you a returning user?" by verifying the credentials We link the credentials to a profile in our archive We "dehydrate" that profile, and we use its content for answering our other questions We'll now review what are the architectural components that we customarily use for traditional authentication, that is to say what do we need for performing Read More...
|
-
In short: I show a simple class that checks the signature of self issued tokens sent on a normal HTTP connection (as opposed to HTTPS); the same class takes care of generating a UniqueID and giving access to claims. It basically covers for the NoSSL case the core functions that TokenHelper offers for the SSL case. Today for few hours I found myself living in the early 90s. I agreed with Mario to meet at Victor's , the only place where coffee meets the bar of the Italian community here in Redmond, but he wasn't there. I did the obvious thing, I called his mobile: instead of connecting with him, I talk with his wife: she tells me that he forgot the phone at home, and he was already out. That happened all the time before everybody had a cell (for my circle of friends in Italy, that means '98), but now? Luckily I had my UMPC in the borsello, so I pulled it out and fired up Visual Studio. Few days ago we were chatting about the fact that we have no samples that work without HTTPS: the TokenHelper assumes that the incoming token is encrypted, which is not the case in the NoSSL scenario. It seemed engaging enough to fill the wait... so I wrote a little proof of concept that shows how an RP could handle a token sent in clear. Remember the long post I made in September about the same topic? There I was making the point that while the content of the token may now be visible (at least in the selfissued case, the one I will consider in this post), the way of authenticating the caller is unchanged: Read More...
|
-
From time to time it's healthy to challenge the assumptions, and look at (allegedly) familiar things with new eyes. Few weeks ago I had to do just that with the idea of authentication : I wanted to shake a bit an audience of architects, and make them * think* about the problem instead of relying on the stereotypes they had about it. Judging from the evals I've got, it worked :-) if you want to give it a try, check in at the door what you already know on the subject and come to play! The Tao of Authentication authentic being actually and exactly what is claimed from M-W When I say "authentication", what do you think of? No, I don't mean you identirati people, put your hands down; I mean what's the intuitive idea in the collective imagery. The typical answer you get from a generic audience is something like "it's when you check the identity of the user before giving access". That sounds in line with what traditionally happens as of today, but we'll see that there's more than meet the eye. Why do we authenticate, whatever that means? Simple. During the execution of the service we are offering we need the answer to some specific questions: the authentication phase is one of the ways in which we obtain the answer to those questions. Too abstract? Let me give you some notable examples. Questions Looks different from my usual messy sketches, eh? :) Well, that's a sample of my slides style. Some says they're too busy, some likes them... pick your camp. But I digress. Here we see our usual Read More...
|
-
Good news everyone! Our very own Mike will represent Microsoft on the OpenID Foundation board of directors, which to me seems a natural choice given all the work he has done in that space (for example, this ). Wait a minute, a Microsoft representative in the OpenID Foundation?!? If that surprises you, that means you didn't get the news : Google, IBM, Microsoft, Verisign and Yahoo joined en masse the OpenID board of directors. The future is now people! Read More...
|
-
Few days ago I've been notified that the 2nd chapter of our book "Understanding Windows CardSpace" is now available for free online , on the pages of Code Project (takes some time to load from my connection, don't give up). That's a very big chapter, for architects and business decision makers, focused on showing how the identity laws and the identity metasystem are addressing many of the challenges presented in chapter 1. It also shows the role played by WS-Trust & friends . There's not much of Windows CardSpace in this chapter, apart from its positioning as the identity selector that comes with Windows: in fact I like to think that the same text could have been used in a book about Higgins or any of the of the projects in this space. (BTW, Paul says extremely kind things about the book here . Thank you Paul !). Many of the topics in the chapter do not have a natural order of presentation, but they all sort of depend from one another in a way which was pretty difficult to disentangle. Furthermore it is important to introduce all the new concepts in the right context, in a coherent discussion, without forgetting anything important just because you approached the matter form one angle rather than another. To give you an idea of the planning effort it required, I fished from my archives one of my mindmaps for this chapter: Pretty wide, eh? I just *love* MindManager ! See, that's the essence of a discussion I had almost one year ago with my good friend Gianpaolo . We were discussing Read More...
|
-
Last week Caleb and I have been surprised in my office by Charles "Carlo" Torre and his camera. The result is an impromptu interview about CardSpace , which is currently on the front page of Channel9 (direct link here ). If you have time, take a look… we laugh a lot, but we manage to make some serious point here and there :-) and of course we mention the book , which is even on the "front frame". I have to remark that I am *always* amazed by Carlo 's skills as interviewer. He provides a fresh perspective, making the right questions, and yet he discreetly blends giving space to who is interviewed to make his point with his own personal style. And he's not afraid to put you in the spot and ask tough questions... he really takes the part of the audience. Carlo, it's always a pleasure to chat with you :-) Read More...
|
-
It turns out that the channel9 video on ws-trust was down for (quite?) some time. I am pretty surprised by the number of people that is still checking out that clip! Now it works again, provided that you view it by clicking the download button (which, by the way, points to here ) as shown in the screenshot below. The embedded video control is still not working. Thanks to everybody who raised the issue ( Adlai , now I understand your comment about the video... sorry for not getting it earlier) and to Charles who fixed the problem at record speed. Read More...
|
-
On the Paris-Seattle flight, coming back after 2 weeks spent stuffing myself with all sorts of food with the excuse "after all, you can't find this in USA" :) Before hurling myself back in the vortex of daily work, and celebrate the end of the year with something crazy, I want to take some time writing down some hallucinatory (=vision without execution) thoughts about omnidirectional identities . Be warned, this may be just pointless rambling at this point. Few weeks ago I chatted about this in front of a microphone with John Udell , digressing along a crazy tangent instead of answering his questions about the book (I eventually came back to Earth and answered properly :)). I don't know if he'll deem those fragments publication worthy, but just in case I'll make a brain dump here. It's not that there's much more to do in this small seat anyway (just finished the latest Eco . He didn't mention underbite at all, I'm happy). Looking back at the activities related to identity in the past year, I am glad to report that amazing progress has been done. Something that makes 2007 very different from 2006 is the kind of work that was made: in 2007 the accent was on execution. The vision behind the metasystem is still being explored, sure, like Kim's series on linkage or the discussions about display token and first law demonstrate; and I feel that conjugating the metasystem and claims in enterprise environment is an area that still need focus (especially in fighting old forma mentis that Read More...
|
|
|
|