Rohan Pinto

Posts

brit:

Most genius business card ever? I think so.

brit:

Looking for an awesome iPhone case but aren’t up to the DIY challenge? Check out KEES and design your very own totally unique case online!

soupsoup:

Reuters TV : Tech Tonic

Google Glass is not quite ready for prime time yet, what augmented reality apps are available today?

Got a story you think I should cover on Tech Tonic? Leave a message by reblogging this post or drop it in the notes below.

alternativecompass:

subway ad that speaks the truth. 

brit:

Ice Ice Baby: An obvious essential for the Brit kitchen. 

designerscomplex:

An Unwashed Vegetable can be a Deadly Weapon

austinstatesman:

Traffic around downtown is bad and getting worse, especially with people heading toward Auditorium Shores to catch the free SXSW show with The Shins.

Here’s a map of road closures.

mattsbrickgallery:

Still my favorite after 9,000+ posts.  It’s up there.

FREE GAS

-__-

ilovemu:

The World according to Egyptians

scottyiseri:

Wait, Lawrence Lessig is a kickboxer? 

This is the first year in a while I haven’t had to do any christmas themed media production…no Xmas Carols, no web series, no TBRS Holiday Spectaculars. But I still love the Creative Commons Christmas Carol from last year. 

Animator vs Animation

Bridal Slaves : A 21st Century Evil


Posts

November 17, 08:16 AM

It's quite hard to write goodbye blog posts or emails, and here I find myself embarking on such a task. It's always hard to say goodbye, but sometimes it needs to be said just to bring some closure.

It's been an extremely interesting ride for me at Sun over the last 9 years as a contractor and an employee. They say, 'once a Unix geek, always a Unix geek'. Well, for me it's slightly different: "once a Sun geek, always a Sun geek". The spirit lives on. It's easy to take a geek out of Sun, but it would be very hard to take the "Sun" outta a geek!

As I type this post with a rock on my chest, I also breathe a sigh of relief. A sigh of relief from the topsy-turvy ride we have all been on for a long, long time. I've lived through several RIFs and survived them all... And now I find myself making this bold move of moving out and onwards on my own.

I think it's time for me to take my destiny into my own hands and carve out my own future. It's high time I pursued my dreams, and I am moving on from here to pursue that dream.

I have had the opportunity to work alongside some of the industry's most brilliant, coolest and most fun folks, the opportunity to live and learn new technologies, the opportunity to work for a company that had a vision, a true vision! These moments will be cherished forever.

In the last several months I've been involved in some fascinating projects which span the healthcare, banking and telecommunications verticals. The lessons learnt have been simply wonderful (on both a technical and a personal note).

I am sure all our paths will cross again, and having said that, I'd prefer not to say goodbye but rather use a line from an old Bollywood favorite of mine, "DASVIDANIYA" (from the movie Mera Naam Joker), which means "Until We Meet Again".

Now, before any of you jump to any conclusions or concoct any conspiracy theories, the reasons for me moving on are quite simple. I am moving on to carve out my own future. I shall continue my participation on the advisory board of BastionHost. Apart from this, my primary day job will be quite different from what I've been used to all along. I'm finally switching gears from the telecommute role that I've been so used to over the years to working behind a desk and spearheading the development of SaaS-enabled infrastructures for the wealth management sector.

Sometimes in life one comes by opportunities that are rare, and if one does not act upon them, regret is all one is left with, and that is something I refuse to live with.

If you would like to continue being in touch, you can follow my ramblings on tumblr. I am always available through Facebook, LinkedIn and twitter. I can also be reached via email at rohan[@]rohanpinto[.]com.

Last but not least, I'm not gone yet! I will be continuing in my role at Sun until the end of the month. From now until then I'll be tying up loose ends and transitioning what I currently have on my plate to other folks on my team (and I hope to make the MOST of the time I spend with my colleagues during this time).

For all those folks in the Identity Practice... I will be hanging around this arena of technology for quite a while, folks, so stay strong, live large, and do keep in touch. You will find my continued participation on the OpenSSO and OpenDS aliases. I am not sure what's gonna happen to these product lines after the Oracle acquisition, but regardless of the outcome, let's keep the community going and continue contributing to the projects. I know "I will", I hope you will too...

This blog at Sun Microsystems will no longer be updated.

June 10, 11:27 AM

Writer: Anonymous

My mother used to ask me what the most important part of the body is.
Through the years I would take a guess at what I thought was the correct answer.

When I was younger, I thought sound was very important to us as humans, so I said, "My ears, Mommy."

She said, "No. Many people are deaf. But you keep thinking about it and I will ask you again soon."

Several years passed before she asked me again. Since making my first attempt, I had contemplated the correct answer.

So this time I told her, "Mommy, sight is very important to everybody, so it must be our eyes."

She looked at me and told me, "You are learning fast, but the answer is not correct because there are many people who are blind."

Stumped again, I continued my quest for knowledge and over the years, Mother asked me a couple more times and always her answer was, "No. But you are getting smarter every year, my child."

Then one year, my grandfather died. Everybody was hurt. Everybody was crying. Even my father cried. I remember that especially because it was only the second time I saw him cry.

My Mom looked at me when it was our turn to say our final good-bye to my Grandfather. She asked me, "Do you know the most important body part yet, my dear?" I was shocked when she asked me this now. I always thought this was a game between her and me.

She saw the confusion on my face and told me, "This question is very important. It shows that you have really lived in your life. For every body part you gave me in the past, I have told you that you were wrong and I have given you an example why.

But today is the day you need to learn this important lesson."

She looked down at me as only a mother can. I saw her eyes well up with tears. She said, "My dear, the most important body part is your shoulder."

I asked, "Is it because it holds up my head?"

She replied, "No, it is because it can hold the head of a friend or a loved one when they cry. Everybody needs a shoulder to cry on sometime in life, my dear. I only hope that you have enough love and friends that you will always have a shoulder to cry on when you need it."

Then and there I knew the most important body part is not a selfish one.

It is made for others and not for yourself. It is sympathetic to the pain of others.

People will forget what you said. People will forget what you did. But people will NEVER forget how you made them feel.

The origin of this letter is unknown, but it brings a blessing to everyone who passes it on. Good friends are like stars...You don't always see them, but you always know they are there.

I'll take this opportunity to thank you for being there for me whenever I needed you...THANKS A LOT...

January 18, 07:50 AM

In my effort to have a non-vendor-specific JavaCard reader application/applet, here's something else I discovered. Well, this may sound silly, but the smart card/JavaCard reader needs to either be built into your desktop/laptop or you need to use an external reader. You are free to buy a reader from any vendor, and in the process of doing so you would also receive the necessary PC/SC drivers from the vendor.

But to make life simpler, here's a small list of vendors that you may procure your smart card reader from.

  1. Schlumberger
  2. Gemplus
  3. SCM Microsystems
  4. Towitoko
  5. Omnikey
  6. Advanced Card Systems
  7. Athena Smartcard Systems
  8. Intertex IX
  9. Ankari (American Biometrics)
  10. Orga

There may be some of you who may not want to go through the process of buying a reader and a smart card but would still be interested in testing the applet/application without shelling out any moolah. Well, I have something for those folks too. I suggest you use the Smart Card Simulator. TSCS is a program for 32-bit Windows simulating a terminal and a smart card. Neither a smart card nor a smart card terminal is necessary. Just install the software on your PC and start working with smart cards. With this software you can see "into" the smart card, create files, send commands and receive the response from the smart card.

The Smart Card Simulator offers you a wide variety of possibilities to learn and work with a smart card. It can be used to understand and to learn the principles of a smart card, design and test a smart card application, calculate typical execution times etc.


January 17, 04:17 PM
Identity Management and Identity Federation have been the buzzwords in this space for a while now. According to the definition of "Federated Identity" on Wikipedia, it has two general meanings:
  • The virtual reunion, or assembled identity, of a person's user information (or principal), stored across multiple distinct identity management systems. Data is joined together by use of a common token, usually the user name.
  • The process of a user's authentication across multiple IT systems or even organisations.
Now, this is great when the legal entity has a unique "identity" on each of the disparate systems. But when a legal entity who has an identity on one system is given access to a partner site or system, no "federation" is possible if that legal entity has no identity on the partner site or system. I was involved in a brainstorming session related to Shibboleth with a few technical folks from a university. What came up was the need to allow students from one university to access resources at another university. The folks I was interacting with were "sold" on the idea of federation, but lacked a complete understanding of how federation really worked. Here were my concerns:
  • The user needs to have a unique identity on both systems.
  • The user needs to explicitly "federate" his identity (if he does have a unique identity on each system).
  • If the user's identity gets stolen, well, we have a much bigger issue.
(I thought) What the university really needed was implicit federation, whereby a user who has authenticated at one university, when given access to resources at another, is granted access even though the user does not have a unique identity at the other. Here's an example:
  1. University1 and University2 belong to a "defined" Circle of Trust.
  2. Student at University1 authenticates at University1.
  3. Student tries to access resources at University2.
  4. University2 requests University1 to assert the validity of the user's session.
  5. University1 asserts that the user is an authenticated user, but does not actually reveal the user's "handle" or "identity" in any form.
  6. University2 grants the user access just by knowing that the user is an "authenticated" user at University1, without even knowing who the user actually is. (University2 provides only generic content to the user.)
  7. User tries to personalize his "content", or University2 needs to provide the user "specific" content based on the role the student has at University1:
    • University2 would need to prompt the user for "permission" to derive his "role" from University1.
    • User grants permission by using a digital signature of some sort.
    • University2 uses that digital signature to request the user's roles from University1.
    • University1 verifies that the digital signature matches that of the authenticated user and grants University2 the user's roles and/or "identity/alias".
    • University2 provisions a local "identity/alias" and associates it with the "role" as asserted by University1.
  8. University2 can now allow the user to "personalize" content or provide the user content as necessary.
I believe that with this approach, even though a student has no "identity" on one system or university (University2 in the example I used), he/she still gets to experience the "magic" of "federation".

On second thought, if I apply this to the examples widely used in "federation", where an airline and a car rental company are in a circle of trust, well, I am sure that the car rental company would love to receive a new unidentified user from a "partner airline", dynamically provision the user and sell him a product!!! It's all about making money in the bargain, right? Or is it just about making the user experience more enjoyable and easy? I believe that we'd be kidding ourselves if we say that it's ONLY about "user experience". Now, the user providing his/her "digital signature" to the car rental company is another story altogether...

Comment away, please...

UPDATE: Pat Patterson has posted a response; see the link in the first comment/trackback below.
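
Here is the eight-step flow above as a small added simulation, written for this page rather than taken from Shibboleth, OpenSSO or anything the universities in question ran. HMAC-SHA256 over canonical JSON stands in for signed SAML assertions (the circle-of-trust key is shared by both universities), a per-user HMAC key held by University1 stands in for the user's "digital signature of some sort", and the pairwise alias (a salted hash of the username and the relying university) is my choice for what University1 hands over instead of a real handle. Every name, key and field below is an assumption.

```python
# Added simulation of the implicit-federation flow, not code from Shibboleth,
# OpenSSO or the post. HMAC-SHA256 stands in for signed SAML assertions and for
# the user's "digital signature"; keys, names and the alias scheme are assumptions.
import hashlib, hmac, json, secrets, time


def sign(key: bytes, payload: dict) -> str:
    """Canonical JSON plus an HMAC-SHA256 tag; the stand-in for an XML signature."""
    data = json.dumps(payload, sort_keys=True).encode()
    return json.dumps({"payload": payload, "mac": hmac.new(key, data, hashlib.sha256).hexdigest()})


def verify(key: bytes, token: str):
    """Payload if the tag matches and the token has not expired, else None."""
    obj = json.loads(token)
    data = json.dumps(obj["payload"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, data, hashlib.sha256).hexdigest(), obj["mac"]):
        return None
    return obj["payload"] if obj["payload"].get("exp", 0) > time.time() else None


class University1:
    """Identity provider: knows who the user is and never tells University2 directly."""

    def __init__(self):
        self.cot_key = secrets.token_bytes(32)      # circle-of-trust key shared with University2
        self.alias_salt = secrets.token_bytes(16)   # keeps the released alias pairwise
        self.users = {"alice": {"key": secrets.token_bytes(32), "roles": ["student", "cs-major"]}}
        self.sessions = {}                          # session id -> username
        self.refs = {}                              # opaque assertion reference -> session id

    def login(self, username: str) -> str:          # step 2
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def assert_session(self, sid: str, audience: str):
        """Step 5: 'this is an authenticated user', with no handle or identity."""
        if sid not in self.sessions:
            return None
        ref = secrets.token_hex(16)
        self.refs[ref] = sid
        return sign(self.cot_key, {"iss": "University1", "aud": audience, "authenticated": True,
                                    "ref": ref, "exp": int(time.time()) + 300})

    def release_roles(self, ref: str, consent: str):
        """Step 7d: verify the user's signed consent, then release roles under a pairwise alias."""
        sid = self.refs.get(ref)
        if sid is None:
            return None
        user = self.sessions[sid]
        c = verify(self.users[user]["key"], consent)
        if c is None or c.get("ref") != ref or c.get("aud") != "University2":
            return None
        alias = hashlib.sha256(self.alias_salt + b"University2|" + user.encode()).hexdigest()[:16]
        return sign(self.cot_key, {"ref": ref, "alias": alias, "roles": self.users[user]["roles"],
                                    "exp": int(time.time()) + 300})


class University2:
    """Service provider: has no account for the user until roles are released."""

    def __init__(self, idp: University1):
        self.idp, self.cot_key, self.accounts = idp, idp.cot_key, {}

    def access(self, assertion: str) -> str:
        """Step 6: generic content for any authenticated University1 user."""
        p = verify(self.cot_key, assertion)
        if p is None or p.get("aud") != "University2" or not p.get("authenticated"):
            return "denied"
        return "generic content"

    def personalize(self, assertion: str, consent: str) -> str:
        """Steps 7-8: fetch roles with the user's consent, provision a local alias, personalize."""
        p = verify(self.cot_key, assertion)
        if p is None or p.get("aud") != "University2":
            return "denied"
        release = self.idp.release_roles(p.get("ref"), consent)
        rel = verify(self.cot_key, release) if release else None
        if rel is None or rel.get("ref") != p.get("ref"):
            return "denied"
        self.accounts[rel["alias"]] = rel["roles"]  # step 7e: local identity/alias
        return f"content for {rel['alias']} with roles {','.join(rel['roles'])}"


def run_flow() -> dict:
    """Drive the exchange once and return what each side observed."""
    u1 = University1()
    u2 = University2(u1)
    sid = u1.login("alice")
    assertion = u1.assert_session(sid, "University2")
    ref = json.loads(assertion)["payload"]["ref"]
    # step 7b: the user signs consent; reading the key out of u1.users is a simulation shortcut
    consent = sign(u1.users["alice"]["key"], {"ref": ref, "aud": "University2",
                                              "scope": "roles", "exp": int(time.time()) + 60})
    forged = sign(secrets.token_bytes(32), json.loads(consent)["payload"])   # consent, wrong key
    bogus = sign(secrets.token_bytes(32), json.loads(assertion)["payload"])  # issuer outside the circle
    return {"assertion": assertion, "generic": u2.access(assertion), "bogus": u2.access(bogus),
            "personal": u2.personalize(assertion, consent), "forged": u2.personalize(assertion, forged)}
```

run_flow() shows the three properties the post cares about: the assertion University2 sees contains no username, generic content works with no account at all, and roles arrive only over a consent that University1 can check against the authenticated session. For the airline/car-rental case, note that the alias is pairwise: the car rental company cannot correlate it with whatever a third partner receives unless the identity provider chooses to reuse it.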
November 18, 09:28 AM

I'm not gonna write much on this, but let the existing articles out there speak for themselves.......

  1. Student shot with Taser by UCPD officers [ Link 1 ]
  2. Call for Probe of UCLA Muslim Student Taser Incident [ Link 2 ]
  3. A third incident, a new video [ Link 3 ]
  4. Please call UCLA about student being taser-ed  [ Link 4 ]
  5. UCLA Police repeatedly taser muslim student  [ Link 5 ]

Here's the YouTube video: (warning: this ain't very graphic, but the student's screams are horrifying)

Here's what the UCLA Police Department had to say about this incident. [ pdf Link ]

November 15, 01:50 AM

Immigrants arrested in the United States may be held indefinitely on suspicion of terrorism and may not challenge their imprisonment in civilian courts, the Bush administration said Monday, opening a new legal front in the fight over the rights of detainees.
source : AP

are we kidding !!! 

patrix has a nice writeup on this issue. So head on over to iPatrix for a read. 

November 14, 06:49 AM

Hi folks, I'm back to blogdom...

Yes, after moving away from b.s.c to my own WordPress-hosted service, which I really got to enjoy for a while, an OS reinstall on my server caused me to lose all data on the server: all blog posts and, more importantly, "valuable data". But however, like someone had told me before... shit happens, we gotta move on....

I've tried recovering my lost data, but was not successful in doing so, and have lost hope of being able to recover it...

I'm back blogging on b.s.c and hey!! there's not gonna be an OS reinstall here... so stay tuned... and please update your bookmarks...

note: I would be refraining from blogging about "certain" subject matters from here on forward....

Oh god... as if things weren't bad enough... yet another school shooting, this time at a one-room Amish school in rural Lancaster, Pennsylvania. Who in the world would have thought that an Amish school would fall victim to this ongoing violence? USA TODAY reported that 6 kids were dead. I just cannot understand what's going on with these school shootings increasing in number. The shooter was among the dead too, according to an AP report.

The shooter was among the dead, and a number of people were injured, said state police Cpl. Ralph Striebig.

“There are a number of people dead,” Striebig said. “The exact number I do not know yet.”

The county coroner said at least six people were killed in the shooting.

Police surrounded the one-room school late Monday morning, and the Lancaster County 911 website reported that dozens of emergency units were dispatched to a “medical emergency” at 10:45 a.m.

Two hours later, about three dozen people in traditional Amish clothing, hats and bonnets stood near the small school building speaking to one another and to authorities. At least two ambulances had left the scene, and at least one person was taken on a stretcher to a medical helicopter.


The Amish school is in Bart, in southeastern Lancaster County, about 60 miles (97 kilometers) west of Philadelphia. Amish children attend schools until 8th grade (according to the Pennsylvania Dutch Convention & Visitors Bureau’s Web page) There are about 25,000 Amish in Lancaster County (Raber’s 2004 Almanac).

In a rural Amish county with such a small population and children who go to school up to the 8th grade, I wonder who'd go so haywire as to go on such a rampage.

September 29, 03:59 PM

K. I admit, the 2.0 syndrome has hit me too. I have been watching all these 2.0 applications sprout up, and am taken up by it. I have seen numerous applications branded 2.0, and have seen social bookmarking sites like digg, netscape (my very own hac.kers.us), del.icio.us, wikipedia, community driven sites, blogs across multitudes of platforms, blog aggregators like planet identity, etc.

I wondered if all these social 2.0 sites really made any money. I then thought of starting an experiment… just to see what community involvement really meant. Is it just a bunch of folks who want to be heard, or folks who really involve themselves in the technology that they preach? Being in the identity space, I wanted to come up with a cocktail recipe that had a flavor of wikis, aggregation, tags, community commenting, the ability to modify anything, the ability to post anything. So I thought of putting up an RSS feed aggregator which enabled folks to not only submit their feeds, but also vote on them, archive them, publish them, comment on individual posts, tag the articles, etc… I used Pat's planetidentity OPML feed as a starting point, and here's what I came up with: The IDENTITY BlogReGator.

Here’s the thought behind it. planetidentity started off as an aggregator for IDENTITY-related blogs. But not every blog owner/blogger blogs about identity all the time; there are numerous posts about cats, dogs, bicycles, airplanes, war, terrorism, sausage and eggs, and even sex. So basically what we end up with is just another aggregator. I wondered how an aggregator could be set up to filter out the posts not related to the subject matter. Filtering on tags was one way, filtering on categories was another, but not everybody uses tags and categorizes their posts. I wanted to set up a community-driven aggregator, where the community itself would decide which posts from the aggregated feeds are relevant to the subject matter; the community would tag the posts, publish them, archive them and also edit them and comment on them. Basically this aggregator follows the OPEN DOORS policy where the community drives the content and its visibility without the hassle of submitting forms… no login, no authentication… (no InfoCard; well, if I am to accept any InfoCard presented, why should I accept any credential at all? I'm gonna let everybody in) the community itself administers the site.

here’s what you can do… check out the site, play around with the several features that I have embedded into it (I’m in the process of embedding more as time goes by), submit your own feeds if you’d like, publish other posts if you find them relevant, delete posts if you think they are stupid, comment on others posts, edit other comments, and posts… basically let yourself loose and do anything you’d like…

All I want out of this is to see how much this community that cares so much about identity, web2.0 and community driven sites really involve themselves. This is PoC 2.0.

I’m gonna let the results speak for themselves. No involvement means nobody really gives a damn. It’s all hogwash… small talk… If the involvement increases, well, I wonder what the point really is? That's something I would investigate and learn from later. And if folks simply launch a war by modifying the content of each other's feeds/posts, then we are at war, a 2.0 war, and if someone deletes everything from my site, that someone really hates me… show me some love folks, check out the site and let me know what you think of it.

here’s the URL to my PoC 2.0 again : IDENTITYGANG.COM -> make this your planetidentity. Pat can have his planet (just a joke pat, no offense. i’ve been told that you have a great sense of humor.)

April 11, 03:51 AM

With Debashish's help I am moving all posts from this blog on rollerweblogger to WordPress. I hopefully should complete this migration by this weekend. Once all the posts including comments are migrated over, I hope you will continue reading my new WordPress-hosted blog.

UPDATE: The reason for migrating the blog over is that I wish to enable Yadis/LID/OpenID/sxore and InfoCard (PHP & Java) authentication on the blog, and it's not possible with a hosted service. So that was my only reason.

April 10, 01:11 PM

AH!!! Hellooo world. Java-based InfoCards are taking over... Here's yet another Java-based InfoCard relying party demo. This time it's Ashish Jain's implementation. Ashish works for Ping Identity and is also the co-author of J2EE 1.4 Bible & Enterprise SOA (I bet you didn't need that introduction, as you would have known that already).

His demo is available on Ping Identity's Jetty-based demo server. His implementation, however, does not use BouncyCastle or XOM but is again a Java-based RP developed from scratch using XMLBeans and XMLSEC.

It sure is a chweeth Object Oriented world aint it ??

UPDATE : There's one thing for sure that infocard and WS-\* is helping me with. IE: Making new connections and a LOT of new friends.

April 10, 08:11 AM

According to this news report, Red Hat announced that it has entered into a definitive agreement to acquire JBoss Inc. The acquisition had been speculated about for a while, but now I believe it's time to stop speculating, as it's official. Reuters reported the deal to be worth an initial $350 million.
WOW !!
Red Hat also said that they would pay another $70 Million if performance metrics were met.

Sweeet deal aye ?

Looks like the times of acquisitions and mergers are back... the dot-com boom was really a "proof of concept"... and everybody seems to be capitalizing on it now.

I wonder what's gonna happen to JBoss's user base, who are using it especially because it's "open source". Or maybe another Fedora app server would be out soon... just so that it stays open source.

UPDATE : Links to Market Rumble on this topic available here...

Here's a free expo pass a $50 value to INTEROP 2006 Las Vegas, the premier IT event where business and technology converge. After downloading the pass you can register today at: www.interop.com/smart or bring the pass and register onsite at the event.
Priority Code: MLGHNLAW
IMPORTANT: When registering online, enter the Priority Code (MLGHNLAW) in step one of the registration process to receive a FREE Expo Pass

Learn more about this event at www.interop.com.


Attend the Security Conference to gain insight into the key technology and business topics associated with securing an information infrastructure. Learn to identify, understand and measure threats and risks in order to properly design and deploy people, process, tools and technologies. Gain tips for presenting security in a business context where the business implications they represent are clearly understood.

My laptop started behaving weird today. Every time I restart it I get an error window popup with the word "smoni" in the title and the message "ReceiveDatagram error # 10054". A screenshot of the error message is below:


Does anybody have any idea what this could possibly be from? I'm clueless... I'd appreciate any help I can get to eliminate this error window from popping up on every reboot...

Well, I do not wanna say that I buy the concept of user-controlled identities in its "entirety", but I'd like to say that I am trying pretty hard to buy into the "concept". Amartya Sen, the co-author of "Identity and Violence", says that the "freedom to choose one's identity affiliations is the antidote to divisive extremism".

Well. I'd not hesitate to do my part in playing a role to eliminate divisive extremism. And just to add to that I'm buying Kim's concept.. slowly.. very very very very slowly...

However, while on the "identity" subject, like the "rest of the world"... I too have a question for Kim. What's with this symmetric proof key in the SAML assertion? Like me, I bet there are several, several folks out there who are awaiting an answer... Kim, please... could you? PLEASE...

A few folks have been having issues using self-signed server certificates to invoke the Identity Selector WinFX component. Here's a short walkthrough on how to use a self-signed certificate and save a few $$$ from having to buy a certificate from a trusted authority.

The key is to sign the certificate with the sha1rsa signature algorithm (-sha1) instead of OpenSSL's default, which was md5rsa at the time. (A caveat for anyone reading this later: 1024-bit RSA and SHA-1 are both considered too weak today, so outside this specific WinFX CTP compatibility case generate at least a 2048-bit key and sign with -sha256.)

Generate a key without a passphrase (so the web server can start unattended) and a self-signed certificate from it:

openssl genrsa -out server.key 1024
openssl req -new -x509 -days 365 -sha1 -key server.key -out server.crt

Then copy server.key and server.crt to your web server's config directory:
cp server.key /etc/httpd/conf/ssl.key/
cp server.crt /etc/httpd/conf/ssl.crt/

Change file access permissions so only root can read the private key:
chmod go-rwx /etc/httpd/conf/ssl.key/server.key

Do not run the distribution's make testcert target afterwards: it regenerates server.crt from server.key with OpenSSL's default digest and would undo the -sha1 choice above.

Create a server.pem file by concatenating the server.key and server.crt files (it contains the private key, so lock it down the same way):
cat /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt > /etc/httpd/conf/server.pem
chmod go-rwx /etc/httpd/conf/server.pem

Restart your web server.

Your self-signed certificate should now invoke the identity selector without any issues...

NOTE: Remember folks, if you're learning anything at all from all of us who are blogging our experiences and processes about getting InfoCard to work on all these various platforms and scenarios, PLEASE "pay it forward".
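
An added check to go with the walkthrough above (my code, not the post's): a standard-library-only Python routine that reads the signature algorithm out of server.crt, so you can confirm the certificate really says sha1WithRSAEncryption (or sha256WithRSAEncryption, if you followed the caveat) rather than md5WithRSAEncryption. The command-line equivalent is `openssl x509 -in server.crt -noout -text`, which prints a Signature Algorithm line; the code is for when the check belongs in a deployment script. It also confirms that the inner tbsCertificate.signature field matches the outer signatureAlgorithm, which RFC 5280 requires. The sample certificates it builds for itself are skeletons with only the fields the parser reads, not valid certificates.

```python
# Added example (not the post's code): pull the signature algorithm out of an
# X.509 certificate with a minimal DER walk, PEM or DER input. The constructed
# sample certificates below are skeletons (no names, validity or key) built
# only to exercise the parser offline.
import base64

SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Turn the base-128 OID encoding back into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                              # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def algorithm_name(alg_id: bytes) -> str:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)


def load_der(data: bytes) -> bytes:
    """Accept either PEM (-----BEGIN CERTIFICATE-----) or raw DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = [ln for ln in data.splitlines() if ln and not ln.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return data


def signature_algorithms(cert: bytes):
    """Return (tbsCertificate.signature, Certificate.signatureAlgorithm) as names."""
    _, body, _ = read_tlv(load_der(cert), 0)          # Certificate SEQUENCE
    _, tbs, pos = read_tlv(body, 0)                   # tbsCertificate
    _, outer_alg, _ = read_tlv(body, pos)             # signatureAlgorithm
    tag, _, pos = read_tlv(tbs, 0)                    # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)                # serialNumber follows the version
    _, inner_alg, _ = read_tlv(tbs, pos)              # signature; RFC 5280 says it must match
    return algorithm_name(inner_alg), algorithm_name(outer_alg)


def check_cert(cert: bytes, allow_sha1: bool = True):
    """(ok, reason): reject md5, mismatched inner/outer algorithms, and sha1 unless allowed."""
    inner, outer = signature_algorithms(cert)
    if inner != outer:
        return False, f"tbsCertificate.signature {inner} != signatureAlgorithm {outer}"
    if inner == "md5WithRSAEncryption" or (inner == "sha1WithRSAEncryption" and not allow_sha1):
        return False, f"weak signature algorithm {inner}"
    return True, inner


# --- constructed sample input: a certificate skeleton with only the fields parsed above ---
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER element with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        while a > 0x7F:                               # prepend continuation bytes, high bit set
            a >>= 7
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
        body += chunk
    return der(0x06, body)


def build_sample_cert(tbs_oid: str, outer_oid: str) -> bytes:
    """Skeleton Certificate (not valid: no names or key); signatureValue is placeholder zeros."""
    alg = lambda oid: der(0x30, der_oid(oid) + b"\x05\x00")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg(tbs_oid))
    return der(0x30, tbs + alg(outer_oid) + der(0x03, b"\x00" * 5))


def to_pem(der_bytes: bytes) -> bytes:
    b64 = base64.b64encode(der_bytes)
    wrapped = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + wrapped + b"\n-----END CERTIFICATE-----\n"
```

On a real file, `check_cert(open("/etc/httpd/conf/ssl.crt/server.crt", "rb").read())` returns `(True, "sha1WithRSAEncryption")` for a certificate made with the commands above, and `(False, "weak signature algorithm md5WithRSAEncryption")` for one made with the old default; pass `allow_sha1=False` to apply today's policy.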

A must read : via Pat's blog :

From fellow Libertyite, Paul Madsen, comes this amusing take on user-centric identity. Many a true word spoken in jest!
Give it a read. The time spent would be well worth it.

Happy Monday.

I was chatting with a friend recently about "successful marketing strategies", and I was told that one of the most successful ones had been the McDonald's Happy Meal. Yes, true, the Happy Meal really is one of the best. And then I thought... "InfoCard"... is this a "strategy" that Microsoft had?

But InfoCard will only succeed if there are innovative people like you who are willing to take the time to build interesting relying parties and identity providers.

Microsoft is known for its marketing strategies. They succeeded in making "Windows" the de facto standard for desktops. I really don't care how they did it, but the bottom line is that they did it!! Well, I then remembered that "InfoCard" can be only as successful as its adoption.

Well, Here's what I think. (my perception)
Microsoft has generated so much interest and buzz in the marketspace with the "Laws of Identity", The "Identity Metasystem" and "infocard" that everybody wanted to know what it was and how to use it. I was one of them....

Microsoft didn't want to make "InfoCard" implementation an "insert CD..., click next... (a few times), and then click finish..." procedure. They wanted folks to adopt it. They also wanted the "community" to show that they could do it on their own with Java, PHP, etc... Basically they showed us a "carrot" and made us run for it... Once the "community" showed that they could easily do it, it would make everybody believe that implementing it is not a complex task. It's not expensive and it's doable. Well, they sure succeeded at that.

PS: Kim, if that was the strategy, Hats off to you. You did it !!!(extremely well planned). Now you know why I idolize you.

Your Thoughts ?

After several emails, I thought that it would be best to point folks to a direct download of IE7 build 7.0.5296.0 (the version that works). So folks, please stop emailing me for this version. Simply download it from radpishare.de. If you send me emails, please do not be surprised when I reply with a link to this blog post.

As far as the WinFX components go, download whatever is available from Microsoft's website. It will work.

And as far as the PHP and Java code release goes (for both the RP and the InfoCard creator)... Patience, my dear Watson, patience... We've all waited so long for the right folks to release their code... So bear with me/us and have a little more patience.

BTW: This InfoCard crypto stuff is just cool. The ciphers and the methods to encrypt/decrypt the tokens are smooth... However, Robin Wilton (racingsnake) had a very good question, and I'm awaiting Kim's response... I hope he does.

Chuck Mortimore, has posted the exact steps required to "consume" infocards on his blog (xmldap). I'm not gonna steal the spotlight from him. He deserves more credit for this than anybody else. This is a cross post from Chuck's blog.

Chuck writes:

To get started, you need to get your hands on the XML Token. This should be pretty simple, as your web framework will generally hand back parameters already URL decoded.

Once you’ve got the token, you’ll need to decrypt the token. The token is transmitted as encrypted XML.

Head On Over to Chuck's Blog to see what the xmlToken would look like
OR look at my previous post on what it looks like. Chuck's Post is "complete". Mine's truncated..

Basically what you have here is an ephemeral symmetric encryption key, which has itself been encrypted with the Public Key of the SSL Cert for the website InfoCard is interacting with. As you can see from the metadata provided in the KeyInfo fragment, the key is encrypted using RSA with OAEP encoding and SHA1, using the certificate identified in the SecurityTokenReference with the provided fingerprint (the fingerprint is a SHA1 hash of the cert bytes)

Your first job is to decrypt that encryption key. Step one : remove the Base64 encoding. Step 2 : you need to write a function which takes the private key for the cert referenced by the fingerprint, along with the data as input, and decrypts in this manner RSA-OAEP

Once you’ve successfully decrypted the key ( it should be 256 bits), you can use it to decrypt the token. As you can see in the XML, you need to use AES with a ChainedBlockCipher. Decrypt the token (Don’t forget to strip the initialization vectors...thanks Gary).

Head On Over to Chuck's Blog to see what the decrypted token would look like

The next step would be to quickly check the validity period on this Assertion to make sure it’s still fresh. You might also want to check the AssertionID against a table of previously seen assertions to prevent replay...depends on your level of paranoia.

On to signature validation...you should follow the steps outlined in XML-DSIG, but to paraphrase, check the digest of the canonicalized assertion against the digest in the SignedInfo block, and then validate the signature of the canonicalized SignedInfo using a PublicKey constructed from the provided KeyInfo.

Now, what’s bugging me is the use for the Symmetric Proof key provided in the Subject of the Assertion. Super Pat and I discussed this for awhile, and since it’s not used immediately in this protocol exchange, our best guess is that it’s used in subsequent interactions with the service, although I must admit the InfoCard docs are a little fuzzy on this subject. If anyone can fill me in, I’d appreciate it!

Finally, if your signature validation worked, extract the claims, enforce any policy you’d like, create a session, set a cookie, etc...
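Here is how the steps Chuck describes look in plain JDK crypto. This is an added example of mine, not Chuck's xmldap code: it unwraps the ephemeral key with RSA-OAEP (SHA-1/MGF1, as named in the token's KeyInfo), strips the leading IV and AES-CBC decrypts the assertion, checks the validity window with a little clock-skew allowance, and keeps a table of seen AssertionIDs to catch replays. So that it runs offline, it also plays the Identity Selector's side with a throwaway RSA key pair and a constructed dummy assertion string; a real RP would use the private key of the SSL cert whose fingerprint appears in the SecurityTokenReference. Java 8+ (java.util.Base64, java.time).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** RP-side handling of the two CipherValue elements in an InfoCard xmlToken (JDK crypto only). */
public final class InfoCardTokenDecryptor {
    // Algorithms as named in the token: RSA-OAEP with SHA-1 (MGF1) for the EncryptedKey, AES-256-CBC for the
    // EncryptedData. ISO10126 padding is what XML Encryption's padding rule maps to in the JCE.
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
    static final String AES_CBC  = "AES/CBC/ISO10126Padding";

    /** Step 1: base64-decode the EncryptedKey CipherValue and unwrap it with the RP's SSL private key. */
    public static byte[] unwrapSessionKey(PrivateKey rpKey, String encryptedKeyB64) throws GeneralSecurityException {
        byte[] wrapped = Base64.getMimeDecoder().decode(encryptedKeyB64); // MIME decoder tolerates XML line breaks
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.DECRYPT_MODE, rpKey);
        byte[] key = rsa.doFinal(wrapped);
        if (key.length != 32) { // the selector sends a 256-bit key; anything else means the wrong cert or a bad token
            throw new GeneralSecurityException("expected 256-bit AES key, got " + (key.length * 8) + " bits");
        }
        return key;
    }

    /** Step 2: the EncryptedData CipherValue is IV || ciphertext; strip the 16-byte IV, then AES-CBC decrypt. */
    public static String decryptAssertion(byte[] sessionKey, String cipherValueB64) throws GeneralSecurityException {
        byte[] blob = Base64.getMimeDecoder().decode(cipherValueB64);
        if (blob.length < 32 || blob.length % 16 != 0) {
            throw new GeneralSecurityException("ciphertext is not an IV followed by whole AES blocks");
        }
        IvParameterSpec iv = new IvParameterSpec(Arrays.copyOfRange(blob, 0, 16));
        byte[] ct = Arrays.copyOfRange(blob, 16, blob.length);
        Cipher aes = Cipher.getInstance(AES_CBC);
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(sessionKey, "AES"), iv);
        return new String(aes.doFinal(ct), StandardCharsets.UTF_8);
    }

    /** Step 3: freshness. Conditions/@NotBefore and @NotOnOrAfter, with a small allowance for clock skew. */
    public static boolean isFresh(Instant notBefore, Instant notOnOrAfter, Instant now, Duration skew) {
        return !now.plus(skew).isBefore(notBefore) && now.minus(skew).isBefore(notOnOrAfter);
    }

    /** Step 4: replay. Remember each AssertionID until its NotOnOrAfter has passed; a second use is rejected. */
    private static final Map<String, Instant> seen = new ConcurrentHashMap<>();
    public static boolean firstUse(String assertionId, Instant notOnOrAfter, Instant now) {
        seen.values().removeIf(expiry -> !expiry.isAfter(now)); // prune entries that can no longer be replayed
        return seen.putIfAbsent(assertionId, notOnOrAfter) == null;
    }

    // --- Demo only: play the Identity Selector's side so the round trip can be run offline ---
    static String[] encryptLikeSelector(PublicKey rpCert, String assertionXml) throws GeneralSecurityException {
        SecureRandom rnd = new SecureRandom();
        byte[] key = new byte[32]; rnd.nextBytes(key);   // ephemeral AES-256 key
        byte[] iv = new byte[16];  rnd.nextBytes(iv);
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.ENCRYPT_MODE, rpCert);
        Cipher aes = Cipher.getInstance(AES_CBC);
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] ct = aes.doFinal(assertionXml.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[16 + ct.length];
        System.arraycopy(iv, 0, blob, 0, 16);            // IV prepended, as XML Encryption puts it on the wire
        System.arraycopy(ct, 0, blob, 16, ct.length);
        return new String[] { Base64.getEncoder().encodeToString(rsa.doFinal(key)),
                              Base64.getEncoder().encodeToString(blob) };
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair rp = gen.generateKeyPair();              // stands in for the RP's SSL certificate key pair
        String assertion = "<saml:Assertion AssertionID=\"uuid-demo-1\">...</saml:Assertion>"; // constructed sample
        String[] token = encryptLikeSelector(rp.getPublic(), assertion);

        byte[] sessionKey = unwrapSessionKey(rp.getPrivate(), token[0]);
        String plaintext = decryptAssertion(sessionKey, token[1]);
        Instant now = Instant.now();
        boolean fresh  = isFresh(now.minusSeconds(60), now.plusSeconds(240), now, Duration.ofSeconds(30));
        boolean first  = firstUse("uuid-demo-1", now.plusSeconds(240), now);
        boolean replay = firstUse("uuid-demo-1", now.plusSeconds(240), now);
        System.out.println("decrypted ok: " + plaintext.equals(assertion) + ", fresh: " + fresh
            + ", first use: " + first + ", replay accepted: " + replay);
    }
}
```

Signature validation is deliberately left out of the block; javax.xml.crypto.dsig does it. One caveat worth adding to Chuck's description: a signature that verifies under the key carried in the token's own KeyInfo only proves the token is self-consistent. The RP still has to decide, out of band, whether that key belongs to an issuer it trusts, otherwise anyone can mint a "valid" token with a key of their choosing.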

Chuck has also reverse-engineered the infocard token creation and has published a tool that can create a token for you on his demo servers.

Now since the "infocard walled garden" has been made not so mystical, here are my thoughts.

The OBJECT tag required to invoke the Identity Selector is a cool tool, but on the RP side the RP is just a listener that receives tokens "pushed" to it. One does not really need the InformationCardSignInHelper (i.e. icardie.dll for IE7) to invoke the Identity Selector (WinFX CTP). One can easily write a tool that creates these tokens using random data and start pushing these tokens to RPs. I see this as an extremely simple way to set up a DoS attack.

  • So are infocards really "secure"?
  • Would they make the common man's life easier?
  • Would they make RP's more vulnerable to DoS attacks?

Like I said earlier, I am having an extremely hard time trying to digest the First Law from the "Laws Of Identity". For some reason I tend to lean strongly towards not being able to digest "user control". Hopefully over time, I shall grow out of it and be able to digest the theory.

SO: Higgins folks have a base to work off of for their open source version of "infocard-whatever" (not that they needed it). And I'd like to see if folks credit Chuck for HIS hard work.

March 30, 06:15 AM

Nothing special here. This is what the xmlToken that the Identity Selector sends across to a Relying Party looks like.


more soon...
March 29, 02:46 PM

Chuck Mortimore has just deployed the world's first Java-based Infocard Relying Party app. I'm following up soon with a PHP-based Relying Party app... (Chuck beat me to it, even though we've been constantly communicating and collaborating. Guess Chuck's had the advantage of time... But we played tag-team and managed to get it to work !!!) Getting Java to work was easy; PHP seems to be a bit harder with decoding and parsing encoded XML. I always thought that PHP was easier, but was proven wrong this time... I'm trying to do exactly the same thing in PHP as the Java code and all I get is garbage. There must be something different in the urldecode / base64_decode functions in PHP and the way in which it handles "special characters".

HOWEVER: Chuck's the one who deserves 100% credit for deploying it first.

Kim, Please publish your code... not the relying party provider (RP) code, We got that already.. We would like to see the WinFx Identity Invoker Code... (please... please... please... please... please...)

For those who appreciate HARD WORK. Take a moment to toast Chuck. Infinite cheers Chuck !!! You ROCK !!!

Open Source rocks !!!..... Kim.. break down those walls. Let East Meet West. Let infocard be really "open". Please do not restrict us to work within those "infocard walled gardens"... please let us open up channels to securing the identity space. & ah !! in-ter-oh-por-ate !!

PS: When I say "us".. I mean "we the people", @the "open source community"....

Next Stop: How to Federate your "infocard" authentication token.

March 28, 09:20 AM

LOL... had some time to kill..... and so I made a few images that you could use as your infocard image to help you identify the different infocards you create and distinguish between them instead of relying on the infocard super-imposed name.


And here's John Doe's Infocard. Use the password "password" to import the infocard.
This distribution of John Doe's infocard could probably make John Doe a "celebrity" again.

Remember to save John Doe's infocard with the extension .crds

I know that most of the sites that would accept this card would also have a "confirm registration" email sent out. Well, I shall soon do something to address that too. The email address registered on this card is john.doe.infocard-AT-gmail-DOT-com. So, what I shall also do is set up a gmail forward to forward all emails to a_secret_email_address@blogger.com, and then set up a blog to publish all those emails received. Well, then I could probably write a javascript or any utility to auto-click & confirm all URLs in the posts, or to parse the contents of emails received and do an HTTPrequest.get() on all URLs that the blogpost contains. But since that would take some effort, and is not something I am too keen on doing anyway, and also since I currently do not have too much stale time on my hands, I shall do that only if I see the card being used... or I may also decide against it and keep this as "insider" info

Guess I would be wasting too much time on this. so the idea is now officially canned.
ROTFL.

NOTE : This is in no way an attempt to initiate a world-wide attempt to present John Doe's infocard as a mechanism to break all web services/applications that may someday accept infocard as their auth medium. I received a few emails and phone calls to clarify the intent here..
So here's a public post of the intent. If you see that this can be used as a way in which tens of thousands of folks use a "common" credential (with User Control and Consent) to authenticate, and even deceive the "registration confirmation" system into accepting the credential, then I hope you see the big picture. These AuthN mediums are not for a person-to-person authentication system but for an "automated" system. I see this as a means by which hackers have a platform to authenticate into systems, initiate a new breed of DoS attacks, hijack identities, & misuse the system. Please see this not as an attempt to "attack" but as an attempt to show you that there can be several ways in which a system's stability can be compromised using extremely simple means. It does not require a rocket scientist to do such tasks. & mind you there are several folks "out there" who do this just for the kicks. So when you folks read about infocard and its capabilities in all its basking glory, please remember not to tie yourselves down to an "infocard walled garden" and think outside of the BOX.
As "WE" work on securing the system/'s even more, the "outsiders" would always find innovative ways of breaking it. Therefore "WE" need to work as a "TEAM" and CO-LAB-OH-RATE!!
Please... Lets not work on "proprietorizing" IDENTITY. We got to have a solution that the industry sees as something that is SECURE, OPEN & more importantly INTER-OPERABLE. Remember it takes 2 to tango.
March 27, 11:44 AM

Rick Ross writes:

Not only does it matter greatly "who" the speaker of a statement is, it also matters when, where, how and to whom they are saying it. All of these factors give us context which guides our interpretation at deeply significant levels. I cannot imagine how anyone could suggest that it doesn't matter who the speaker of a statement is, but rather that the only important thing is the words and ideas? The good-hearted drive to feel like Internet egalitarians seems to have eclipsed fundamental judgement.
Just look at the following. The very same words would have different levels of credibility and importance depending on which of the following people was speaking them. This same function is always at work in all human speech, whether in person, on television, or here in the blogging world. I hope nobody will continue to suggest that it makes no difference who is making a statement. It's crystal clear that it does.

Read Rick's entire post @ .....


I'm Trying To Think, But Nuthin' Happens!


Nice one, Ross. I just couldn't think of anything more innovative than that !!! That was a masterpiece of a post. I loved it, & thought that it was worth cross-posting. I do not have much to add, or rather, do not want to add anything more, as your post is just simply HILARIOUSLY "COMPLETE".
March 27, 04:25 AM

UPDATE : Build 5299 did not work. I'm now hunting for Build 5296. Because the Build that works on my desktop is Build 5296. If anybody has a downloaded copy of Build 5296. Please please let me have a copy.....
OK. OK..... I've tried and tried and the March 20th release of IE7 just does not work (Kim had pre-warned me/us about it, but I just didn't heed his advice). The ONLY IE7 release that works with infocards is BUILD 5299 (for now). Now I had a desktop with Build 5299 installed, but unfortunately I had not saved a copy of it. I just finished rebuilding my virtual infocard test environment and was having an extremely hard time trying to download IE7 Build 5299. I desperately wanted Build 5299 for testing purposes. I am aware of all the security flaws that come along with it, but I just don't care about them for now. All I wanted is a browser that worked with infocards. So after much effort, I did find an IE7 Build 5299 download on rapidshare. So in case you would like to use IE7 Build 5299, here are the download links.
  1. IE 7 build 5299 (link 1)
  2. IE 7 build 5299 (link 2)
  3. IE 7 build 5299 (link 3)
WARNING: USE AT YOUR OWN RISK Also read the whole list of ie7 security flaws & vulnerabilities prior to proceeding.

March 26, 06:30 AM

This "night graveyard-shift" infocard project of mine is working out to be an expensive affair for me, in $$ terms. I travel around so much (every Mon-Fri) that in order to work on it at nights, I needed to have WinXP with SP2 and IE7 on it. There's no way I would risk putting my endeared Ferrari through the BSoD (Blue Screen of Death) trauma. Well, there was no way for me to carry all my desktops around when I travel. So VMware came to the rescue.

My VMWare Workstation costs US$199, and then another WinXP Pro license was another US$299. And another CD$100 for bribing my wife with a L'Occitane gift pack to entice her to let me spend this money. Whew!!.

I hope this expense pays off in terms of learning. I believe that there can be no cost factor associated with learning. And hope & pray that this pays off in the long run.

Now I have a "infocard" ready system in addition to a development environment, and a webserver with me all the time. Hopefully in the coming weeks, (with my new set of ammunition), I should be able to blog more on my discoveries...

So stay tuned...

March 25, 02:36 AM

There had been a few rumors floating around about google distributing an online word processor and that they probably would use openoffice. Well, I was also pretty excited to hear the rumors. But unfortunately, as all rumors end up, this rumor has also ended up in the bin. This article in eWeek on "Rumors of Sun-Google Hosted Desktop Suite Quashed" dampened my hopes. Sometimes I wonder why I was hoping for it. I had nothing to gain from it personally, but however I guess it's the whole employer/employee relationship that creates such a strong bond over a period of time, that we assume that anything good for the company is good for us.

Well, besides my personal dampened hopes, the news is that google just acquired writely, which is an online word processor as "THEY" call it. But is it really ?? According to this FAQ on writely, it's just a plain simple online HTML editor. Well, I see it as a rich form editor and not a word processor. Rich form editors are in abundance on the web. One of my favorites is Rich Editor

It's interesting to see what google has planned for a non-beta writely release.. MSFT has Office Live. This MSFT-GOOG war is gonna be an interesting one to watch...

March 24, 02:51 AM

What's up with planetsun ?? The domain seems to have expired... However Planet Sun can still be accessed via blogs.sun.com/roller/planet.do. Did we ever own that domain ? or was it owned by somebody else altogether and just happened to have the "sun" name associated with it ? or was this a sun thing ? I'm so confused...

UPDATE : It looks like David Edmondson owns the domain. So here's a note. David, could you please renew the domain? I believe that a whole bunch of folks have it bookmarked, and some "squatter" is gonna take over soon... and put all those who have bookmarked it through some painful surprises when the expected does not appear.

In case you are not interested in renewing it, transfer it over to me, and I'll keep it alive forever.. I'm also sure that Pat would be also willing to take over the tab.... He currently runs planetidentity.

March 24, 01:46 AM

An FYI reminder & a cross-post from superpatterns. The reason I'm cross-posting this is because I believe that this is something important and something that everybody should participate in, as the info that this webcast would provide you would prove extremely valuable.

There's a lot of buzz around 'user-centric identity' right now: the notion of involving users in the management of their personal information and its use, rather than leaving it to some enterprise or other organization. The folks at the Liberty Alliance have written a whitepaper entitled 'Personal Identity' that shows how Liberty's Identity Federation Framework (ID-FF) and its successor SAML 2.0 can be used to implement user-centric identity, for example a user providing their own identity services via a Liberty-enabled device such as a cellphone. It's a good read. It starts from the basics, so you should be able to follow it even if you're new to Liberty and SAML.

On the same topic, John Kemp of Nokia and my esteemed colleague Hubert Le Van Gong will be presenting a webcast on April 12 2006 at 8am Pacific. PLEASE NOTE: Registration is required and limited to the first 100 respondents! The last webcast on the Liberty People Service 'sold out' very quickly, so get in there straight away if you're interested. If you're too late, don't despair - the webcast will be available in archive form after the event. I'll update this entry with the URL once it's online.

To register for the webcast, follow these steps.

  1. Go to http://projectliberty.webex.com
  2. Under the heading Attend a Meeting, click Register
  3. Search for centric
  4. Select User Centric Identity: Success Today and click on the Register Button. (Don't bother clicking on the link - it doesn't lead anywhere useful!)
  5. Fill out the required information and click Register Now at the bottom of the page.
Please email Tricia DeHart of the Liberty Alliance Project with any questions.


November 17, 08:17 AM

It's quite hard to write goodbye blog posts or emails, and here I find myself embarking on such a task. It's always hard to say goodbye, but sometimes it needs to be said just to bring some closure.

It's been an extremely interesting ride for me at Sun over the last 9 years as a contractor and an employee. They say, 'once a unix geek, always a unix geek'. Well, for me it's kinda slightly different, it's "once a sun geek, always a sun geek". The spirit lives on. It's easy to take a geek out of sun, but it would be very hard to take the "sun" outta a geek !

As I type this post with a rock on my chest, I also breathe a sigh of relief. A sigh of relief from the topsy-turvy ride we have all been on for a long long time. I've lived through several RIF's and survived them all... And now I find myself making this bold move of moving out and onwards on my own.

I think it's time for me to take my destiny into my own hands, and carve out my own future. It's high time I pursue my dreams, and am moving on from here to pursue that dream.

I've had the opportunity to work alongside some of the industry's most brilliant, coolest and fun'est folks, the opportunity to live and learn new technologies, the opportunity to work for a company that had a vision, a true vision ! These moments will be cherished forever.

In the last several months I've been involved in some fascinating projects which span the healthcare, banking and telecommunications verticals. The lessons learnt have been simply wonderful (both on a technical and a personal note).

I am sure all our paths would cross again, and having said that I'd prefer to not say goodbye but rather use a line from an old Bollywood favorite of mine "DASVIDANIYA" (from the movie Mera Naam Joker), which means "Until We Meet Again".

Now, before any of you jump to any conclusions or concoct any conspiracy theories, the reasons for me moving on are quite simple. I am moving on to carve out my own future. I shall be continuing my participation on the advisory board of BastionHost. Apart from this, my primary day-job would be quite different from what I've been used to all along. I'm finally switching gears from the telecommute role that I've been so used to over the years, to work behind a desk and be involved in spearheading the development of SaaS-enabled infrastructures for the wealth management sector.

Sometimes in life one comes by opportunities that are rare, and if one does not act upon them, regret is all one will be left with, and that is something I refuse to live with.

If you would like to continue being in touch, you can follow my ramblings on tumblr. I am always available through Facebook, LinkedIn and twitter. I could also be reached via email at rohan[@]rohanpinto[.]com.

Last but not the least, I'm not gone yet.. ! I would be continuing in my role at Sun until the end of the month. From now until then I'll be tying up loose ends and enabling the transition of what I currently have on my plate to other folks on my team (and I hope to make the MOST of the time I spend with my colleagues during this time).

For all those folks in the Identity Practice... I will be hanging around this arena of technology for quite a while folks, so Stay Strong, Live Large, and do keep in touch. You will find my continued participation on the OpenSSO and OpenDS aliases. I am not sure what's gonna happen to these product lines after the Oracle acquisition, but regardless of the outcome, let's keep the community going and continue contributing to the project. I know "I Will", I hope you will too...

This blog at Sun Microsystems will no longer be updated.

November 29, 02:34 AM

This series of videos consists of screen captures of the course below. There is no sound for now, but this will be added at a later date.


From http://slslabs.sun.com/course/wspl-am-3508-d
Deploying OpenSSO servers in a simple environment is trivially easy. But throw secure sockets layer (SSL), load balancers, multiple servers, session failover, and Policy Agents into the mix, and deployment becomes a little more complex.


The OpenSSO Deployment course - a series of five downloadable, self-paced labs - takes you through a complex OpenSSO deployment. You deploy two Apache Tomcat servers, SSL-enable them, install a software load balancer, install OpenSSO into the environment, and configure OpenSSO for session failover. Then you install an example web server and an example application server, and install Policy Agent software to see how OpenSSO protects web sites and JavaTM 2 Platform, Enterprise Edition (J2EETM) applications.


This course uses OpenSSO Build 4.5, which provides identical functionality to OpenSSO Express Build 5. Other deployment components include Apache Tomcat version 6.0.14, Sun Java System Web Server version 7.0, and GlassFishTM application server version 2.



OpenSSO Complex Deployment Lab 1 Exercise 1



OpenSSO Complex Deployment Lab 1 Exercise 2



OpenSSO Complex Deployment Lab 1 Exercise 3



November 14, 01:25 AM

with this announcement : http://www.sun.com/aboutsun/pr/2008-11/sunflash.20081114.1.xml
- we take yet another step towards "change".

Do I see any change ? yes! of course I do. and here's what I see.

As part of today's actions, Sun's Board of Directors has approved a restructuring plan aimed at reducing costs by approximately $700 to $800 million annually. The plan includes a reduction of approximately 5,000 to 6,000 employees, representing approximately 15% to 18% of the Company's global workforce.

"reducing costs by approximately $700 to $800 million annually"

Sun expects to incur total charges in the range of $500 to $600 million over the next twelve months in connection with the plan, of which it expects to incur approximately $375 to $450 million within its current fiscal year 2009.

"Sun expects to incur total charges in the range of $500 to $600 million over the next twelve months"

- so... Am I reading this right ? or have I missed something ? Sometimes all of us see what we wanna see and tend to ignore the bigger picture. Like every other human being, I'm trying to see the bigger picture myself. Yet my blindfolds compel me to see what I wanna see. I guess it's time to take those blindfolds off and see the "bigger" picture :


Sun's new software alignments include the formation of two new business groups and a new group within Sun's existing Systems business:

Application Platform Software: Executive Vice President, Anil Gadre, will move from his position as Chief Marketing Officer to lead this newly formed group. Charged with creating the highest value modern software business in the industry, the unit will build on Sun's open source leadership position to capitalize on the global market's demand for open application platforms for everything from databases to business integration services on servers, desktops and handheld devices. This includes the entirety of Sun's Java technology franchise, MySQL open source database products, as well as Software Infrastructure including the widely adopted GlassFish Application Server and leading Identity management products. This group will also include the Sun Learning Services organization.
Systems Platforms: Under the leadership of Executive Vice President, John Fowler, Sun's Solaris, Virtualization (including xVM and VirtualBox), and Systems Management Software teams join the Systems organization to deliver highly differentiated and optimized computing, storage and networking systems. Unlike any other technology provider on earth, Sun will be uniquely positioned to leverage its open OS leadership and virtualization portfolio to create durable competitive advantage for Sun's systems business, and category-shifting innovations for customers. The recently announced 7000-series of Open Storage products, leveraging open source ZFS technology, DTrace analytics, superior management capability, and unique storage engineering are only the beginning of this deep systems roadmap.
Cloud Computing & Developer Platforms: Working across all of Sun, Senior Vice President, Dave Douglas, will lead the Company's efforts to capitalize on two trends: the increasing shift of customer and developer focus to web-based cloud services and Sun's already established leadership position in the space through Network.com, the NetBeans developer platform, and the StarOffice portfolio. The unit will build upon Sun's existing online developer community - one of the world's largest - to firmly establish the company as a leader in cloud computing and grow this area into a significant driver of future revenues.

October 29, 02:59 AM

WS-Federation is adopting SAML 2.0 metadata when it releases WS-Federation 1.2. OpenSSO uses WS-Fed 1.1 metadata which is now deprecated. Expect to see an openSSO release soon that will adopt WS-Fed 1.2

http://identity-des.com/2008/10/28/harmonized-federation-metadata-for-ws-federation-and-saml

October 16, 09:52 AM

“Secure web application development has become imperative due to the new PCI-DSS mandate. Companies who choose to adopt the form of training offered by SCIPP will benefit from a trustworthy yet cost-effective security awareness program.”

~Howard A. Schmidt, former CISO for Microsoft and ebay, SCIPP Advisory Board Member


A free webinar on "Security Awareness Requirement for Web Application Developers"


WHEN: Wednesday, October 22, 2008

TIME: 1:30pm - 2:00pm EST


TOPIC: "PCI-DSS ALERT: Complying with the NEW Mandatory Security Awareness Requirement for Web Application Developers"


PRESENTER: Dow Williamson, CISSP, Executive Director.


CHANNEL: IT Certification and Training


Webinar: http://www.brighttalk.com/webcasts/1220/attend



How Important is Security ?

Estimates Put T.J. Maxx Security Fiasco At $4.5 Billion

The security Breach at TJX Companies Inc. could cost the company $100 per lost record, or a total of $4.5 billion, according to the calculations of a database security company.

NY Bank ‘loses’ 4.5M unencrypted customer records
In yet another unbelievable story of data irresponsibility, the Bank of New York (BNY) Mellon lost two sets of unencrypted backup tapes containing private data belonging to 4.5 million individuals. Third-party vendors misplaced the tapes during transport to off-site locations. According to the bank, the tapes "included shareowner and plan participant account information, such as name, mailing address, social security number, and transaction activity."

Save the Date attend the webinar on the 10th of October 2008 @ 1:30 PM EST.
October 13, 08:02 AM

Nick Wooler the product line manager for the directory services team has posted a screencast on installing OpenDS in under 3 minutes !!! This screencast is a must watch.




watch the simplicity of the entire installation process. It's simply awesome. The entire install including pre-populating OpenDS with 2000 simulated/sample entries was done in under 3 minutes in 5 extremely simple steps. (it takes longer to boil an egg)

User Experience DOES matter.


... and if you liked the soundtrack used in the screencast.. it's "Light & Day / Reach for the Sun" by The Polyphonic Spree feel free to download it from iTunes. (thanks shazam). And for pine-apples... here's the YouTube full length video (which is also under 3 minutes) :

October 12, 05:34 AM

Web applications need access control. I'm not gonna justify that fact. Every Java web application lets you restrict access to the resources it hosts simply by modifying the deployment descriptor (web.xml), listing URL patterns and the roles allowed to reach them. This method is called declarative security or declarative access control. Well, but does this really suffice ?


Well, say hello to XACML. XACML stands for eXtensible Access Control Markup Language.

It is a declarative access control policy language implemented in XML and a processing model, describing how to interpret the policies.

If you had followed what Daniel Raskins had said from a long time ago, about supporting XACML, well, here it is. OpenSSO now has XACML support.
Support for XACML allows our customers to share access control policies across corporate boundaries and offers more dynamic standards-based tools for creating federated mashups. As a result, our customers can continue to expand their business reach while using open-standards to enforce security decisions and minimize security risk.

The OpenSSO codebase also has a XACML client sample which you could download, compile and run in a few clicks.


Please Note: This is NOT sunxacml. sunxacml is an implementation of the XACML 2.0 specifications from Sun Labs. It does not have support for the SAML 2.0 profile of XACML 2.0 and is not part of OpenSSO.


OpenSSO XACML implements the SAML 2.0 Profile of XACML 2.0, supporting XACMLAuthzDecisionQuery and XACMLAuthzDecisionStatement. The PEP makes a XACML 2.0/SAML 2.0/SOAP request to the PDP and gets a response. The OpenSSO XACML client sample is a remote client library that an application could use to make XACML calls to a PDP.


The returned XACMLAuthzDecisionStatement carries the XACML Response, Result, Decision and so forth. The OpenSSO XACML implementation leverages the SAML 2.0 capability of OpenSSO to manage the SAML2 metadata of the PDP and PEP and to exchange the SAML messages.


Here's a simple four-step guide to running the XACML client and testing it with OpenSSO.

  • get the OpenSSO.zip, extract and get the opensso-client.zip under samples directory

  • extract the opensso-client.zip, and go to the "sdk" subdirectory

  • follow the README file to setup the samples

  • follow the instruction in scripts/run-xacml-client-sample.sh to setup the XACML.

I hope this post has been helpful. Cheers and enjoy building applications that use XACML !! interoperability rocks!!
October 12, 04:52 AM

Well, a lot of folks ask me often if I have fun @ sun. Well, there's TONS of reasons why I love this place. and one small reason being the fun!!. Our execs don't stop at just making sun a fun place to work at, in addition to the fun@sun perks ! they go all out !!! Here's video about Jonathan Schwartz getting "pwned" !!!




We sure know how to have fun @ sun !!!! and we LOVE IT !!!


~if you love what you do, everything is fun !
October 12, 04:32 AM

Here's a video about MySQL ndbcluster presented during a Google Tech Talk. The presenter is Stewart Smith, who works for MySQL AB as a software engineer working on MySQL Cluster. He is an active member of the free and open source software community, especially in Australia.


ABSTRACT
Part 1 - Introduction to MySQL Cluster The NDB storage engine (MySQL Cluster) is a high-availability storage engine for MySQL. It provides synchronous replication between storage nodes and many mysql servers having a consistent view of the database. In 4.1 and 5.0 it's a main memory database, but in 5.1 non-indexed attributes can be stored on disk. NDB also provides a lot of determinism in system resource usage. I'll talk a bit about that.


October 11, 08:40 AM

Explore how Sun can help you manage, audit, protect, share, and store identity data.

Click here to watch the webcast

October 11, 03:51 AM

OpenSSO has an "extended" set of web services (REST) interfaces that make interfacing applications with OpenSSO a piece of cake. The following table lists the REST URLs and their operations and parameters:



The following code snippet shows how you can authenticate against OpenSSO using the REST interface and obtain an OpenSSO token for a user.



<%
String url = "http://localhost:8080/opensso/identity/authenticate";
String username = "rpinto";
String password = "testpass";
String token = null;
java.net.URL iurl = new java.net.URL(url);
// setRequestMethod lives on HttpURLConnection, so cast the connection
java.net.HttpURLConnection connection = (java.net.HttpURLConnection) iurl.openConnection();
connection.setRequestMethod("POST");
connection.setDoOutput(true); // required before a request body can be written
connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
// Send POST output.
java.io.DataOutputStream printout = new java.io.DataOutputStream(connection.getOutputStream());
String content = "username=" + java.net.URLEncoder.encode(username, "UTF-8") +
    "&password=" + java.net.URLEncoder.encode(password, "UTF-8");
printout.writeBytes(content);
printout.flush(); printout.close();
// A failed login comes back as a non-200 status, and getInputStream() then throws an IOException
java.io.BufferedReader reader = new java.io.BufferedReader(
    new java.io.InputStreamReader(connection.getInputStream()));
out.println("<h2>Successful Authentication using REST</h2>");
String line;
while ((line = reader.readLine()) != null) {
    out.println(line + "<br>");
    // The body is a single "token.id=<value>" line; keep everything after the '='
    if (line.startsWith("token.id=")) {
        token = line.substring("token.id=".length());
    }
}
reader.close();
%>

This code opens an HTTP URL connection and performs a POST operation with the user name and password before displaying the response in the browser.


The request on the wire reads as follows:


POST /opensso/authenticate HTTP/1.1
Host: localhost
User-Agent: Mozilla/4.0
Content-Length: 27
Content-Type: application/x-www-form-urlencoded

username=rpinto&password=testpass

And the response would be—



token.id=AQIC5wM2LY4SfcykUxffyyVGC6k9vHhe7JcyrhHbmlpVZPI=@AAJTSQACMDE=#f
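As an added example (not code from the post or from OpenSSO), here is the same identity/authenticate call as a standalone Java client. It differs from the scriptlet above in two ways a practitioner cares about: it checks the HTTP status before reading the body, so a failed login is not mis-parsed as a token, and the token parsing is isolated in its own method. The base URL https://sso.example.com/opensso, the credentials, and the behaviour that a failed login yields a non-200 status are assumptions; the endpoint path and the "token.id=" response line are taken from the post.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Scanner;

/** Minimal OpenSSO REST authentication client (added example, not OpenSSO code). */
public class OpenSsoRestAuth {

    private final String baseUrl; // e.g. https://sso.example.com/opensso (constructed value)

    public OpenSsoRestAuth(String baseUrl) {
        this.baseUrl = baseUrl;
    }

    /** POST username/password to identity/authenticate; returns the SSO token, or null on failure. */
    public String authenticate(String username, String password) throws IOException {
        URL url = new URL(baseUrl + "/identity/authenticate");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true); // required before getOutputStream()
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        byte[] body = ("username=" + URLEncoder.encode(username, "UTF-8")
                     + "&password=" + URLEncoder.encode(password, "UTF-8"))
                     .getBytes(StandardCharsets.UTF_8);
        conn.setFixedLengthStreamingMode(body.length); // sets a correct Content-Length
        try (OutputStream os = conn.getOutputStream()) {
            os.write(body);
        }
        // Assumption: a rejected login comes back with a non-200 status. Never try to
        // parse an error body as if it were a token.
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            return null;
        }
        try (InputStream in = conn.getInputStream()) {
            return parseTokenId(readAll(in));
        }
    }

    /** Extract the value of the "token.id=" line from an authenticate response body. */
    static String parseTokenId(String responseBody) {
        for (String line : responseBody.split("\r?\n")) {
            if (line.startsWith("token.id=")) {
                return line.substring("token.id=".length()).trim();
            }
        }
        return null; // no token line: treat as not authenticated
    }

    private static String readAll(InputStream in) {
        try (Scanner s = new Scanner(in, "UTF-8").useDelimiter("\\A")) {
            return s.hasNext() ? s.next() : "";
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values; the post uses plain http://localhost:8080.
        OpenSsoRestAuth client = new OpenSsoRestAuth("https://sso.example.com/opensso");
        String token = client.authenticate("rpinto", "testpass");
        System.out.println(token == null ? "login failed" : "got token (" + token.length() + " chars)");
    }
}
```

The token returned here is a bearer credential for the user's session: anyone holding it can act as that user until it expires, which is why the client above talks to the server over HTTPS rather than the plain HTTP URL used in the post, and why the scriptlet's habit of printing the response into the page is fine for a demo but not for anything real.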

January 17, 04:42 PM

My laptop started behaving weird today. Every time I restart it I get an error window popup with the word "smoni" in the title and the message "ReceiveDatagram error # 10054". A screenshot of the error message is as below:

Does anybody have any idea what this could possibly be from? I'm clueless... I'd appreciate any help I can get to eliminate this error window from popping up on every reboot...
January 17, 04:36 PM

Back to normal programming. No more infocard stuff here. With a typical Access Manager deployment atop a web server or app server, there are many instances where, apart from the Access Manager services deployed, one may deploy other applications on the same server instance and may need to "protect" them. The right way of going about it is to deploy a policy agent on the same server instance. I noticed that in some cases folks choose not to deploy an agent but "embed" code in every page of their webapp to check for the validity of the SSOToken issued by AM and enable access to those pages that they need "protected". Well, if all one needs is to protect a few URIs that reside on the same server instance as AM, one could also use a Servlet Filter to do the same without having to embed code in every page of their application to check for it. This is a simple SSO-only method and not a replacement for a policy agent. Here's what one needs to do to enable this:
  • Declare the <filter> element in your web application deployment descriptor. For Sun's Web Server it would be the default-web.xml file.
  • Map the filter to a servlet by defining a <filter-mapping> element in the deployment descriptor. This element maps a filter name to a servlet by name or by URL pattern. Add the URLs you would like to "protect" to the url-pattern tag element.
  • Now compile the attached code, build a jar file and add it to your server's classpath. (For some reason I just cannot post code on this blog. No matter what I try, the code gets converted over to HTML. I did follow Pat's advice, but that didn't help. So I'm uploading the NNAgent.java file and providing you a link to download it instead of posting the code as inline text.)
  • Restart your web server.
  • Try accessing the "protected" URL without authentication.
  • Try accessing the "protected" URL with authentication.
You'd see the difference... NOTE: This is NOT a replacement for a Policy Agent. This is just an FYI/example of how one could achieve SSO only using a Filter.
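Since the NNAgent.java the post links to is not reproduced here, the following is an added example (my code, not the post's attachment and not an OpenSSO/Access Manager component) of what such an SSO-only filter looks like. It reads the AM session cookie from the request and asks OpenSSO's identity/isTokenValid REST call whether the session is still live; an unauthenticated request is redirected to the AM login page with a goto parameter so the user comes back to the page they asked for. The deployment-descriptor entries from the steps above are shown in the class comment. Assumptions: the OpenSSO base URL https://sso.example.com/opensso, the cookie name iPlanetDirectoryPro (Access Manager's default session cookie), the /UI/Login?goto= login URL, and the "boolean=true" response body of isTokenValid.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.Scanner;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * SSO-only servlet filter (added example, not the post's NNAgent.java).
 * It only answers "is there a live AM session?"; it evaluates no policy,
 * so it is not a substitute for a policy agent, exactly as the post says.
 *
 * web.xml / default-web.xml entries that wire it up:
 *   <filter>
 *     <filter-name>SsoFilter</filter-name>
 *     <filter-class>SsoFilter</filter-class>
 *     <init-param><param-name>opensso.url</param-name>
 *                 <param-value>https://sso.example.com/opensso</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>SsoFilter</filter-name>
 *     <url-pattern>/protected/*</url-pattern>
 *   </filter-mapping>
 */
public class SsoFilter implements Filter {
    private String openssoUrl;
    private String cookieName;

    @Override
    public void init(FilterConfig cfg) {
        openssoUrl = cfg.getInitParameter("opensso.url");
        cookieName = cfg.getInitParameter("cookie.name");
        if (cookieName == null) {
            cookieName = "iPlanetDirectoryPro"; // assumed AM default session cookie name
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String token = sessionToken(request);
        if (token != null && isTokenValid(token)) {
            chain.doFilter(req, res); // live session: continue to the protected resource
            return;
        }
        // No session or a stale one: hand the user to AM's login page and ask it to
        // return to the URL that was originally requested (assumed login URL).
        String goTo = URLEncoder.encode(request.getRequestURL().toString(), "UTF-8");
        response.sendRedirect(openssoUrl + "/UI/Login?goto=" + goTo);
    }

    @Override
    public void destroy() {
    }

    /** Return the AM session cookie value, or null when the request carries none. */
    private String sessionToken(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when the request has no cookies
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (cookieName.equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return c.getValue();
            }
        }
        return null;
    }

    /** Ask OpenSSO whether the token still names a live session (identity/isTokenValid). */
    private boolean isTokenValid(String token) throws IOException {
        URL url = new URL(openssoUrl + "/identity/isTokenValid");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        byte[] body = ("tokenid=" + URLEncoder.encode(token, "UTF-8")).getBytes("UTF-8");
        try (OutputStream os = conn.getOutputStream()) {
            os.write(body);
        }
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            return false; // fail closed: an unreachable or erroring AM denies access
        }
        try (Scanner s = new Scanner(conn.getInputStream(), "UTF-8").useDelimiter("\\A")) {
            String answer = s.hasNext() ? s.next().trim() : "";
            return "boolean=true".equals(answer); // assumed response format
        }
    }
}
```

Two design points worth noting: the filter fails closed, so a down or misconfigured OpenSSO denies access rather than granting it, and it validates the session on every request instead of trusting the mere presence of the cookie, since a cookie value is just a string any client can present.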
January 17, 04:35 PM

No. This is not the long tailed Mouse "Higgins" you may be thinking about. I just could not resist posting this: Bill Higgins from IBM just blogged about IBM developerWorks community changing their backend weblog engine over to rollerweblogger, the same engine that powers blogs.sun.com.

January 17, 04:34 PM

I've always wanted to have the ability to extract a few files from an .iso file for development. The approach I used to take to obtain the files was to download the .iso image of the distribution, then use my CD burner to burn a CD from the .iso image and then extract the file from that CD. Well, a friend of mine just pointed me to this excellently cool utility. And hey!! It's Microsoft's own utility (though unsupported), it's FREE!! and it has an extremely small footprint (60kb). Here's the download link: WinXP Virtual CD Control Panel. Here's the readme:

Readme for Virtual CD-ROM Control Panel v2.0.1.1
THIS TOOL IS UNSUPPORTED BY MICROSOFT PRODUCT SUPPORT SERVICES

System Requirements
===================
- Windows XP Home or Windows XP Professional

Installation instructions
=========================
  1. Copy VCdRom.sys to your %systemroot%\system32\drivers folder.
  2. Execute VCdControlTool.exe
  3. Click "Driver control"
  4. If the "Install Driver" button is available, click it. Navigate to the %systemroot%\system32\drivers folder, select VCdRom.sys, and click Open.
  5. Click "Start"
  5. Click "Start"
  6. Click OK
  7. Click "Add Drive" to add a drive to the drive list. Ensure that the drive added is not a local drive. If it is, continue to click "Add Drive" until an unused drive letter is available.
  8. Select an unused drive letter from the drive list and click "Mount".
  9. Navigate to the image file, select it, and click "OK". UNC naming conventions should not be used, however mapped network drives should be OK.
You may now use the drive letter as if it were a local CD-ROM device. When you are finished you may unmount, stop, and remove the driver from memory using the driver control.
I never thought I'd be publicly saying this. But here goes anyway: Thanks Microsoft. (It wouldn't hurt to be honest and thank someone, would it?)
January 17, 04:33 PM
I was almost a quarter past ways developing the smartcard applet which theoretically could read the info from the smartcard and use the digital certificate from the smartcard to authenticate you to Access Manager. Here's the low-down on the effort. Smartcard readers are vendor specific. I used the ActivCard SDK for building the applet with some amount of minor hacking. So now I have come to realize that the smartcard reader and the applet are vendor specific. Whew!! What a painstaking effort. But nevertheless a good learning experience. So now I'm investigating MuscleCard, and hope to learn that the applet I develop is not vendor specific... If anybody has any info on developing a non vendor specific (smartcard reader manufacturer specific) applet, please, please, please do "SHARE" the info. I wish everybody would adopt the OpenSC framework. Identity Alliance has a product called ID Ally.
ID Ally provides everything you need to begin deploying and using smart cards for security purposes. It provides the necessary software components to enable your smart card with a variety of applications and purposes such as:
  • Email Signing / Encryption using Outlook
  • Web Authentication using Internet Explorer
  • Signing and Encryption using Adobe Acrobat
  • Password wallet for secure password storage
  • Enrollment using Windows 2003 CA
  • Certificate Auto-Enrollment Options
  • Digital ID (certificate) Self-Enrollment Tool
  • Mozilla/Firefox Email, Web Authentication
  • Caching for convenience and speed
  • Utility for viewing certs and changing pin and unblocking
  • Card applet management capability
  • Easy to Use Installer and Documentation
ID Ally is FREE for personal use, and has a 30 day free trial for professional use so you can trial the software before choosing whether to license it. Using Windows 2000 or XP, you can use the provided installer to install all the components and documentation needed to begin.

Download ID Ally
In order to use ID Alley, You need to do the following:
  • Download ID Alley
  • Unpack ID Alley
  • double click on the msi file to install it
  • start regedt32
  • change HKEY_LOCAL_MACHINE\SOFTWARE\Identity Alliance\AuthShim\PKCS11BaseModule to "opensc-pkcs11.dll"
  • change HKEY_LOCAL_MACHINE\SOFTWARE\Identity Alliance\AuthShim\PKCS11Module to "opensc-pkcs11.dll"
  • change HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Identity Alliance CSP\PKCS11Module to "opensc-pkcs11.dll"
  • close regedt32
  • run "ID Alley Card Manager"
  • enter PIN
  • turn off virtual slots in opensc.conf
Test it by visiting some SSL client-certificate protected web site with Internet Explorer. AH!! You also need to use a PC/SC compliant smartcard reader FROM ANY VENDOR. And if you do this my SmartCard applet would work... So help me please...
January 17, 04:32 PM

This " - night - Graveyard-shift " infocard project of mine is working out to be an expensive affair for me, in the $$ terms. I travel around so much (every Mon-Fri) that in order to work on it at nights, I needed to have WinXP with SP2 and IE7 on it. There's no way I would risk putting my endeared Ferrari through the BSoD (Blue Screen of Death) trauma. Well, there was no way for me to carry all my desktops around when I travel. So came VMware to the rescue. My VMware Workstation costs US$199, and then another WinXP Pro license was another US$299. And another CD$100 for bribing my wife with a L'Occitane gift pack to entice her to let me spend this money. Whew!! I hope this expense pays off in terms of learning. I believe that there can be no cost factor associated with learning. And hope & pray that this pays off in the long run. Now I have an "infocard" ready system in addition to a development environment, and a webserver with me all the time. Hopefully in the coming weeks, (with my new set of ammunition), I should be able to blog more on my discoveries... So stay tuned...

January 17, 04:31 PM
Kim had posted a nice article on A simple managed payment card example a while ago. So basically what happens with an "issued" infocard is that the infocard only contains a pointer to where the user information is to be obtained from (in this case, as per Kim's example, the issuer happens to be Bank Of America, and the requestor is amazon.com). Well, Kapil had a nicer post on Smartcards and Federated Identity. Kapil quotes:
Smartcards are the actually the real enabler of biggest network of identity federations world has known till date i.e GSM. [...] various standards like SAML, Liberty, InfoCard/WS-Trust, WS-Federation etc for identity federation respect and understand the usefulness of security devices like Smartcards. All these standards propose the solution to same set of problems in _almost_ same way and differ mostly in wire protocols used. SAML and Liberty has a profiles ECP (Enhanced client proxy) and LECP (Liberty enabled client or proxy) respectively which enables a Smartcard based authentication where as InfoCard (a profile of WS-Trust) treats Smartcard as another Security token service which can generate self issued security tokens.
Nice... I see the light at the end of the tunnel. Infocard treats a smartcard as a personal security token service (PSTS) which can issue security tokens in the form of SAML assertions. And so I thought... or rather... continue to think... What's the difference between the long existent JavaCard/Liberty vs InfoCard/WS-Federation? I remember sometime back I had read an article "Microsoft Employees Get Carded" by Karen Epper Hoffman via Kapil's blog. Well, Scott made us use these from a long time ago... And Microsoft's views on smartcards are no different. Hubert has put together a nice demo of how, using Liberty's ID-WSF protocols, we can create a module that greatly helps the user in dealing with his digital identities. Currently laptops, Sun Ray 1g, Sun Ray 170 and desktops ARE available with built-in smartcard readers. And hence my dilemma...
January 17, 04:30 PM

Yes (to all those who were wondering who is working on porting infocard to Solaris/Linux), I currently am working on integrating infocard with Access Manager and my next move would be to port infocard to Solaris/Linux. The process of porting infocard over is not a 1 week task. It may take me longer as I'm overloaded with work and hardly have time to spare for this development. But with me assigning an hour or two every day I hopefully would complete this shortly. In the meantime I shall also blog my experiences in the process. And here's my first run at it. Infocard in its current form can be used on Windows XP desktops which have SP2 installed, Windows 2003 Server with SP1 installed and Windows Vista (February CTP). It requires WinFX Runtime Components (for x86 or for x64). I currently am playing around with infocard on Windows XP with SP2 and Windows 2003 Server with SP1. As soon as the WinFX CTP is installed on the system, the infocard components also get installed. You would also notice that your control panel now has a "Digital Identities" component installed. This is the core component from which you can create, edit, import or delete your infocards.

You can create as many "Identities" as you choose. But what bugs me is that I can create "any" Identity of my choosing. The screenshot below shows how I created Identities with myself, Kim, Pat and Bill Gates as the "identities" "I" wish to be recognized as.

Here's the issue that bugs me. This issue has been bugging me for a while, since the time "user-controlled" identities became the talk of the town, oops, web. The term "identity management", I believed, was a step forward in preventing "identity theft" (someone, please correct me if I'm wrong here). With the volume of identity thieves who exist on the web today, the ability to create "identities" just facilitates the process. I agree that the "identity" may be of no good if nobody accepts the identity. But however, Microsoft would succeed in enabling organizations to adopt infocard and its usage participation would rise. For organizations (participants) who have their heads on their shoulders, the organizations ("issuers") would issue users their "infocard"/"identities" which could be used to access a service. Users could import the "issued" infocard onto their desktops using "Install a provider card" as in the screenshot below.

Here's my biased opinion. If the only infocards that MATTER are the ones that are issued by a provider, what makes it different from "Liberty"? Liberty is built on the "identity-given" framework/concept. The ability of enabling a user to create his own "infocard" may sound appealing, but how does it help? Well, for a novice user, it may sound cool, because he/she can create several "infocards" of themselves and choose which one to provide a "requestor" based on the information he/she would want to provide a particular web service/application. But for the miscreants, it's a toolkit to spoof identities. Another issue is that the "infocards" are stored on a user's desktop (porting them from one system to another "may" be a pain to a novice user). Now, this makes it even worse. Anybody who has access to the user's machine has the ability to delete the infocards that one may have created. What IF my son deletes my infocards intentionally or accidentally? What if my infocard gets stolen? If the infocards are not protected, they could be exported from one machine to the other with ease. The only way to secure it is by password protecting it. (So where does "no passwords required" play a part in this?) One can come up (make up) with numerous issues with this model. But what's important is the fact that the "only" infocards that matter would be the ones that are issued by a service provider/identity provider. Well, we have another issue now. IF each IDP/SP would start issuing infocards to their users, the user ends up having tens of hundreds of infocards to manage. How different is that from tens of hundreds of username/password combinations? As an infocard user am I supposed to store all my infocards on a USB drive and carry it along with me just to enable me to use a service from any desktop? (The desktop additionally should be infocard enabled!!) AH!! I'm tired right now. I shall follow up on this again soon.. as my thoughts keep formulating and changing.
PS: I personally like JavaCards. Please read Hubert's post on Liberty à la InfoCard. And think... "JavaCards and Liberty". You be the judge. So you decide for yourselves. UPDATE : This does not mean that I am not working on porting infocard to *nix and integrating it with AM. I am working on that too. Shall keep you posted on developments at my end periodically. UPDATE 2 : I am NOT against infocard. I'm just thinking out loud as I keep discovering new stuff. And thought processes change periodically. The only thing that has been constant in my discoveries so far has been "change".
January 17, 04:29 PM
As a taste of upcoming MIX06 sessions, Kim Cameron presents a thumbnail sketch of how InfoCards bring an architecture for identity to the Internet, a demo of how it works and a peek at how you integrate it into a Web page.
  1. 20060209InfoCardKC.EXE
  2. 20060209InfoCardKCDemo.EXE
source : MSDN TV. See Kim's full session on this topic at the MIX06 conference. UPDATE 1 : Also read Johannes Ernst's blog on "There are lots of things that are right about Microsoft InfoCard". After seeing the infocard demo, I feel that infocard really is a nice thing. I do not want to comment on the "open source or closed source" part as there are several of us in this field who are debating that topic. So I leave that up to those who better understand it and fight for it in the open source community. Here's my take. Sun has the Sun Java System Access Manager. This product really has extremely good visibility and usage in the real world, especially in the corporate sector. Individuals who care about secure identity and those who (by choice or otherwise) use a Microsoft Windows desktop as the client would end up using infocard for authentication in the future, as Microsoft plans to use infocard for building what they call a fundamentally secure platform. Now having said that, I don't see the entire world not using Windows as the desktop client. Yep, true, Macs, Linux, and Solaris have a long way to go to becoming the de facto standard desktop for end users. So. All said and done, I thought of a small project that I would embark on in my free time. I would try to develop an InfoCard Authentication Plugin (using the Microsoft Federated Identity and Access Resource Kit and JAAS) for the Sun Java System Access Manager. Well, this may not be a good idea, but I guess it would be well worth my free time. As soon as I finish the module (hopefully soon, especially with Kim's & Kapil's help), I shall distribute the entire codebase and procedure for enabling you to deploy the infocard authentication plugin on Access Manager. (This may make for a good demo given that most users happen to have a Windows desktop.)
One main reason for me to embark on this is because I see a strong similarity between this effort and nFactor Authentication (which I had blogged about a long time ago). After all, Sun and Microsoft have joined hands for the interoperability of Liberty and WS-Federation, the results of which have led to the Web Single Sign-On Interoperability Profile & the Web Single Sign-On Metadata Exchange Protocol (which have just been released). UPDATE 2 : Also read "Microsoft Employees Get Carded" (an old post) by Karen Epper Hoffman
January 17, 04:28 PM

I had posted a reference to the term "Web 2.0" a little while ago on my blog. But while I got absorbed in the term 2.0, there were others who were way ahead:

WOW !! the google search results for terms like "web 2.0","web 3.0","web 4.0","web 5.0","web 6.0","web 7.0","web 8.0","web 9.0" all yield several results. I guess it's all about an effort to get recognition by associating the terms with product releases just to say that the products are way ahead of the game... the silliest strategy I have ever seen. I wonder what the end version would be : Web n.OH ! ?
January 17, 04:27 PM

This PR NewsWire report published earlier this PM, announcing the Samba OXtender which enables the replacement of Microsoft Exchange as well as Microsoft Windows Server was the nicest article I read today. It was really worth a mention here and so... here goes...

New Open-Xchange 'OXtender' Enables Replacement of Windows Server : giving customers the option to fully replace Microsoft Exchange as well as Microsoft Windows Server.
  1. New Open-Xchange 'OXtender' Enables Replacement of Windows Server
    Yahoo! News (press release)
  2. Open-Xchange offers Microsoft Exchange/Windows Server alternative
    ComputerWeekly.com
  3. New Open-Xchange "OXtender" Enables Replacement of Windows Server
    Linux PR (press release)
January 17, 04:26 PM

The Readers' Choice Awards for SOA, Java, Linux, .NET, ColdFusion and XML Technologies were just published by SYS-CON. It's just a great feeling to see Sun listed as #1 on the Best Web Services Platform, Best Framework for SOA and Web Services, Best SOA IDE, Best XML Parser, Best XML Utility, Best SOA or XML Training, Best SOA or XML Site, Best SOA Security Solution, Best SOA Portal Platform, Best SOA Book, Best Java Training, Best Java Virtual Machine, & Best Java Application Development Framework.

Also known as the "Oscars of the Software Industry" the winners were chosen by more than 17,000 SYS-CON readers
January 17, 04:25 PM

While the entire industry harps on Google and its stock price, Yahoo is way ahead of the game with web 2.0. Check them out and decide for yourselves. Comments welcome!! Tim O'Reilly writes:

If Netscape was the standard bearer for Web 1.0, Google is most certainly the standard bearer for Web 2.0, if only because their respective IPOs were defining events for each era.
Google doesn't have the image of being the most outspoken company, especially because of what I associate with the term "web 2.0". Therefore I'd have to say: "sorry Tim, you're wrong" (at least this time). Google sure has made huge strides in the right direction by recently embracing blogging, RSS aggregation, video on demand, DRM etc... but we tend to forget all about YAHOO. Yahoo IS taking the appropriate steps in making web 2.0 a reality. Believe me, they really are. What's really interesting though is that a Google search for the term web 2.0 lists Yahoo as ranked number 2; and if you know about Google ranking technologies, they do have a pretty good algorithm (just kidding) for it. Much of the 1.0 is (or was) Google. Web 2.0 is gonna be Yahoo, and I bet my lucky dollar on it. Another good comparison link is Google Labs vs Yahoo Research. Mad money prediction (after a couple of beers), contrary to Jim Cramer: Boo Yaaahhh YHOO. Sell sell sell; sell sell sell GOOG. AND hey!! I'm no expert in the NY stock market. Get ready to lose all your money if you wanna follow my ADVICE... I guess you can judge for yourselves. You know better, right? The older the better.... and this old article speaks volumes ;-) knock knock!!?
UPDATE : Did you see the Google stock price today (ie: January 18th 2006)?? I'm getting good at predictions.... (just kidding) Here's a screenshot of GOOG just 9 hours after this post ;-). Guess I should start my own TV show. Please do me a favor and do not compare it to YHOO today.... I'm gonna lose my chances of hosting my own TV show if you do ;-)
UPDATE 2 :
  1. Google Catches Cold
  2. Google sinks, shares hover at $400
January 17, 04:24 PM
Microsoft Passport has been around for a while. This article describes the Risks of the Passport Single Signon Protocol extensively. Contrary to my personal preferences and beliefs; I myself have been using passport for quite a while just because of the large list of participating sites that I frequent. However the frequent presentation of the following screenshot is compelling me to believe that someone needs to get their act together and also give other alternatives a shot...
This is a very good example of how a single point of failure can cause serious impact on business processes.
January 17, 04:23 PM
  1. Password Management: Grief Relief
  2. Identity Management Is Here to Stay
  3. Moving Beyond Compliance to Business Value
  4. Simple Sign-On
  5. Ruby Tuesday's Identity Crisis
PS : no time to blog details, and the above list of things were what I thought were worth blogging on.. and since I had no time to blog (have to catch a flight, gotta rush) I thought that a linked list was a better choice.
January 17, 04:22 PM
REMINDER : Here's a good example of how identity theft can give you nightmares.
In the early 1990's, someone ran amok, using Mr. Lorenzo's identity. It was used to rack up tens of thousands of dollars in fraudulent credit card debt. It was given to the police after various traffic violations. And a man even used the name Raymond Lorenzo when he was arrested and indicted in 1991 in Suffolk County, N.Y., for, among other things, burglary, forgery and criminal possession of a weapon.
PS: Identity Management needs to be given importance. More importance than anything else.
January 17, 04:22 PM
tee hee...; Remember my old post on RFID; Here's a new spin to it; tee hee...
In order to conduct a scientific survey of the tiger population this year, Wildlife Institute of India (WII) would soon be issuing photo identity cards to all the tigers of the country. WII scientists have also proposed three new scientific techniques to have a more accurate count of the tigers living in the wild. As per the proposal, the three techniques are namely computerised pugmarks, camera traps and DNA tests. All the three techniques would be used in the tiger survey starting in the country from January 15.
January 17, 04:21 PM

After James McGovern, kicked off the discussions around Identity Federation, Pat's response was quite a detail. Johannes Ernst, Shekar Jha, Tom Gordon, Radovan Semančík & Mark Dixon and a lot more chimed in with their perspectives, and I thought that my 2.0 cents on the subject was worth posting.

Identity Bloggers pretend that notions such as Sarbanes Oxley don't exist (or at least never mention them).
Well, I believe that all bloggers who speak on identity management are very well aware of SOX and its likes. Why in this day and age do we believe that compliance is not critical? I think that it would be foolish to believe that identity bloggers ignore SOX.
SAML 2.0 is a good move to increase interoperability and should be implemented in all security oriented products. Maybe you can tell us why within the enterprise we should use SAML 2.0 between say Active Directory and RACF vs. sticking with tried and true approaches such as Kerberos?
I'd like to reiterate Pat's comment once again here: You use the appropriate tool for the job. Where there is a tried and true approach then use it. What more could I add to it??
Do you think that enterprises are well-served by consolidating identity stores vs keeping them spread all over the place and doing SAML?
There was a time period where the entire industry was thinking in terms of consolidating the disparate authentication systems into one huge repository for authentication data. Well, it was not an easy task. Consolidation has its own pros and cons. I guess I'm missing out on something here. Consolidation between user identities that are owned by 2 separate organizations?? Ain't federation the topic of discussion here? OR is James referring to a "passport" structure?
If you want corporations to embrace the notion of federated identity, wouldn't it require more than simple "look at me" interoperability demos and for all the vendors in this space to create some publicly available notion of "reference architecture" above and beyond what exists in Project Liberty?
I believe that there was more than just a "look at me" kind of a demo done by Gartner sometime ago. But hey! I believe that this would be a great opportunity for me to utilize my resources and contacts to put together a real live network of federated systems that use various disparate systems like sxip, netmesh, shibboleth, Sun Federation Manager and throw a live federated infrastructure out there.
How should we think about SmartCards within our own infrastructure and how it plays with federated identity? I know MS is doing this for their own employees.
I'm surprised that James mentioned MS and forgot all about JavaCards. Mary has one too ;-)
How come pretty much all of the identity bloggers don't support trackback in their blogs? Is it because they haven't yet figured out how to protect their own identity or that of others?
C'mon James, you didn't need Pat to tell you about trackback spam. Guess we all have a long way to go. But hey!! Here's a thought. While we all think in terms of authenticating user identities, we forget that authenticating devices (device identities) is as critical as user identities. IP addresses and MAC addresses can be spoofed easily. But by embedding a unique security key in a device (something that cannot be spoofed) we could embark on authenticating and authorizing a device prior to letting the device on any network. I liked it when in the good old days, an IP address was granted to a device AFTER the fact that authN was successful. In today's world, regardless of authentication, a device is granted an IP and is placed onto a network. Well, we've made the life of an unauthorized person a lot easier by letting him in. If we could authenticate and authorize devices prior to granting IP addresses or placing devices on a trusted subnet by using some form of secure key identifier, we'd be closer to being in a more secure environment. I have done some work on this front; but poor me, I'm not a sales guy and am having a hard time selling the thought. Maybe someday.
January 17, 04:20 PM

OK... here's my prediction for the new year and the oncoming... Identity Management would be the CORE for WEB 2.0-The next generation Web. Having said that I thought that it would be good to list out a few open source Identity Management products that are out there that one would need to keep a keen eye on... PS: Do feel free to add to this list by leaving your comments.

  • Sun Interoperability Prototype for Liberty : Interoperability Prototype for Liberty is the first open-source implementation of the Liberty Alliance Version 1.0 specification based on Java technology. IPL consists of sample Java source code libraries, implementing the Liberty version 1.0 specification, and is not designed for commercial deployment. IPL is licensed as open source under the Sun Microsystems Open Source License.
  • SourceID : Open Source Federated Identity Management Liberty Alliance, SAML, and WS-Federation. Royalty free commercial use if used on fewer than 100 computers per company
  • Shibboleth : Shibboleth is developing architectures, policy structures, practical technologies, and an open source implementation to support inter-institutional sharing of web resources subject to access controls. Key concepts within Shibboleth include: Federated Administration, Access Control Based On Attributes, and Active Management of Privacy; it uses OpenSAML.
  • OpenSAML : OpenSAML is a set of open source Java and C++ libraries that are fully consistent with the SAML 1.0 and 1.1 CR specifications.
  • Yale CAS : The Central Authentication Server (CAS) is designed as a standalone web application. It is currently implemented as several Java servlets and runs through a HTTPS server.
  • Atlassian Seraph : Seraph is a very simple, pluggable J2EE web application security framework.
  • OpenSPML : The toolkit offers an easy-to-use interface for configuring, issuing and interpreting standards-compliant provisioning requests across diverse identity infrastructures.
  • Novell Nsure UDDI Server : Nsure is a UDDI 2.0 registry built on Directory Services technology. It offers a secure access to the registry contents (authentication and authorization), unified account management, and distribution of the registry by leveraging Directory Services. It works with any LDAP(V3) based directory backend.
  • OpenPrivacy : A reference implementation of the Reputation Management Framework (RMF). OpenPrivacy's core project is designed to ease the process of creating community with reputation enhanced pseudonymous entities. The RMF is primarily a set of four interfaces: Nym Manager, Communications Manager, Storage Manager and Reputation Calculation Engine (RCE).
  • NSF Middleware Initiative : NMI-EDIT: Identity and Access Management for Collaborative Applications.
  • jSai : jSai (pronounced "Jay-Say") is iPOV's home grown Servlet Authentication Implementation. jSai is implemented completely using J2SE + Servlet technology; no J2EE "Application Server" needed. jSai supports basic JDBC and XML backed user stores, as well as an LDAP user store. jSai provides developers with the application level security they want and need for small and medium size web applications; avoiding the complex setup in other security implementations that are aimed at large "enterprise" applications.
  • Acegi Security System for Spring : Comprehensive security services for The Spring Framework.
  • Gabriel : Gabriel is a security framework for Java. By using access control lists and permissions, Gabriel enables components to check access to actions. On top of that Gabriel protects methods like EJB does but without the overhead. It distinguishes itself from other frameworks by the ease of use with a small API and by mapping method access to permissions instead of persons. This way the same permissions can be used to protect method access and to check which GUI elements to show based on user permissions.
  • JOSSO : JOSSO, or Java Open Single Sign-On, is an open source J2EE-based SSO infrastructure aimed to provide a solution for centralized platform neutral user authentication. The Pluggable framework allows to implement and combine multiple authentication schemes with credential stores.
  • Kasai : The goal of Kasai is to provide a simple-to-use-yet-powerful security environment for multi-user applications. Unlike JAAS, Kasai provides a much higher security abstraction. Additionally, Kasai includes a very powerful and performing auditing system that records all users activity on a relational database.
  • JPAM : JPAM is a Java-PAM bridge. PAM, or Pluggable Authentication Modules, is a standard security architecture used on Unix, Linux and Mac OS X systems. JPAM permits the use of PAM authentication facilities by Java applications running on those platforms.
  • CAS Generic Handler : CAS Generic Handler is a plugin giving CAS (Central Authentication Service) the ability to authenticate users with different methods (LDAP, database, files, NIS, ...).
  • SunXACML : This project provides complete support for all the mandatory features of XACML as well as a number of optional features. Specifically, there is full support for parsing both policy and request/response documents, determining applicability of policies, and evaluating requests against policies. All of the standard attribute types, functions, and combining algorithms are supported, and there are APIs for adding new functionality as needed. There are also APIs for writing new retrieval mechanisms used for finding things like policies and attributes.
  • Shaj : Shaj (Simple Host Authentication for Java) is a simple library that allows your Java app to verify users with the underlying operating system. Shaj also allows you to check group membership. Shaj is not a competitor for full-featured authentication APIs but rather a complementary way to piggyback on system accounts on any platform. Shaj is used in FishEye for local account authentication, hence it is in use on most flavours of Windows and *NIX.
  • Open Web SSO : The Open Web SSO project provides core identity services to facilitate the implementation of transparent single sign-on as an infrastructure security component. The goal of the Open Web SSO project is to provide an extensible implementation of identity services infrastructure that will facilitate single sign-on for web applications hosted on web and application servers. This project is based on the code base of the Sun Java(tm) System Access Manager product.
  • Cosign : Supports global logout by visiting a link; supports GSSAPI authentication; written in C and supports MS ISAPI (IIS), Apache 1.3/2.0, Servlet and Java/J2EE.
Links Courtesy: Carlos E. Perez
UPDATE: another comprehensive list at http://safehaus.org/map/nov05.html. Link courtesy: Shekhar Jha.
UPDATE 2: Shekhar Jha has also compiled a very nice list of Identity & Access Management vendors. Boy!! How could I have missed that one?

Posts

November 17, 08:18 AM

It's quite hard to write goodbye blog posts or emails, and here I find myself embarking on such a task. It's always hard to say goodbye, but sometimes it needs to be said just to bring some closure.

It's been an extremely interesting ride for me at Sun over the last 9 years as a contractor and an employee. They say, 'once a unix geek, always a unix geek'. Well, for me it's kinda slightly different: "once a sun geek, always a sun geek". The spirit lives on. It's easy to take a geek out of Sun, but it would be very hard to take the "sun" outta a geek!

As I type this post with a rock on my chest, I also breathe a sigh of relief. A sigh of relief from the topsy-turvy ride we have all been on for a long long time. I've lived through several RIF's and survived them all... And now I find myself making this bold move of moving out and onwards on my own.

I think it's time for me to take my destiny into my own hands, and carve out my own future. It's high time I pursue my dreams, and am moving on from here to pursue that dream.

I've had the opportunity to work alongside some of the industry's most brilliant, coolest and fun'est folks, the opportunity to live and learn new technologies, the opportunity to work for a company that had a vision, a true vision! These moments will be cherished forever.

In the last several months I've been involved in some fascinating projects which span the healthcare, banking and telecommunications verticals. The lessons learnt have been simply wonderful (both on a technical and a personal note).

I am sure all our paths would cross again, and having said that I'd prefer to not say goodbye but rather use a line from an old Bollywood favorite of mine "DASVIDANIYA" (from the movie Mera Naam Joker), which means "Until We Meet Again".

Now, before any of you jump to any conclusions or concoct any conspiracy theories, the reasons for me moving on are quite simple. I am moving on to carve out my own future. I shall be continuing my participation on the advisory board of BastionHost. Apart from this, my primary day-job would be quite different from what I've been used to all along. I'm finally switching gears from the telecommute role that I've been so used to over the years, to work behind a desk and be involved in spearheading the development of SaaS-enabled infrastructures for the wealth management sector.

Sometimes in life one comes by opportunities that are rare, and if one does not act upon them regret is all one will be left with, and that is something I refuse to live with.

If you would like to continue being in touch, you can follow my ramblings on tumblr. I am always available through Facebook, LinkedIn and twitter. I could also be reached via email at rohan[@]rohanpinto[.]com.

Last but not the least, I'm not gone yet..! I will be continuing in my role at Sun until the end of the month. From now until then I'll be tying up loose ends and transitioning what I currently have on my plate to other folks on my team (and I hope to make the MOST of the time I spend with my colleagues during this time).

For all those folks in the Identity Practice... I will be hanging around this arena of technology for quite a while, folks, so Stay Strong, Live Large, and do keep in touch. You will find my continued participation on the OpenSSO and OpenDS aliases. I am not sure what's gonna happen to these product lines after the Oracle acquisition, but regardless of the outcome, let's keep the community going and continue contributing to the project. I know "I Will", I hope you will too...

This blog at Sun Microsystems will no longer be updated.

April 11, 07:58 AM

With Debashish's help I am moving all posts from this blog on rollerweblogger to wordpress. I hopefully should complete this migration by this weekend. Once all the posts including comments are migrated over I hope you would continue reading my new wordpress-hosted blog.

UPDATE : The reason for migrating the blog over is that I wish to enable yadis/lid/openid/sxore and infocard (PHP & JAVA) authentication on the blog, and it's not possible with a hosted service. So that was my only reason.

April 10, 01:11 PM

AH!!! Hellooo world. Java based infocards are taking over... Here's yet another Java based Infocard Relying Party demo. This time it's Ashish Jain's implementation of it. Ashish works for PingIdentity and is also the co-author of J2EE 1.4 Bible & Enterprise SOA (I bet you didn't need that introduction, as you would have known that already).

His demo is available on PingIdentity's Jetty based demo server. His implementation however does not use bouncycastle or XOM but is again a Java based RP developed from scratch using XMLBeans and XMLSEC.

It sure is a chweeth Object Oriented world, ain't it??

UPDATE : There's one thing for sure that infocard and WS-* is helping me with, i.e. making new connections and a LOT of new friends.

Well, I do not wanna say that I buy the concept of User Controlled Identities in its "entirety", but I'd like to say that I am trying pretty hard to buy into the "concept". Amartya Sen, the co-author of "Identity and Violence", says that the "freedom to choose one's identity affiliations is the antidote to divisive extremism".

Well. I'd not hesitate to do my part in playing a role to eliminate divisive extremism. And just to add to that I'm buying Kim's concept.. slowly.. very very very very slowly...

However, while on the "identity" subject, like the "rest of the world"... I too have a question for Kim. What's with this symmetric proof key in the SAML assertion? Like me, I bet there are several-several folks out there who are awaiting an answer... Kim, please... Could you? PLEASE...

A few folks have been having issues using self-signed server certificates to invoke the Identity Selector WinFX component. Here's a short walkthrough on how to use a self-signed certificate and save a few $$$ from having to buy a certificate from a Trusted Authority.

The key is to use the sha1rsa signature algorithm instead of the default md5rsa signature algorithm.

# generate a passphrase-protected RSA key, then write an unencrypted copy for the web server to load
openssl genrsa -des3 -out pass.key 1024
openssl rsa -in pass.key -out server.key
# self-sign a certificate with that key; -sha1 selects sha1WithRSA instead of the md5WithRSA default
# (-key reuses server.key from the previous step rather than generating and overwriting it with -newkey)
openssl req -new -x509 -days 365 -sha1 -key server.key -out server.crt

Then copy server.key and server.crt to your web server's config directory.
cp server.key /etc/httpd/conf/ssl.key/
cp server.crt /etc/httpd/conf/ssl.crt/

Change file access permissions so that only the owner can read the private key.
chmod go-rwx /etc/httpd/conf/ssl.key/server.key

Make a test cert.
make testcert

Create a server.pem file by concatenating the server.key file and the server.crt file as follows:
cat /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt > /etc/httpd/conf/server.pem

Restart your web server.

Your self-signed certificate should now invoke the identity selector without any issues...
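A follow-up check for the walkthrough above, added here as an example and not part of the original post: once server.crt exists, confirm which signature algorithm it actually carries, since an md5WithRSA certificate is exactly what the sha1 step is meant to avoid. The script uses only the Python standard library and walks the outer DER structure of the certificate (tbsCertificate, signatureAlgorithm, signatureValue) to read the signatureAlgorithm OID. The certificate bytes it tests against are constructed inside the script (a syntactically valid shell with placeholder contents, not a real certificate); pass the path of your own server.crt to check a real one.

```python
"""Read the signature algorithm from an X.509 certificate, stdlib only.

Added example, not from the original post. Decodes the OID inside
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
constructed_cert_pem() builds a placeholder certificate for testing; it is NOT a real certificate.
"""
import base64
import re
import sys

# RSA PKCS#1 v1.5 signature OIDs (RFC 3279 / RFC 4055).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """DER OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(pem: str) -> str:
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)          # tbsCertificate: skipped
    tag, alg, _ = read_tlv(cert, pos)         # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not begin with an OID")
    return decode_oid(oid)

def describe_signature(pem: str) -> str:
    """Friendly name for the signature algorithm, or the raw OID if it is not in the table."""
    oid = signature_algorithm(pem)
    return SIGNATURE_OIDS.get(oid, oid)

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed test certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return der(0x06, bytes(out))

def constructed_cert_pem(sig_oid: str) -> str:
    """CONSTRUCTED TEST DATA: a fake Certificate whose outer signatureAlgorithm is sig_oid."""
    tbs = der(0x30, der(0x02, b"\x01"))                     # placeholder tbsCertificate
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))   # { OID, NULL parameters }
    sig = der(0x03, b"\x00" * 129)                          # placeholder BIT STRING
    body = base64.encodebytes(der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else constructed_cert_pem("1.2.840.113549.1.1.5")
    print(describe_signature(pem))
```

Run it with the path to server.crt as the only argument; with no argument it checks the constructed sample and prints sha1WithRSAEncryption. Only the outer signatureAlgorithm is decoded, which is enough for this check; the inner tbsCertificate.signature field is required by RFC 5280 to carry the same algorithm.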

NOTE : Remember folks. If you're learning anything at all from all of us who are blogging our experiences and processes about getting infocard to work on all these various platforms and scenarios, PLEASE "pay it forward".

A must read : via Pat's blog :

From fellow Libertyite, Paul Madsen, comes this amusing take on user-centric identity. Many a true word spoken in jest!
Give it a read. The time spent would be well worth it.

Happy Monday.

I was chatting with a friend recently about "successful marketing strategies", and I was told that one of the most successful ones had been the McDonald's Happy Meal. Yes, true, the Happy Meal really is one of the best. & then I thought... "infocard"... is this a "strategy" that Microsoft had?

But InfoCard will only succeed if there are innovative people like you who are willing to take the time to build interesting relying parties and identity providers.

Microsoft is known for its marketing strategies. They succeeded in making "windows" the de facto standard for desktops. I really don't care how they did it, but the bottom line is that they did it!! Well, I then remembered that "infocard" can be only as successful as its adoption.

Well, Here's what I think. (my perception)
Microsoft has generated so much interest and buzz in the marketspace with the "Laws of Identity", The "Identity Metasystem" and "infocard" that everybody wanted to know what it was and how to use it. I was one of them....

Microsoft didn't want to make "infocard" implementation an "insert CD..., click next... (a few times), and then click finish..." procedure.. They wanted folks to adopt it. They also wanted the "community" to show that they could do it on their own with Java, PHP, etc... Basically they showed us a "carrot" and made us run for it... Once the "community" showed that they could easily do it, it would make everybody believe that implementing it is not a complex task. It's not expensive and it's do-able. Well, they sure succeeded at that.

PS: Kim, if that was the strategy, Hats off to you. You did it !!!(extremely well planned). Now you know why I idolize you.

Your Thoughts ?

After several emails, I thought that it would be best to point folks to a direct download of ie7 Build 7.0.5296.0 (the version that works). So folks, please stop emailing me for this version. Simply download it from: rapidshare.de. If you send me emails, please do not be surprised when I reply with a link to this blog post.

As far as the WinFX components go, download whatever is available from Microsoft's website. It would work.

And as far as the PHP and Java Code release goes (for both the RP and the infocard creator)... Patience my dear Watson, Patience... We've all waited so long for the right folks to release their code.. So Bear with me/us and have a little more patience.

BTW: This infocard crypto stuff is just cool. The ciphers and the methods to encrypt/decrypt the tokens are smooth... However, Robin Wilton (racingsnake) had a very good question, and I'm awaiting Kim's response.. I hope he does.

Chuck Mortimore has posted the exact steps required to "consume" infocards on his blog (xmldap). I'm not gonna steal the spotlight from him. He deserves more credit for this than anybody else. This is a cross-post from Chuck's blog.

Chuck writes:

To get started, you need to get your hands on the XML Token. This should be pretty simple, as your web framework will generally hand back parameters already URL decoded.

Once you’ve got the token, you’ll need to decrypt the token. The token is transmitted as encrypted XML.

Head on over to Chuck's blog to see what the xmlToken would look like,
OR look at my previous post on what it looks like. Chuck's post is "complete". Mine's truncated..

Basically what you have here is an ephemeral symmetric encryption key, which has itself been encrypted with the Public Key of the SSL Cert for the website InfoCard is interacting with. As you can see from the metadata provided in the KeyInfo fragment, the key is encrypted using RSA with OAEP encoding and SHA1, using the certificate identified in the SecurityTokenReference with the provided fingerprint (the fingerprint is a SHA1 hash of the cert bytes).

Your first job is to decrypt that encryption key. Step one: remove the Base64 encoding. Step two: you need to write a function which takes the private key for the cert referenced by the fingerprint, along with the data as input, and decrypts it in this manner (RSA-OAEP).

Once you’ve successfully decrypted the key (it should be 256 bits), you can use it to decrypt the token. As you can see in the XML, you need to use AES with a ChainedBlockCipher. Decrypt the token (don’t forget to strip the initialization vectors... thanks Gary).

Head On Over to Chuck's Blog to see what the decrypted token would look like

The next step would be to quickly check the validity period on this Assertion to make sure it’s still fresh. You might also want to check the AssertionID against a table of previously seen assertions to prevent replay...depends on your level of paranoia.

On to signature validation... you should follow the steps outlined in XML-DSIG, but to paraphrase, check the digest of the canonicalized assertion against the digest in the SignedInfo block, and then validate the signature of the canonicalized SignedInfo using a PublicKey constructed from the provided KeyInfo.

Now, what’s bugging me is the use for the Symmetric Proof key provided in the Subject of the Assertion. Super Pat and I discussed this for awhile, and since it’s not used immediately in this protocol exchange, our best guess is that it’s used in subsequent interactions with the service, although I must admit the InfoCard docs are a little fuzzy on this subject. If anyone can fill me in, I’d appreciate it!

Finally, if your signature validation worked, extract the claims, enforce any policy you’d like, create a session, set a cookie, etc...

Chuck has also reverse-engineered the infocard token creation and has published a tool that can create a token for you on his demo servers.

Now that the "infocard walled garden" has been made not so mystical, here are my thoughts.

The OBJECT tag required to invoke the Identity Selector is a cool tool, but on the RP side, the RP is just a listener that receives tokens "pushed" to it. One does not really need an InformationCardSignInHelper (i.e. icardie.dll for ie7) to invoke the Identity Selector (WinFX CTP). One can easily write a tool that creates these tokens using random data and starts pushing them to RPs. I see this as an extremely simple way to set up a DoS attack.

  • So are infocards really "secure"?
  • Would they make the common man's life easier?
  • Would they make RP's more vulnerable to DoS attacks?

Like I said earlier, I am having an extremely hard time trying to digest the First Law from the "Laws Of Identity". For some reason I tend to lean strongly towards not being able to digest "user control". Hopefully over time I shall grow out of it and be able to digest the theory.

SO: Higgins folks have a base to work off of for their open source version of "infocard-whatever" (not that they needed it). And I'd like to see if folks credit Chuck for HIS hard work.

March 30, 06:15 AM

Nothing special here. This is what the xmlToken that the Identity Selector sends across to a Relying Party looks like.


more soon...
March 29, 02:46 PM

Chuck Mortimore has just deployed the world's first Java based Infocard Relying Party app. I'm following up soon with a PHP based Relying Party app... (Chuck beat me to it.. even though we've been constantly communicating and collaborating.. Guess Chuck had the advantage of time... But however, we played tag-team and managed to get it to work!!!) Getting Java to work was easy.. PHP seems to be a bit harder with decoding and parsing encoded XML. I always thought that PHP was easier.. but was proven wrong this time... I'm trying to do exactly the same thing in PHP as the Java code and all I get is garbage. There must be something different in the urldecode / base64_decode functions in PHP and the way in which it handles "special characters".

HOWEVER: Chuck's the one who deserves 100% credit for deploying it first.

Kim, please publish your code... not the relying party (RP) code, we got that already.. We would like to see the WinFx Identity Invoker code... (please... please... please... please... please...)

For those who appreciate HARD WORK. Take a moment to toast Chuck. Infinite cheers Chuck !!! You ROCK !!!

Open Source rocks !!!..... Kim.. break down those walls. Let East Meet West. Let infocard be really "open". Please do not restrict us to work within those "infocard walled gardens"... please let us open up channels to securing the identity space. & ah !! in-ter-oh-por-ate !!

PS: When I say "us".. I mean "we the people", @the "open source community"....

Next Stop: How to Federate your "infocard" authentication token.

March 28, 09:20 AM

LOL... had some time to kill..... and so I made a few images that you could use as your infocard image to help you identify the different infocards you create and distinguish between them instead of relying on the infocard super-imposed name.


And here's John Doe's Infocard. Use the password "password" to import the infocard.
This distribution of John Doe's infocard could probably make John Doe a "celebrity" again.

Remember to save John Doe's infocard with the extension .crds

I know that most of the sites that would accept this card would also have a "confirm registration" email sent out. Well, I shall soon do something to address that too. The email address registered on this card is john.doe.infocard-AT-gmail-DOT-com. So what I shall also do is set up a gmail forward to forward all emails to a_secret_email_address@blogger.com, and then set up a blog to publish all those emails received. Well, then I could probably write a javascript or any utility to auto-click & confirm all URLs in the posts, or to parse the contents of emails received and do an HTTPrequest.get() on all URLs that the blogpost contains. But since that would take some effort, and is not something I am too keen on doing anyway, and also since I currently do not have too much stale time on my hands, I shall do that only if I see the card being used... or I may also decide against it and keep this as "insider" info.

Guess I would be wasting too much time on this. so the idea is now officially canned.
ROTFL.

NOTE : This is in no way an attempt to initiate a world-wide attempt to present John Doe's infocard as a mechanism to break all web services/applications that may someday accept infocard as their auth medium. I received a few emails and phone calls to clarify the intent here..
So here's a public post of the intent. If you see that this can be used as a way in which tens of thousands of folks use a "common" credential (with User Control and Consent) to authenticate, and even deceive the "registration confirmation" system into accepting the credential, then I hope you see the big picture. These AuthN mediums are not for a person-to-person authentication system but for an "automated" system. I see this as a means by which hackers have a platform to authenticate into systems, initiate a new breed of DoS attacks, hijack identities, & misuse the system. Please see this not as an attempt to "attack" but as an attempt to show you that there can be several ways in which a system's stability can be compromised using extremely simple means. It does not require a rocket scientist to do such tasks. & mind you, there are several folks "out there" who do this just for the kicks. So when you folks read about infocard and its capabilities in all its basking glory, please remember not to tie yourselves down to an "infocard walled garden" and think outside of the BOX.
As "WE" work on securing the system/s even more, the "outsiders" would always find innovative ways of breaking it. Therefore "WE" need to work as a "TEAM" and CO-LAB-OH-RATE!!
Please... Let's not work on "proprietorizing" IDENTITY. We've got to have a solution that the industry sees as something that is SECURE, OPEN & more importantly INTER-OPERABLE. Remember it takes 2 to tango.
March 27, 04:25 AM

UPDATE : Build 5299 did not work. I'm now hunting for Build 5296, because the build that works on my desktop is Build 5296. If anybody has a downloaded copy of Build 5296, please please let me have a copy.....
OK. OK..... I've tried and tried and the March 20th release of ie7 just does not work (Kim had pre-warned me/us about it, but I just didn't heed his advice). The ONLY ie7 release that works with infocards is BUILD 5299 (for now). Now I had a desktop with Build 5299 installed, but unfortunately I had not saved a copy of it. I just finished rebuilding my virtual infocard test environment and was having an extremely hard time trying to download ie7 Build 5299. I desperately wanted Build 5299 for testing purposes. I am aware of all the security flaws that come along with it, but I just don't care about them for now. All I wanted was a browser that worked with infocards. So after much effort, I did find an ie7 Build 5299 download on rapidshare. So in case you would like to use ie7 Build 5299, here are the download links.
  1. IE 7 build 5299 (link 1)
  2. IE 7 build 5299 (link 2)
  3. IE 7 build 5299 (link 3)
WARNING: USE AT YOUR OWN RISK. Also read the whole list of ie7 security flaws & vulnerabilities prior to proceeding.

March 26, 06:30 AM

This " - night - Graveyard-shift " infocard project of mine is working out to be an expensive affair for me, in $$ terms. I travel around so much (every Mon-Fri) that in order to work on it at nights, I needed to have WinXP with SP2 and ie7 on it. There's no way I would risk putting my endeared Ferrari through the BSoD (Blue Screen of Death) trauma. Well, there was no way for me to carry all my desktops around when I travel. So VMware came to the rescue.

My VMware Workstation cost US$199, and then another WinXP Pro license was another US$299. And another CD$100 for bribing my wife with a L'Occitane gift pack to entice her to let me spend this money. Whew!!

I hope this expense pays off in terms of learning. I believe that there can be no cost factor associated with learning. And hope & pray that this pays off in the long run.

Now I have an "infocard"-ready system in addition to a development environment, and a webserver with me all the time. Hopefully in the coming weeks (with my new set of ammunition) I should be able to blog more on my discoveries...

So stay tuned...

March 24, 01:46 AM

An FYI reminder & a cross-post from superpatterns. The reason I'm cross-posting this is that I believe this is something important and something that everybody should participate in, as the info that this webcast would provide you would prove extremely valuable.

There's a lot of buzz around 'user-centric identity' right now: the notion of involving users in the management of their personal information and its use, rather than leaving it to some enterprise or other organization. The folks at the Liberty Alliance have written a whitepaper entitled 'Personal Identity' that shows how Liberty's Identity Federation Framework (ID-FF) and its successor SAML 2.0 can be used to implement user-centric identity; for example, a user providing their own identity services via a Liberty-enabled device such as a cellphone. It's a good read. It starts from the basics, so you should be able to follow it even if you're new to Liberty and SAML.

On the same topic, John Kemp of Nokia and my esteemed colleague Hubert Le Van Gong will be presenting a webcast on April 12 2006 at 8am Pacific. PLEASE NOTE: Registration is required and limited to the first 100 respondents! The last webcast on the Liberty People Service 'sold out' very quickly, so get in there straight away if you're interested. If you're too late, don't despair - the webcast will be available in archive form after the event. I'll update this entry with the URL once it's online.

To register for the webcast, follow these steps.

  1. Go to http://projectliberty.webex.com
  2. Under the heading Attend a Meeting, click Register
  3. Search for centric
  4. Select User Centric Identity: Success Today and click on the Register Button. (Don't bother clicking on the link - it doesn't lead anywhere useful!)
  5. Fill out the required information and click Register Now at the bottom of the page.
Please email Tricia DeHart of the Liberty Alliance Project with any questions.
March 23, 05:24 AM

Self-issued information cards support only a select number of claims. Each of these claims is associated with a URI that one could use to look up the claim inside the token.

The claims that are supported are:

  1. Given Name = "http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname";
  2. Email Address = "http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress";
  3. Surname = "http://schemas.microsoft.com/ws/2005/05/identity/claims/surname";
  4. Street Address = "http://schemas.microsoft.com/ws/2005/05/identity/claims/streetaddress";
  5. Locality = "http://schemas.microsoft.com/ws/2005/05/identity/claims/locality";
  6. State/Province = "http://schemas.microsoft.com/ws/2005/05/identity/claims/stateorprovince";
  7. Postal Code = "http://schemas.microsoft.com/ws/2005/05/identity/claims/postalcode";
  8. Country = "http://schemas.microsoft.com/ws/2005/05/identity/claims/country";
  9. Home Phone = "http://schemas.microsoft.com/ws/2005/05/identity/claims/homephone";
  10. Other Phone = "http://schemas.microsoft.com/ws/2005/05/identity/claims/otherphone";
  11. Mobile Phone = "http://schemas.microsoft.com/ws/2005/05/identity/claims/mobilephone";
  12. Date of Birth = "http://schemas.microsoft.com/ws/2005/05/identity/claims/dateofbirth";
  13. Gender = "http://schemas.microsoft.com/ws/2005/05/identity/claims/gender";
  14. PPID = "http://schemas.microsoft.com/ws/2005/05/identity/claims/privatepersonalidentifier";

One could use the URIs with the TokenHelper class to extract the values for the claims.
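To show how a relying party would use these claim URIs once it has a decrypted, signature-verified token, here is an added example (not code from the original post, and not Microsoft's TokenHelper class) that also performs the two checks Chuck lists in the earlier cross-post: the validity period on the assertion and a replay check on the AssertionID. It assumes the SAML 1.1 layout in which each claim arrives as a saml:Attribute whose AttributeNamespace and AttributeName together form the claim URI from the list above; the sample assertion inside the script is constructed for this example, and its AssertionID, Issuer and claim values are placeholders.

```python
"""Checks an RP runs on a decrypted, signature-verified InfoCard SAML 1.1 token.

Added example, not from the original post and not Microsoft's TokenHelper. Assumes
decryption and XML-DSIG verification were done upstream, and that each claim is a
saml:Attribute with AttributeNamespace + "/" + AttributeName equal to a claim URI.
SAMPLE_TOKEN below is constructed for this example and is not a real token.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}
CLAIMS = "http://schemas.microsoft.com/ws/2005/05/identity/claims"

def parse_time(value: str) -> dt.datetime:
    """xs:dateTime such as 2006-03-23T05:24:00Z -> timezone-aware UTC datetime."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def check_validity(assertion: ET.Element, now: dt.datetime, skew_seconds: int = 60) -> None:
    """Enforce NotBefore <= now < NotOnOrAfter, allowing a little clock skew."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion lacks Conditions with NotBefore/NotOnOrAfter")
    skew = dt.timedelta(seconds=skew_seconds)
    if now + skew < parse_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion has expired")

def check_replay(assertion: ET.Element, seen: set) -> None:
    """Reject an AssertionID that was already accepted; remember new ones."""
    assertion_id = assertion.get("AssertionID")
    if not assertion_id:
        raise ValueError("assertion has no AssertionID")
    if assertion_id in seen:
        raise ValueError("replayed assertion " + assertion_id)
    seen.add(assertion_id)

def extract_claims(assertion: ET.Element) -> dict:
    """Map claim URI -> value for every saml:Attribute in the AttributeStatement."""
    claims = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        uri = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        claims[uri] = values[0] if len(values) == 1 else values
    return claims

def consume_token(xml_text: str, now: dt.datetime, seen: set, required: tuple) -> dict:
    """Validate the assertion and return just the claims this RP requires."""
    assertion = ET.fromstring(xml_text)
    if assertion.tag != "{%s}Assertion" % SAML:
        raise ValueError("not a SAML 1.1 Assertion")
    check_validity(assertion, now)
    check_replay(assertion, seen)
    claims = extract_claims(assertion)
    missing = [u for u in required if u not in claims]
    if missing:
        raise ValueError("required claims missing: " + ", ".join(missing))
    return {u: claims[u] for u in required}

# Constructed sample (not a real token): placeholder AssertionID, Issuer and values.
SAMPLE_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="uuid:EXAMPLE-ASSERTION-0001"
    Issuer="urn:example:self-issued-placeholder" IssueInstant="2006-03-23T05:24:00Z">
  <saml:Conditions NotBefore="2006-03-23T05:24:00Z" NotOnOrAfter="2006-03-23T06:24:00Z"/>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>EXAMPLE-SUBJECT</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="%(ns)s">
      <saml:AttributeValue>John</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="%(ns)s">
      <saml:AttributeValue>john.doe@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="%(ns)s">
      <saml:AttributeValue>PPID-PLACEHOLDER</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""" % {"ns": CLAIMS}

REQUIRED = (CLAIMS + "/givenname", CLAIMS + "/emailaddress", CLAIMS + "/privatepersonalidentifier")

def run_demo() -> dict:
    """Accept the token once, then show that a replay and an expired presentation are refused."""
    seen = set()
    now = dt.datetime(2006, 3, 23, 5, 30, tzinfo=dt.timezone.utc)
    result = {"claims": consume_token(SAMPLE_TOKEN, now, seen, REQUIRED)}
    try:
        consume_token(SAMPLE_TOKEN, now, seen, REQUIRED)       # same AssertionID again
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    try:
        late = dt.datetime(2006, 3, 23, 7, 0, tzinfo=dt.timezone.utc)
        consume_token(SAMPLE_TOKEN, late, set(), REQUIRED)    # past NotOnOrAfter
        result["expired_rejected"] = False
    except ValueError:
        result["expired_rejected"] = True
    return result

if __name__ == "__main__":
    print(run_demo())
```

The order of the checks is deliberate: freshness and replay are decided before any claim is read, so a stale or replayed token never reaches the policy logic. The seen set stands in for whatever store the RP keeps for AssertionIDs; entries only need to live as long as the longest NotOnOrAfter the RP will accept, since anything older fails the validity check anyway.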

..... more later.....
March 22, 12:48 PM

Here are a few thoughts on "authentication" and "authorization" in my own words.... (I hope you can understand what I am trying to say or imply). Please read this if you know how to differentiate between jokes and serious stuff....

I am Rohan Pinto, also known as "rohan" to some, by an "employee ID number" to my employer (you wish I published that number, didn't you?), "ldapguru" according to folks who use my website, "Mr. Pinto" to those who look up to me (no kidding.. there are a few... a very few...), "Sir" (to the world, if I ever get to do better in life than Sir Richard Branson), "baby" to my wife, "daddy" to my kids, "thengdi" to some, "ron" according to a few, "kramer" to some, "attacker" according to Kim, "hey you" to others who just don't care...

Anyway, the point is, I have several identities, each for a "specific" use-case.
Now, my wife would never accept the credential "daddy", nor would my kids accept anything other than "daddy". Similarly, others too have their own criteria for what's accepted and what's not.

The "criteria" is NOT something set or asserted by me. It's something that the "Relying Party" sets for themselves.

I probably do have the ability of presenting another credential to my "Relying Party", But would the "Relying Party" BUY THAT ?

Nothing stops me from presenting my "self asserted identity" to any of the "Relying Parties". I being a "human-component" have the ability to understand and know the (sometimes partially, and sometimes everything: based on how much info I have about the "Relying Party") criteria for acceptance by these "relying parties". Based on that info, I could establish an identity that closely matches the "acceptance criteria" of my "Relying Party", and probably get my "Relying Party" to open doors and welcome me in.

Hey, this whole exercise about "identity management" is to make the world a better/safer/more secure place, ain't it? I think that providing a platform whereby "identities" can be spoofed and "created" is just silly. Who are we really helping? "Ourselves" or "somebody else"?

The way I look at it is that the "Relying Party" has this box of treasure. I would like to see that treasure and claim my share.... In order to do so, the "Relying Party" has their own set of criteria of acceptance. If "my authenticated & authorized identity credentials match their criteria, I am given a key. I can use that key and open the treasure box anytime, however many times I want to". The point is that the key is "GIVEN" to me after the fact that I have "successfully" authenticated and also "authorized" myself in a one-step or a multi-step process (usually a multi-step process). However, even if I have a "pre-authenticated/pre-authorized" "key", I still need to present it to the "keeper" of the treasure and authenticate myself again every time I need to gain access. Even after authenticating myself all over, the "keeper" would still need to "authorize" me every single time.

The first step is gonna be to ensure that the "identity" is who he/she (or even an "it") really is. There's no way that the "Relying Party" is gonna take the "presented secure identity token" and rely on it. One may say that the "secure token presented" can be validated against a specific set of criteria, but hey, that's "authorization". Why would the "Relying Party" take the pain of "authorizing" a fake to begin with... If the "Relying Party" has assurance that the "identity" is valid, then the "authorization" step begins....

One not only needs to ensure that the "identity" is not a "fake" but also needs to ensure that the "identity" is stepping in from the front door, and then also have the ability to validate the "identity's" other unique "characteristics" prior to even cross-checking if the acceptance criteria match the "identity's" profile.

Am I selling something here... maybe... maybe I am....
Have you heard of nFactor Authentication yet?? Well, if not, you will... soon... (I'm in the process of patenting and trademarking it.) Trust me, you will hear from me.....

Anyway, back to the topic on hand... USER-CONTROLLED-IDENTITIES.
I personally think that it's not a good thing. But I cannot force everybody to agree with my views. Like I have a right to my own view, you have your rights too. So all said and done, I see that the industry is making this huge "noise" about user-controlled-identities. Why fight it, I'll flow with it....

But in the process...., instead of just accepting the fact, I thought of making user controlled identities a wee bit more secure... and easier to implement and use. So I've come up with my own "ANTI Laws of Identities" explanations... (No offense Kim, I'm having fun with terminology. It's been a long hard day today...)

  1. User Control and Consent: The user sure can consent, but control NO!!! I meet my wife, she recognizes my "pre-authenticated" characteristics and "identity" and says, Hi "baby". I only consent by saying "yes love".
    LOL... I'm having fun today.. ain't I??
  2. Minimal Disclosure for a Constrained Use: Minimal Disclosure NO!!! With my wife there's no "minimal disclosure". I'm not sure if yours does.
  3. Justifiable Parties: True, Very Very True. I concur. Both me and my wife need to constantly justify our commitment to each other. Trust me. We really really do. No kidding, honest.... Don't you? It's not because we distrust each other, it's reassurance. Just like folks like to reassure themselves about how good they look by repeatedly asking for opinions...
  4. Directed Identity: In my case (example) the "identity" assertion is a two-way street. Not only would the "identity" need to assure itself of the authenticity of the "Relying Party", but the "Relying Party" also needs assurance that the "identity" is a "trustWORTHY" "Identity".
  5. Pluralism of Operators and Technologies: If I see myself as the "Relying Party" I need to not only recognize an identity called a "wife" but also recognize and know the difference in characteristics between identities like "daughter", "son", "employer", "mom", "dad", "friend" etc...
  6. Human Integration: I disagree that human intervention needs to be a Law. Human intervention is necessary, but not always. My coffee maker can brew only coffee and not make chicken soup. If I try to add chicken strips and water, I do not get coffee. My coffee maker is intelligent enough to know the difference between coffee beans/powder (the 2 characteristics of a presented identity that it can relate to, and that are in its list of criteria to brew good coffee).
  7. Consistent Experience Across Contexts: emmm.. how do I go about this one.. This is a hard one... Let's see.... How usable would today's computers be had we not invented icons and lists that consistently represent folders and documents? Hey, I really do not care about icons. I live in a "shell". Even though I'm not "Born Again" I live in a shell, a "Bourne shell". In my world, there are no "icons". However, I am classified as an "attacker". How could you relate to me, and prevent me from doing what I (probably) could do, if I didn't care about "icons"? You need to relate to me... the "threat". And if you succeed in doing so, that would be a HUGE step forward in making the world a better/safer/secure place.

That was fun... I just hope and pray that Kim takes this as a joke in good stride... This is plain old "food for thought" with a humourous twist. (It sounds humorous to me at least. If it's not, maybe my taste in jokes is real bad...)

Next topic is "Secure User Controlled Digital Identities" and my version of enabling its usage without having to implement or assert the adoption of a new "proprietary" standard or protocol. (If not the immediate next blog post, it would be a topic that I would soon post something on.)

March 21, 02:28 PM

Kim said that I was wrong on the cookie phenomena when "infocard" authentication was used...

Well, I'm not too sure about that.. Here are my exercise details to crosscheck if I really was wrong.

I cleared my browser cache, cookies..... everything, to start with a clean slate...
The following screenshot shows the existing cookie list from my browser.. (note: no identityblog.com cookies)

Then I logged into identityblog using my "infocard" ID, and tried to post a comment. The screenshot below shows that the comment form was not filled out with my info.... However, after the comment posted, it showed that the comment was posted by me... using the info that my "infocard" had...

The following screenshot shows the cookie list in my browser AFTER infocard auth. Notice that the cookie name is wordpressuser_MYSESSIONID & wordpresspass_MYSESSIONID

Then I logged out and the cookies disappeared... Neat stuff. Kim was right, the cookies get established when one logs in and then destroyed when one logs out.... or closes the browser, which is a nice thing because it was session based... Usually the cookies exist for a period of time till the session timeout value exceeds the set limit. But in this case the session was immediately destroyed regardless of whether I logged out or closed my browser... nice... really nice... IMPRESSIVE....

Then I posted a comment without authentication, and by filling out info in the comment form. The following screenshot shows what I did.

Actually I made a small error at this point.. I had posted a comment without logging out. I simply forgot to hit the "logout" button in the process of ALT-TABBing between this blog post and his blog. So I Hit the logout button and THEN posted the following comment:

As soon as I did that, I noticed that Kim's blog server set 3 cookies as the following screenshot depicts (note the cookie names, they start with comment_author_MYSESSIONID, comment_author_email_MYSESSIONID, comment_author_url_MYSESSIONID).

Now I login with infocard again... and post a comment as the following screenshot shows:


I checked my cookie list and saw that in addition to the cookies previously set without infocard auth, there were 2 more cookies... The following screenshot shows that....

...In short, once a user uses the forms to post comments, regardless of the "infocard" auth, the cookies persist in the browser....
However, the form gets posted by the "authenticated user" regardless of the info one fills in the comment form.... But after the user logs out, he still can post comments without authentication, and the persistent cookies take precedence....

INFERENCE: Kim's wrong 50%, I am wrong 50%. We are both 50% wrong.... ROTFL...

AH! With these screenshots, I do not think I need to explain more. You, dear readers of my blog/s, can be better judges of what works and what does not.

Cheers for now. That was a fun exercise...

update/note : Please refrain from sending me emails that the cookie list screenshots were not from using ie7, but were from Firefox. Do not ask me how I did it (not right now), I shall announce how to use Firefox to authenticate using infocards in due time... when the time is right...

March 21, 12:32 PM

With the infocard buzz going around..., and the possible opensourcing of its components and code that enable users to easily deploy infocard, I thought that it would be nice if there could be more folks from the community who could actually try it out from a "deployment" perspective rather than from a "user's", to better understand how the whole thing works. But unlike me, not everybody has access to servers and other necessary resources to deploy such a solution.

I thought of making it easier for those who do not have servers but just a desktop and/or a laptop to install a webserver (ie: Apache), php, perl, sendmail, mysql DB, a FTP server (ie: filezilla), a mail server (ie: mercurymail), webdav, a mysql DB administrator (ie: phpmyadmin), a weblog analyzer (ie: webalizer), OpenSSL, etc.. at the click of a button..

No, no, I didn't develop anything new, but am pointing you to something that exists out there that would enable you to do ALL OF THE ABOVE.

Introducing: XAMPP from Apache Friends.


The philosophy behind XAMPP is to build an easy to install distribution for developers to get into the world of Apache. To make it convenient for developers XAMPP is configured with all features turned on.

The default configuration is not good from a security point of view and it's not secure enough for a production environment: please don't use XAMPP in such an environment.

Since LAMPP 0.9.5 you can make your XAMPP installation secure by calling »/opt/lampp/lampp security«

XAMPP for Linux
The distribution for Linux systems (tested for SuSE, RedHat, Mandrake and Debian) contains: Apache, MySQL, PHP & PEAR, Perl, ProFTPD, phpMyAdmin, OpenSSL, GD, Freetype2, libjpeg, libpng, gdbm, zlib, expat, Sablotron, libxml, Ming, Webalizer, pdf class, ncurses, mod_perl, FreeTDS, gettext, mcrypt, mhash, eAccelerator, SQLite and IMAP C-Client.

XAMPP for Windows
The distribution for Windows 98, NT, 2000 and XP. This version contains: Apache, MySQL, PHP & PEAR, Perl, mod_php, mod_perl, mod_ssl, OpenSSL, phpMyAdmin, Webalizer, Mercury Mail Transport System for Win32 and NetWare Systems v3.32, JpGraph, FileZilla FTP Server, mcrypt, eAccelerator, SQLite, and WEB DAV & mod_auth_mysql.

XAMPP for Mac OS X
The distribution for Mac OS X contains: Apache, MySQL, PHP & PEAR, SQLite, Perl, ProFTPD, phpMyAdmin, OpenSSL, GD, Freetype2, libjpeg, libpng, zlib, Ming, Webalizer, mod_perl, eAccelerator, phpSQLiteAdmin.
WARNING: This version of XAMPP is still in the first steps of development. Use at your own risk!

XAMPP for Solaris
The distribution for Solaris (developed and tested with Solaris 8, tested with Solaris 9) contains: Apache, MySQL, PHP & PEAR, Perl, ProFTPD, phpMyAdmin, OpenSSL, Freetype2, libjpeg, libpng, zlib, expat, Ming, Webalizer, pdf class.
WARNING: This version of XAMPP is still in the first steps of development. Use at your own risk!

XAMPP is free of charge
We don't like overpriced commercial software and XAMPP is our attempt to do something that shows free software doesn't have to be bad.

Easy installation and deinstallation
To install XAMPP you only need to download and extract XAMPP, that's all. There are no changes to the Windows registry (not true if you use the Windows installer version of XAMPP ) and it's not necessary to edit any configuration files. It couldn't be easier!
To check that XAMPP is working some sample programs are included, there is a small CD collection program (written in PHP using MySQL) and a small guest book software (written in Perl) and several other demonstration utilities.

If you decide that XAMPP isn't needed any more just delete the XAMPP directory and it's completely removed from your system.

If you use the Windows installer version of XAMPP it's recommended to use the uninstall feature. As every installer does, the installer will make registry entries to remember the install.

The license
XAMPP is a compilation of free software (comparable to a Linux distribution), it's free of charge and it's free to copy under the terms of the GNU General Public License. But it is only the compilation of XAMPP that is published under GPL. Please check every single license of the contained products to get an overview of what is, and what isn't, allowed.

In the case of commercial use please take a look at the product licenses (especially MySQL), from the XAMPP point of view commercial use is also free.

Happy LAMP... oops... XAMPPing.

March 20, 02:49 PM

Hi Everybody. Here's a request. I'm trying to decipher a file with the header as follows:

The body of this XML file has a tag block as follows:


If anybody knows anything about this, please let me know... by either posting a comment here (which obviously is as good as telling the world) or by emailing me -AT- myFIRSTname.myLASTname@sun-DOT-com

Anybody ???

March 18, 02:54 AM

Pursuant to my prior post on Kim's php code release, I predicted that the php code would be no magic. The real "magic" is in the browser's capability of invoking the "Identity Selector" and passing data packets back and forth between the infocard enabled website (using the OBJECT tag) and the "Identity Selector". More on the browser side later. This post is about what Kim's php code "may" look like.

Please Read Update 2 at the bottom of this post

First and foremost, infocard requires SSL. So what Kim may have done on the server side is force SSL usage on his admin pages. This "probably" is accomplished by setting up Rewrite Rules on the "insecure" host.

In the .htaccess or virtual host stanza in httpd.conf for www.identityblog.com, Kim may have the rewrite rule to automatically go to the secure host when you browse to http://www.identityblog.com/wp-admin/. It's pretty evident because it does just that.

RewriteRule ^wp-admin/(.*) https://www.identityblog.com/wp-admin/$1 [C]

If Kim is using permalink rewrite rules, this line would probably appear before RewriteRule ^.*$ - [S=40]

I also noticed that Kim does not restrict access to the "public" www.identityblog.com over SSL. But if he chooses, he could restrict access to the secure site only to administrators, and force the public site to be served over non-SSL.

Well, his httpd.conf file may look something like the following:

It is probably a good idea to utilize SSL for user logins and registrations apart from administration. I hope Kim considers the following substitute RewriteRules. He currently does not do that.

Insecure host:
RewriteRule ^wp-(admin|login|register)(.*) https://www.identityblog.com/wp-$1$2 [C]
Secure host:
RewriteRule !^/wp-(admin|login|register)(.*) - [C]
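The two-host arrangement sketched above, written out as an added example (this is not Kim's configuration and not code from the original post). It uses the hostname from the post, placeholder certificate paths, and the usual redirect flags (R=301,L) instead of the chained [C] form quoted above; wp-includes and wp-content are kept reachable over SSL so the admin pages can still load their scripts and stylesheets.

```apache
# Added example: send the WordPress admin, login and registration paths to
# HTTPS and keep the public blog on plain HTTP.

<VirtualHost *:80>
    ServerName www.identityblog.com
    DocumentRoot /var/www/wordpress

    RewriteEngine On
    # Any request for wp-admin/, wp-login.php or wp-register.php arriving on
    # the insecure host is redirected to the same path on the secure host.
    RewriteRule ^/wp-(admin|login|register)(.*)$ https://www.identityblog.com/wp-$1$2 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.identityblog.com
    DocumentRoot /var/www/wordpress

    SSLEngine on
    # Placeholder paths; substitute the real certificate and key.
    SSLCertificateFile    /etc/ssl/certs/identityblog.crt
    SSLCertificateKeyFile /etc/ssl/private/identityblog.key

    RewriteEngine On
    # The secure host serves only the administrative paths plus the static
    # assets they depend on; public pages requested over SSL are bounced back
    # to the plain-HTTP site.
    RewriteCond %{REQUEST_URI} !^/wp-(admin|login|register|includes|content)
    RewriteRule ^/(.*)$ http://www.identityblog.com/$1 [R=302,L]
</VirtualHost>
```

The redirect alone does not protect the login cookies WordPress sets afterwards; they also need the Secure flag so the browser never sends them over the plain-HTTP host.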

Now as far as the php code goes: Here's what I believe has been done.

  • He's enabled External Auth. (ie: not MYSQL, but infocard auth)
  • Modified the following Files:
    1. infocard/* : Contains all the infocard functionality
    2. wp-login.php : Contains the infocard authentication code and modified cookie content
    3. wp-admin/auth.php : This is modified to take account of the infocard cookie marker
    4. wp-config.php : Contains some infocard definitions
  • wp-includes/functions.php:wp_login() : modified to do infocard authentication and check for the infocard marker in the cookie
  • wp-includes/functions.php:wp_setcookie() : modified to set the infocard marker instead of the password in the cookie

NOTE: The directory /infocard is not really called infocard. I have no idea what the directory name is. I assume that it's infocard. I cannot crosscheck it because he probably has a .htaccess file there that does not allow directory listing. So for all you know the directory may be called "unknowndirectory".

The file wp-config.php probably contains an "infocard" switch define('INFOCARD_ENABLED', true);. Setting INFOCARD_ENABLED to TRUE turns on "infocard" authentication. Setting it to FALSE turns it off and normal WordPress authentication takes over.

NOTE: I'm trying this on my own test box and not directly on www.identityblog.com. Since I have my own private network, and am doing this on my own boxes (offline), I edited the file contents to "identityblog" to relate to what Kim's doing on his site.

That's all for now. I've got to run, my daughter (my everything) just had a fall and is bleeding... I'll follow up on this later...

I shall post the PHP code itself shortly. Please note: I am not stealing Kim's code; nor have I obtained it from him in any form so far. I am doing something similar to what Kim "may" have done, and am posting that code here.

Since the code's distributed across several files and directories I shall post a link to a tar file download and installation instructions. If you would like to "infocard" enable YOUR "wordpress" installation you could just follow the instructions in the tar file and use it.

Also note that this is not generic php. It's specific to WordPress.

The reason I'm doing this is because the market coverage for this php code is so so much that it surprises me that folks do not realize that php ain't magic. The code release I would like to really see is the "browser" bit.

Releasing php code for WordPress does not make infocard open source.

UPDATE: I'd be very curious to find out how closely my code would resemble Kim's actual code. Kim: if you're reading this, could you give me an indication if I'm going down the wrong path?


UPDATE 2: I tested this approach over and over... The php code DOES HAVE "some" magic in it. It needs to understand the MetaData and obtain the xml token that the "Identity Selector" sends across... more investigations underway... Will keep you posted.. SORRY Kim, sorry for saying there's no magic.

March 17, 06:28 PM

Just an FYI discovery of the moment.. Infocard authentication (as I had blogged about earlier this week) currently works on Windows XP with WinFX CTP installed and with Internet Explorer 7 Beta 2 Preview only. I tried to install ie7 Beta 2 Preview on Windows Server 2003. But got an "installation" error as ie7 Beta 2 Preview is currently not supported on Windows Server 2003.

ie7 Beta 2 Preview release notes can be found here.

If anybody out there has been successful in installing ie7 Beta 2 Preview on Windows Server 2003, please let me know how you did it or if it was possible.

March 16, 01:05 PM

I have just completed a basic infocard plugin for Firefox. Currently with my plugin, you can create infocards and save them. Yeah... A helluva lot of work has gone into it already...

Please remember, I have a day job too and this is my effort on a "time restrained" basis...

Some folks mentioned to me just yesterday that I am burning myself with "infocard". I want to put on record that this effort of mine is outside the boundaries of my day job. Well, if you think that I'm lagging in my "official work", you're DEAD wrong. My utilization is in excess of 100% and hey!! I'm a revenue engine for my employer. (I just hope that they are aware of it and appreciate it) ~just kidding...

There are folks who go clubbing, skiing, surfing, sailing, etc... for recreation. Well, I code for recreation... So.. All's good... I hope..

Well, the next step is to enable the HTML-OBJECT (enable the browser to recognize the application type "infocard") tag to invoke my "plugin" to enable the user to select an infocard (identity) and pass the security token representing the digital identity from the Security Token Service (STS) onto the requesting site using the HTTP(s)/POST operation.

I am not sure how the website would validate the token, but I guess I shall find out shortly..

Screenshots of my Firefox Plugin are shown below:


Firefox Extension Installer/Update:

Firefox Infocard Options:

Firefox Infocard Editor:

PS: The plugin is in "alpha" right now. I shall keep you posted developments from my end.

UPDATE: I should have said PRE-alpha rather than alpha. The plugin is far from completion. Please remember I just started working on this and it would take me time to complete it (especially when I'm doing this after hours). I shall post updates periodically as functional modules get added.. And as soon as I have a "working" instance, I shall make it available for download both from here and also the Mozilla downloads directory.

March 16, 05:10 AM

I just wanted to share with you the "browser" requirements for "browsers" to have the ability to invoke the Infocard Identity Selector (WinFX CTP Component).

For now, I know what the "browsers" should do. Would they do it... is another story altogether...

  1. The browser InfoCard support code invokes the InfoCard identity selector, passing it parameter values supplied by the InfoCard HTML tag supplied by the site.
  2. The user then uses the identity selector to choose an InfoCard, which represents a digital identity that can be used to authenticate at that site.
  3. The Identity Selector uses the Identity Metasystem protocols to retrieve a security token representing the digital identity selected by the user from the STS at the identity provider for that identity.
  4. The browser should post the token obtained back to the web site using a HTTP(S)/POST.
  5. The web site validates the token, completing the user’s InfoCard-based authentication to the web site.
  6. Following authentication, the web site would typically then write a client-side browser cookie and redirect the browser back to the protected page.

AH!! Authentication, see... Infocard addresses "authentication" and NOT "authorization". I believe that my assumption is true. Could someone correct me if I'm wrong?

March 16, 01:25 AM

Though Kim's placeholder for publishing the php code for WordPress integration is still "on hold", Kim has just blogged about the WordPress version differences between his "test" box and the "production" blog. He also mentioned that "a bunch" of people have been using the infocard client on his site... Well, I sure am one of them. However, I'd like to meet the others... SO if there are others out there trying to learn more about infocards, introduce yourself. Well, I did log into Kim's site with an infocard, but I informed Kim about my moves... I'm not doing anything behind his back... So I'd suggest you folks who are trying to log into identityblog introduce yourselves... Well, we can start a "support group".

I'm not too worried about the "php" part as the php code for WordPress I predict would be an extremely simple thing... Here's my prediction...

All the code would do is "provision" the "authenticated" user info into mysql, and establish a WordPress session. (Correct me if I'm wrong Kim, but infocard addresses a specific use case, i.e. Authentication and not Authorization.) Additionally, the user may be associated with a "role" that would enable the "user" to comment on the blog... nothing more... The php stuff ain't magic... The "REAL" magic is the browser's capability to invoke the "Identity Selector"... Now, Kim, if you're reading this... could you share "THAT" code?

Now, I may get a response in the form of... Just embed an OBJECT tag in your HTML code and that would do it.. But hey!! That ain't it. Embedding an OBJECT tag in HTML just does not do it. There's more to it than just an OBJECT tag. There's some relationship between the browser's capability of identifying the application type "infocard" and having the ability to invoke the Identity Selector that's installed on the desktop. I know that ie7 can do it, as I blogged about that earlier. Kim mentioned that he "had" a plugin for ie6. Well, apart from me trying to develop an open source version of the "Identity Selector" in Java (which has nothing to do with HIGGINS), I also am trying to develop a plugin/addon for Firefox/Mozilla. And if Kim shares that "plugin" code for ie6, it would make life so simple.... (at least mine...)

PS: In order to get a "browser" to "invoke" the installed WCF Identity Selector, the browser needs to recognize "specific" HTML extensions. I do have a doc that describes those extensions, but am currently unclear on its workflow; I got my local browser (Firefox) to recognize "those" extensions, but was unable to invoke the WinFX Component from my HTML page with an embedded OBJECT tag.

I've got a lot more to learn..... and I shall share as I roll along... Will you ?

March 15, 07:48 AM

Pursuant to my post on my "non-infocard" blog, I would like to take this opportunity to welcome you to my "infocard-blog". I shall not be cross-posting information between the two blogs; nor will I be moving old posts from "a twisted world" to this blog. So if you want to read any of my old posts, head on over to my "other blog".

I hope to make this a group blog and would invite other folks to join me here. Hopefully in due time it would be more than just me blogging here....
