Wednesday, December 30, 2009

Cardspace Support for Firefox

During the last week I released new versions of the Mozilla Firefox addon that adds Cardspace support to the browser.

One feature that was re-enabled is the ability to get the "value" of the object element using JavaScript. The value is the security token, so requesting the value starts the selector. This "feature" was lost in the past and was quite easy to reactivate.

Another change that involved code changes in many places was the elimination of global variables, which is a good thing. All global variables were moved into a new namespace org.openinfocard.cs4ff. I hope that this change gets this addon out of the sandbox so that it becomes an addon that can be installed without the "let me install this" checkbox.

Too bad that the Information Card addons are not compatible with each other. You have to make your choice whether you install DigitalMe, Openinfocard, Azigo's selector or Cardspace4Firefox. Or other addons based on the same code base.
On the other hand, this is no problem in the real world. Users will pick their selector and install just one.

Tuesday, December 15, 2009

Avoco RealPay etc

In case you have not done so please have a look at Avoco's Information Card work.

One of their demo sites is a site called RealPay. Here you see the current openinfocard selector at work:





But the above is only the "normal" Information Card scenario.
Much more interesting are their "cloud selector" and their Cardspace based document signing product. The latter can sign Microsoft Office documents and PDFs and if you try to open that document you have to present a valid security token based on an Information Card which might be restricting your access even to your current location. Nice.
Read more here.

Wednesday, November 25, 2009

selector progress

I am making good progress with the selector that supports Information Cards and OpenID (Cards). Maybe it will support username/password too.

Please notice the purple-i in the urlbar left of the site identity icon. Clicking it starts the selector which lets you log in using e.g. your OpenID (Card). It "works" with the xmldap.org test page and it nearly works with Andrew Arnott's http://test-id.org/XP/Selector.aspx page. Markus Sabadello's testpage https://openidpad.com/ needs a little more work. The next step is to remember the cards used and display that/them in the urlbar.

I would like to mention that "login" or "connect" (to a site) is not enough. I think that attributes or claims are more important than login.

Sometime not too far in the future we should agree on a standard for this. I prefer the XRDS way to convey the RP's requirements to the selector, and we can inline it into the HTML code if a download of the XRDS is not desirable...

Monday, November 23, 2009

New Version of "Cardspace for Firefox" addon

Well, this took quite some time.

Several people reported that there were issues with the IdentitySelector from the Codeplex repository (sometimes called Cardspace for Firefox) on Windows Vista while Windows XP worked. But now, finally, I was able to build a new version on Windows 7 using the Mozilla build system as described here. I tested it with Firefox 3.5.5 and it seems to do what is expected. Although I did not test it on Vista. Please report issues by using the Codeplex issue tracker.

Following are some screen shots from my tests:





The Cardspace version used was 3.0.0.0 as it comes with Windows 7.

There is still much work to do like bringing this addon's code to the same maturity of the openinfocard selector.
And keeping it there e.g. by improving the XRDS support.

Later support the OpenID Selector...
And integrate with the work at Mozilla Labs like the "AccountManager"...
Not to forget the design work in the Kantara Universal Login Experience working group...

Tuesday, November 10, 2009

Dancing Elves

Send your own ElfYourself eCards

Wednesday, October 14, 2009

Trust in Crypto

Some people fear that an encrypted token sent through an untrusted operating system is not safe. Well, decrypt this:




If you succeed I'll fetch you a beer at IIW2009b.

Thursday, October 08, 2009

Information Card Handouts from DIDW 2009

These two are the front and back side of the handout the Information Card Foundation provided at DIDW2009.



Visit Open Identity Solutions for Open Government to learn more about how Information Cards are used in Open Identity and join the discussion at the Internet Identity Workshop. Register here!

Wednesday, September 23, 2009

New Version Openinfocard

I just uploaded a new version of the openinfocard selector to Google code here.

I changed code that limited self-issued cards to the "well-known" claims. Now I only need to add UI-code to enable the user to specify arbitrary URLs as claim-uris.
This change forced me to change the internal cardstore format for self-issued cards. The related XML is now more similar to the RoamingStore format for Information Cards. This is good, but existing cards stop working. Users of the new version have to delete and recreate their self-issued cards. Sorry, although I promise that this will not be the last time ;-) for this kind of change. I want the internal cardstore format to be exactly like the RoamingStore format (plus legal openinfocard enhancements).

Other changes:
- A small change that improves statusbar Information Card icon clicks when an object tag is in the page but no XRDS. This needs more work.
- The sidebar code is leaner. This needs more work too, so that only matching cards are displayed and the sidebar window gets updated when the main window changes.
- The preferences JavaScript code is now in a separate file. I moved it from the XUL page. This seems to make the XBL that implements the preferences page happier.

I am glad that I found some hours to work on my hobby.

Tuesday, August 11, 2009

Open Trust Frameworks for Open Government

OIDF and the Information Card Foundation published a whitepaper titled "Open Trust Frameworks for Open Government".

It speaks for itself so I only add a wordle of that document.


Government accepting non-government id: A big step!

Thursday, July 30, 2009

John Clippinger on i-cards and Google wave

John Clippinger, who directs the Law Lab at Harvard University and who is a co-founder of Parity Communications now Azigo, talks about Information Cards, the wallet and that this will be integrated into Google wave.

This video is from the ideas project:


My hope is that companies like Google will help to put Information Cards into the browser.

Thursday, July 23, 2009

DroidCon and DroidCamp Berlin

DroidCamp Berlin: Nov 3, 2009

DroidCon Berlin: Nov 4, 2009

Sponsored by T-Labs!!!

Auth-napping OpenId by Weave

My first feeling was that this is a bit intrusive but then...

Here is a picture of the authnapped OpenId form:

Here is a picture of the original OpenId login:

It is the user's decision to install and use Mozilla Lab's project "weave" or not. And this solves parts of the NASCAR problem. Why should the service provider suggest some OpenId providers using the NASCAR? Well, if he has a whitelist of trusted OPs then yes.
But the OpenId-NASCAR is a kludge anyway.
I think that there should be an XRD description of which authentication methods and providers and token formats and so on a service provider supports or requires. Then a client component - read Browser extension - could help the user to make a good decision and prevent phishing attacks and more.
The user does not care whether the protocol is OpenId or Information Card or if the token format is SAML2 or what not. A unique user experience is desired. Ease of use is required. User consent is required. Security and Privacy need to be protected.

This should be "in the browser"! Secure by default. Privacy protecting by default.
I guess I don't have to repeat that I prefer the Information Card metaphor and UI. A client component is a good thing and it should be ubiquitous, built-in but replaceable and configurable at the user's choice.

Identification, authentication and claims/attribute transfer is not the primary service provider's interest. Those tasks should be moved outside of the website's code into an authnapping module of the user's browser.

Authnapping is good!

Imaginary Schedule for Catalyst '09

If I could travel to the Burton Group Catalyst Conference I would go to these talks:

Speaker | Title
Bob Blakley | 2009: Upheaval In The Identity Market
Lori Rowland; Bob Blakley; Mark Diodati; Gerry Gebel; Ian Glazer; Kevin Kampman | Identity Management: No Time Like the Present
Michael Barrett | "Two Billionths of a Second after the Big Bang - Where Is Consumer Identity"
Bob Blakley | The Identity Services Market
Bill Peer | Coming to Grips with Your Inner Cloud
Mary Ruddy; Ron Carpinella; Tom Oscherwitz; Rick Rubin; Denise Tayloe | The Age of Identity Oracles
Anne Thomas Manes | In Memory of SOA
Robert Amos | Empower the Business with Identity Management
Richard Watson | Service Modeling: Making Sure Your Services Deliver Value
Dharmesh Panchmatia | Service Orientation for Success: a Case Study

and more. Listing all interesting talks here takes too much time.
And then there is the Concordia workshop and the ICF Directors Face-to-face meeting...

I wish I could be there.

Friday, July 03, 2009

iPhone Selector @ xmldap.org


The Higgins Project, namely Markus Sabadello, created an Information Card Selector that runs on the iPhone. Due to Apple's benevolent dictatorship which prevents extensions to the iPhone's web browser, this selector uses a custom URL scheme to launch the selector from a web page. Details can be found here.

I adapted the xmldap relying party to output the new URL-scheme when the user-agent contains "iPhone" or "iPod".

Here are some screenshots that Markus provided:





Integrating this into the openinfocard selector is a task for this evening.

Wednesday, June 17, 2009

Firefox 3.5 Release Candidate is ready


Firefox 3.5 Release Candidate is ready. If you don't have the latest and greatest browser please download it here and then the openinfocard selector of course.

Tuesday, June 09, 2009

Google Voice Search on Android

A feature of my G1 that I somehow did not notice until yesterday is a built-in voice search. Please notice the microphone icon next to the Google input box:

If I touch that icon I can speak a search term into the G1's microphone:

The recorded sound is then sent to a Google server, I guess.

And the result presented to me. The next image shows the result after I tried to search for "Deutsche Telekom"... Hm! (This is not faked by me)

Other things work better:


Has somebody implemented speaker verification for the G1? It would be so natural to use the mobile's microphone to verify the user!

Saturday, June 06, 2009

Cyberspace Policy Review

Can you find the word "identity" in the Cyberspace Policy Review wordle? (click to enlarge)


Removing "government" and appendixes:


Hm, "privacy" is a little bit better to see. "identity" still lost in the cloud.
A semantic wordle is needed it seems.

Friday, June 05, 2009

Developer Garden IP Location STS


Deutsche Telekom launched its developer program called developer garden which offers several telecom services by providing APIs.

One of these services is an IP location service that resolves an IP address to location information, if the address comes from Deutsche Telekom's access network. While the retrievable location information is quite coarse it is still useful. My favorite use case is to restrict online banking to the country I live in or to the region or city I live in. This restriction would make online banking a little bit safer, although I know this is no silver bullet.
Anyway, it is a good thing that the location information is not too accurate. I don't want any server to locate me. Viewed from the privacy angle even country or region/city information might be too much already.
What I would like is user-centric location information. The Internet Service Provider should allow me - the user - to retrieve my location information to the accuracy that I accept. I can then hand this information over to the online shop, bank, news site, or whatever...

Today I have put this new IP location service and a security token server together. I wrote an iplocation_sts that offers Information Cards that contain location information. And I wrote an iplocation_rp that extracts this information from the security token. And it works! Yeah! Although I don't expect this to be the killer application which will make me rich or boost my career :-/ ... still I like it nevertheless.

How does it look?
You visit the Identity Provider with your Information Card enabled browser e.g. Firefox 3 with openinfocard. You create an account and an Information Card that you download and install into your selector.

Now you visit the relying party, click on the icon as directed...

... and choose the installed location-card. This sends the token request to the IdP's tokenservice which retrieves the remote-address of the client (or its proxy :-(), generates the SAML assertion, ...

that finally is sent to the relying party.

Now it is clear that I live in the region "Berlin" and that the country code is "de". Correct.

Currently this is all installed only on my local machine but if Chuck installs the required libs on xmldap.org then you can play with it (if the access provider your ISP uses is Deutsche Telekom).

Deinstalling .NET Framework Assistant 1.0 for Firefox

Microsoft published an update that allows uninstalling the ClickOnce support for Firefox without twiddling with the registry. Good.

Before installing the patch the dotNet extension is grayed out:

After installing the patch it can now be deinstalled:

Ready:

Android 1.5 Video of Developer Garden hexbug

Yesterday I flashed the firmware of my G1 Android Developer Phone to version 1.5.

Now the G1 can capture videos and upload them to youtube:


The filmed hexbug was a present given to attendees of the Deutsche Telekom Developer Garden launch party. Nice.

Thursday, June 04, 2009

Java SE 6 Update 14 has shipped

Java SE 6 Update 14 has shipped.

"This release is Windows 7 support-ready and includes support for Internet Explorer 8, Windows Server 2008 SP2, and Windows Vista SP2. New features include the G1 garbage collector, plus performance and security enhancements. Get it now!"

Java 5's end of life is only three months away. If you are still running Java 5 make sure that it is at least Java 5 update 19.

Tuesday, June 02, 2009

IE8, XHTML and xmldap.org

Some time ago I changed the HTML code that the xmldap.org site produces to XHTML.
It seems that IE8 is not happy with it, although I tested all pages with http://validator.w3.org/
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Sad. When I use IE8 and Cardspace to present an Information Card then IE8 offers to store a file to my local disk... When I post that file's content to the validator it verifies that this is valid XHTML 1.0 strict. And the content-type is "application/xhtml+xml". Maybe this is the problem?

Don't know whether I should care... Google does not consider IE8 to be a suitable browser (taken from here). Firefox is my browser and I assume that the others implement XHTML correctly too.
Anyway, if an IE enthusiast offers a standards-conformant solution then I am happy to improve the xmldap site.

Information Card Simple Profile

Normally, before the selector requests a security token from the IdP's tokenservice endpoint it asks the metadata endpoint of the IdP and retrieves that metadata which tells it whether transport-security or symmetric-binding and other things are to be used in the token request.

I suggest that we define a simple profile that basically skips the metadata retrieval step and replaces it with default data.

An IdP that wants the simple profile to be used just issues Information Cards that do not contain the metadata endpoint information.

Instead of:
<ic:TokenServiceList>
  <ic:TokenService>
    <wsa:EndpointReference>
      <wsa:Address>https://contoso.com/sts/pwd</wsa:Address>
      <wsa:Metadata>
        <wsx:Metadata>
          <wsx:MetadataSection
              Dialect="https://schemas.xmlsoap.org/ws/2004/09/mex">
            <wsx:MetadataReference>
              <wsa:Address>https://contoso.com/sts/pwd/mex</wsa:Address>
            </wsx:MetadataReference>
          </wsx:MetadataSection>
        </wsx:Metadata>
      </wsa:Metadata>
    </wsa:EndpointReference>
    <ic:UserCredential>
      <ic:UsernamePasswordCredential>
        <ic:Username>Zoe</ic:Username>
      </ic:UsernamePasswordCredential>
    </ic:UserCredential>
  </ic:TokenService>
</ic:TokenServiceList>

the Information Card would contain just:
<ic:TokenServiceList>
  <ic:TokenService>
    <wsa:EndpointReference>
      <wsa:Address>https://contoso.com/sts/pwd</wsa:Address>
    </wsa:EndpointReference>
    <ic:UserCredential>
      <ic:UsernamePasswordCredential>
        <ic:Username>Zoe</ic:Username>
      </ic:UsernamePasswordCredential>
    </ic:UserCredential>
  </ic:TokenService>
</ic:TokenServiceList>

What default values for the metadata should the selector assume?

  • Transport Security must be used; the IdP tokenservice uses SSL/TLS.
  • We might assume that the Information Card signing certificate is the same as the security tokenservice certificate; IFF the issuer does not use WS-AddressingAndIdentity to specify the STS certificate...

Maybe there are other assumptions that I just can not remember now? What are the security implications?
Please help to make the Identity Metasystem as simple as possible (but not simpler).
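As an added example (not code from the openinfocard project), here is how a selector could apply the simple-profile rule from this post: a TokenService without a MEX reference gets the default metadata (transport binding, STS certificate equals the card-signing certificate unless WS-Addressing Identity pins it), and a simple-profile STS address that is not https is refused. The sample cards are constructed; the namespace URIs are the ones defined by the Information Card, WS-Addressing, WS-MetadataExchange and WS-Addressing Identity specifications.

```python
import xml.etree.ElementTree as ET

# Namespaces of the elements that appear in an Information Card's TokenServiceList.
NS = {
    "ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsx": "http://schemas.xmlsoap.org/ws/2004/09/mex",
    "wsid": "http://schemas.xmlsoap.org/ws/2006/02/addressingidentity",
}

# Path from ic:TokenService down to the MEX endpoint address (full profile only).
MEX_PATH = ("wsa:EndpointReference/wsa:Metadata/wsx:Metadata/"
            "wsx:MetadataSection/wsx:MetadataReference/wsa:Address")


class CardError(ValueError):
    """The card is malformed or violates the simple-profile defaults."""


def resolve_token_service(token_service_list_xml: str) -> dict:
    """Decide how the selector must talk to the STS named in the card.

    Returns the STS address, the MEX address (None under the simple profile),
    the binding to use and where the STS certificate comes from.
    """
    root = ET.fromstring(token_service_list_xml)
    ts = root.find(".//ic:TokenService", NS)
    if ts is None:
        raise CardError("card has no ic:TokenService")
    address = ts.findtext("wsa:EndpointReference/wsa:Address", namespaces=NS)
    if not address:
        raise CardError("ic:TokenService has no wsa:Address")
    mex_address = ts.findtext(MEX_PATH, namespaces=NS)
    pinned = ts.find("wsa:EndpointReference/wsid:Identity", NS) is not None
    simple_profile = mex_address is None

    if simple_profile:
        # Default 1: transport security, so the STS endpoint itself must be TLS.
        if not address.lower().startswith("https://"):
            raise CardError("simple profile requires an https STS address: " + address)
        binding = "transport"
        # Default 2: STS certificate == card signing certificate, unless the
        # issuer pinned a different identity via WS-Addressing Identity.
        sts_certificate = "wsid:Identity" if pinned else "card-signer"
    else:
        # Full profile: the selector fetches the MEX document and takes the
        # binding (and, unless pinned, the STS certificate) from there.
        binding = "from-mex"
        sts_certificate = "wsid:Identity" if pinned else "from-mex"

    return {"address": address, "mex_address": mex_address,
            "simple_profile": simple_profile, "binding": binding,
            "sts_certificate": sts_certificate}


def accepts(token_service_list_xml: str) -> bool:
    """True if the selector would proceed with this card, False if it rejects it."""
    try:
        resolve_token_service(token_service_list_xml)
        return True
    except (CardError, ET.ParseError):
        return False


def _card(endpoint_body: str) -> str:
    # Constructed sample card: wraps an EndpointReference body in the elements
    # from the post (Zoe's username/password credential).
    return (
        '<ic:TokenServiceList xmlns:ic="%(ic)s" xmlns:wsa="%(wsa)s" '
        'xmlns:wsx="%(wsx)s" xmlns:wsid="%(wsid)s">'
        "<ic:TokenService><wsa:EndpointReference>%(body)s</wsa:EndpointReference>"
        "<ic:UserCredential><ic:UsernamePasswordCredential>"
        "<ic:Username>Zoe</ic:Username></ic:UsernamePasswordCredential>"
        "</ic:UserCredential></ic:TokenService></ic:TokenServiceList>"
    ) % dict(NS, body=endpoint_body)


FULL_CARD = _card(
    "<wsa:Address>https://contoso.com/sts/pwd</wsa:Address>"
    "<wsa:Metadata><wsx:Metadata>"
    '<wsx:MetadataSection Dialect="http://schemas.xmlsoap.org/ws/2004/09/mex">'
    "<wsx:MetadataReference><wsa:Address>https://contoso.com/sts/pwd/mex</wsa:Address>"
    "</wsx:MetadataReference></wsx:MetadataSection></wsx:Metadata></wsa:Metadata>"
)
SIMPLE_CARD = _card("<wsa:Address>https://contoso.com/sts/pwd</wsa:Address>")
PINNED_SIMPLE_CARD = _card(
    "<wsa:Address>https://contoso.com/sts/pwd</wsa:Address>"
    "<wsid:Identity><wsid:Dns>contoso.com</wsid:Dns></wsid:Identity>"
)
# Constructed negative case: simple profile, but the STS is plain http.
PLAINTEXT_SIMPLE_CARD = _card("<wsa:Address>http://contoso.com/sts/pwd</wsa:Address>")

if __name__ == "__main__":
    for name, card in [("full", FULL_CARD), ("simple", SIMPLE_CARD),
                       ("pinned", PINNED_SIMPLE_CARD), ("plaintext", PLAINTEXT_SIMPLE_CARD)]:
        print(name, resolve_token_service(card) if accepts(card) else "rejected")
```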

Saturday, May 30, 2009

Uninstalling Microsoft's Clickonce Support for Firefox

Just learned how to uninstall Microsoft's Clickonce support for Firefox.

When you are a Microsoft customer by using e.g. Windows XP like me, and you update regularly, then you might have wondered some time ago why a new addon mysteriously appeared in Firefox.

This Microsoft article explains some of it and how you can tweak the registry to get rid of it again. Yig.

This is too much customer care for my taste. Or too little when you have to edit the registry to clean your computer of unwanted helpers. Not good.

Tuesday, May 26, 2009

Your search - cardspace site:microsoft.de - did not match any documents.

http://www.google.de/search?q=cardspace+site%3Amicrosoft.de yields:

Not good! It seems that the German Microsoft site is not searched by Google. Strange.
Ahh. Searching for German language content on microsoft.com yields results...
Still...

Searching for Cardspace at search.microsoft.com results in an interesting suggestion: "Meinten Sie vielleicht: cards pace" (did you mean 'cards pace'). It seems that search.microsoft.com does not know Microsoft products.

Monday, May 25, 2009

J2SE 5.0 is in its Java Technology End of Life (EOL) transition period

"J2SE 5.0 is in its Java Technology End of Life (EOL) transition period. The EOL transition period began April 8th, 2008 and will complete October 30th, 2009, when J2SE 5.0 will have reached its End of Service Life (EOSL)."

While playing around with some SUN development kit and trying to build the samples I got the error message that the version of the class files does not match. One gets this error message when some jar file was generated with another version of Java... Some time ago I uninstalled all old versions of Java from my computer keeping only the Java 6u13 JDK. It turns out that I need Java 5 to build the samples. Not good.

I downloaded Java 5 and succeeded in building the samples... But anyway SUN should see to it that this does NOT happen. Especially with its own SDKs.

I already deinstalled java 5 again, but will keep the installer on disk for future incidents like this.

Migrate to java6 now!

Another pain point: What about J2ME? Are there any plans to update this java-1.3-ish language to java6? Android has java 6 but that is another league.

Tuesday, May 19, 2009

who is jvsmith.pip.verisignlabs.com

Just wanted to try Facebook as an OpenID consumer. So I dusted off that Facebook account and added my verisignlabs openid ignisvulpis.pip.verisignlabs.com to my profile.
When I come back from verisignlabs Facebook presents my updated profile.

My openid is presented to me as: jvsmith.pip.verisignlabs.com which points to the correct openid. What is going on here?

A quick search reveals that others have the same problem... Strange.

developer garden


Normally I do not blog about my employer but this time I would like to make an exception.

Deutsche Telekom launched its developer platform called "Developer Garden". This is great. Currently you can send SMS, start telephone calls and resolve IP addresses to locations. Nice. I wish I had time to start another opensource project for this that uses Information Cards and the IP Location service. Or my employer would give me the time to do this...

Two things come to mind.
- create an STS that issues IP location cards. When the user uses this card at a relying party the IP location STS resolves the IP Location and puts the location information into a SAML assertion. Easy.
- create a Firefox 3.x (x>0) location provider that uses the IP location service in the browser. I guess that raises some location provider and browser location GUI issues. Doable.

Although not everything must be done with an Information Card. Providing location information through a card is not widely accepted in the Internet user population ;-)
Anyway. I do believe that relying parties want location information and that Information Cards are a good way to provide claims about a user with the user's consent.

This again raises the issue that we need security tokens that hold claims values assured by multiple sources (IdPs). But maybe this does not really matter. The user does not know about all the underlying technology and he should not need to care about it. I am thinking about a UI where the cards (and the claims) are presented to the user, who then drags the cards or only some claims from several cards to the relying party. The selector then fetches the security tokens from the multiple IdPs and sends the multiple security tokens to the relying party.
How does the selector know about where to post what claims? Through XRD.

Monday, May 18, 2009

Internet Identity Workshop & openinfocard

The Internet Identity Workshop seems to inspire me to work more on the openinfocard selector again. I just uploaded a new version. Drag and Drop of Information Cards works again. You can open the sidebar using shift-alt-ctrl-i and then drag one of your cards to the main window (relying party).

The selector then opens and the dragged card is chosen. You just need to hit the "send" button or select some optional claims first.
You should look at the details of this particular relying party (http://pamelaproject.com/wptest091/). Pamela implemented the use of XRD/S for information cards for her wordpress plugin. If you add something like
<meta http-equiv="X-XRDS-Location" content="http://pamelaproject.com/wptest091/?xrds"/>
to your site and you use openinfocard then you can use Information Cards without the "object"-HTMLElement.

Tuesday, May 05, 2009

ICF D-A-CH Chapter @ EIC


Today at the European Identity Conference we had a workshop on forming a local chapter of the Information Card Foundation. We intend this to be a local chapter for Switzerland, Austria and Germany. We want to provide helpful information about Information Cards in the German language, we want to be a neutral body and an open organization, we want to organize and participate in events and workshops, we want to identify local requirements and local legislation related to Information Card Applications and we want to solve or to help solve challenges related to those local requirements and restrictions.

In our first workshop today we had many interesting presentations from very different companies and organizations. I won't repeat them here other than to note that probably all aspects of the Identity Metasystem were covered. That kind of surprised me, but it was a good surprise because it reminded me that there are more aspects to this than the projects I work on. I thought that my openinfocard project and the Cardspace4Firefox project cover the selector part, that my diverse work projects cover the consumer, enterprise and mobile device parts of the systems and the interoperability and standards aspects, and that this is most of the "world", but this is of course not true. I was reminded that there is even more than this already huge field. That is good.

Thursday, April 30, 2009

openinfocard new version

I just uploaded a new version of the openinfocard selector to http://code.google.com/p/openinfocard/downloads/list.
Please give it a try.

The changes are mainly internal but huge and important. After over a year of despair caused by several java plugin2 hiccups and a lingering "stale reference to a java vm" error I think that I have now improved the code so that development of new features makes much more sense than before. I had the feeling that SUN and Mozilla were pulling away the ground under my feet, but now I think this period is over.

Some improvements are "visible" when you try the selector with "complicated" IdPs. I improved the metadata parsing through hefty use of E4X. The OSIS endpoints do not fall into this category but if you test this openinfocard version e.g. with a Geneva server you might see what I mean. We have set up Geneva servers in our lab and openinfocard immediately failed. I fixed this; although I am sure that there are WS-* variants that still cause the selector to flip.
BTW: By fixing some of these faults I "improved" the internal cardstore format. This causes old cardstores to become unusable. Sorry, please remove the cards from your current cardstore and reimport them. There is no automatic conversion...

Java6 u12 or newer is now a requirement. I have only tested it on Windows XP SP3 32bit but I am quite confident that this selector runs everywhere where Firefox 3 and Java6 are available.

Next steps:
- code cleanup. Throw away now unused code.
- XRDS support for X-XRDS-Location meta tag (nearly ready)
- phone selector integration

Friday, April 24, 2009

user-agent pollution .NET CLR 3.5.30729

Don't know when this started but currently the Firefox user-agent string is polluted by a new addition "(.NET CLR 3.5.30729)".

Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 (.NET CLR 3.5.30729)

Maybe the new add-on "Microsoft .NET Framework Assistant" is to blame.

But although I disabled it the user-agent string was not reverted to normal.

Who gave Microsoft the right to blurt about the fact that .NET3.5 is installed on my computer?! Well, others are not better: If the Azigo Selector is installed then it adds itself to the user-agent string too.

Maybe SUN should add the installed Java version and whether OpenOffice is installed, and Adobe the installed Acrobat Reader version and the Flash version, and Apple the Quicktime and iTunes version and ...

Wednesday, April 22, 2009

Oracle Identitymanagement 20% off

the book price as seen in the RSA conference bookstore today.

I am sure this has nothing to do with the current acquisition of opensso by Oracle from SUN, or has it?!

Another book of probably only historical value:
contains everything about the past of identity management and authentication on Unix and Windows systems but nothing that is newer than - let's say - three years. What is that good for? A door stopper or a lesson in what does not scale and is inflexible?!

Tuesday, April 21, 2009

Kantara, Standards, Open Source Projects

Please pardon the crude title of this post...

On Monday, April 20, 2009 the Kantara Initiative (the server is currently down...) was launched. Although I subscribe to the goals of the initiative I still know too little to make a reasonable decision about it. My feeling is that it is too big. While it certainly helps to have an organisation and most of the legal (IPR, bylaws, etc) stuff is already handled for a new Kantara working group e.g. openFOO/BAR/BAZ, I fear that the influence of the big companies might be unhealthy for openFOO. Sure it helps to have support from experts in e.g. protocol design and standardization to make the openFOO protocol consistent, sound, complete, modular and extensible and everything a protocol or data format should be; but Liberty Alliance, Microsoft, IBM and the other big companies have a tendency to create complex beasts that the normal open source project can not tame.

If some enthusiasts come together, join forces to solve a problem and to make the Internet "suck less" then the outcome is sometimes simple, not modular, not extensible or whatnot but if it solves the problem, well...

A counter example: Yesterday I awoke at 1am (jet lag) and tried the openinfocard selector "against" an IdP that is based on Microsoft Geneva. I imported the Information Card that was issued by that server and boom: openinfocard could not handle it. So I fixed this small problem. (Although this fix will lead to a changed internal format of the openinfocard cardstore and will break existing cardstores. Hm. Sorry). Now I try to use the card and boom: the retrieved WS-Metadata is so complex that the openinfocard selector can not handle it; so I fixed this not so small problem and learned a lot about several of the friendly members of the WS-* family...; and about Mozilla's E4X implementation. This introduces a new level of complexity to the openinfocard code that surely will lead to trouble in the future.

What does this have to do with Kantara? Well, sure the designers of WS-* are not all members of Kantara but the Liberty Alliance Project has created similar complex specifications (This server is down too; in fact it turns out it is the same server 74.124.198.86).
Now consider you want to implement a cool program on a mobile phone and have to use these standards. Good luck with e.g. ID-WSF and e.g. kxml2. Doable, but this takes probably more than half an hour.

So I am sceptical for small, fast, just-doit openFOO groups.

Monday, April 20, 2009

Oracle will buy SUN

Living in interesting times... (still).

http://www.sun.com/third-party/global/oracle/index.jsp

This raises many questions regarding e.g. mysql etc but most notably I am very curious what this means for opensso and SUN's access manager and ...

This merger will be a hot topic for the identity people here at RSA conference too, I am sure. Can't wait to hear what e.g. Uppili and Pat say.

Friday, April 17, 2009

Waiting for CardSpace Geneva



I wanted this video to loop forever but could not find how this is possible.
Maybe Microsoft should open source CardSpace Geneva; then we could help to bring it into the world.

Monday, April 06, 2009

xmldap.org is down

I am sorry that xmldap.org is down.

Nulli Secundus, the former employer of Pamela Dingle, hosted xmldap.org until now. A big thank you for that.

Chuck and I have not found an alternative until now.
But I am an eternal optimist too ;-)

similar people at quillp

Today I tried a new social network quillp that claims to help to establish a new cosmos for me by knowing how I like or not-like books I have read.

They have a subservice that offers a list of books of people similar to me:

It seems I am special and not many readers are similar to me.
Or they don't have their database and algorithms straight.
Well, about every tenth click leads to a .NET error like: "table 0 not found".

What I do not like about Quillp: Somebody must explain oauth to them now!

Anyway: I subscribe to the mantra "publish early, publish often" too. And "if you're not embarrassed by your first version then you published too late".
Quillp has some work to do but I like the idea and happily divulge my bookshelf to them but not my passwords to other sites.

Wednesday, April 01, 2009

Mozilla weave and Information Cards

Mozilla labs just announced that they released version 0.3 of weave. I think Information Cards should be added to the weave cloud:

And maybe passwords should be stored as Information Cards to leverage THE SELECTOR's anti-phishing capabilities to protect username/password credentials.