Category: interop

Concordia Slides from RSA


Slideshare doesn’t handle animation very well. So here is a run-down on the final demo.

In addition to demonstrating interoperability with other vendors, I was able to show how to log in to Google Apps using a SAML IdP/Infocard RP from Ping, CardSpace from Microsoft and an information card from Sun. In terms of platforms, Sun’s server was running on OpenSolaris, Ping’s on Linux, CardSpace on Windows XP (which in turn was running on Mac OS X) and Google’s on ‘whatever they run over there’.

Identity at RSA

I’ll be at RSA Conference next week participating in the following events.

Concordia
What: The current goal is to demonstrate that SAML, WS-Fed and Information Cards can co-exist, and some of the use cases where it makes sense. For instance, if you already have a federation set up (using SAML or WS-Fed), you can leverage Information Cards as an authentication mechanism and tighten the security. Similarly, if you are planning on authenticating using an Information Card, you can extend the reach (and hence get more value for your investment) by federating using SAML/WS-Fed.
Who: Fugen, Internet2, Microsoft, Oracle, Ping Identity, Sun, Symlabs.
When: April 7th, 9AM-12:30 PM
Where: Red Room 302, Moscone Center North/South, Esplanade level

OSIS
What: This is an interop event where you will get to see most (if not all) of the Information Card and OpenID providers and consumers. What started off as an informal interop session at IIW now has 57 participants. A lot of credit for this goes to Mike, Dale and Pam for continuing to encourage (read: harass) other participants.
Who: 33 Companies. 24 Projects. 57 Participants.
When: April 8th, 9th. Working session 11AM-4PM. Demos: 4-6PM.
Where: Mezzanine Level Room 220, Moscone Center.

Mix-it-up
What: This has now established itself as a standard event at the main identity conferences. This is where we leave the vendor, customer, big enterprise, small company hats behind and just have a good time. Most end up getting wasted and missing out on their next-day appointments.
Who: All available.
When: April 8th. 6-8 PM (it’s not really going to end at 8).
Where: 111 Minna Gallery (Tel: 415.974.1719).

See you there.

Identity Mashup

A while ago Paul and I had a conversation about how the neighborhood kid teases his daughter Ophelia Pauline Edna Nicki Irene Daphne for the lack of certification, and how I was concerned that my son, San Ashish Mator Lester, gets picked on since his friends think he is fat and difficult to understand.
It’s refreshing to read that compared to Higgins, San…Lester is considered sexy. It’s about time our kids hook up. In case you are interested, Inspired by Intellectual Women is planning to have a speed dating event in December. There are a couple of other dating services, Open Source Invitation for Singles as well as Contrasting but Cordial, where San…Lester normally shows up.

However, the word on the street is that Ophelia…Daphne doesn’t believe in pairwise relationships or trust. Ours is a conventional family. It’s not like we are asking for exclusivity, but at least some kind of white list would be nice.


Three days more / Interop Zen

Suiwo, the disciple of Hakuin, was a good teacher. During one summer seclusion period, a pupil came to him from a southern island of Japan.

Suiwo gave him the problem: “Hear the sound of one hand.” The pupil remained three years but could not pass the test. One night he came in tears to Suiwo. “I must return south in shame and embarrassment,” he said, “for I cannot solve my problem.”

“Wait one week more and meditate constantly,” advised Suiwo. Still no enlightenment came to the pupil. “Try for another week,” said Suiwo. The pupil obeyed, but in vain.

“Still another week.” Yet this was of no avail. In despair the student begged to be released, but Suiwo requested another meditation of five days. They were without result. Then he said: “Meditate for three days longer, then if you fail to attain enlightenment, you had better kill yourself.”

On the second day the pupil was enlightened.

It’s good to have deadlines and interops every now and then.

Open letter to the CardSpace team

Noticed from Kim’s blog that the CardSpace team is blogging. I’m just back from DIDW where I had some good discussions while presenting our Payment Card Demo. So I figured it might be a good idea to compile a list of the things that I heard and share it with the CardSpace team. If I have missed anything, please let me know and I’ll update the list.

