Friday, February 29, 2008

opensso RP with xmldap code


Superpat posted here that there is now a new opensso extension that enables opensso to be an information card relying party.
Patrick Petit (pictured) who wrote this extension uses the xmldap library to process the xmltoken. Great. Note to self: be carefull when changing the xmldap codebase. Don't break this opensso extension.
Another (simpler) SUN access manager login module is described here. I am glad that Patrick improved my demo-grade login module to opensso quality. Thank you.

Monday, February 25, 2008

OpenID leads to Information Cards


After a long pause you can hear the voice of the master of the identity metasystem again here. Kim Cameron explains why the success of openid leads to the success of CardSpace information cards.

Some sometimes forget that there are "alternative operating systems identity selectors". Examples are of course the openinfocard identity selector or the higgins based identity seletor digitalme. Which Kim mentioned in his post too.

Friday, February 22, 2008

Renew Midlet Signing Certificate

This post is for myself and for others who always forget how this is done.

  1. Go to the Verisign renewal web page and request a renewal of your certificate. Have your order number at hand.
  2. Wait for the new certificate to arrive via email.
    Congratulations! Verisign has issued your Java Object Signing (Class 3) Digital ID. VeriSign has digitally signed your Digital ID which gives you assurance that your Digital ID has not been damaged or changed in any way during its transmission to you.
    ...
    -----BEGIN CERTIFICATE-----
    MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCBRcwggP/oAMC
    AQICEH/ad0XLBRSPic0mS1OhhGQwDQYJKoZIhvcNAQEFBQAwgbQxCzAJBgNVBAYT
    ...
    7UlBkJmcibyvLh3KeCP5HBkPf+tovDLZiDje3D/TibQ/sYKW8aRauu0uJtPefAFu
    AAoApAaSEUgJQPkcGHlnIyTgu9XhUK4b9Q7d4C6BzYCjbFJPkXVViroi8tLqQXWI
    L2NVfR5UWpVZytk0gcBfXvZ6tQAAMQAAAAAAAAA=
    -----END CERTIFICATE-----
  3. Copy the certificate from the email to a text file (let us call it cert2008.pem)
  4. Make a backup of your java keystore (keystore.jks).
  5. Import the new certificate into the keystore.
    $ keytool -keystore keystore.jks -storepass password -import -alias eclipse -file cert2008.pem
  6. Try it out. That is: Regenerate a signed midlet suite and deploy it to a mobile phone.
  7. On the mobile phone navigate to App-Manager and view the application details and the certificate details. This should show the new certificate details.
  8. Done.

Monday, February 18, 2008

Mobile Monday Berlin

This evening I attended the first Mobile Monday event in Berlin. Nokia initiated this; not sure about their intention/agenda. The place was cool: PanAm Lounge in the center of (West-)Berlin. One of the organizers claimed that the event was organized in a Barcamp style. This is not true, I think. Wishful thinking at best. There was just to much marketing talk; no flesh, just bones. But I will attend the next one too, should I get invited again after publishing this post.

Saturday, February 16, 2008

CeBIT 2008: Plastic-free customer loyalty in CardSpace

Found this interesting press release today:

fun communications GmbH from Karlsruhe is the first provider to present a customer loyalty system on the Internet based on the CardSpaceTM technology from Microsoft®. The fun WebCard Loyalty portal creates strong customer loyalty with User Centric Identity Management in a single application.

Karlsruhe, February 7, 2008 Karlsruhe, 7th February 2008. CeBIT 2008, Hannover, 4th - 9th March 2008, Hall 6, Booth E12: fun communications GmbH, the specialist for Identity Management, will be presenting "virtual customer cards", the very first customer loyalty system for the Internet, at the Microsoft® IT Security booth in Hall 6, Booth E12. The fun WebCard Loyalty portal combines User Centric Identity Management and customer loyalty in a core application. Via a public portal, every dealer or portal operator is able to issue its own virtual customer cards, so-called Managed Cards, that are based on the CardSpaceTM technology from Microsoft®. These virtual cards can not only serve as a reliable means of authentication and authorisation, but can also be used for bonus programmes and coupon promotions.

