Saturday, June 24, 2006

Since last Thursday, I am the happy owner of a Cingular 2125 (HTC Faraday) with Windows Mobile 5.0 Smartphone Edition. I have to admit that since my first steps with Windows CE (Pocket PC 2002 on an iPaq 3850) they have made some great improvements. Networking is MUCH easier now, and with the EDGE capabilities I easily get about 100+ kbps in my area. This is good enough to listen to a stereo audio stream, which means that I can now listen to my favorite radio stations from Germany (DLF) wherever I am.

Another great feature is the VPN capability of the phone itself. Really useful, though, is the Bluefire Security VPN client that allows me to dial into my corporate network using a SecurID card.

The next steps will - obviously - be to start dabbling with the Mobile 5.0 SDK and the Mobile extensions for NetBeans.

Saturday, June 24, 2006 12:55:00 PM (Eastern Standard Time, UTC-05:00)  #    Comments [1]  | 
Wednesday, June 21, 2006

SAML could be used for performing anonymous (more precisely, pseudonymous) authorization in the following way:

  1. A user contacts a relying party for a particular service.
  2. The RP returns a request for a set of attributes that it requires to allow access.
  3. The user agent formulates a request to its SAML IdP for a signed attribute statement about that set of attributes.
  4. The IdP returns that statement, signed with its key.
  5. The client forwards that statement to the RP.
  6. The RP verifies the signature against the public key of the issuer.

In this scenario, the IdP does not know anything about the RP, and cannot associate the particular user request with the RP's retrieval of its public key (unless the IdP is really obscure and serves only a very few users). The RP only knows about the attributes that were asserted in the statement.

The obvious drawback is that the IdP has a lot of knowledge about the user. This issue can be mitigated by putting a user-trusted broker between the user and the IdP.
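Here is the flow above as a runnable sketch. It is added to this post as an example and is not taken from any SAML implementation: the statement is a small JSON record signed with Ed25519 instead of SAML XML with XML-DSig, and the issuer name, the attribute names and the user record are made-up values. It keeps the two properties the steps rely on: the IdP is never told which RP the statement is for, and the RP gets only the attributes it asked for (the e-mail address in the user record never leaves the IdP). Since nothing binds the statement to a particular RP (that is exactly what buys the pseudonymity), a captured statement could be presented to any other RP that trusts the same issuer, so the RP checks the IssueInstant/NotOnOrAfter window as well as the signature, and the IdP keeps that window short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AttributeStatement stands in for a signed SAML attribute statement. It deliberately
// names no audience and no subject, so the IdP never learns the RP and the RP learns
// only the asserted attributes. Field names are this example's, not SAML's.
type AttributeStatement struct {
	Issuer       string            `json:"issuer"`
	IssueInstant time.Time         `json:"issue_instant"`
	NotOnOrAfter time.Time         `json:"not_on_or_after"`
	Attributes   map[string]string `json:"attributes"`
}

// SignedStatement is what the user agent carries from the IdP to the RP.
type SignedStatement struct {
	Statement []byte // JSON of AttributeStatement, signed byte-for-byte
	Signature []byte // Ed25519 signature over Statement
}

// IdP holds the issuer name and its signing key pair.
type IdP struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdP(name string) (*IdP, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdP{Name: name, Pub: pub, priv: priv}, nil
}

// Issue is steps 3 and 4: the user agent names the attributes the RP asked for and
// the IdP asserts exactly those, nothing more. The request says nothing about the RP.
func (i *IdP) Issue(user map[string]string, requested []string, now time.Time) (*SignedStatement, error) {
	subset := make(map[string]string, len(requested))
	for _, name := range requested {
		if v, ok := user[name]; ok {
			subset[name] = v
		} else {
			return nil, fmt.Errorf("attribute %q not available", name)
		}
	}
	st := AttributeStatement{Issuer: i.Name, IssueInstant: now,
		NotOnOrAfter: now.Add(5 * time.Minute), Attributes: subset} // short life limits replay
	raw, err := json.Marshal(st)
	if err != nil {
		return nil, err
	}
	return &SignedStatement{Statement: raw, Signature: ed25519.Sign(i.priv, raw)}, nil
}

// RelyingParty knows what it needs and which issuer keys it trusts; it never talks to the IdP.
type RelyingParty struct {
	Required       []string
	TrustedIssuers map[string]ed25519.PublicKey
}

// Authorize is step 6: verify the signature with the issuer's public key, check the
// validity window, and confirm every required attribute was asserted.
func (rp *RelyingParty) Authorize(ss *SignedStatement, now time.Time) (map[string]string, error) {
	var st AttributeStatement
	if err := json.Unmarshal(ss.Statement, &st); err != nil {
		return nil, err
	}
	pub, ok := rp.TrustedIssuers[st.Issuer] // Verify runs over the exact signed bytes
	if !ok || !ed25519.Verify(pub, ss.Statement, ss.Signature) {
		return nil, fmt.Errorf("issuer %q untrusted or signature invalid", st.Issuer)
	}
	if now.Before(st.IssueInstant) || !now.Before(st.NotOnOrAfter) {
		return nil, errors.New("statement outside its validity window")
	}
	for _, name := range rp.Required {
		if _, ok := st.Attributes[name]; !ok {
			return nil, fmt.Errorf("required attribute %q not asserted", name)
		}
	}
	return st.Attributes, nil
}

func main() {
	idp, err := NewIdP("https://idp.example.org") // example issuer name
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{Required: []string{"age_over_18", "country"},
		TrustedIssuers: map[string]ed25519.PublicKey{idp.Name: idp.Pub}}
	// Constructed user record held by the IdP; the RP never sees the e-mail address.
	alice := map[string]string{"age_over_18": "true", "country": "DE", "email": "alice@example.org"}
	ss, _ := idp.Issue(alice, rp.Required, time.Now()) // steps 3-5
	fmt.Println(rp.Authorize(ss, time.Now()))          // step 6
}
```

The RP verifies the exact bytes the IdP signed rather than re-serializing the parsed statement, which avoids the canonicalization problems that real XML-DSig has to solve; the tests exercise the happy path, an expired statement, a tampered statement, a statement signed with a key the RP does not trust, and a request for an attribute the IdP does not hold.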

Wednesday, June 21, 2006 1:13:51 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Monday, June 19, 2006

One of the issues (it seems) around identity is that there is a lack of highly trusted digital identity sources. Do I trust a (fairly anonymous) Yahoo ID or don't I?

I would like to argue that if we had a reliable way of transferring real-world identity claims (like e.g. a Passport, a credit card, or a driver's license) to the digital world, the trust in these identity sources would be fairly high. So the problem gets down to the point of transferring the real-world identity to the virtual world - with user consent. The technologies are pretty much all available: for example, a driver's license authority could easily offer a web site that allows generating a digital token (like a cert or a SAML assertion) based on the information that is typically associated with the real-world token, which would include the name, address, license number and SSN. The same place could also be used to revoke a particular token.

What would this do for the digital identity landscape? We would get a number of highly trusted "dTokens" that could easily be used for the same type of transactions that the corresponding real-world tokens are typically used for: dPassports (digital Passports) for acquiring visas, dCreditCards for purchases and dDriversLicenses for age verification. With a user-centric store for these dTokens, users would be empowered to perform the same things in their digital life that they are accustomed to in the real world.

Monday, June 19, 2006 4:40:23 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 

The Bandit Project is the latest in a wave of Identity Metasystems (components?) to attract the interest of the community. It is deeply tied into the Higgins Identity API system, and could (will?) use Liberty and Windows CardSpace as providers.

What I am struggling with so far (not having immersed myself in Bandit) is the benefit it offers over Higgins.

Monday, June 19, 2006 4:20:27 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 

The DIX identity protocol in its latest draft form now uses parts of the SAML 2.0 token format. Ah, interesting times...

Monday, June 19, 2006 2:50:06 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Friday, June 16, 2006

Microsoft Live has an STS for Windows Live ID (aka Passport) running here. Now this is really interesting, particularly in the context of Microsoft's recent move to get the Infocard selector to many platforms. So what is the rationale behind this? Here is my take on this:

ADFS will be the Microsoft implementation of the Enterprise STS. If the Live ID STS advertises itself now as an ADFS Federation Partner (i.e. a 'trustable' resource for your enterprise AD), you will be able to provide SSO for your customers to log into your extranet. Now the really interesting question is: will Microsoft allow the Passport STS (by explicit business contract) to trust ADFS deployments (maybe for really large customers only), thus enabling your enterprise users to SSO into Passport sites?

Friday, June 16, 2006 2:46:04 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
I talked about Atlas pains in the last entry - here is an innovative approach to getting this across to the developers at Microsoft. Kudos to those who can make fun of themselves. Enjoy!

Friday, June 16, 2006 1:03:50 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 

Microsoft's Atlas framework for AJaX got some harsh comments from Microsoft's partner Wintellect about the lack of cross-browser interoperability. At the end of the day, AJaX really came up because the different component frameworks and client capabilities are so disjoint that for a long time there was no way you could build a rich Web UI. With Atlas only supporting IE (for the interesting parts, at the very least), the benefits of AJaX go away.

So if Microsoft is truly serious about making Atlas a usable AJaX framework, they will have to support Firefox and Safari, at the very least.

Friday, June 16, 2006 10:18:57 AM (Eastern Standard Time, UTC-05:00)  #    Comments [1]  | 
Thursday, June 15, 2006
Nicholas Allen shot a photo of Kirill and me during our chalk talk yesterday.

Nice to have met you in person, and thanks for the photo, Nicholas!

Thursday, June 15, 2006 4:57:20 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 

This is really good news for all SAML fans: Sun released a non-assertion covenant (NAC) for SAML v2, similar to the one that has covered the Open Document Format since last year. This means that the last (and, as far as I know, only) hurdle for vendors (like e.g. Microsoft) to implement SAML v2 is gone. It will be really interesting to see when and - more importantly - who will pick up on this offer.

Thursday, June 15, 2006 3:56:20 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Wednesday, June 14, 2006

Kirill's and my chalk talk session this afternoon went pretty well: we had an interested (and interesting) audience of about 20 people. Kirill started off by introducing the Sun/Microsoft relationship and some of the achievements of the past year.

I then gave a fairly technical introduction to FIFI and a detailed code demo. Kirill finished with the WSIT/WCF interoperability scenario from JavaOne, including a demo.

I will post the slides here soon.

Wednesday, June 14, 2006 3:44:53 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Tuesday, June 13, 2006
Kirill posted his session schedule for TechEd. Just as a final reminder, FIFI is on:

CONTLC37 - Enterprise Web Services Interoperability between .NET and Java Using WCF and Sun's GlassFish

Connected Systems Theater 2, Blue Arena in TLC, Wed June 14th, 14:00 - 15:15

The FIFI segment of his talk should be particularly interesting if you want to learn more about writing your own MessageEncoder, XmlWriter and XmlReader. There will be some discussion of the architecture of the encoding layer and the serialization as well.
We will also talk about WS-ReliableMessaging interoperability and Infocard identity interoperability between the NetFX stack and Java.

Tuesday, June 13, 2006 6:20:24 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
NOTE: Do not do this to any of your production machines - you will make them unusable!

So here is a way that should work for getting the Vista BootMgr to load Linux or Solaris. Note that I have not yet got this working - this is very much work in progress:

Essentially you install both OSes and boot into Linux. You then start GRUB and install the loader into the boot sector of the partition where Linux lives (here the first partition of the second disk, (hd1,0) in GRUB's naming):

grub
> root (hd1,0)
> setup (hd1,0)


After that, you need to get a copy of the boot sector. Following these instructions from O'Reilly, you need to do this (the device must be the same partition GRUB was set up on, so /dev/hdb1 for (hd1,0); dumping the whole disk would give you the MBR instead):

dd if=/dev/hdb1 of=/tmp/grub.bin bs=512 count=1

Take grub.bin and move it to your Vista partition (e.g. by USB stick).

---

On Vista, start a CMD shell (remember to run as administrator!) and copy ntldr, ntdetect.com, and grub.bin into your C:\ root directory. (The legacy loader needs ntdetect.com next to ntldr; there is no ntconfig.exe.)

You then need to edit boot.ini to reference grub.bin - again, take a look at the O'Reilly article for details.

After this, you need to tell BCD to use the legacy loader and include it in the boot menu. The {ntldr} entry must already exist in the BCD store with its device and path pointing at the partition and file holding ntldr (bcdedit can create the entry and set both); then:

bcdedit /displayorder {current} {ntldr}

At this point, the Vista boot manager should be able to load Linux. For me, it does not work yet. If you get this to work, please tell me how... Otherwise stay tuned for more.


For some more information on the bootsector, see:

http://www.bcpl.net/~dbryan/ntfs-dual-boot.html
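Before copying grub.bin over, it is worth checking that the 512 bytes you dumped really are a GRUB stage1 boot sector and not, say, the first sector of the wrong device or a truncated read. The small Go program below does that check; it is added here as an example and is not from the O'Reilly article, the page linked above, or GRUB itself. It looks for the BIOS boot signature 0x55 0xAA at offset 510 and for the message table that GRUB legacy's stage1 embeds in the sector; the file name grub.bin and the dd invocation are the ones from the steps above, the marker constant is mine (if your GRUB build differs, adjust it).

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
)

// SectorSize is the size of one BIOS boot sector, matching dd's bs=512 count=1.
const SectorSize = 512

// stage1Marker is the start of the message table GRUB legacy's stage1 carries
// in its boot sector ("GRUB \0Geom\0Hard Disk\0Read\0 Error").
const stage1Marker = "GRUB \x00Geom\x00Hard Disk\x00Read\x00 Error"

// CheckGrubBootSector sanity-checks a sector dumped with
// dd if=/dev/hdb1 of=grub.bin bs=512 count=1 before it is handed to the
// Vista boot manager: exactly one sector, the 0x55 0xAA boot signature at
// offset 510, and the GRUB stage1 marker somewhere in the sector.
func CheckGrubBootSector(sec []byte) error {
	if len(sec) != SectorSize {
		return fmt.Errorf("expected %d bytes, got %d (wrong bs/count?)", SectorSize, len(sec))
	}
	if sec[510] != 0x55 || sec[511] != 0xAA {
		return errors.New("no 0x55AA boot signature at offset 510: not a boot sector")
	}
	if !bytes.Contains(sec, []byte(stage1Marker)) {
		return errors.New("GRUB stage1 marker not found: was grub.bin dumped from the partition GRUB was set up on?")
	}
	return nil
}

// CheckGrubBootSectorFile applies the check to a file such as grub.bin.
func CheckGrubBootSectorFile(path string) error {
	sec, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	return CheckGrubBootSector(sec)
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: checkgrub grub.bin")
		os.Exit(2)
	}
	if err := CheckGrubBootSectorFile(os.Args[1]); err != nil {
		fmt.Fprintln(os.Stderr, os.Args[1]+":", err)
		os.Exit(1)
	}
	fmt.Println(os.Args[1], "looks like a GRUB stage1 boot sector")
}
```

Run it against grub.bin on the Linux side before moving the file; a clean result rules out the two most common mistakes (wrong device, wrong block size) but of course says nothing about whether the boot.ini and BCD side is set up correctly.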


Tuesday, June 13, 2006 3:38:49 PM (Eastern Standard Time, UTC-05:00)  #    Comments [1]  | 

This is an update to an earlier article I wrote on getting Vista and Linux to dual boot. I received some feedback about that article, particularly that the solution I outlined was not working for some people. So today I tried it again - this time with Vista Beta 2 and Ubuntu 6.06 on a VMware platform, emulating two IDE drives and a 32-bit (x86) platform.

To my surprise, everything worked right out of the box:

  1. Install Vista on the first drive. Note that I did not have the second drive installed at that time, so Vista did not have any opportunity to modify the MBR of that drive.
  2. Install Ubuntu from the Live CD. Ubuntu will automatically install GRUB in the MBR of the first drive, but since GRUB cannot identify the file system type of the Vista partition, it will simply not create an entry for it.
  3. Reboot after the Ubuntu installation and edit the /boot/grub/menu.lst file. For your reference, here is what you need to add:

    title          Windows Vista (Beta 2)
    root           (hd0,0)
    makeactive
    chainloader    +1

    I also recommend changing the default timeout from 3 seconds to something more reasonable (maybe 15 seconds?).

Interestingly enough, even though GRUB was not able to identify the Vista partition, Linux mounts it with no problems (although I have not really tested this functionality - but you can definitely see your files).

After that, all should work. If you run into any problem, please drop me a line at work at beuchelt dot com.

Tuesday, June 13, 2006 1:17:59 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Monday, June 12, 2006

Here is the link for the Chalk Talk sessions at TechEd:

http://wcf.netfx3.com/content/TechEd2006ChalkTalkSchedule.aspx

Note the FIFI session at about two-thirds of the page: it is on Wednesday at 2pm in theater CON2.

Monday, June 12, 2006 11:15:51 AM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 

Andre Durand is blogging today about his demo at the upcoming Catalyst conference: an Infocard Server that can connect to any federation source and 'translate' this into Infocard. Kim Cameron has a few things to say about it as well. Now what exactly is the current public availability of the Infocard protocols?

Here is the poster from Ping:

Monday, June 12, 2006 10:45:04 AM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 

David Chappell made some interesting remarks on Java and NetFX during his TechEd session and on his blog. He compares the creation of SCA by IBM, BEA and some others to the creation of the .NET Framework in 2000.

I would put this somewhat differently: .NET in 2000 was a (somewhat late) reaction to the success of the Java platform. As .NET evolved, it went - essentially - through the same issues as Java: 1.0 was essentially unusable, 1.1 kinda worked, and 2.0 (or 1.2 in Java) is/was the first truly usable platform. In this sense, SCA is comparable to the announcement of the Longhorn pillars, at best.

In his TechEd session this morning, David was trying to compare SCA with WCF. He noted that while WCF is in its final beta stages, SCA is just starting with the definition. This is certainly true. However, there are other simplifying APIs (such as EJB3, JBI/OpenESB, WSIT) that have an architectural scope similar to WCF and are in final beta as well. I strongly recommend reading the comment section of David's blog article as well, since it contains a lot of interesting pointers.

Monday, June 12, 2006 9:06:00 AM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 

Finally - the confusion is complete: WinFX is now NetFX. Huh?

The (likely) final name for the collection of .NET APIs formerly known as WinFX 3.0 (aka Avalon, Indigo and Workflow, but NOT WinFS) has arrived, together with a new community portal: they are now called NetFX and hosted at http://netfx3.com/, with Indigo/WCF being located at http://wcf.netfx3.com/.

Monday, June 12, 2006 8:49:19 AM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 

Copyright by Gerald Beuchelt.