  • Too many clicks
    In our demo, we showed how you can use a card to make an online purchase with a merchant, e.g. Amazon. Once I have my profile set up at Amazon, it takes “1” click to make the payment. With Information Cards, it takes “5” clicks. Every time.
  • UI too techie
    The whole CardSpace UI is too techie, especially the error messages. Messages like “Personal Card is encrypted…” and when to ‘retrieve’, ‘preview’ or ‘send’ a card are all technically correct… but explain that to my grandmother in Omaha. (My grandmother doesn’t live in Omaha, nor do I think that people from Omaha are dumb… but you get my point.)
  • Too slow
    This is my personal pain point. Since launching SignOn.com in July, I haven’t used the username/password option while logging on to SignOn.com. However, the CardSpace client is too slow (especially during the first invocation). At times, I wonder if I clicked it or if the site crashed. The auto-form-filled username/password option is so much more convenient.
  • CardSpace Distribution
    Relying parties see no reason to support CardSpace at this time, since there is hardly any user adoption. “<grin>I’ll implement it when more than 5% of my user base can use it</grin>” is the standard response from the application providers. From the user perspective, “<chuckle>I’ll install it when there are more than 2 websites where I can use it.</chuckle>”. It’s a Catch-22, but someone has to bootstrap the process. Vista adoption has been slow. One can download it for XP, but the download is over 50MB and there is no reason for an average user to go through this. My suggestion (talk is cheap :-) ) is to break the CardSpace component out of the .NET 3.0 framework and then push it down to the user’s desktop via Windows Update. I know this is probably wrong and breaks a few of the identity laws (user consent etc.) but it’s not like you haven’t done something similar to this in the past. Plus it’s for the user’s own good. They just don’t know it yet.
  • Submit it to a standards body
    You have done a great job in opening up the specifications. Other identity selectors like xmldap and DigitalMe are proof that you can have an end-to-end deployment without any Microsoft technologies. However, the CardSpace profile (I don’t know if this is the right term; it was used by one of the attendees) on how the selector gets invoked and how the message gets encrypted, along with the 14 self-issued claims, is still under your control, and it would be nice to submit it to a standards body and let others collaborate/contribute.
  • Open up your road map / bug list
    I understand that you have a lot on your plate and you are working as hard as you can to get the next version out. However, it would be nice to get some transparency into your roadmap / bug list on what and when you are planning to release. I’m not asking for an exact date for the CardSpace 2.0 release, but it would be nice to know what month/quarter you plan to release and what the top 5 features are that we can expect. If you can open up your backlog/bug list to the public, that would be awesome.
  • Get some awareness
    Something along the lines of spreadfirefox.com. The OpenID Foundation did a great thing by starting the bounty program. Native plugins for Joomla, Drupal, WordPress and the like will really make it easy for the site owners/deployers. I understand some of this is in progress. The Catalyst event in June and the one coming up in Barcelona are a step in that direction. But it would be nice to get the ‘13 year old army’ (learned this term while attending a Boulder Barcamp) behind you. BTW… last time I checked, spreadcardspace.com is still available.
  • Open/Free RP toolkits
    This relates to the previous point. It takes a weekend to get an OpenID library, deploy it and test it. It takes over a week to understand the specs around Information Cards. Some drag-and-drop library where the installer/deployer doesn’t really need to know the inner workings would really help.
  • Cards Portability
    This issue has to be addressed (if not resolved) before calling CardSpace a real, production-ready, mature, ready-for-mass-deployment technology. I know that cards can be exported and imported, but it’s not practical. What is needed is a way to carry my selector on a USB key, or a smart card based selector, or a mobile based solution, or a service in the cloud with one-click sync.
  • Get the terminology right
    I understand the difference between CardSpace, Information Cards, Infocard, Identity Selector, Identity Agent, DigitalMe etc., but it causes confusion. When building the SignOn.com FAQ, we looked around for an official definition of ‘Information Card’ and found none. Our tech writers eventually came up with this. Have an official one-page explanation of the terminology and then heavily reference that page everywhere.
  • Features
    This is at the bottom of the list. You can always add features and still have some more to add. I don’t think it’s the features that are hindering the adoption. All of the below items would be good to have, but some real world deployments, even with limited use cases, should be higher priority. Here is a partial list of the features that came up:

    • Allow for multiple issuers for the RP.
    • Allow for RPs to transfer information to the IdP at runtime. I know this can be hacked a bit by setting ‘RequireAppliesTo’, but I would like to be able to pass proper data structures both ways.
    • Ability to either modify or extend the CardSpace GUI.
    • Ability to allow for other types of authentication methods, e.g. OTP.
    • Allow the user to shut off the CardSpace invocation on a per-RP basis. I agree with the user consent and all, but it does get annoying on frequent use.

I strongly believe that CardSpace/Information Card is a great technology. Kim, Mike and the rest of the Microsoft folks have been very open and supportive in sharing information and resources. Most of the people I talked to shared the same sentiment. We even had a round table on CardSpace/OpenID during our User Group session after DIDW, and everyone can see the potential. I hope we all will be around to see that happen :-) .

Identity MetaSystem….or not

Bob provides an excellent summary of the Catalyst user-centric interop. It gives a great overview of the state of user-centric/Information Card technology.

Paul, Robin and Gerald argue over the definition of identity metasystem.

  • In theory… the Information Card flow/protocol is token agnostic and hence worthy of being referred to as an “identity metasystem”. The event demonstrated different components (IdP, RP, Selector) from different vendors interoperating with each other. The event then should qualify as an identity metasystem interop.
  • In theory… Project Concordia addresses Information Cards as well as OpenID, SAML and WS-Fed, and hence is an “identity metasystem”.
  • In theory… another identity metasystem is required that not only addresses the above protocols but also SiteMinder, Oblix, Sun Access Manager, app server specific tokens etc.

By the time we are done defining the super uber identity metasystem, there will be another identity protocol that will warrant us to start over.


My 0.2 cents

  • It was a great event that brought together a lot of vendors and provided a reality check to all of us. Bob and Gerry deserve full credit for that.
  • Everyone agrees that OpenID, SAML and WS-Fed should be part of the interop scenarios in future events, even though I would argue that the use cases I have seen so far demand a mash-up and not an interop.