Taking the approach of the "virtual card", which is also visually present to the customer on the desktop, the customer loyalty aspect is emphasised in an extremely cost-effective manner. The bonus cards that are so popular with customers have now moved into the virtual world of the Internet. Registering at an acceptance agency on the Internet is a simple process for the customer and just takes a few clicks; a renewed registration is not necessary here. The self-determined forwarding of personal data (User Centric Identity Management) to the acceptance agency by the customer simplifies and shortens formal processes, for example order processing. The acceptance agencies for the virtual cards on the Internet benefit from the high quality of the data and the wealth of possible marketing measures in conjunction with the card.

The fun WebCard Loyalty Manager developed by fun communications allows everything to be controlled using a standardised interface, beginning with the layout of the virtual card and its structure, over the rollout of the cards to the customers and the administration of the underlying customer base, through to tracking success using a wide range of statistics. The underlying SOA approach ensures that the system can be deployed in a multitude of different scenarios with varying scalability requirement profiles.


fun communications GmbH as a partner of Microsoft Deutschland GmbH at CeBIT 2008: Hall 6 Booth E12

© All the company, product or service names mentioned here can be trademarks or service marks of the corresponding owners

More infos at www.fun.de and www.cebit.de

Tuesday, February 12, 2008

Brown Bag

Today I tested the openinfocard id selector and the xmldap sts against the python relying party.
At first I got the dreaded "does not contain a InclusiveNamespaces element" error/info but this was easily fixed.

Here is a screenshot after I presented a token from a managed card issued by the xmldap STS (a local version; I will upload it soon to xmldap.org) to the python RP:


Here is a screenshot after I presented a token from a self-issued card to the python RP:


While looking at the python code I noticed that it checks whether the InclusiveNamespaces element is present but it does not test whether the PrefixList makes sense. Could somebody please write more about the brown bag attack, how a meaningful security token with InclusiveNamespaces looks like and describe how an attacker might exploit a missing InclusiveNamespaces element in a information card scenario? My guess is that this is more of a theoretical attack because if all connections are protected by SSL than either id selector or STS must be compromised. I guess that you have more troubles than forged signatures when either case it true.

Sunday, February 10, 2008

New DigitalMe License

Three weeks ago the license for the DigitalMe Firefox launcher changed:
bandit logo with cape

$ svn diff IdentitySelector.js -r1209
Index: IdentitySelector.js
===================================================================
--- IdentitySelector.js (revision 1209)
+++ IdentitySelector.js (working copy)
@@ -2,18 +2,18 @@
// Desc:
// Tabs: 3
//
-// Copyright (c) 2007 Novell, Inc. All Rights Reserved.
+// Copyright (c) 2007-2008 Novell, Inc. All Rights Reserved.
//
// This program and the accompanying materials are made available
-// under the terms of the Eclipse Public License v1.0 which
-// accompanies this distribution, and is available at
-// http://www.eclipse.org/legal/epl-v10.html
+// under, alternatively, the terms of: a) the Eclipse Public License v1.0
+// which accompanies this distribution, and is available at
+// http://www.eclipse.org/legal/epl-v10.html; or, b) the Apache License,
+// Version 2.0 which accompanies this distribution as is available at
+// www.opensource.org/licenses/apache2.0.php.
//
// To contact Novell about this file by physical or electronic mail,
-// you may find current contact information at www.novell.com.
+// you may find current contact information at www.novell.com.
//
-// $Id$
-//
// Author: Andrew Hodgkinson
//-----------------------------------------------------------------------------
-

I try to avoid licensing discussions but I guess it is better if I, with my openinfocard hat on, can choose between two alternative licenses.

Friday, February 08, 2008

xmldap relyingparty and glassfish

Here is a description on how to use the xmldap relyingparty with SUN's glassfish application server. It works like a charm.

