Friday, June 30, 2006

As you might know, Sun is shutting down their operations during the 4th of July week, so my blogging will be fairly light over the next couple of days. A few things that I intend to think about over this break include:

  • Is user-centric identity - as implemented by CardSpace - truly useful for interoperable and privacy-encouraging identity? The obvious interoperability limitation is the somewhat artificial restriction of WCS to WS-Trust. But I think there are other problems with WCS as well: will it be "just another box we have to click away"? If identity information about a user can be transmitted with a single click (by releasing an InfoCard), users might get lured into giving away personal information more easily, effectively having a negative impact on privacy. A good example is the AutoFill function of the Google toolbar: since I am using it, I am a lot less careful about giving away PII - when I still had to enter everything by hand, I was always thinking twice about releasing information.

  • How can a CardSpace-like model play well with REST/POX web services? The whole question of lightweight, identity-enabled web services and applications is still quite open.

  • Will Germany make it to the Finals? THAT question will be answered on July 4.

Friday, June 30, 2006 4:58:07 PM (Eastern Standard Time, UTC-05:00) | Comments [3]
Thursday, June 29, 2006

This is an interesting research project at Microsoft: Phoenix is the framework for all upcoming compiler and JIT optimizations for Microsoft's platforms. Their goal is to unify optimizations and execution improvements for both managed (i.e. .NET) and unmanaged (i.e. Win32) code. Conceptually it uses a three-stage optimization and code generation process, with the Phoenix C2.EXE C++ back-end compiler being the centerpiece:


A very nice effect of this research program is that it will allow developers to come up with their very own development language and still use the platform optimizations provided by Phoenix.

The research development kit can be found here.

Thursday, June 29, 2006 9:21:00 AM (Eastern Standard Time, UTC-05:00) | Comments [0]
Wednesday, June 28, 2006

Here is a way to ruin your day: watch this movie about a simulation of a 500km rock hitting earth (most unfortunately only in Japanese, but the pictures are excellent).

Wednesday, June 28, 2006 9:04:03 AM (Eastern Standard Time, UTC-05:00) | Comments [0]
Monday, June 26, 2006

Well - it seems that WinFS has returned to the undead for at least another 1-2 operating system releases: Quentin Clark writes in the WinFS group blog that WinFS is canceled for Vista and XP. They are now moving those parts that are stable enough for productization into SQL Server and ADO.NET.

This article effectively ends Microsoft's second push to move to a relational file system: the first was the infamous Cairo OO-OS in 1991 that was supposed to be built on NT, and then came WinFS, one of the pillars of Longhorn in 2002.

My guess is that this whole thing will be completely tabled until after Windows Vienna ships - this would probably make it 2010 until it comes up again; add 5-10 years of development effort, and you might have a chance of seeing this by 2015.

Well, if Microsoft wants to update their NTFS file system, they can certainly take a look at Solaris' ZFS. Maybe ... ahh, I am dreaming now.

Monday, June 26, 2006 1:55:51 PM (Eastern Standard Time, UTC-05:00) | Comments [0]
Saturday, June 24, 2006

Since last Thursday, I am the happy owner of a Cingular 2125 (HTC Faraday) with Windows Mobile 5.0 Smartphone Edition. I have to admit that since my first steps with Windows CE (Pocket PC 2002 on an iPaq 3850) they have made some great improvements. Networking is MUCH easier now, and with the EDGE capabilities I easily get about 100+ kbps in my area. This is good enough to listen to a stereo audio stream, which means that I can now listen to my favorite radio stations from Germany (DLF) wherever I am.

Another great feature is the phone's built-in VPN capability. Really useful, though, is the Bluefire Security VPN client that allows me to dial into my corporate network using a SecurID card.

The next steps will - obviously - be to start dabbling with the Mobile 5.0 SDK and the Mobile extensions for NetBeans.

Saturday, June 24, 2006 12:55:00 PM (Eastern Standard Time, UTC-05:00) | Comments [1]
Wednesday, June 21, 2006

SAML could be used for performing anonymous (more precisely pseudonymous) authorization in the following way:

  1. A user contacts a relying party for a particular service.
  2. The RP returns a request for a set of attributes that it requires to allow access.
  3. The user agent formulates a request to its SAML IdP for a signed attribute statement about that set of attributes.
  4. The IdP returns that statement, signed with its key.
  5. The client forwards that statement to the RP.
  6. The RP verifies the signature against the public key of the issuer.

In this scenario, the IdP does not know anything about the RP, and cannot associate the particular user request with the public key request from the RP (unless the IdP is really obscure and serves only very few users). The RP only knows about the attributes that were asserted in the statement.

The obvious drawback is that the IdP has a lot of knowledge about the user. This issue can be mitigated by putting a user-trusted broker between the user and the IdP.
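As an added illustration (not code from the original post), here is the six-step flow above simulated in Go, with Ed25519 over a small JSON record standing in for the XML-signed SAML attribute statement. The issuer name, the pseudonym, and the attribute names and values are all constructed. The point is what each party gets to see: the IdP receives only the attribute names the user agent asks for and never the RP's identity, and the RP ends up with only the signed, asserted attributes after checking signature, issuer, expiry and required attributes. The tamper flag shows why step 6 matters even though the client is the one forwarding the statement.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// AttributeStatement is a constructed, simplified stand-in for a SAML attribute
// statement. Subject is a pseudonym picked by the user agent, not a real identity.
type AttributeStatement struct {
	Issuer     string            `json:"issuer"`
	Subject    string            `json:"subject"`
	Attributes map[string]string `json:"attributes"`
	ExpiresAt  int64             `json:"exp"`
}

// SignedStatement is what the user agent forwards to the RP (step 5); Ed25519
// over the JSON bytes stands in for the XML-DSig signature of a real assertion.
type SignedStatement struct {
	Payload, Signature []byte
}

// Issue implements steps 3 and 4 at the IdP: release exactly the requested
// attributes (nothing else leaves) and sign the statement with the issuer key.
func Issue(priv ed25519.PrivateKey, issuer, pseudonym string, requested []string, user map[string]string, exp time.Time) (SignedStatement, error) {
	released := make(map[string]string, len(requested))
	for _, name := range requested {
		v, ok := user[name]
		if !ok {
			return SignedStatement{}, fmt.Errorf("attribute %q not available", name)
		}
		released[name] = v
	}
	payload, err := json.Marshal(AttributeStatement{Issuer: issuer, Subject: pseudonym, Attributes: released, ExpiresAt: exp.Unix()})
	if err != nil {
		return SignedStatement{}, err
	}
	return SignedStatement{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify implements step 6 at the RP plus the checks a real RP adds to the bare
// signature check: trusted issuer, not expired, every required attribute present.
func Verify(trusted map[string]ed25519.PublicKey, required []string, ss SignedStatement, now time.Time) (map[string]string, error) {
	var st AttributeStatement
	if err := json.Unmarshal(ss.Payload, &st); err != nil {
		return nil, fmt.Errorf("malformed statement: %w", err)
	}
	pub, ok := trusted[st.Issuer]
	if !ok {
		return nil, fmt.Errorf("issuer %q is not trusted", st.Issuer)
	}
	if !ed25519.Verify(pub, ss.Payload, ss.Signature) {
		return nil, fmt.Errorf("signature does not verify against the issuer key")
	}
	if now.Unix() >= st.ExpiresAt {
		return nil, fmt.Errorf("statement expired at %d", st.ExpiresAt)
	}
	for _, name := range required {
		if _, ok := st.Attributes[name]; !ok {
			return nil, fmt.Errorf("required attribute %q missing", name)
		}
	}
	return st.Attributes, nil // the RP now holds only the asserted attributes
}

// Demo walks the six steps with a constructed user record and returns what the
// RP ends up knowing. With tamper=true the user agent edits "staff" to "admin"
// before forwarding; the RP must reject it since the signature no longer matches.
func Demo(tamper bool) (map[string]string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Unix(1151000000, 0) // fixed clock so runs are reproducible
	trusted := map[string]ed25519.PublicKey{"idp.example": pub}
	required := []string{"ageOver18", "memberOf"} // step 2: what the RP asks for
	// Constructed record held at the IdP; "email" is never requested, so it never leaves.
	user := map[string]string{"ageOver18": "true", "memberOf": "staff", "email": "someone@example.org"}
	ss, err := Issue(priv, "idp.example", "pseudonym-7f3a", required, user, now.Add(time.Hour)) // steps 3, 4
	if err != nil {
		return nil, err
	}
	if tamper {
		ss.Payload = bytes.Replace(ss.Payload, []byte(`"staff"`), []byte(`"admin"`), 1)
	}
	return Verify(trusted, required, ss, now.Add(time.Minute)) // steps 5, 6
}

func main() {
	attrs, err := Demo(false)
	fmt.Println("RP learned:", attrs, err)
	_, err = Demo(true)
	fmt.Println("tampered statement rejected:", err)
}
```

One caveat the simulation makes visible: a real SAML assertion usually carries an AudienceRestriction naming the RP, which is exactly the information the IdP is meant not to have in this flow. Without it the statement is a bearer token that any RP accepting the issuer would honour, so it should be short-lived and the RP should enforce the expiry as shown.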

Wednesday, June 21, 2006 1:13:51 PM (Eastern Standard Time, UTC-05:00) | Comments [0]
Monday, June 19, 2006

One of the issues (it seems) around identity is that there is a lack of highly trusted digital identity sources. Do I trust a (fairly anonymous) Yahoo ID or don't I?

I would like to argue that if we had a reliable way of transferring real-world identity claims (like e.g. a Passport, a credit card, or a driver's license) to the digital world, the trust in these identity sources would be fairly high. So the problem gets down to the point of transferring the real-world identity to the virtual world - with user consent. The technologies are pretty much all available: for example, a driver's license authority could easily offer a web site that allows users to generate a digital token (like a cert or a SAML assertion) based on information that is typically associated with the real-world token, which would include the name, address, license number and SSN. The same place could also be used to revoke a particular token.

What would this do for the digital identity landscape? We would get a number of highly trusted "dTokens" that could easily be used for the same type of transactions that the corresponding real-world tokens are typically used for: dPassports (digital Passports) for acquiring Visas, dCreditCards for purchases and dDriversLicenses for age verification. With a user-centric store for these dTokens, the users would be empowered to perform the same things in their digital life that they are accustomed to in the real world.

Monday, June 19, 2006 4:40:23 PM (Eastern Standard Time, UTC-05:00) | Comments [0]

The Bandit Project is the latest in a wave of Identity Metasystems (components?) to attract the interest of the community. It is deeply tied into the Higgins Identity API system, and could (will?) use Liberty and Windows CardSpace as providers.

What I am struggling with so far (not having immersed myself in Bandit) is the benefit it offers over Higgins.

Monday, June 19, 2006 4:20:27 PM (Eastern Standard Time, UTC-05:00) | Comments [0]

The DIX identity protocol in its latest draft form now uses parts of the SAML 2.0 token format. Ah, interesting times...

Monday, June 19, 2006 2:50:06 PM (Eastern Standard Time, UTC-05:00) | Comments [0]
Friday, June 16, 2006

Microsoft Live has an STS for Windows Live ID (aka Passport) running here. Now this is really interesting, particularly in the context of Microsoft's recent move to get the Infocard selector to many platforms. So what is the rationale behind this? Here is my take on this:

ADFS will be the Microsoft implementation of the Enterprise STS. If it advertises itself now as an ADFS Federation Partner (i.e. a 'trustable' resource for your enterprise AD), you will be able to provide SSO for your customers to log into your extranet. Now the really interesting question is: will Microsoft allow the Passport STS (by explicit business contract) to trust ADFS deployments (maybe for really large customers only), thus enabling your enterprise users to SSO into Passport sites?

Friday, June 16, 2006 2:46:04 PM (Eastern Standard Time, UTC-05:00) | Comments [0]
I talked about Atlas pains in the last entry - here is an innovative approach how to get this across to the developers at Microsoft. Kudos to those who can make fun of themselves. Enjoy!

Friday, June 16, 2006 1:03:50 PM (Eastern Standard Time, UTC-05:00) | Comments [0]

Microsoft's Atlas framework for AJaX got some harsh comments from Microsoft's partner Wintellect about the lack of cross-browser interoperability. At the end of the day, AJaX really came up because the different component frameworks and client capabilities are so disjoint that for a long time there was no way you could build a rich Web UI. With Atlas only supporting IE (for the interesting parts, at the very least), the benefits of AJaX go away.

So if Microsoft is truly serious about making Atlas a usable AJaX framework, they will have to support Firefox and Safari, at the very least.

Friday, June 16, 2006 10:18:57 AM (Eastern Standard Time, UTC-05:00) | Comments [1]
Thursday, June 15, 2006
Nicholas Allen shot a photo of Kirill and myself during our chalk talk yesterday.

Nice to have met you in person, and thanks for the photo, Nicholas!

Thursday, June 15, 2006 4:57:20 PM (Eastern Standard Time, UTC-05:00) | Comments [0]

This is really good news for all SAML fans: Sun released a non-assertion covenant (NAC) for SAML v2, similar to the one that has covered the Open Document Format since last year. This means that the last (and, as far as I know, only) hurdle for vendors (like e.g. Microsoft) to implement SAML v2 is gone. It will be really interesting to see when and - more importantly - who will pick up on this offer.

Thursday, June 15, 2006 3:56:20 PM (Eastern Standard Time, UTC-05:00) | Comments [0]
Wednesday, June 14, 2006

Kirill's and my chalk talk session this afternoon went pretty well: we had an interested (and interesting) audience of about 20 people. Kirill started off by introducing the Sun/Microsoft relationship and some of the achievements of the past year.

I then gave a fairly technical introduction to FIFI and a detailed code demo. Kirill finished with the WSIT/WCF interoperability scenario from JavaOne, including a demo.

I will post the slides here soon.

Wednesday, June 14, 2006 3:44:53 PM (Eastern Standard Time, UTC-05:00) | Comments [0]
Tuesday, June 13, 2006
Kirill posted his session schedule for TechEd. Just as a final reminder, FIFI is on:

CONTLC37 - Enterprise Web Services Interoperability between .NET and Java Using WCF and Sun's GlassFish

Connected Systems Theater 2, Blue Arena in TLC, Wed June 14th, 14:00 - 15:15

 

The FIFI segment of his talk should be particularly interesting for you if you want to learn more about writing your own MessageEncoder and XmlWriter and XmlReader. There will be some discussion on the architecture of the encoding layer and the serialization as well.
We will also talk about WS-ReliableMessaging interoperability and Infocard identity interoperability between the NetFX stack and Java.

Tuesday, June 13, 2006 6:20:24 PM (Eastern Standard Time, UTC-05:00) | Comments [0]
NOTE: Do not do this to any of your production machines - you will make them unusable!

So here is a way that should work for getting the Vista BootMgr to load Linux or Solaris. Note that I have not yet gotten this working - this is very much work in progress:

Essentially you install both OSes and boot into Linux. You then start GRUB and install the loader into the partition where Linux lives:

grub
> root (hd1,0)
> setup (hd1,0)


After that, you need to get a copy of the bootsector. Following these instructions from O'Reilly, you need to do this:

dd if=/dev/hdb1 of=/tmp/grub.bin bs=512 count=1

Take the grub.bin and move it to your Vista partition (e.g. by USB stick).

---

On Vista, start a CMD shell (remember to run as administrator!) and copy ntldr, ntconfig.exe, and grub.bin into your C:\ root directory.

You need then to edit boot.ini to reference grub.bin - again, take a look at the O'Reilly article for details.

After this, you need to tell BCD to use the legacy loader and include it in the boot menu:

bcdedit /displayorder {current} {ntldr}

At this point, the Vista boot manager should be able to load Linux. For me, it does not work yet. If you get this to work, please tell me how... Otherwise stay tuned for more.


For some more information on the bootsector, see:

http://www.bcpl.net/~dbryan/ntfs-dual-boot.html


Tuesday, June 13, 2006 3:38:49 PM (Eastern Standard Time, UTC-05:00) | Comments [1]

This is an update for an earlier article I wrote on getting Vista and Linux to dual boot. I received some feedback about that article, particularly that the solution I outlined was not working for some people. So today I tried it again - this time with Vista Beta 2 and Ubuntu 6.06 on a VMWare platform, emulating 2 IDE drives and an x32 platform.

To my surprise, everything worked right out of the box:

  1. Install Vista on the first drive. Note that I did not have the second drive installed at that time, so Vista did not have any opportunity to modify the MBR of that drive.
  2. Install Ubuntu from the Live CD. Ubuntu will automatically install GRUB on the MBR for the first drive, but since GRUB cannot figure out the file system type for the Vista partition, it will simply not create any entries.
  3. Reboot after the Ubuntu installation and edit the /boot/grub/menu.lst file. For your reference, here is what you need to add:

    title          Windows Vista (Beta 2)
    root           (hd0,0)
    makeactive
    chainloader    +1

    I also recommend changing the default timeout from 3 seconds to something more reasonable (maybe 15 seconds?).

Interestingly enough, even though GRUB was not able to identify the Vista partition, Linux mounts it with no problems (although I have not really tested this functionality - but you can definitely see your files).

After that, all should work. If you run into any problem, please drop me a line at work at beuchelt dot com.

Tuesday, June 13, 2006 1:17:59 PM (Eastern Standard Time, UTC-05:00) | Comments [0]
Monday, June 12, 2006

Here is the link for the Chalk Talk sessions at TechEd:

http://wcf.netfx3.com/content/TechEd2006ChalkTalkSchedule.aspx

Note the FIFI session at about two-thirds of the page: it is on Wednesday at 2pm in theater CON2.

Monday, June 12, 2006 11:15:51 AM (Eastern Standard Time, UTC-05:00) | Comments [0]

Andre Durand is blogging today about his demo at the upcoming Catalyst conference: an Infocard Server that can connect to any federation source and 'translate' this into Infocard. Kim Cameron has a few things to say about it as well. Now what exactly is the current public availability of the Infocard protocols?

Here is the poster from Ping:




Monday, June 12, 2006 10:45:04 AM (Eastern Standard Time, UTC-05:00) | Comments [0]

David Chappell made some interesting remarks on Java and NetFX during his TechEd session and on his blog. He compares the creation of SCA by IBM, BEA and some others to the creation of the .NET Framework in 2000.

I would put this somewhat differently: .NET in 2000 was a (somewhat late) reaction to the success of the Java platform. As .NET evolved, it went - essentially - through the same issues as Java: 1.0 was essentially unusable, 1.1 kinda worked, and 2.0 (or 1.2 in Java) is/was the first truly usable platform. In this sense, SCA is comparable to the announcement of the Longhorn pillars, at best.

In his TechEd session this morning, David was trying to compare SCA with WCF. He noted that while WCF is in its final beta stages, SCA is just starting with the definition. This is certainly true. However, there are other simplifying APIs (such as EJB3, JBI/OpenESB, WSIT) that have a similar architectural scope as WCF and are in final beta as well. I strongly recommend reading the comment section of David's blog article as well, since it contains a lot of interesting pointers.

Monday, June 12, 2006 9:06:00 AM (Eastern Standard Time, UTC-05:00) | Comments [0]

Finally - the confusion is complete: WinFX is now NetFX. Huh?

The (likely) final name for the collection of .NET APIs formerly known as WinFX 3.0 (aka Avalon, Indigo and Workflow, but NOT WinFS) has arrived, together with a community portal: they are now called NetFX and hosted at http://netfx3.com/, with Indigo/WCF being located at http://wcf.netfx3.com/.



Monday, June 12, 2006 8:49:19 AM (Eastern Standard Time, UTC-05:00) | Comments [0]
Friday, June 09, 2006

I have finally come around to summarizing some of the architectural ideas around FastInfoset For Indigo. You can find the initial version on my Wiki.

I will continue to update this article and also put the various presentations there. This should be a good primer for my Chalk Talk next week at TechEd in Boston.

Friday, June 09, 2006 10:18:53 AM (Eastern Standard Time, UTC-05:00) | Comments [0]
Tuesday, June 06, 2006

Francois Orsini is working on JavaDB, a derivative of the Apache Derby RDBMS. In one of his recent articles he talks about the possibility of using JavaDB for offline AJaX. This is - as far as I am concerned - a very promising step in the right direction: we all love the rich UI that AJaX can provide - the problem is only that when we are offline, all those applications do not work anymore. By caching the various requests on the client and synchronizing them upon reconnect, you can make web applications into real applications. As Francois points out, this can be achieved by simply modifying the client-side call behavior (check if connected -> synchronize -> use local copy).

I would have a whole bunch of applications that would be useful:

  • Calendar
  • Email
  • Spreadsheet & Word Processing
  • Blogging
Actually, with these four applications I could do about 60% of my work offline - as long as I have a browser that is AJaX and JavaDB enabled.

Tuesday, June 06, 2006 10:46:52 AM (Eastern Standard Time, UTC-05:00) | Comments [0]
Monday, June 05, 2006

Seldom have I seen somebody less honest than Mike McCurry: His claim that the discussion around Net Neutrality is 'left' vs. 'center' and/or corporation bashing could not be much further from the truth. As many have already pointed out, Net Neutrality is about enabling markets and, even more so, limiting the power that a fairly small oligopoly (in some more rural areas even monopoly) has.

The barrier for entry into the high-speed internet provider market is quite high (next to getting your backbone going, you need to reach out to your customers, which you only really can if you get into some contractual relationship with the very few owners of the 'last mile'). If people like McCurry actually pretend that there is something like market dynamics (let alone a free market) playing here, they are either (i) delusional or (ii) liars.

If there was real competition and the chance for new competitors to actually enter the market, I would be in full support of letting the market play it out. But this is simply not the case.

Monday, June 05, 2006 8:24:52 AM (Eastern Standard Time, UTC-05:00) | Comments [0]
Friday, June 02, 2006

I am a big fan of electronic calendars: no paper to lose, you can copy the data anywhere, great integration with other electronic collaboration tools, etc. One of the problems I had with the Sun Calendar Server so far was that it is really designed around being on-line all the time. It has a reasonable (but aging) web interface and that's pretty much it. There is really no good support for disconnected clients like a laptop.

Thunderbird (particularly with the Mozilla Calendar extension), on the other hand, has great potential to become a strong contender in the collaboration client business. Getting those two products to work together was something I had been looking for for a long time.

Today, I found a small perl script by John Littell, that runs as a daemon and translates from WebDAV to the WCAP protocol that Sun Calendar Server uses.

So finally, I can use the Mozilla Calendar extension and read and write to my corporate SCS based calendar. The setup is almost trivial: you start the perl script, point your Mozilla Calendar to the daemon (e.g. http://localhost:7080/beuchelt/) and it will translate your client's WebDAV requests into WCAP commands. This is just awesome.

UPDATE: Ah, I forgot to mention this: this script also works with Apple's iCal client.

Friday, June 02, 2006 4:08:35 PM (Eastern Standard Time, UTC-05:00) | Comments [0]

After J#, X# and some more aberrations, Microsoft is now fiddling with the idea of Script#. This is a code generation tool for JavaScript - you start with a C# class, run the ssc.exe compiler and get JavaScript from the C# source, instead of IL. He also has some integration with Visual Studio working at this point. The obvious target for Script# is the AJaX world.

I haven't quite made up my mind if I like this approach or not. It definitely seems intriguing for developers that do not (yet) have a solid understanding of UI-side development.

Friday, June 02, 2006 12:23:15 PM (Eastern Standard Time, UTC-05:00) | Comments [0]

Copyright by Gerald Beuchelt.