Saturday, November 19, 2005

I have just configured dasBlog to use cross posts. Let's see if this post makes it to my old blogs.sun.com blog.

For those reading this on blogs.sun.com: my new blog is at http://beuchelt.blogdns.net:8080/.

Hmm - 2nd try.

Saturday, November 19, 2005 2:07:01 PM (Eastern Standard Time, UTC-05:00) | Comments [0]
Friday, November 18, 2005

Please find the PDF slide deck for my presentation at XML 2005 here:

XML 2005 - Using SAML for Platform Security

The paper for this talk will be available, as far as I understand, for public download some time later this year or early next year from the conference website.

Friday, November 18, 2005 11:18:29 PM (Eastern Standard Time, UTC-05:00) | Comments [0]
Thursday, November 17, 2005

The open document discussion is also raging within the halls of the European institutions. Please see here for a report and some industry responses.

On that page, you will also find a letter from Jonathan Schwartz of Sun Microsystems, Inc. on the report by the Commission.

Thursday, November 17, 2005 11:10:16 AM (Eastern Standard Time, UTC-05:00) | Comments [0]

Now, here is an interesting talking point: XML Encryption (XMLEnc) is bad.

"Why?", you might ask. Well, in their lack of infinite wisdom, the XML encryption community left out a very important concept: Authenticated Encryption, i.e. combining signatures and encryption to produce ciphertext that maintains confidentiality and can be associated with a key (i.e. a subject/identity/principal/whatever). Section 6.1 in XMLEnc-Core reads:

"The application of both encryption and digital signatures over portions of an XML document can make subsequent decryption and signature verification difficult."

and

"[...] the interaction of encryption and signing is an application issue and out of scope of the specification."

So, essentially, AE is left as an exercise for the reader. This is not good, particularly since AE is not too complex and is, in fact, quite well understood. See RFC 3961 (Kerberos) or "Authenticated Encryption ..." by M. Bellare et al.

Without AE, XML encryption is not complete and - for many real security applications - useless.
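The composition the post says XMLEnc leaves to the application, as an added example in Go (not code from this post or from any XML security toolkit): AES-CBC with PKCS#7 padding, as XMLEnc specifies, followed by an HMAC-SHA256 tag under a separate key (encrypt-then-MAC), so that any modification of IV or ciphertext is rejected before anything is decrypted. Seal and Open, the caller-supplied cipher.Block and the appended tag layout are assumptions here; in an XMLEnc document the tag would travel alongside the CipherData rather than inside it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Seal (assumed name): AES-CBC with PKCS#7 padding (the mode XMLEnc specifies),
// followed by an HMAC-SHA256 tag over IV||ciphertext. macKey must be independent
// of the encryption key behind block (encrypt-then-MAC, as in Bellare et al.).
func Seal(block cipher.Block, macKey, plaintext []byte) ([]byte, error) {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	msg := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(msg[:aes.BlockSize]); err != nil { // fresh random IV
		return nil, err
	}
	cipher.NewCBCEncrypter(block, msg[:aes.BlockSize]).CryptBlocks(msg[aes.BlockSize:], padded)
	h := hmac.New(sha256.New, macKey)
	h.Write(msg)
	return h.Sum(msg), nil // IV || ciphertext || tag
}

// Open (assumed name) verifies the tag in constant time before it decrypts or
// unpads, so a changed IV or ciphertext is rejected without revealing padding errors.
func Open(block cipher.Block, macKey, sealed []byte) ([]byte, error) {
	body := len(sealed) - sha256.Size
	if body < 2*aes.BlockSize || body%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	h := hmac.New(sha256.New, macKey)
	h.Write(sealed[:body])
	if !hmac.Equal(h.Sum(nil), sealed[body:]) {
		return nil, errors.New("authentication failed")
	}
	pt := make([]byte, body-aes.BlockSize)
	cipher.NewCBCDecrypter(block, sealed[:aes.BlockSize]).CryptBlocks(pt, sealed[aes.BlockSize:body])
	if p := int(pt[len(pt)-1]); p >= 1 && p <= aes.BlockSize {
		return pt[:len(pt)-p], nil
	}
	return nil, errors.New("bad padding")
}
```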

Thursday, November 17, 2005 10:54:46 AM (Eastern Standard Time, UTC-05:00) | Comments [1]
Wednesday, November 16, 2005

Yesterday, we had our first day at the booth here at XML 2005. We were able to attract a fairly large crowd, talking about the Identity products, StarOffice, the XML Registry, JWSDP and OpenSolaris. Up there is a picture of the booth prior to the opening of the show floor.


Wednesday, November 16, 2005 9:18:39 AM (Eastern Standard Time, UTC-05:00) | Comments [0]
Tuesday, November 15, 2005

Living in Massachusetts, I strongly support the state's move to migrate its publications and documents to a truly open format (i.e. OASIS Open Document).

I recently ran across a public petition to the German Parliament to enact a similar regulation for the German authorities.

Now: if you are German and feel like this is a good idea, please go here: http://itc.napier.ac.uk/e-Petition/bundestag/view_petition.asp?PetitionID=11

Tuesday, November 15, 2005 10:21:24 AM (Eastern Standard Time, UTC-05:00) | Comments [0]
Monday, November 14, 2005

Due to a very limited internet connection, I have to be brief. Here are some of the results of my trip to IETF 64:

  • There is definitely a fairly broad interest in using SAML within the GSS-API framework.
  • A small group is currently discussing the feasibility and scope of such an approach.

Originally, we proposed three major modes of combining SAML with GSS:

  • An internal decoration approach: SAML assertions could be used WITHIN existing mechanisms (such as e.g. Kerberos) to carry additional attributes associated with the principal.
  • An external decoration approach: Similar, but instead of using pre-existing extension points, use the stackable mechanism approach instead (see www.ietf.org, kitten WG). This approach would have the clear benefit of being composable with mechanisms that do not have extension points (e.g. Username/Password).
  • A native mechanism: A SAML AuthN statement is used exclusively. While - IMHO - most promising, this approach will be technically the most challenging: first, there is no key exchange defined; second, the only crypto-related XML standards (XMLDSig, XMLEnc) are - at best - poor.

I will post more after XML 2005.

Monday, November 14, 2005 11:52:08 PM (Eastern Standard Time, UTC-05:00) | Comments [0]
Friday, November 04, 2005

Well, I have to admit, it is a lot easier than it used to be. A few caveats, though:

  • I prefer to configure manually after the installation. I had one nasty failure during install at some point when I was using automatic configuration during install (this was actually because I installed JES on an AD domain controller, so port TCP/389 was already bound, so the LDAP configuration would fail, and (almost) all other configuration after that depends on the availability of the config server).
  • When configuring the directory server, please edit the directory server properties file before running DSConfig.bat. The README doesn't say so, but I had a much better time when I did.

When uninstalling JES, you might end up in a situation where the Directory Server Windows Service was not unconfigured. In that case, you must go to HKLM\System\CCS\Services and delete the keys for slapd-(your server identifier here).

Friday, November 04, 2005 8:58:45 AM (Eastern Standard Time, UTC-05:00) | Comments [0]
Wednesday, October 26, 2005

... is a no-go. Please read Rob's blog entry about WinFX not being supported on the October 05 CTP release of Vista.

Wednesday, October 26, 2005 10:07:14 AM (Eastern Standard Time, UTC-05:00) | Comments [0]

I truly love Offline Files (client side caching - CSC) on Windows machines, particularly in combination with Folder Redirection and DFS: in my setup, I have My Documents redirected to a DFS domain root and cache all the documents I typically need, when working disconnected.

Recently, however, Offline Files became quite unpredictable and would not cache any new files. There were mostly two error messages: one complaining about the system being in last-known-good configuration (system error code 1074, ERROR_ALREADY_RUNNING_LKG) and another complaining about the file not existing.

I looked around, but did not find much help, except for a link describing csccmd.exe (from the Server Support Tools) and a recommendation to do all kinds of nasty things to your Offline Files configuration.

What I did was this:

1. I removed all local copies; there was one broken link that could not be removed.

2. Then I disabled Offline Files with csccmd.exe /disable

3. I rebooted into Safe Mode and deleted all content under %SystemRoot%\CSC

4. I rebooted again and re-enabled Offline Files.

After this, you need to re-initialize your Offline Files configuration, but at least all errors were gone.

Wednesday, October 26, 2005 10:04:35 AM (Eastern Standard Time, UTC-05:00) | Comments [1]
Thursday, October 20, 2005

Longhorn Server is a strange beast:

  • I was just starting to play with AD on Longhorn Server (PDC, Build 5219) and wanted to start up my favorite AD tool, ntdsutil.exe, to poke around in the AD settings ... it's gone (so far).
  • The install directory would have been a nice place to look for the compressed version, right? Wrong: it seems that most of the LH Server install sources are now contained in a 1GB .WIM file ... does anybody know how to open that up?
  • Unless I am totally off, there is no IPv6 stack.
  • What happened to the Castle Service in the early LH client builds?
  • There is a new NGEN service that seems to auto-compile .NET assemblies to native code. Interesting, particularly since Don Box and Chris Sells explained that this is not necessarily the best of all ideas, since:
    • the in-memory size of the native assemblies is significantly bigger, leading to bloated applications, and
    • changes in the contract are identified through the MVID, so a re-compilation might be necessary.

Looks like there are a lot of changes ...

Thursday, October 20, 2005 4:33:07 PM (Eastern Standard Time, UTC-05:00) | Comments [0]
Wednesday, October 19, 2005

I was getting a little interested in learning more about how the Indigo/WCF transport listener architecture works. This is what I found so far:

The center of this is the TransportListenerFactory. Its inheritance tree can be found on MSDN, but here is a quick overview:

System.Object
   System.ServiceModel.Channels.CommunicationObject
      System.ServiceModel.Channels.ChannelManagerBase
         System.ServiceModel.Channels.ListenerFactoryBase
            System.ServiceModel.Channels.TransportListenerFactory
               System.ServiceModel.Channels.ConnectionOrientedTransportListenerFactory
                  System.ServiceModel.Channels.NamedPipeListenerFactory
                  System.ServiceModel.Channels.TcpListenerFactory
               System.ServiceModel.Channels.HttpListenerFactory
               System.ServiceModel.Channels.MsmqListenerFactoryBase
               System.ServiceModel.Channels.PeerListenerFactory

Now let's look at a self-hosted example: you first create your ServiceHost and then decorate it with the endpoint and binding information. Custom bindings are the most interesting, since you can see a little of what's going on under the covers. Encoding and Transport channels are required, and you need to add your transport binding last. Also, you MUST properly configure the EndpointListener; in particular, you need to select the right transport protocol prefix (e.g. http:// for HTTP or net.tcp:// for SOAP over TCP). The EndpointListeners themselves point (via the Factory property) to the transport factory.

It seems reasonable to assume that the relevant optimizations (e.g. connection multiplexing, pooling) are implemented in the TransportListenerFactory class which is abstract.

Another guess on my part is that the HTTP listener factory has some special implementation, since it needs to address both IIS6 hosting and self-hosted environments.

Wednesday, October 19, 2005 1:03:35 PM (Eastern Standard Time, UTC-05:00) | Comments [0]

Copyright by Gerald Beuchelt.