Tuesday, November 22, 2005

I just wanted to step back and thank my colleague Lauren Wood for her superb efforts organizing the XML conference (for the 5th year!). As a speaker, as well as an attendee, this was a most pleasant and interesting conference.

Tuesday, November 22, 2005 2:01:15 PM (Eastern Standard Time, UTC-05:00)

Once more, Microsoft is targeting ECMA as the consortium to sign off on their technology, just as a few years ago, when they submitted parts of the CLR and C#. This time it is the Office '12' formats, which have become quite a burden under the current plans of the Commonwealth of Massachusetts, the E.U. and the country of Denmark: all three of these governmental bodies have decided to require an open file format for all future forms and documents.

For the longest time, the license that came with the Office XML formats was far less than open. The bottom line was: you can look, but you cannot really implement.

Now Microsoft promises that this will change under the ECMA process.

Tuesday, November 22, 2005 9:01:27 AM (Eastern Standard Time, UTC-05:00)
Monday, November 21, 2005

For all attendees of XML 2005: I just updated my paper on Using SAML for Platform Security. Please check http://2005.xmlconference.org/proceedings for the updated version.

All non-attendees: the proceedings will be made publicly available by Nov 30 of this year. I will also publish the paper here.

Monday, November 21, 2005 1:21:41 PM (Eastern Standard Time, UTC-05:00)
Saturday, November 19, 2005

I have just configured dasBlog to use cross posts. Let's see if this post makes it to my old blogs.sun.com blog.

For those reading this on blogs.sun.com: my new blog is at http://beuchelt.blogdns.net:8080/.

Hmm - 2nd try.

Saturday, November 19, 2005 2:07:01 PM (Eastern Standard Time, UTC-05:00)
Friday, November 18, 2005

Please find the PDF slide deck for my presentation at XML 2005 here:

XML 2005 - Using SAML for Platform Security

The paper for this talk will be available, as far as I understand, for public download some time later this year or early next year from the conference Web site.

Friday, November 18, 2005 11:18:29 PM (Eastern Standard Time, UTC-05:00)
Thursday, November 17, 2005

The open document discussion is also raging within the halls of the European institutions. Please see here for a report and some industry responses.

On that page, you will also find a letter from Jonathan Schwartz of Sun Microsystems, Inc. on the report by the Commission.

Thursday, November 17, 2005 11:10:16 AM (Eastern Standard Time, UTC-05:00)

Now, here is an interesting talking point: XML Encryption (XMLEnc) is bad.

"Why?", you might ask. Well, in their lack of infinite wisdom, the XML encryption community left out a very important concept: Authenticated Encryption, i.e. combining signatures and encryption to produce ciphertext that maintains confidentiality and can also be verifiably associated with a key (i.e. a subject/identity/principal/whatever). Without that binding, a recipient can decrypt a ciphertext but cannot tell whether it has been altered or who produced it. Section 6.1 in XMLEnc-Core reads:

"The application of both encryption and digital signatures over portions of an XML document can make subsequent decryption and signature verification difficult."

and

"[...] the interaction of encryption and signing is an application issue and out of scope of the specification."

So, essentially, AE is left as an exercise to the reader. This is not good, particularly since AE is not too complex and is, in fact, quite well understood. See RFC 3961 (Kerberos) or "Authenticated Encryption ..." by M. Bellare et al.

Without AE, XML encryption is not complete and, for many real security applications, useless.
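As an added example (not from this post, the XMLEnc spec, or any Sun product), here is the encrypt-then-MAC composition the post calls for, in the style of the Bellare et al. paper: AES-128-CBC (the XMLEnc block cipher) followed by an HMAC-SHA256 tag over the ciphertext and over the key-name/algorithm data the ciphertext must be bound to. The wire layout (iv || ciphertext || tag) and the contents of assocData are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Assumed wire layout (not from XMLEnc): iv || AES-128-CBC ciphertext || HMAC-SHA256 tag.
// assocData is whatever the ciphertext must be bound to, e.g. a KeyName plus the algorithm URI.
func encryptThenMAC(encKey, macKey, assocData, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil { return nil, err }
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding, always >= 1 byte
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { return nil, err } // fresh random IV
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(assocData) // bind the ciphertext to its key name / algorithm
	mac.Write(out)       // and cover IV + ciphertext, the part XMLEnc leaves unauthenticated
	return mac.Sum(out), nil
}

// verifyThenDecrypt checks the tag first, so altered or re-bound ciphertext is never decrypted.
func verifyThenDecrypt(encKey, macKey, assocData, msg []byte) ([]byte, error) {
	if len(msg) < sha256.Size+2*aes.BlockSize || (len(msg)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(assocData)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) { // constant-time comparison
		return nil, errors.New("authentication failed: ciphertext or key binding altered")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil { return nil, err }
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize { return nil, errors.New("bad padding") }
	return pt[:len(pt)-pad], nil
}
```

Because the tag is checked before any decryption, a flipped ciphertext byte, a message re-labelled with another KeyName, or a truncated message is rejected outright rather than yielding garbage or a padding error.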

Thursday, November 17, 2005 10:54:46 AM (Eastern Standard Time, UTC-05:00)
Wednesday, November 16, 2005

Yesterday, we had our first day at the booth here at XML 2005. We were able to attract a fairly large crowd, talking about the Identity products, StarOffice, the XML Registry, JWSDP and Open Solaris. Up there is a picture of the booth prior to opening the showfloor.


Wednesday, November 16, 2005 9:18:39 AM (Eastern Standard Time, UTC-05:00)
Tuesday, November 15, 2005

Living in Massachusetts, I strongly support the state's move to migrate their publications and documents to a truly open format (i.e. OASIS Open Document).

Now I recently ran across a public petition to the German Parliament to enact a similar regulation for the German authorities.

Now: if you are German and feel like this is a good idea, please go here: http://itc.napier.ac.uk/e-Petition/bundestag/view_petition.asp?PetitionID=11

Tuesday, November 15, 2005 10:21:24 AM (Eastern Standard Time, UTC-05:00)
Monday, November 14, 2005

Due to a very limited internet connection, I have to be brief. Here are some of the results of my trip to IETF 64:

  • There is definitely a fairly broad interest in using SAML within the GSS-API framework.
  • A small group is currently discussing the feasibility and scope of such an approach.

Originally, we proposed three major modes of combining SAML with GSS:

  • An internal decoration approach: SAML assertions could be used WITHIN existing mechanisms (such as e.g. Kerberos) to carry additional attributes associated with the principal.
  • An external decoration approach: Similar, but instead of using pre-existing extension points, use the stackable mechanism approach instead (see www.ietf.org, kitten WG). This approach would have the clear benefit of being composable with mechanisms that do not have extension points (e.g. Username/Password).
  • A native mechanism: A SAML AuthN statement is exclusively used. While, IMHO, most promising, this approach will be technically the most challenging: first, there is no key exchange defined; second, the only crypto-related XML standards (XMLDSig, XMLEnc) are, at best, poor.

I will post more after XML 2005.

Monday, November 14, 2005 11:52:08 PM (Eastern Standard Time, UTC-05:00)
Friday, November 04, 2005

Well, I have to admit, it is a lot easier than it used to be. A few caveats, though:

  • I prefer to configure manually after the installation. I had one nasty failure during install at some point when I was using automatic configuration during install (this was actually because I installed JES on an AD domain controller, so port TCP/389 was already bound, so the LDAP configuration would fail, and (almost) all other configuration after that depends on the availability of the config server).
  • When configuring the directory server, please edit the directory server properties file before running DSConfig.bat. The README doesn't say so, but I had a much better time when I did.

When uninstalling JES, you might end up with a case where the Directory Server Windows Service was not unconfigured. In that case, you must go to HKLM\System\CCS\Services and delete the keys for slapd-(your server identifier here).

Friday, November 04, 2005 8:58:45 AM (Eastern Standard Time, UTC-05:00)
Wednesday, October 26, 2005

... is a no-go. Please read Rob's blog entry about WinFX not being supported on the October 05 CTP release of Vista.

Wednesday, October 26, 2005 10:07:14 AM (Eastern Standard Time, UTC-05:00)

I truly love Offline Files (client side caching - CSC) on Windows machines, particularly in combination with Folder Redirection and DFS: in my setup, I have My Documents redirected to a DFS domain root and cache all the documents I typically need, when working disconnected.

Recently, however, Offline Files was quite unpredictable and would not cache any new files. There were mainly two error messages, one complaining about the system being in last-known-good configuration (system error code 1074, ERROR_ALREADY_RUNNING_LKG) and another complaining about the file not existing.

I looked around, but did not find much help, except a link describing csccmd.exe (from the Server Support Tools) and a recommendation to do all kinds of nasty things to your Offline Files configuration.

What I did was this:

1. I removed all local copies; there was one broken link that could not be removed.

2. I then disabled Offline Files with csccmd.exe /disable

3. Reboot into Safe Mode and delete all content under %SystemRoot%\CSC

4. Reboot again and re-enable Offline Files.

After this, you need to re-initialize your Offline Files configuration, but at least all errors were gone.

Wednesday, October 26, 2005 10:04:35 AM (Eastern Standard Time, UTC-05:00)

Copyright by Gerald Beuchelt.