Sunday, June 15, 2008
Just back from Orlando, here are some takeaways from this year's TechEd 2008 for IT-pros:
  • Interoperability with SOAP based web services is progressing: I was part of a panel on interoperability, moderated by Chris Haddad. It was a fairly diverse panel, with speakers from Microsoft, WSO2, Tibco, and Sun. While there was general agreement on the usefulness of the more basic WS-* specifications like WS-Security, opinions differed on where the future lies and how it can be achieved. In my opinion, the relatively high fidelity of interoperability within the WS-SX family of specifications is a direct result of the proper standardization process at OASIS that these specs were subjected to, comparable to that of ebXML or SAML 2.0. Thus, it is my expectation that the WS-RX and WS-TX protocol families will eventually yield similarly good interoperability.
  • For the "Demo that almost made it (TM)", we made some serious progress: After talking to Greg Leake of Microsoft and Jonathan Marsh of WSO2, I am quite optimistic that we can easily inject a Metro based STS and/or OpenSSO with WS-Trust and CardSpace support into the StockTrader sample application to allow authentication through a SAML token. At the same time, I think that this demo application in particular lends itself quite nicely to showcasing the strength of the Liberty framework for web services: you have a web application that needs to interact with the Business Services and the Order Processing Service. Identity has to be preserved across these different tiers, yet privacy protection would be highly desirable.
  • It was very interesting to see that Microsoft is continuing on the path of interoperability in the systems management area. Three years after we demonstrated MOM 2005 managing and monitoring a Sun v40z with Solaris, Microsoft's System Center beta features an open source Solaris management adapter. An interesting question is where this code will be hosted ...

Sunday, June 15, 2008 10:45:20 AM (Eastern Standard Time, UTC-05:00)
Monday, May 12, 2008

A small note: if you are using Lightning for Thunderbird and you install or upgrade to Ubuntu 8.04 (Hardy), you might run into an issue of your calendars disappearing (probably only when using the build from the Lightning website):

Error: [Exception... "Invalid ClassID or ContractID" nsresult: "0x80570017 (NS_ERROR_XPC_BAD_CID)" ...

.../extensions/%7Be2fda1a4-762b-4020-b5ad-a41df1933103%7D/components/calItemModule.js
Line: 67

This is related to the fact that Hardy upgraded the C++ libraries to libstdc++6. In order to fix this, you might want to try installing the 5.x version of libstdc++ (the libstdc++5 package) alongside it.

Another goodie: starting with Lightning 0.8, WCAP support for the Java Calendar Server is now part of the main trunk.


Monday, May 12, 2008 4:59:03 PM (Eastern Standard Time, UTC-05:00)
Thursday, May 01, 2008

I attended a meeting of the Hartford, CT, chapter of OWASP yesterday - James McGovern was kind enough to invite me. OWASP is a group focusing on web application security, with a heavy emphasis on "application" (in contrast to "infrastructure"). Most of the attendees were either directly working in the financial industry or closely working with it - at the end of the day, it was Hartford.

To me it was a very interesting event - especially since I have mostly been thinking about platform and infrastructure security and not so much about the applications. Some of the emerging standards (like PCI DSS) were rather new to me, but seem interesting enough for me to take a look at.

Some more interesting tools and tidbits:

  • WebGoat is a "deliberately insecure JEE application", designed to teach developers how to *not* code a web application. This should be fun to take a look at.
  • WebScarab is an intercepting HTTP(S) proxy.
  • The OWASP Top Ten also has some interesting reading.

Overall, I am looking forward to staying in touch with this group.

Thursday, May 01, 2008 2:19:28 PM (Eastern Standard Time, UTC-05:00)
Monday, March 31, 2008

It took quite a while, but by now it is out. Please welcome the Windows CardSpace Information Card extensions for OpenSSO:

https://opensso.dev.java.net/source/browse/opensso/extensions/authnicip/

When I started working on this last spring, I was not even hoping to see this released in open source and as part of the OpenSSO extensions family in less than a year. It took the goodwill and talent of quite a few people to get this off the ground, but with the public release of this code and the upcoming OSIS interop during the RSA Conference, OpenSSO is now "speaking ISIP" ...



Monday, March 31, 2008 1:39:20 PM (Eastern Standard Time, UTC-05:00)

This is seriously groundbreaking: Clemens (also here) just finished an example of a Metro client accessing Microsoft's BizTalk Services (aka Internet Service Bus). "Well", you might ask, "what is so groundbreaking about this? Isn't this what this whole web services thingy was supposed to achieve? Interoperability?!"

Yes, indeed. However, this is the first time ever (to my knowledge) that Microsoft is releasing JEE code, built with Metro within NetBeans, as part of an SDK. Getting there took quite a while, and was largely enabled by Sun and Microsoft working very closely together in a series of interop-plugfests. The latest installment of these got (especially) WS-Trust interoperability to a point where you can now use the client implementation in Metro to access the STS provided by the .NET Framework.

Congrats to Clemens, but also the Metro team (namely Jiandong and Harold).


Monday, March 31, 2008 1:17:52 PM (Eastern Standard Time, UTC-05:00)
Friday, February 29, 2008
Pat, Ben, and Kim have been talking about the use of password tokens for use with Windows CardSpace. Pat's detailed description of how this could work is quite useful, and can be extended in some interesting ways:

1. Create a single-use password deployment

If we change the default WS-Security username/password token to include not only the username and the password needed to log in, but also a second, newly IdP-generated password that replaces the old one on the RP, we would get a single-use password: every accepted token burns the password it presented and installs the one it carried. This might be quite useful for improving the security of the system.

For the rest of this article, I will call such a token "Extended Username/Password token" (EUPT).

2. Creating an account at the RP

One of the things Kim objects to is that, for bootstrapping into a CardSpace password manager setup, the user would be required to enter the initial password into a web form. I agree that this *is* bad, but an extended username/password token could help here, too:
When the user does not yet have an account at the RP, he will need to log in at a special URL. That URL accepts cards that support EUPTs. When the user creates the account, the RP will accept an EUPT with *any* values. These initial values (username AND password) are randomly generated at the IdP. Upon receipt of the EUPT, the RP stores the username and the initial password and associates them with the newly created account.
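To make the two token flows above concrete, here is an added example in Python (my own model for this page, not code from Pat's, Ben's or Kim's posts, and not part of any WS-Security or CardSpace profile). The token is modelled as a plain dict; the NewPassword field stands in for the extra element an EUPT would have to carry, and the RP identifier, the create-account endpoint and all function names are assumptions. It shows the single-use property from section 1 (replaying an accepted token fails, and a token with a wrong password is rejected without burning the current one) and the bootstrap from section 2 (the special URL accepts whatever the IdP generated and seeds the account with it):

```python
"""Model of the Extended Username/Password Token (EUPT) flows.

Constructed example: the NewPassword field, the create-account endpoint and
all names below are assumptions for illustration, not WS-Security or CardSpace.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _random_password() -> str:
    return secrets.token_urlsafe(24)


class IdentityProvider:
    """Password-manager IdP: remembers, per RP, the password currently valid there."""

    def __init__(self):
        self._creds = {}  # rp_id -> [username, current_password]

    def bootstrap_token(self, rp_id: str) -> dict:
        """EUPT for the RP's create-account URL: username AND password are random."""
        username = "u-" + secrets.token_hex(8)
        first = _random_password()
        self._creds[rp_id] = [username, first]
        # The create-account URL ignores Password and keeps NewPassword for the next login.
        return {"Username": username, "Password": _random_password(), "NewPassword": first}

    def issue_token(self, rp_id: str) -> dict:
        """EUPT for a normal login: present the current password, carry a fresh one."""
        username, current = self._creds[rp_id]
        fresh = _random_password()
        token = {"Username": username, "Password": current, "NewPassword": fresh}
        self._creds[rp_id][1] = fresh  # the RP will refuse `current` from now on
        return token


class RelyingParty:
    """Stores only salted hashes; every accepted EUPT rotates the stored password."""

    def __init__(self):
        self._accounts = {}  # username -> (salt, pbkdf2 hash)

    def _store(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = (salt, _hash(password, salt))

    def create_account(self, token: dict) -> bool:
        """The special URL: accepts an EUPT with *any* values, but never overwrites."""
        if token["Username"] in self._accounts:
            return False
        self._store(token["Username"], token["NewPassword"])
        return True

    def login(self, token: dict) -> bool:
        """Verify Password against the stored hash; on success rotate to NewPassword."""
        record = self._accounts.get(token["Username"])
        if record is None:
            return False
        salt, stored = record
        if not hmac.compare_digest(stored, _hash(token["Password"], salt)):
            return False  # wrong or already-used password: no rotation
        self._store(token["Username"], token["NewPassword"])
        return True


def demo() -> dict:
    """Run both flows and report the outcome of each step."""
    idp, rp = IdentityProvider(), RelyingParty()
    rp_id = "https://rp.example/"  # hypothetical RP identifier
    out = {}
    out["create"] = rp.create_account(idp.bootstrap_token(rp_id))
    first = idp.issue_token(rp_id)
    out["login"] = rp.login(first)
    out["replay"] = rp.login(first)  # same token a second time: password already burnt
    forged = dict(first, Password="not-the-password", NewPassword="attacker-chosen")
    out["forged"] = rp.login(forged)  # rejected, and the stored password is untouched
    out["next_login"] = rp.login(idp.issue_token(rp_id))  # IdP and RP still in step
    return out


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:10s} {'accepted' if ok else 'rejected'}")
```

One thing this model makes visible: the IdP rolls forward the moment it issues a token, so if that token never reaches the RP (or the RP's answer is lost) the two sides are out of step and the next login fails. A real deployment would need a recovery path for that case, which the posts above do not describe.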

--

Time permitting, I will work with Pat to get this done, at least on the IdP side.


Friday, February 29, 2008 12:31:30 PM (Eastern Standard Time, UTC-05:00)
Tuesday, February 19, 2008
I had a SunBlade 1000 (UltraSPARC III based) system available, so I started on a Friday afternoon project of getting Ubuntu installed on this box. Here is what I did to get a running system, including a Gnome desktop:

1. Get the Gutsy ISO image from http://ubuntu.com/ and burn it. You must select the UltraSPARC version, which is - unfortunately - only available for Ubuntu server (more about this below).

2. Run the installer from the CD. This should be fairly straightforward, but different if you are only used to the desktop edition of Ubuntu. For starters, there is no Live CD with X Window functionality included.

3. You should have a running Ubuntu server system by now. Now in order to get the windowing environment, you need to login and get the entire desktop:
    user@host:~> sudo apt-get install ubuntu-desktop
This should work for the Kubuntu, Xubuntu, etc. desktops as well. Good luck trying.

4. During the install, you will likely be prompted to configure Xorg. If this fails for any reason, you can reconfigure X by
    user@host:~> sudo dpkg-reconfigure xserver-xorg
or even
    user@host:~> sudo Xorg -configure

5. By now you should be able to start a naked Xorg server, e.g. by running
    user@host:~> Xorg & sleep 15 ; killall Xorg
This command will kill the X server after 15 seconds, in case the keyboard mapping does not support <Ctrl> <Alt> F1 console switching (try it out).

6. My system has an Elite3D graphics board (sunffb), and even though Xorg would start just fine by itself, when starting X through gdm, the X server would die after a split-second. To overcome this, I added an option to the gdm.conf file: locate the command=/usr/bin/X line in the [server] section of gdm.conf and add the following option at the end of this line:
    +XINERAMA
Apparently, gdm probes for Xinerama support, and the Xorg server for the sunffb will die when being probed without enabling this.

7. After rebooting, the login screen should appear now.


Tuesday, February 19, 2008 2:42:02 PM (Eastern Standard Time, UTC-05:00)
Tuesday, January 29, 2008
There are quite a few indications that the hopes for an industry backed, ad-supported music exchange were - at the least - too early. Maybe it's a scam, maybe it is just a test-balloon, but in a world of iTunes hating music companies, this scheme did make some sense...


Tuesday, January 29, 2008 9:07:10 PM (Eastern Standard Time, UTC-05:00)
Sunday, January 27, 2008

Maybe, maybe: there are signs on the horizon that the content industry will finally come to grips with the harsh reality that their old models just do not work anymore the way they used to: enter Qtrax, a free, ad-supported P2P network that claims to have the blessings of a bunch of major labels, including Sony/BMG and EMI. Qtrax will launch tonight, so soon we will know more.

Overall, this might be a sign that the RIAA monopoly is finally understanding that suing their customers is not a good way of advertising your goods. And while MP3s are not exactly the encoding that HiFi fans' dreams are made out of, it is still an interesting start into a hopefully much brighter future.

There are a few things that really interest me:

  • They are using the Mozilla rendering engine. That is a good thing. Period.

  • They promise iPod compatibility. Hmm.. this sounds odd, since the iPod is quite capable of playing back MP3s. Now - assuming for the moment that they are using MP3s - why would you need to make the iPod compatible? Unless there is some sort of DRM or platform lock-in included ... we will see in about 3.5 hours ;-)

  • Who will be the ad source, ie. which advertising seller will get the opportunity to get access to a potentially gigantic market. While I have absolutely no idea, I'd be surprised if the name of that company started with a 'G'.

  • How will Apple and the market react? At the end of the day, this whole thing is a thinly-veiled attack against Apple's extremely strong position with the iPod and iTunes. If Qtrax can offer a similar level of ease-of-use, Mr. Jobs will have to do some very creative thinking.

  • What is their Linux story? Or - to rephrase the question in a more interesting way: What is their open source/open specification story? I can see that they are not particularly interested in opening up their platform, as this would directly undercut their ad-based business model. But will they allow ports or make the engine at least reasonably portable to other OSes, including Linux, but also Symbian or other cell-phone OSes (and - of course - OpenSolaris)?

We will see ... soon.


Sunday, January 27, 2008 8:17:12 PM (Eastern Standard Time, UTC-05:00)

Copyright by Gerald Beuchelt.