1) Download GlassFish

http://www.java.net/download/javaee5/v2ur1/promoted/SunOS/glassfish-installer-v2ur1-b09d-sunos-ml.jar

2) Run the installer/unpacker
java -Xmx256m -jar glassfish-installer-v2ur1-b09d-windows-ml.jar

3)
cd glassfish 
lib\ant\bin\ant -f setup.xml

4) Add D:\Programme\glassfish\bin to the PATH variable
echo %PATH%

OK
5) Started glassfish
asadmin start-domain domain1

Verified this by using Firefox on
https://w4de3esy0069028.gdc-bln01.t-systems.com:8181/



6) stop glassfish
asadmin stop-domain domain1

7) edit websrc/xmldap_rp/WEB-INF/rp.properties
keystore=D:\\Programme\\glassfish\\domains\\domain1\\config\\keystore.jks
keystore-password=changeit
key=s1as
key-password=changeit
privacyStatement.text/plain=/WEB-INF/privacy.txt
privacyStatement.text/html=/WEB-INF/privacy.html
privacyStatement.text/pdf=/WEB-INF/privacy.pdf
requiredClaims=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressoptionalClaims=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress ttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country ttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender

8)
cd openinfocard/ant; ant; 

9)
cp ../build/xmldap.org/relyingparty.war cygdrive/d/Programme/glassfish/domains/domain1/autodeploy/

10) Start glassfish again
asadmin start-domain domain1

11) Use Firefox to open
https://w4de3esy0069028.gdc-bln01.t-systems.com:8181/relyingparty/


looks like the xmldap relyingparty. Fine.
12) login using dottie's information card
The openinfocard id selector version is 0.9.9.20080118



Valid Signature: true
Valid Conditions: true
Confirmation method: urn:oasis:names:tc:SAML:1.0:cm:bearer
Audience is restricted to: https://w4de3esy0069028.gdc-bln01.t-systems.com:8181/relyingparty/
No Certificate in Token
You provided the following claims:

givenname: Dorothy Mae

surname: Murphy Mortimore

privatepersonalidentifier: TFJmTjJIUlVyNG8yTGR3NmQySHp1Y3JOU0VHYit5NXErTDNZQkdRZk40ST0=
Your user agent is

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11


The java verion is jdk1.6.0_04.
Enjoy.

Friday, February 01, 2008

Yahoo Information Card?

It has a long tradition to put question marks after the headling in big letter newspapers...
I was just reading that Microsoft is offering to buy Yahoo. And after much tataa for Yahoo's OpenId initiative I am wondering when Yahoo will support information cards. But even Microsoft is not very fast with supporting information cards at e.g. MSDN, MSN or liveid...

tataa = "Probably onomatopoetically for the sound of trumpets announcing someone's appearance or a circus stunt or whatever."

Information Card ASN.1


Currently I am looking for a more compact format for information card .crd files.
Because I am working in a telco environment for 10 years now ASN.1 comes to (my) mind.

So I tried to feed identity.xsd to an xsd-to-ASN.1 translator.
First by uploading just the identity.xsd file. -> no luck here.
The translator does not revolve the urls of the required other schema definitions.


Because of this I put all these files into one zip archive and upload it to the translator.
Again, no luck. There are conflicting definitions for wsa (schemas.xmlsoap.org/ws/2004/08/) in identity.xsd and ws-trust.xsd and the translator does not like that. Don't know whether this is an error in the ws-trust or identity schema definitions... Mike is checking on this. I am sure he knows (as always) the right person to answer information card deep-dive questions. Maybe the translator has an error?

To produce information card ASN.1 I tweaked ws-trust.xsd to use the same definition for wsa as identity.xsd. This time the translator likes the input and produces ASN.1 files. These are not for the faint of heart. But actually no human wants to read ASN.1, right?!

Next step: Feed the ASN.1 files into an asn1 to java compiler/translator.
OSS Nokalva has a nice trial version for this task.
I produced a bunch of java classes which nearly all compile nicely. There is one small glitch with xs:unsigned_long's max value but this is easy to fix.

Why am I doing this? Because I am working on information card support on mobile phones and network speed and computing power in this area are not funny. Have to see where this ASN.1 road leads to... Probably to nowhere because the midlet size exploded after integrating the generated java files. And the obfuscator (ProGuard 4.1) blew up too. So back to square one...