Archive for March, 2008

March 31, 2008
Curtain Lifted on Information Card Support in OpenSSO

OpenSSO logo

Congratulations to Gerald Beuchelt of Sun Microsystems and the rest of the OpenSSO team for their release of Information Card support in OpenSSO. As Gerald wrote:

It took quite a while, but by now it is out. Please welcome the Windows CardSpace Information Card extensions for OpenSSO:

When I started working on this last spring, I was not even hoping to see this released in open source and part of the OpenSSO extensions family in less than a year. It took the goodwill and talent of quite a few people to get this off the ground, but with the public release of this code and the upcoming OSIS interop during the RSA conference, OpenSSO is now “speaking ISIP” …

Just in time for the in-person interop testing at RSA!

March 30, 2008
The History of Tomorrow’s Internet

Ryan JanssenI recently encountered Ryan Janssen’s insightful series entitled “The History of Tomorrow’s Internet” and immediately read the whole thing in one sitting. Among other gems, I found in it the clearest explanation of the value and promise of XRI/XDI that I’ve ever read. Great stuff!

The most recent installment detailed his experiences of “how it feels for a regular person to use Cardspace”. In particular, he documented his experience of using CardSpace for the first time to leave a comment on this blog. He introduced his narrative with:

… as someone who’s business it is to build great software, I KNOW how hard good UI is. Believe me, I work with a GREAT product team and we try REALLY hard to make intuitive software and we fail EVERY day. Having said that, this post isn’t going to paint a real pretty picture.

I’ll let each of you read his blow-by-blow narrative yourself. He closes with:

So what’s the final analysis? Well, as I stated in the beginning, the purpose of this post isn’t to bash Microsoft or Cardspace. Like I said, I build software and when I actually see a normal person use it for the first time, I’m inevitably embarrassed at how difficult it is. Software is hard and Cardspace is brand new. Nonetheless, this does show how far the technology has to go before Mom and Dad are going to be using it. Usernames and Passwords are UBIQUITOUS. We’ve been trained on the visual metaphors for at least a decade. Replacing that with ANY other paradigm is going to rough. To have any chance of success, the Cardspace workflow will need to be much improved.

Because I’m a member of the CardSpace team, I can say that as much as the team is understandably proud of what they accomplished in V1, they’re also pragmatic realists who are fully aware of the issues that Ryan documents so well and the vital importance of addressing them in our future releases. It’s exciting participating in that very process on the fifth floor of Microsoft building 40, day in, day out, as the team defines and refines what the next release will contain. Greatly improved usability is certainly one of our highest-priority goals.

I know that Ryan has also motivated Pamela and me to take a look at how the flow on the blog can be improved. PamelaWare for WordPress isn’t even yet a V1 release (it’s at v0.9 currently) and I know Pamela has lots of ideas on how to improve it. Ryan’s experiences will certainly help inform the next release.

Also, I’ll remark on these excellent observations:

Ready to post? Not yet. Since my iCard is self-issued, Mike’s site (yes, the site is called ironically enough) doesn’t trust me and has now decided that I need to verify my email address. This is obviously a little annoying, but it brings up a good use-case for the first Claim Provider–one that has verified my email address, home address, and phone numbers, so I NEVER have to respond to an email or text message like this again.

Asking the user to verify his or her e-mail address is a way of obtaining a backup means of authentication that can be used in the case where user has lost his Information Card. Just like many accounts backed by passwords use e-mail in the “lost password” flow, PamelaWare uses e-mail to the user in the “lost card” flow and verifies ownership of the e-mail address at account creation time. Ryan correctly points out that if I had received a verified e-mail address as a claim there’s several steps we could have skipped. Making this scenario a reality is one of my personal goals for the Identity Layer we’re all building together.

There’s nothing like real user data to inform what needs to happen next. Thanks, Ryan, for taking the time to provide it to all of us. I look forward to reading the next installment of the series!

March 28, 2008
JavaScript Kung Fu Fighting!

Firefox logoThanks and congratulations to Axel for his new release of the Firefox Information Card add-on that tames all that JavaScript Kung Fu with ease! I’ve updated the pertinent OSIS interop results page from “Issues” to “Works”.

March 25, 2008
Interops in Progress

OSIS logoTwo important identity interoperability demonstrations will occur at RSA two weeks from now: the OSIS User-Centric Identity Interop and the Concordia Multi-Protocol Federation Interop. During both you’ll see different projects and vendors publicly showing their identity software working together. But what you won’t see at the conference is what’s happening right now – the engineers behind these implementations working together to refine their deployments and their software to ensure that solutions that should work together in theory actually do in practice.

