During the last week I released new versions of the Mozilla Firefox addon that adds Cardspace support to the browser.
Another change that involved code changes in many places was the elimination of global variables, which is a good thing. All global variables were moved into a new namespace, org.openinfocard.cs4ff. I hope that this change gets this addon out of the sandbox so that it becomes an addon that can be installed without the "let me install this" checkbox.
Too bad that the Information Card addons are not compatible with each other. You have to choose whether to install DigitalMe, Openinfocard, Azigo's selector or Cardspace4Firefox, or other addons based on the same code base.
Which, on the other hand, is no problem in the real world: users will pick their selector and install just one.
Wednesday, December 30, 2009
Tuesday, December 15, 2009
In case you have not done so, please have a look at Avoco's Information Card work.
One of their demo sites is a site called RealPay. Here you see the current openinfocard selector at work:
But the above is only the "normal" Information Card scenario.
Much more interesting are their "cloud selector" and their Cardspace-based document signing product. The latter can sign Microsoft Office documents and PDFs, and if you try to open such a document you have to present a valid security token based on an Information Card, which might even restrict your access based on your current location. Nice.
Read more here.
Wednesday, November 25, 2009
I am making good progress with the selector that supports Information Cards and OpenID (Cards). Maybe it will support username/password too.
Please notice the purple-i in the urlbar left of the site identity icon. Clicking it starts the selector, which lets you log in using e.g. your OpenID (Card). It "works" with the xmldap.org test page and it nearly works with Andrew Arnott's http://test-id.org/XP/Selector.aspx page. Markus Sabadello's test page https://openidpad.com/ needs a little more work. The next step is to remember the cards used and display them in the urlbar.
I would like to mention that "login" or "connect" (to a site) is not enough. I think that attributes or claims are more important than login.
Sometime not too far in the future we should agree on a standard for this. I prefer the XRDS way to convey the RP's requirements to the selector, and we can inline it into the HTML code if a download of the XRDS is not desirable...
Monday, November 23, 2009
Well, this took quite some time.
Several people reported that there were issues with the IdentitySelector from the Codeplex repository (sometimes called Cardspace for Firefox) on Windows Vista, while Windows XP worked. But now, finally, I was able to build a new version on Windows 7 using the Mozilla build system as described here. I tested it with Firefox 3.5.5 and it seems to do what is expected, although I did not test it on Vista. Please report issues using the Codeplex issue tracker.
Following are some screen shots from my tests:
The Cardspace version used was 18.104.22.168 as it comes with Windows 7.
There is still much work to do, like bringing this addon's code to the same maturity as the openinfocard selector.
And keeping it there, e.g. by improving the XRDS support.
Later support the OpenID Selector...
And integrate with the work at Mozilla Labs like the "AccountManager"...
Not to forget the design work in the Kantara Universal Login Experience working group...
Tuesday, November 10, 2009
Wednesday, October 14, 2009
Some people fear that an encrypted token sent through an untrusted operating system is not safe. Well, decrypt this:
If you succeed I'll fetch you a beer at IIW2009b.
Thursday, October 08, 2009
These two are the front and back side of the handout the Information Card Foundation provided at DIDW2009.
Visit Open Identity Solutions for Open Government to learn more about how Information Cards are used in Open Identity, and join the discussion at the Internet Identity Workshop. Register here!
Wednesday, September 23, 2009
I just uploaded a new version of the openinfocard selector to Google code here.
I changed code that limited self-issued cards to the "well-known" claims. Now I only need to add UI code to enable the user to specify arbitrary URLs as claim URIs.
This change forced me to change the internal cardstore format for self-issued cards. The related XML is now more similar to the RoamingStore format for Information Cards. This is good, but existing cards stop working. Users of the new version have to delete and recreate their self-issued cards. Sorry, although I promise that this will not be the last time ;-) for this kind of change. I want the internal cardstore format to be exactly like the RoamingStore format (plus legal openinfocard enhancements).
Other changes:
- A small change that improves statusbar Information Card icon clicks when an object tag is in the page but no XRDS. This needs more work.
- The sidebar code is leaner. This needs more work too, so that only matching cards are displayed and the sidebar window gets updated when the main window changes.
I am glad that I found some hours to work on my hobby.
Monday, August 31, 2009
Tuesday, August 11, 2009
OIDF and the Information Card Foundation published a whitepaper titled "Open Trust Frameworks for Open Government".
It speaks for itself so I only add a wordle of that document.
Government accepting non-government id: A big step!
Thursday, July 30, 2009
John Clippinger, who directs the Law Lab at Harvard University and who is a co-founder of Parity Communications (now Azigo), talks about Information Cards, the wallet, and how this will be integrated into Google Wave.
This video is from the ideas project:
My hope is that companies like Google will help to put Information Cards into the browser.
Friday, July 24, 2009
Thursday, July 23, 2009
My first feeling was that this is a bit intrusive but then...
Here is a picture of the authnapped OpenId form:
Here is a picture of the original OpenId login:
It is the user's decision to install and use Mozilla Labs' project "weave" or not. And this solves part of the NASCAR problem. Why should the service provider suggest some OpenId providers using the NASCAR? Well, if it has a whitelist of trusted OPs, then yes.
But the OpenId NASCAR is a kludge anyway.
I think that there should be an XRD description of which authentication methods and providers and token formats and so on a service provider supports or requires. Then a client component - read Browser extension - could help the user to make a good decision and prevent phishing attacks and more.
The user does not care whether the protocol is OpenId or Information Card or if the token format is SAML2 or what not. A unique user experience is desired. Ease of use is required. User consent is required. Security and Privacy need to be protected.
This should be "in the browser"! Secure by default. Privacy protecting by default.
I guess I don't have to repeat that I prefer the Information Card metaphor and UI. A client component is a good thing and it should be ubiquitous, built-in but replaceable and configurable at the user's choice.
Identification, authentication and claims/attribute transfer are not the service provider's primary interest. Those tasks should be moved out of the website's code into an authnapping module of the user's browser.
Authnapping is good!
If I could travel to the Burton Group Catalyst Conference I would go to these talks:
Speaker(s) | Talk
Bob Blakley | 2009: Upheaval In The Identity Market
Lori Rowland; Bob Blakley; Mark Diodati; Gerry Gebel; Ian Glazer; Kevin Kampman | Identity Management: No Time Like the Present
Michael Barrett | Two Billionths of a Second after the Big Bang - Where Is Consumer Identity
Bob Blakley | The Identity Services Market
Bill Peer | Coming to Grips with Your Inner Cloud
Mary Ruddy; Ron Carpinella; Tom Oscherwitz; Rick Rubin; Denise Tayloe | The Age of Identity Oracles
Anne Thomas Manes | In Memory of SOA
Robert Amos | Empower the Business with Identity Management
Richard Watson | Service Modeling: Making Sure Your Services Deliver Value
Dharmesh Panchmatia | Service Orientation for Success: a Case Study
and more. Listing all interesting talks here takes too much time.
And then there is the Concordia workshop and the ICF Directors Face-to-face meeting...
I wish I could be there.
Friday, July 03, 2009
The Higgins Project, namely Markus Sabadello, created an Information Card Selector that runs on the iPhone. Because Apple's benevolent dictatorship prevents extensions to the iPhone's web browser, this selector uses a custom URL scheme to launch the selector from a web page. Details can be found here.
I adapted the xmldap relying party to output the new URL-scheme when the user-agent contains "iPhone" or "iPod".
Here are some screenshots that Markus provided:
Integrating this into the openinfocard selector is a task for this evening.
Wednesday, June 17, 2009
Tuesday, June 09, 2009
A feature of my G1 that I somehow did not notice until yesterday is the built-in voice search. Please notice the microphone icon next to the Google input box:
If I touch that icon I can speak a search term into the G1's microphone:
The recorded sound is then sent to a Google server, I guess.
And the result is presented to me. The next image shows the result after I tried to search for "Deutsche Telekom"... Hm! (This is not faked by me)
Other things work better:
Has somebody implemented speaker verification for the G1? It would be so natural to use the mobile's microphone to verify the user!
Saturday, June 06, 2009
Can you find the word "identity" in the Cyberspace Policy Review wordle? (click to enlarge)
Removing "government" and appendixes:
Hm, "privacy" is a little bit better to see. "identity" still lost in the cloud.
A semantic wordle is needed it seems.
Friday, June 05, 2009
Deutsche Telekom launched its developer program called developer garden which offers several telecom services by providing APIs.
One of these services is an IP location service that resolves an IP address, if it comes from Deutsche Telekom's access network, to location information. While the retrievable location information is quite coarse, it is still useful. My favorite use case is to restrict online banking to the country I live in, or to the region or city I live in. This restriction would make online banking a little bit safer, although I know this is no silver bullet.
Anyway, it is a good thing that the location information is not too accurate. I don't want any server to locate me. Viewed from the privacy angle even country or region/city information might be too much already.
What I would like is user-centric location information. The Internet Service Provider should allow me - the user - to retrieve my location information to the accuracy that I accept. I can then hand this information over to the online shop, bank, news site, or whatever...
Today I have put this new IP location service and a security token server together. I wrote an iplocation_sts that offers Information Cards that contain location information. And I wrote an iplocation_rp that extracts this information from the security token. And it works! Yeah! Although I don't expect this to be the killer application which will make me rich or boost my career :-/ ... still I like it nevertheless.
How does it look?
You visit the Identity Provider with your Information Card enabled browser e.g. Firefox 3 with openinfocard. You create an account and an Information Card that you download and install into your selector.
Now you visit the relying party, click on the icon as directed...
... and choose the installed location card. This sends the token request to the IdP's token service, which retrieves the remote address of the client (or its proxy :-( ), generates the SAML assertion, ...
that is finally sent to the relying party.
Now it is clear that I live in the region "Berlin" and that the country code is "de". Correct.
Currently this is all installed only on my local machine but if Chuck installs the required libs on xmldap.org then you can play with it (if the access provider your ISP uses is Deutsche Telekom).
Microsoft published an update that allows uninstalling the ClickOnce support for Firefox without twiddling with the registry. Good.
Before installing the patch the dotNet extension is grayed out:
After installing the patch it can now be uninstalled:
Yesterday I flashed the firmware of my G1 Android Developer Phone to version 1.5.
Now the G1 can capture videos and upload them to youtube:
The filmed hexbug was a present given to attendees of the Deutsche Telekom Developer Garden launch party. Nice.
Thursday, June 04, 2009
Java SE 6 Update 14 has shipped.
"This release is Windows 7 support-ready and includes support for Internet Explorer 8, Windows Server 2008 SP2, and Windows Vista SP2. New features include the G1 garbage collector, plus performance and security enhancements. Get it now!"
Java 5's end of life is only three months away. If you are still running Java 5, make sure that it is at least Java 5 update 19.
Tuesday, June 02, 2009
Some time ago I changed the HTML code that the xmldap.org site produces to XHTML.
It seems that IE8 is not happy with it, although I tested all pages with http://validator.w3.org/
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Sad. When I use IE8 and Cardspace to present an Information Card, IE8 offers to store a file to my local disk... When I post that file's content to the validator, it verifies that this is valid XHTML 1.0 Strict. And the content-type is "application/xhtml+xml". Maybe this is the problem?
I don't know whether I should care... Google does not consider IE8 to be a suitable browser (taken from here). Firefox is my browser and I assume that the others implement XHTML correctly too.
Anyway, if an IE enthusiast offers a solution that is standards-conformant, then I am happy to improve the xmldap site.
Normally, before the selector requests a security token from the IdP's token service endpoint, it asks the metadata endpoint of the IdP and retrieves the metadata, which tells it whether transport security or symmetric binding and other things are to be used in the token request.
I suggest that we define a simple profile that basically skips the metadata retrieval step and replaces it with default data.
An IdP that wants the simple profile to be used just issues Information Cards that do not contain the metadata endpoint information.
The Information Card would contain just:
What are the default values of the metadata that the selector assumes?
- Transport Security must be used; the IdP tokenservice uses SSL/TLS.
- We might assume that the Information Card signing certificate is the same as the security tokenservice certificate; IFF the issuer does not use WS-AddressingAndIdentity to specify the STS certificate...
Maybe there are other assumptions that I just can not remember now? What are the security implications?
Please help to make the Identity Metasystem as simple as possible (but not simpler).
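As an added illustration (not openinfocard code), here is the decision a selector would make under the proposed simple profile: fall back to the defaults above only when the card has no metadata endpoint, refuse a non-TLS token service, and pin the STS certificate to the WS-Addressing identity or, failing that, the card's signing certificate. The card is modelled as a dict whose field names (mex_endpoint, sts_endpoint, sts_identity_cert, card_signing_cert) are assumptions of this example.

```python
from urllib.parse import urlparse


class CardPolicyError(ValueError):
    """The card cannot be used safely without fetching metadata."""


def derive_token_request_policy(card):
    """Decide how the selector talks to the IdP's token service.

    Field names of `card` are assumptions of this example.  If the card
    carries a metadata (MEX) endpoint the real policy must come from that
    metadata, so only a marker is returned.  Otherwise the simple profile
    applies with the defaults listed above:
      - transport security (TLS) must be used, so the STS endpoint must be https
      - the STS certificate is the WS-Addressing identity from the card when
        present, else the certificate that signed the card itself.
    """
    mex = card.get("mex_endpoint")
    if mex:
        return {"profile": "metadata", "policy_source": mex}

    sts = card.get("sts_endpoint")
    if not sts:
        raise CardPolicyError("card has neither a metadata nor an STS endpoint")
    parsed = urlparse(sts)
    if parsed.scheme != "https" or not parsed.netloc:
        # The simple profile mandates transport security; a plain-http STS
        # would carry the token request (and any credential) in the clear.
        raise CardPolicyError("simple profile requires an https STS endpoint: %r" % sts)

    identity_cert = card.get("sts_identity_cert")
    expected_cert = identity_cert or card.get("card_signing_cert")
    if not expected_cert:
        raise CardPolicyError("no certificate available to pin the STS against")

    return {
        "profile": "simple",
        "binding": "transport",
        "sts_endpoint": sts,
        # The TLS server certificate presented by the STS must match this one.
        "expected_sts_cert": expected_cert,
        "cert_source": "ws-addressing-identity" if identity_cert else "card-signature",
    }


def simple_profile_applies(card):
    """True when the card yields a simple-profile policy; False when it needs
    metadata or must be rejected."""
    try:
        return derive_token_request_policy(card)["profile"] == "simple"
    except CardPolicyError:
        return False


# Constructed sample cards; issuer, endpoints and certificate are placeholders.
SIMPLE_CARD = {
    "issuer": "https://idp.example.test/",
    "sts_endpoint": "https://idp.example.test/sts",
    "card_signing_cert": "<card signer certificate, placeholder>",
}
PLAIN_HTTP_CARD = dict(SIMPLE_CARD, sts_endpoint="http://idp.example.test/sts")
METADATA_CARD = dict(SIMPLE_CARD, mex_endpoint="https://idp.example.test/mex")

if __name__ == "__main__":
    for name, card in [("simple", SIMPLE_CARD), ("http", PLAIN_HTTP_CARD), ("mex", METADATA_CARD)]:
        print(name, simple_profile_applies(card))
```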
Saturday, May 30, 2009
Just learned how to uninstall Microsoft's ClickOnce support for Firefox.
If you are a Microsoft customer, e.g. using Windows XP like me, and you update regularly, then you might have wondered some time ago why a new addon mysteriously appeared in Firefox.
This Microsoft page explains some of it and how you can tweak the registry to get rid of it again. Yig.
This is too much customer care for my taste. Or too little, when you have to edit the registry to clean your computer of unwanted helpers. Not good.
Tuesday, May 26, 2009
Not good! It seems that the German Microsoft site is not searched by Google. Strange.
Ahh. Searching for German language content on microsoft.com yields results...
Searching for Cardspace at search.microsoft.com results in an interesting suggestion: "Meinten Sie vielleicht: cards pace" (did you mean 'cards pace'). It seems that search.microsoft.com does not know Microsoft products.
Monday, May 25, 2009
"J2SE 5.0 is in its Java Technology End of Life (EOL) transition period. The EOL transition period began April 8th, 2008 and will complete October 30th, 2009, when J2SE 5.0 will have reached its End of Service Life (EOSL)."
While playing around with some SUN development kit and trying to build the samples I got the error message that the version of the class files does not match. One gets this error message when some jar file was generated with another version of Java... Some time ago I uninstalled all old versions of Java from my computer, keeping only the Java 6u13 JDK. It turns out that I need Java 5 to build the samples. Not good.
I downloaded Java 5 and succeeded in building the samples... But anyway, SUN should see to it that this does NOT happen, especially with its own SDKs.
I already uninstalled Java 5 again, but will keep the installer on disk for future incidents like this.
Migrate to java6 now!
Another pain point: What about J2ME? Are there any plans to update this java-1.3-ish language to java6? Android has java 6 but that is another league.
Tuesday, May 19, 2009
Just wanted to try Facebook as an OpenID consumer. So I dusted off that Facebook account and added my verisignlabs openid ignisvulpis.pip.verisignlabs.com to my profile.
When I come back from verisignlabs, Facebook presents my updated profile.
My openid is presented to me as: jvsmith.pip.verisignlabs.com which points to the correct openid. What is going on here?
A quick search reveals that others have the same problem... Strange.
Normally I do not blog about my employer but this time I would like to make an exception.
Deutsche Telekom launched its developer platform called "Developer Garden". This is great. Currently you can send SMS, start telephone calls and resolve IP addresses to locations. Nice. I wish I had time to start another opensource project for this that uses Information Cards and the IP Location service. Or my employer would give me the time to do this...
Two things come to mind.
- create an STS that issues IP location cards. When the user uses this card at a relying party the IP location STS resolves the IP Location and puts the location information into a SAML assertion. Easy.
- create a Firefox 3.x (x>0) location provider that uses the IP location service in the browser. I guess that raises some location provider and browser location GUI issues. Doable.
Although not everything must be done with an Information Card. Providing location information through a card is not widely accepted in the Internet user population ;-)
Anyway. I do believe that relying parties want location information and that Information Cards are a good way to provide claims about a user with the user's consent.
This again raises the issue that we need security tokens that hold claims values assured by multiple sources (IdPs). But maybe this does not really matter. The user does not know about all the underlying technology and he should not need to care about it. I am thinking about a UI where the cards (and the claims) are presented to the user, who then drags the cards or only some claims from several cards to the relying party. The selector then fetches the security tokens from the multiple IdPs and sends the multiple security tokens to the relying party.
How does the selector know about where to post what claims? Through XRD.
Posted by Axel Nennker at 9:36 AM
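As an added example (not xmldap's iplocation_sts or iplocation_rp code), here is a toy version of the STS/RP pair from the June 05 post above, which also covers the first idea in this post: the claim namespace, issuer and IP-to-location table are constructed, the Developer Garden lookup is replaced by that table, and the assertion is left unsigned. The proxy case the June 05 post flags (the STS seeing a proxy instead of the client) is handled by trusting X-Forwarded-For only from known reverse proxies.

```python
import ipaddress
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML = "{%s}" % SAML_NS
CLAIM_NS = "http://example.test/claims/iplocation"  # constructed claim namespace
ISSUER = "https://iplocation-sts.example.test/"     # constructed issuer

# Constructed stand-in for the Developer Garden IP location lookup:
# access-network prefix -> (country code, region).  Documentation ranges only.
LOCATION_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("de", "Berlin"),
    ipaddress.ip_network("198.51.100.0/24"): ("de", "Hamburg"),
}


def resolve_location(remote_addr):
    """(country, region) for an address in the access network, else None."""
    addr = ipaddress.ip_address(remote_addr)
    for net, loc in LOCATION_TABLE.items():
        if addr in net:
            return loc
    return None


def client_address(remote_addr, forwarded_for=None, trusted_proxies=frozenset()):
    """The STS only sees its TCP peer.  When that peer is one of our own
    trusted reverse proxies, the real client is the address that proxy
    appended to X-Forwarded-For; from anyone else the header is
    caller-controlled and is ignored, otherwise a client could pick its
    own location."""
    if forwarded_for and remote_addr in trusted_proxies:
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def build_location_assertion(remote_addr, forwarded_for=None,
                             trusted_proxies=frozenset(), lifetime=timedelta(minutes=5)):
    """STS side: an unsigned SAML 1.1 assertion carrying country and region
    claims for the calling client.  A real STS signs this; it is left
    unsigned here to keep the example self-contained."""
    addr = client_address(remote_addr, forwarded_for, trusted_proxies)
    loc = resolve_location(addr)
    if loc is None:
        raise LookupError("no location known for %s" % addr)
    country, region = loc
    now = datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(SAML + "Assertion", {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "uuid-" + str(uuid.uuid4()),
        "Issuer": ISSUER, "IssueInstant": now.strftime(fmt),
    })
    ET.SubElement(assertion, SAML + "Conditions", {
        "NotBefore": now.strftime(fmt), "NotOnOrAfter": (now + lifetime).strftime(fmt)})
    stmt = ET.SubElement(assertion, SAML + "AttributeStatement")
    subject = ET.SubElement(stmt, SAML + "Subject")
    # A real card-backed token would put the card's PPID here (placeholder).
    ET.SubElement(subject, SAML + "NameIdentifier").text = "ppid-placeholder"
    for name, value in (("country", country), ("region", region)):
        attr = ET.SubElement(stmt, SAML + "Attribute",
                             {"AttributeName": name, "AttributeNamespace": CLAIM_NS})
        ET.SubElement(attr, SAML + "AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def extract_location_claims(assertion_xml):
    """RP side: pull the location claims out of the assertion.  In a real RP
    this runs only after the signature and the Conditions have been verified."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iter(SAML + "Attribute"):
        if attr.get("AttributeNamespace") != CLAIM_NS:
            continue  # ignore claims from other namespaces
        value = attr.find(SAML + "AttributeValue")
        claims[attr.get("AttributeName")] = value.text if value is not None else None
    return claims


if __name__ == "__main__":
    token = build_location_assertion("10.0.0.1", "203.0.113.7", trusted_proxies={"10.0.0.1"})
    print(extract_location_claims(token))  # {'country': 'de', 'region': 'Berlin'}
```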
Monday, May 18, 2009
The Internet Identity Workshop seems to inspire me to work more on the openinfocard selector again. I just uploaded a new version. Drag and Drop of Information Cards works again. You can open the sidebar using shift-alt-ctrl-i and then drag one of your cards to the main window (relying party).
The selector then opens and the dragged card is chosen. You just need to hit the "send" button or select some optional claims first.
You should look at the details of this particular relying party (http://pamelaproject.com/wptest091/). Pamela implemented the use of XRD/S for information cards for her wordpress plugin. If you add something like
<meta http-equiv="X-XRDS-Location" content="http://pamelaproject.com/wptest091/?xrds"/>
to your site and you use openinfocard then you can use Information Cards without the "object"-HTMLElement.
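To show what a selector has to do with that tag, here is an added illustration (not openinfocard code) that finds the X-XRDS-Location announcement and the object element fallback in a page, resolves the XRDS URL against the page URL and accepts only http/https results; the sample page is constructed, its XRDS URL is the one from the post above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# The object type Information Card relying parties use in the "object" element.
INFOCARD_OBJECT_TYPE = "application/x-informationcard"


class _RpHintParser(HTMLParser):
    """Collect X-XRDS-Location meta tags and Information Card object elements."""

    def __init__(self):
        super().__init__()
        self.xrds_locations = []
        self.has_infocard_object = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.xrds_locations.append(a.get("content", "").strip())
        elif tag == "object" and a.get("type", "").lower() == INFOCARD_OBJECT_TYPE:
            self.has_infocard_object = True


def discover_rp_hints(page_url, html):
    """Return {"xrds_url": str or None, "object_fallback": bool} for a page.

    The first usable X-XRDS-Location wins; its value is resolved against the
    page URL and only http/https results are accepted, so a tag pointing at
    e.g. a file: or javascript: URL is ignored instead of being fetched.
    """
    p = _RpHintParser()
    p.feed(html)
    xrds_url = None
    for loc in p.xrds_locations:
        candidate = urljoin(page_url, loc)
        if urlparse(candidate).scheme in ("http", "https"):
            xrds_url = candidate
            break
    return {"xrds_url": xrds_url, "object_fallback": p.has_infocard_object}


# Constructed sample page; the XRDS URL is the one from the post above.
SAMPLE_PAGE_URL = "http://pamelaproject.com/wptest091/"
SAMPLE_HTML = """<html><head>
<meta http-equiv="X-XRDS-Location" content="http://pamelaproject.com/wptest091/?xrds"/>
<title>test</title></head><body><p>no object element here</p></body></html>"""

if __name__ == "__main__":
    print(discover_rp_hints(SAMPLE_PAGE_URL, SAMPLE_HTML))
```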
Tuesday, May 05, 2009
Today at the European Identity Conference we had a workshop on forming a local chapter of the Information Card Foundation. We intend this to be a local chapter for Switzerland, Austria and Germany. We want to provide helpful information about Information Cards in the German language, we want to be a neutral body and an open organization, we want to organize and participate in events and workshops, we want to identify local requirements and local legislation related to Information Card Applications and we want to solve or to help solve challenges related to those local requirements and restrictions.
In our first workshop today we had many interesting presentations from very different companies and organizations. I won't repeat them here other than to note that probably all aspects of the Identity Metasystem were covered. That kind of surprised me, but it was a good surprise because it reminded me that there are more aspects to this than the projects I work on. I thought that my openinfocard project and the Cardspace4Firefox project cover the selector part, that my diverse work projects cover the consumer, enterprise and mobile device parts of the systems and the interoperability and standards aspects, and that this is most of the "world", but of course this is not true. I was reminded that there is even more to this already huge field. That is good.
Thursday, April 30, 2009
I just uploaded a new version of the openinfocard selector to http://code.google.com/p/openinfocard/downloads/list.
Please give it a try.
The changes are mainly internal but huge and important. After over a year of despair caused by several Java plugin2 hiccups and a lingering "stale reference to a java vm" error, I think that I have now improved the code so that development of new features makes much more sense than before. I had the feeling that SUN and Mozilla were pulling the ground away from under my feet, but now I think this period is over.
Some improvements are "visible" when you try the selector with "complicated" IdP's. I improved the metadata parsing through hefty use of E4X. The OSIS endpoints do not fall into this category but if you test this openinfocard version e.g. with a Geneva server you might see what I mean. We have set up Geneva servers in our lab and openinfocard immediately failed. I fixed this; although I am sure that there are WS-* variants that still cause the selector to flip.
BTW: By fixing some of these faults I "improved" the internal cardstore format. This causes old cardstores to become unusable. Sorry, please remove the cards from your current cardstore and reimport them. There is no automatic conversion...
Java 6u12 or newer is now a requirement. I have only tested it on Windows XP SP3 32bit, but I am quite confident that this selector runs everywhere Firefox 3 and Java 6 are available.
- code cleanup. Throw away now unused code.
- XRDS support for X-XRDS-Location meta tag (nearly ready)
- phone selector integration
Friday, April 24, 2009
Don't know when this started, but currently the Firefox user-agent string is polluted by a new addition "(.NET CLR 3.5.30729)".
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:22.214.171.124) Gecko/2009040821 Firefox/3.0.9 (.NET CLR 3.5.30729)
Maybe the new add-on "Microsoft .NET Framework Assistant" is to blame.
But although I disabled it, the user-agent string was not reverted to normal.
Who gave Microsoft the right to blurt about the fact that .NET3.5 is installed on my computer?! Well, others are not better: If the Azigo Selector is installed then it adds itself to the user-agent string too.
Maybe SUN should add the installed Java version and whether OpenOffice is installed, and Adobe the installed Acrobat Reader version and the Flash version, and Apple the Quicktime and iTunes version and ...
Wednesday, April 22, 2009
The book price as seen in the RSA conference bookstore today.
I am sure this has nothing to do with the current acquisition of OpenSSO by Oracle from SUN, or has it?!
Another book of probably only historical value:
contains everything about the past of identity management and authentication on Unix and Windows systems but nothing that is newer than, let's say, three years. What is that good for? A door stopper or a lesson in what does not scale and is inflexible?!
Tuesday, April 21, 2009
Please pardon the crude title of this post...
On Monday, April 20, 2009 the Kantara Initiative (the server is currently down...) was launched. Although I subscribe to the goals of the initiative, I still know too little to make a reasonable decision about it. My feeling is that it is too big. While it certainly helps to have an organisation, and most of the legal stuff (IPR, bylaws, etc.) is already handled for a new Kantara working group, e.g. openFOO/BAR/BAZ, I fear that the influence of the big companies might be unhealthy for openFOO. Sure, it helps to have support from experts in e.g. protocol design and standardization to make the openFOO protocol consistent, sound, complete, modular and extensible and everything a protocol or data format should be; but Liberty Alliance, Microsoft, IBM and the other big companies have a tendency to create complex beasts that the normal open source project can not tame.
If some enthusiasts come together, join forces to solve a problem and to make the Internet "suck less" then the outcome is sometimes simple, not modular, not extensible or whatnot but if it solves the problem, well...
A counter example: Yesterday I awoke at 1am (jet lag) and tried the openinfocard selector "against" an IdP that is based on Microsoft Geneva. I imported the Information Card that was issued by that server and boom: openinfocard could not handle it. So I fixed this small problem. (Although this fix will lead to a changed internal format of the openinfocard cardstore and will break existing cardstores. Hm. Sorry). Now I try to use the card and boom: the retrieved WS-Metadata is so complex that the openinfocard selector can not handle it. So I fixed this not so small problem and learned a lot about several of the friendly members of the WS-* family..., and about Mozilla's E4X implementation. This introduces a new level of complexity to the openinfocard code that surely will lead to trouble in the future.
What does this have to do with Kantara? Well, sure the designers of WS-* are not all members of Kantara but the Liberty Alliance Project has created similar complex specifications (This server is down too; in fact it turns out it is the same server 126.96.36.199).
Now consider you want to implement a cool program on a mobile phone and have to use these standards. Good luck with e.g. ID-WSF and e.g. kxml2. Doable, but this takes probably more than half an hour.
So I am sceptical about this for small, fast, just-do-it openFOO groups.
Monday, April 20, 2009
Living in interesting times... (still).
This raises many questions regarding e.g. mysql etc but most notably I am very curious what this means for opensso and SUN's access manager and ...
This merger will be a hot topic for the identity people here at RSA conference too, I am sure. Can't wait to hear what e.g. Uppili and Pat say.
Friday, April 17, 2009
Monday, April 06, 2009
I am sorry that xmldap.org is down.
Nulli Secundus, the former employer of Pamela Dingle, hosted xmldap.org until now. A big thank you for that.
Chuck and I have not found an alternative until now.
But I am an eternal optimist too ;-)
Today I tried a new social network, quillp, that claims to help to establish a new cosmos for me by knowing which of the books I have read I like or dislike.
They have a subservice that offers a list of books of people similar to me:
It seems I am special and not many readers are similar to me.
Or they don't have their database and algorithms straight.
Well, about every tenth click leads to a .NET error like: "table 0 not found".
What I do not like about Quillp: Somebody must explain oauth to them now!
Anyway: I subscribe to the mantra "publish early, publish often" too. And "if you're not embarrassed by your first version then you published too late".
Quillp has some work to do, but I like the idea and happily divulge my bookshelf to them, but not my password to other sites.
Wednesday, April 01, 2009
Mozilla labs just announced that they released version 0.3 of weave. I think Information Cards should be added to the weave cloud:
And maybe passwords should be stored as Information Cards to leverage THE SELECTOR's anti-phishing capabilities to protect username/password credentials.