Like the previous OSIS Interop, the current one is testing both Information Card and OpenID implementations – sometimes in combination. I’m especially excited about this Interop for three reasons. First, the set of participants has expanded again by over 50% and includes many commercial deployments of these relatively new technologies. Second, much deeper testing is occurring than ever before. Thanks, in part, to significant efforts by Pamela Dingle and the Microsoft Identity Lab team, during this Interop not only are people trying their implementations with one another’s – they’re also systematically testing their support for an important range of protocol features using interop endpoints designed and deployed for this very purpose. Third, this Interop won’t end when the conference ends. Most of the participants plan to leave their endpoints up after the conference is over, enabling new participants to join and test later and for existing participants to re-test their implementations against the others when they deploy new versions. Visit the OSIS Interop demonstrations in person if you can, especially between 4:00-6:00 on both Tuesday and Wednesday during the conference.

Concordia logoThe Concordia Interop is showing the use of Information Cards to sign into both SAML 2.0 and WS-Federation based federations. Both these federations are using SAML 2.0 tokens carrying consistent authentication context information. (I believe that this is the first public demonstration of WS-Federation implementations using SAML 2.0 tokens.) Furthermore, the Concordia Interop demonstrates the ability to bridge between WS-Federation and SAML federations, allowing identities originating in one to be used to authenticate to services in the other. Visit the Concordia workshop during the conference on Monday from 9:00-12:30.

Finally, I’m not the only one excited by these Interops. Axel Nennker, Francis Shanahan, Gerald Beuchelt, Prabath Siriwardena, Scott Kveton, Vittorio Bertocci, and Will Norris have all written about the upcoming OSIS Interop. There’s also a press release from the Concordia project. Hope to see many of you at RSA!

March 24, 2008
Zend PHP Information Card Software

Zend logoThe Zend Framework is an open source object-oriented web application framework for PHP used by parties large and small for building mission-critical web applications. As of release 1.5, the Zend Framework now includes support for accepting Information Cards. Read about it in Chapter 18 of the Zend Framework Programmer’s Reference Guide: Zend_InfoCard.

Furthermore, the Zend Information Card implementation can be used either as part of the Zend Framework or independently. A standalone download is available here.

March 16, 2008
Re: Microsoft’s Open Specification Promise

Ben Laurie wrote:

The Software Freedom Law Centre has published an analysis of the OSP. I don’t really care whether the OSP is compatible with the GPL, but their other points are a concern for everyone relying on the OSP, whether they write free software or not.

The “analysis” tries to insinuate that since Microsoft doesn’t promise that future revisions of specifications covered by the Open Specification Promise will be automatically covered unless Microsoft is involved in developing them, that it’s not safe to rely on the OSP for current versions either. This is of course false, as the OSP is an irrevocable promise that Microsoft will never sue anyone for using any of the covered specifications (unless they sue Microsoft for using the same specification, which is a normal exception in all such non-assertion covenants).

On this point, Gray Knowlton wrote:

It is unusual for promises like the OSP to automatically include every spec or all future versions (IBM’s pledge is exactly like ours). The norm is for new versions to be added to them to be covered. In the case of Sun’s statement new versions are automatically added only when they participate in the development of the new version to the extent that the OASIS IPR rules would then obligate them to provide patent rights under the OASIS IPR Policy. None of these promises include future versions of the specifications without any qualification.

While I normally wouldn’t wade into legal debates, I writing because I’m proud of what Microsoft has enabled for the industry through the OSP, and the “analysis” leaves some very false impressions. Gray does a great job of responding in detail so I won’t do so here. Please read his response before drawing any conclusions. In particular, I believe the OSP and similar promises from other industry leaders have laid a stable foundation for the broad acceptance and adoption of the protocols underlying Information Cards, Web Services, and other important interoperable industry-wide protocols.

I see no cause for concern.

March 6, 2008
Welcoming Credentica’s People and Privacy Technology to Microsoft

Stefan BrandsI’m writing today to publicly welcome Stefan Brands, Christian Paquin, and Greg Thompson, of Credentica to Microsoft’s Identity and Access Group. I’m looking forward to working with them and to us adding their fantastic minimal disclosure technology to our identity products. Like Kim, I’m excited!

I urge people to check out Stefan’s announcement, Kim’s detailed write-up about the significance of this technology (I love the phrase “Need-to-Know Internet”), and Brendon Lynch’s post on Microsoft’s Data Privacy blog.

Welcome to Microsoft!