
Today the MIX Conference in Las Vegas opens its doors, and there will be quite a few interesting announcements. I will surely blog about some of them, and today I will start with the public release of Internet Explorer 8 and one of its new features, called Webslices & Activities. It is as compelling as it is simple, because it lets you extend the IE browser with very little effort. Now you might say "piece of cake", this has been possible for years, and not only with IE but with other browsers as well. Yes, that's correct, but not entirely, because it was never that easy. Well, at least not as easy as it is now with Webslices & Activities. But before continuing with the prose let me shortly introduce you to:

  • Activities


    Activities are services which allow you to access a certain remote service of a website in the context of the site, or of parts of the site, you are visiting. An example: you are on the website of a local dealer and are interested in buying something there. Unfortunately this dealer has no delivery service and also no store locator. In that case you would usually take the address and get directions using a mapping tool of your choice. With a mapping activity you could do the same, but the big difference is that you can do it in the context of the dealer's webpage. Just mark the address, right-click and choose the mapping activity of your choice, as shown in the screenshot below.

    Now what is an activity technically?

    That's the simple part, because an activity is simply an XML configuration. In this XML configuration you specify the display name, an activity category and an activity action. The action is the most interesting part, as this is the real meat of the activity: it instructs IE8 which request to send to the target service in order to let the activity do what it is supposed to do. So for the mapping example you would configure the URL including all the search parameters, whose values are represented by variables like {selection}, {documentUrl}, etc. At runtime, when you use the activity, the browser simply opens a new window and sends the custom request to the target site. Easy, isn't it?
    You can optionally also specify a preview action. This is very powerful and is the charming part of IE8 Activities, because it allows you to include the full functionality of the service in a little preview window overlaying the website you are actually browsing, so there is no redirection and no new window stealing focus. And the best thing about those preview windows is that they can utilize full browser functionality including installed plug-ins. That means you could use Ajax, Silverlight and Flash for your previews.

    Below you can see a sample activity configuration which I created to demo Activities using the translation service of leo.org. Unfortunately, as they do not offer a stripped-down result page, the preview is not really usable for translating inline.

<?xml version="1.0" encoding="UTF-8"?>
<openServiceDescription xmlns="http://www.microsoft.com/schemas/openservicedescription/1.0">
    <homepageUrl>http://dict.leo.org/</homepageUrl>
    <display>
        <name>Translate with Leo.org</name>
        <icon>http://dict.leo.org/favicon.ico</icon>
    </display>
    <activity category="Define">
        <activityAction context="selection">
            <preview action="http://pda.leo.org/ende?lp=ende&amp;lang=de&amp;searchLoc=0&amp;search={selection}&amp;relink=on"/>
            <execute action="http://dict.leo.org/ende">
                <parameter name="search" value="{selection}" />
                <parameter name="lp" value="ende" />
                <parameter name="lang" value="de" />
                <parameter name="searchLoc" value="0" />
                <parameter name="cmpType" value="relaxed" />
                <parameter name="sectHdr" value="on" />
                <parameter name="spellToler" value="on" />
                <parameter name="relink" value="on" />
            </execute>
        </activityAction>
    </activity>
</openServiceDescription>

So you see, the whole magic is two URLs which point to the remote service. The rendering of the response is entirely up to the activity's service provider. The XML configuration can be provided by the service provider or by anyone else. The activities engine only checks that the homepageUrl is from the same domain as the action URLs; it does not vouch for what the service does with the selected text or document URL it receives. This means you need to be careful and only register activities from sites you trust. And finally, in order to have IE8 recognize an activity configuration as such, you need to provide a link whose href points to a JavaScript call, so the URL must look similar to this: href="javascript:window.external.addService('http://www.level70.de/ie/activities/LeoTransActivity.xml')". So here is how it looks in action.
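Since the post's point is that IE8 only checks that homepageUrl and the action URLs share a domain, and that everything else rests on trusting the site, here is an added example (mine, not code from the post or from Microsoft) that reproduces that check offline so you can inspect a third-party activity file before registering it. The "same site" rule used here (compare the last two DNS labels, so dict.leo.org and pda.leo.org match) and the scheme check are this example's own assumptions, not IE8's exact algorithm; the two sample files are constructed, the first being the Leo configuration from the post.

```python
"""Inspect an IE8 OpenServiceDescription (Activity) file before registering it."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"osd": "http://www.microsoft.com/schemas/openservicedescription/1.0"}

# Constructed sample: the Leo.org activity from the post.
LEO_ACTIVITY = """<?xml version="1.0" encoding="UTF-8"?>
<openServiceDescription xmlns="http://www.microsoft.com/schemas/openservicedescription/1.0">
  <homepageUrl>http://dict.leo.org/</homepageUrl>
  <display><name>Translate with Leo.org</name><icon>http://dict.leo.org/favicon.ico</icon></display>
  <activity category="Define">
    <activityAction context="selection">
      <preview action="http://pda.leo.org/ende?lp=ende&amp;lang=de&amp;search={selection}"/>
      <execute action="http://dict.leo.org/ende">
        <parameter name="search" value="{selection}" />
      </execute>
    </activityAction>
  </activity>
</openServiceDescription>"""

# Constructed sample: same homepage, but the execute action points somewhere else.
CROSS_SITE_ACTIVITY = LEO_ACTIVITY.replace(
    'execute action="http://dict.leo.org/ende"',
    'execute action="http://example.invalid/collect"')


def site_of(url: str) -> str:
    """Registrable site of a URL (assumption: last two DNS labels), lower-cased."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def check_activity(xml_text: str) -> dict:
    """Return the homepage site, the action URLs and a list of findings (empty = passes)."""
    root = ET.fromstring(xml_text)
    findings = []
    home = (root.findtext("osd:homepageUrl", default="", namespaces=NS) or "").strip()
    if urlsplit(home).scheme not in ("http", "https"):
        findings.append(f"homepageUrl has unexpected scheme: {home!r}")
    actions = []
    for kind in ("preview", "execute"):
        for el in root.findall(f"osd:activity/osd:activityAction/osd:{kind}", NS):
            url = (el.get("action") or "").strip()
            actions.append(url)
            if urlsplit(url).scheme not in ("http", "https"):
                findings.append(f"{kind} action is not http(s): {url!r}")
            elif site_of(url) != site_of(home):
                # This is the one relation IE8 enforces; flag it explicitly.
                findings.append(f"{kind} action {url!r} is not on homepage site {site_of(home)!r}")
    return {"homepage": site_of(home), "actions": actions, "findings": findings}


if __name__ == "__main__":
    for name, doc in (("leo", LEO_ACTIVITY), ("cross-site", CROSS_SITE_ACTIVITY)):
        result = check_activity(doc)
        print(name, "->", result["findings"] or "ok")
```

The check deliberately stops where IE8 stops: a file that passes still sends {selection} and {documentUrl} to whatever the action URL is, so passing only tells you the service provider is the site the homepageUrl claims.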

Activity Selector Activity Preview

  • Webslices


    Webslices are simply portions of arbitrary websites to which a user can subscribe. This enables a user to have updates of sites he regularly visits right at his fingertips without navigating to the respective sites. A webslice behaves just like an RSS feed. When a user subscribes to a webslice, the slice itself is added to the Favorites bar of IE8. In order to subscribe to a slice it must be discovered. Discovery is quite easy, as IE8 displays a special symbol if a page offers a Webslice. There is one in the toolbar, where RSS feeds are also marked as available:

    Slice marker in the toolbar

    And there is another one at one corner of the webslice portion on the site itself.

    Slice marker at the slice's edge
     
    If you click on the marker symbol you can subscribe to the slice just as you would do for an RSS feed. After subscribing to the slice it becomes visible in the Favorites bar of IE8:

    Webslice in the Favorites bar
    When the content of the site changes, the title text of the slice changes its font weight to bold and the slice button flickers from time to time. To get information on the slice you can hover over the slice button and you will see the full title and the URL of the slice's source.

    And finally, if you want to view the updated information, you can click on the slice and get the slice portion rendered in a small overlay window.

    So what is a slice technically? Technically a slice is nothing more than annotated HTML. The annotations are derived from the hAtom microformat. So in order to slice-enable a part of your webpage, the least you need to define is a container (usually a <div> element), a title and the content. To give you a hint how this looks in reality, here is a little sample:

    <div id="test" class="hslice" style='width: 280px; font-family: Segoe UI; text-align: center'>
        <div>
            <div class="entry-content">
                <h3>
                    <span class="entry-title">Seattle</span>, WA (98121) Weather
                </h3>
                <img src="images/cloudmoon.png" id="image" style='float: left' height='128' width='128' />
                <div class="entry-title" style='float: none;margin-left:20px'>
                    <p style='margin-top: 0px; margin-bottom: 0px; font-size: 26px; line-height: 32px;font-weight: bold;'>89<br />&deg;F</p>
                    <p style='margin-top: 0px; margin-bottom: 0px'>Drizzle</p>
                </div>
                <div>
                    <p style='font-size: smaller'>
                        <i>All fictional, of course!</i>
                    </p>
                </div>
            </div>
        </div>
        <div>
            <abbr class="updated" title="2007-07-25T20:51:00-05:00"></abbr>
            <p>Current conditions as of 10:35 AM</p>
        </div>
    </div>

The important annotations are the class names hslice, entry-title and entry-content. So you see that the annotations are encapsulated within the class names of the respective HTML elements: the container must be defined with the class name "hslice", the title with the class name "entry-title" and the content with "entry-content". Needless to say, projected back onto the screenshots shown earlier, the "entry-title" is rendered as the slice button text and the hover text, whereas the "entry-content" is rendered in the overlay window. If, as in the sample, the "entry-content" encloses the "entry-title", the title is also part of the rendered view of the slice.
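To make the three annotations concrete, here is an added example (my code, not the post's or the IE team's) that walks an HTML page, pulls out every hslice container with its entry-title, entry-content and updated timestamp, and reports what a slice is missing. The rules it applies are the ones the post states; the details (collapsing whitespace, taking the first entry-title as the button text, requiring an ISO 8601 timestamp in the updated element) are this example's own assumptions about how a slice should be validated, not IE8's exact behaviour. The sample markup is a constructed copy of the weather slice above plus a deliberately incomplete one.

```python
"""Extract and validate IE8 Webslice (hslice) blocks from HTML."""
from datetime import datetime
from html.parser import HTMLParser
import re

VOID_TAGS = {"img", "br", "hr", "input", "meta", "link"}   # never produce an end tag


class SliceParser(HTMLParser):
    """Single pass over the document collecting every hslice container."""

    def __init__(self):
        super().__init__()
        self.slices = []
        self.stack = []                       # open element tags, innermost last
        self.cur = None                       # slice currently being assembled
        self.slice_depth = self.title_depth = self.content_depth = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = (a.get("class") or "").split()
        if tag not in VOID_TAGS:
            self.stack.append(tag)
        depth = len(self.stack)
        if self.cur is None:
            if "hslice" in classes:           # container: class="hslice"
                self.cur = {"id": a.get("id"), "title": "", "content": "", "updated": None}
                self.slice_depth = depth
            return
        if "entry-title" in classes and self.title_depth is None and not self.cur["title"]:
            self.title_depth = depth          # first entry-title becomes the button text
        if "entry-content" in classes and self.content_depth is None:
            self.content_depth = depth        # everything below is rendered in the overlay
        if tag == "abbr" and "updated" in classes:
            self.cur["updated"] = a.get("title")

    def handle_data(self, data):
        if self.cur is None:
            return
        if self.title_depth is not None:
            self.cur["title"] += data
        if self.content_depth is not None:
            self.cur["content"] += data

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        while self.stack:                     # tolerate mis-nested markup
            if self.stack.pop() == tag:
                break
        depth = len(self.stack)
        if self.title_depth is not None and depth < self.title_depth:
            self.title_depth = None
        if self.content_depth is not None and depth < self.content_depth:
            self.content_depth = None
        if self.cur is not None and depth < self.slice_depth:
            self.slices.append(self.cur)
            self.cur = None


def extract_slices(html: str) -> list:
    """Return the slices found, each with a 'problems' list (empty when the slice is complete)."""
    p = SliceParser()
    p.feed(html)
    p.close()
    for s in p.slices:
        s["title"] = re.sub(r"\s+", " ", s["title"]).strip()
        s["content"] = re.sub(r"\s+", " ", s["content"]).strip()
        problems = []
        if not s["title"]:
            problems.append("no entry-title: the Favorites-bar button would have no text")
        if not s["content"]:
            problems.append("no entry-content: nothing to render in the overlay")
        if s["updated"] is not None:
            try:
                datetime.fromisoformat(s["updated"])
            except ValueError:
                problems.append(f"updated is not an ISO 8601 timestamp: {s['updated']!r}")
        s["problems"] = problems
    return p.slices


# Constructed samples: the weather slice from the post, and one without a title.
WEATHER_SLICE = """<div id="test" class="hslice">
  <div><div class="entry-content">
    <h3><span class="entry-title">Seattle</span>, WA (98121) Weather</h3>
    <img src="images/cloudmoon.png" id="image" />
    <div class="entry-title"><p>89<br />&deg;F</p><p>Drizzle</p></div>
    <div><p><i>All fictional, of course!</i></p></div>
  </div></div>
  <div><abbr class="updated" title="2007-07-25T20:51:00-05:00"></abbr>
  <p>Current conditions as of 10:35 AM</p></div>
</div>"""
MISSING_TITLE = '<div class="hslice" id="x"><div class="entry-content"><p>hi</p></div></div>'

if __name__ == "__main__":
    for s in extract_slices(WEATHER_SLICE + MISSING_TITLE):
        print(s["id"], repr(s["title"]), s["problems"] or "ok")
```

Note that the parser ignores the second element carrying class "entry-title" in the weather sample once a title has been captured, so "Seattle" is what ends up as the button text; the 89°F block is still part of the content.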

So that's it for a short introduction on Webslices and Activities coming with Internet Explorer 8. If you want to know more and want to dig deeper in the technical details you can go to the IE Developer Center and find everything you'll need.

If you want to try the activity sample I used in this post you can add it here.

And finally, if you want to see how easy it is to have a Silverlight application in the preview window, just check this out.

Today is IE8 day - soon you will know why. And I will start with a short advisory regarding a change in strategy for how web standards will be handled in IE8 as the default rendering option. But before that I would like to mention that, especially with respect to open web standards compliance, IE8 marks another big milestone in the support of standards such as CSS 2.1. So the IE team needs the feedback of the development community to see if the specs have been implemented flawlessly. Shortly you will have a chance to do so.

Although comprehensive support of web standards is desirable, it can also introduce some issues. In this case, pages that were optimized for IE7 rendering will probably no longer render as expected. To avoid this rendering many sites out there useless, the IE8 team implemented an IE7 compatibility mode which forces IE8 to render pages as IE7 used to.

However, unlike announced earlier, this will not be the default for the beta release and probably not for the final version. Switching the default from less to more standards conformity was, for me, the right step, as it puts a little pressure on web developers to create pages as close to the standard as possible, and the step taken by the IE team is proof that the announcement of Microsoft becoming more open was not just an empty statement.

In order to enable a smooth transition for sites that have optimized their markup for IE7, the compatibility mode is still there and can be activated using one of two options.

  1. Developers can insert the meta tag below into their pages to tell IE8 to render in IE7 compatibility mode

    <meta http-equiv="X-UA-Compatible" content="IE=7" />
  2. Developers can send the following HTTP header in the response of their requests to enable IE7 compatibility

    X-UA-Compatible: IE=7;

So if you have a site running, this is a simple and easy method to ensure correct rendering of your page. No user-agent sniffing or separate pages are necessary to have broad IE support for your pages. More details about this can be found in the IE Blog.

Yesterday I held a high-level session about S+S at the Basta conference in Frankfurt. After the session I asked some attendees whether the concept (I don't use the term strategy on purpose) had become clear. Unfortunately the feedback was mixed. One response I got was even that S+S is not really relevant for corporations, especially for larger ones or enterprises. At this point I realized that I had probably done a pretty bad job of explaining the concept, as in my opinion it is relevant to everyone using computers to solve some problem or accomplish certain tasks. This is true especially for organizations. Moreover I would say that most organizations are already heavily investing in and implementing aspects of S+S, maybe without knowing it. This might also be because there are many "Services" mentioned in the S+S messaging which are actually targeted at end consumers. So I felt the urge to reflect a bit on all that and try to sum up my thoughts in hopefully easier terms, and in a way that makes the benefits and the conditions under which S+S is relevant to organizations clearer.
Ok then what is Software plus Services? I think there are basically several statements which lay the foundation of S+S and those are:

  • The Client

    • The fat (smart, rich or whatever you may call it) client is not evil
    • The web with all the attributes and trends around it (social networking, user generated content, etc.) is a reality.
    • Not every application is like the other

      So what does all this mean exactly? It means that still (or even especially today) a client application that leverages the power and the quality of services of a PC or other client hardware has its well-deserved place in the application landscape. It also means that there are application domains where implementing them with a web client feels like doing violence to them, even in the age of Ajax, Flash and Silverlight. It took me a long time to realize that, as I worked for IBM for quite a while and was taken along on the trip that the future of client applications was thin clients (hardware) and web applications. This was accompanied by statements like "Microsoft" is some ancient relic trying to defend its heritage by all means (Windows, COM), and that .Net, without knowing exactly what it was at the time, was some kind of last resort and "noobish" try to stop the success of the J2EE platform. I have to admit there were some really great products and frameworks available, like WebSphere Portal for example, that made it easy to accomplish really great things in terms of moving towards application integration and business-process-centered presentation and task-oriented frontends.
      So it was hard to believe that this would not really be the future. The first time I started to have some doubts about all that was when IBM, or later the Eclipse Foundation, announced the Rich Client Platform (RCP). Could it be that the earlier messaging about thin clients was because all of those companies (including SUN with Java SE) didn't have a client story at all besides web applications?
      Well, today it is kind of obvious. Most of them were probably really envying the story (which was by no means perfect) and the impact Microsoft had on the client PCs out there. Think about the latest announcements yourself and what we have seen recently: Adobe AIR (client pieces and offline capabilities), JavaFX (revival of WebStart, dynamic languages and offline capabilities), IBM Workplace Technology (based on Eclipse RCP, a pure fat client framework). Those are the old players in the application markets, and now look what happens. Even the new stars of the web era suddenly show their interest in the client, realizing that it is more than a dumb HTML renderer and JavaScript interpreter. Google is announcing Google Gears (offline functionality and local processing), Dojo Offline (add-on to Google Gears). So there must be some magic around the client and its capabilities.

      It became even clearer to me when I thought about how I use the PC, regardless of whether as a business or a private person. Ok, I'm not the real hardcore web junkie, but when I look around in my social environment I can state that nobody really is. And so I must admit that I use fat client applications most of the time when using my computer. I use office software for email, correspondence and calculations to know where I stand with my mortgage. Then I use a video editing program for shaping up videos of my family, same for pictures. And I play games: World of Warcraft, Eve-Online, Call of Duty 4, Counter-Strike: Source, etc. So those are the applications I really use at home. Pure web is only interesting for news, shopping and partly social networking. If you haven't already realized it, all the applications I summed up are already some sort of early evidence of Software + Services. Why? Because I play the games mostly online, some of them are even pure online games, and almost all of them provide some sort of online services. Be it online sharing of pictures, picture print services, transition and audio effect acquisition, instant messaging, buddy lists, in-game chat, voice chat and so on.

      So you see, the fat client is not evil, but it gives a perfect opportunity to create some excellent applications if combined with additional (thin) services and presented in a user-friendly way. In other words, to create something like a composite application.

      To push it even further: as I realized that one aspect of S+S is the composition of functionality in an application using the best-suited client paradigm for the respective functional block, it became obvious that to really live this it is necessary to have some sort of architecture that allows you to easily "integrate" those functional blocks dynamically. Think of a blade center rack where you can dynamically add new blades, which then virtually register for services of the center like power supply and connectivity via a shared backbone, as the blade itself wouldn't be viable alone. Projected back to the software world, this "application center" (sorry for the naming) should also provide some horizontal services and registration points so that it is entirely flexible and does not need to know which functional blocks are "plugged in" and plugged together at some point in the future. Excellent examples of such application centers are the Eclipse plug-in architecture and the Composite UI Application Block from Microsoft.


  • The Aggregation and Composition Enabler

    • Loose coupling is key whatever you may call it. (be it SOA or Integration Architecture)
    • Standardized interfaces enable

      Looking a little bit more behind the facades of the client, but not forgetting what we just said, it also becomes quite clear that to enable a client framework to easily create those functional blocks, it must be easy to let those visuals with their client-side application logic consume the meat for their processing hunger. So what does this mean? It means that usually something that is going to be processed by a fat functional block in a composite application is probably already pre-processed by some remote functionality, or, if it's a thin functional block, it is entirely remotely processed. And mostly all major players realized this quite some time ago and pushed those concepts. And to push concepts effectively (don't get me wrong, pushing things is not always a bad thing) it is better to give them a name, so the name most of us probably know is the term Service Oriented Architecture (SOA). And why did they really push it? They did it because they knew that the future really is the composition of software and services (S+S), and that such a composition simply is far easier if there is a common integration pattern available, and this integration pattern got absorbed within SOA.
      Thus another term which is used especially by Microsoft in conjunction with S+S is "Integration Architecture", but both terms in the end mean the same: one prerequisite to really live S+S is to segment functionality into sensible chunks and to deliver them using standardized protocols and interfaces, respecting the tenets of service orientation.

      Remembering this and going back some years, there was a problem with that. Shortly after the year 2000 there was already the mindset or position to have this kind of "universal" client, and for example WebSphere Portal or, a little later, SAP Enterprise Portal were depicted as frameworks that could be that universal client. However, the problem was that wherever you went with those great frameworks, there were no SOAs. Companies were struggling to disentangle their application landscape and enable applications to communicate with each other at least on the lowest levels. So the reality in those portal projects often was to do the integration across applications (not functional blocks, as those couldn't be extracted from the applications due to their limited architecture) on the frontend level using IFrames, which is close to no integration at all, or with some sort of screen scraping and heavy JavaScript plumbing (who again said that thin is key and client-side processing was evil?).

      Today however the reality is different. There are lots of companies which have at least some of their applications enabled to fit at least into the lower maturity levels and many ISVs that have their applications service enabled. Of course there is still a long way to go for many to reach a level where all surrounding conditions for having a high-end integration architecture with mediation, efficient message routing, governance, etc. have been met however at least the conditions to implement effective composite applications are much better than they were a few years ago. And therefore it is also time to bring the terms SOA or integration architecture in a broader context which again is Software+Services.


  • The Business

    • Not every business needs a self owned software company and IT shop attached to run its business
    • Applications have different attributes and different needs
    • Application assets can eventually be the foundation of new business models

      Ok, that one is easy. If you look at large enterprises today, most of them run their own comprehensive IT and run most if not all applications on their own, and to some extent even develop those applications on their own. Some companies have outsourced their complete IT to a big outsourcing company, however this doesn't change the basic notion of caring completely about applications and application development as well as the runtime and governance aspects, including the huge costs related to that, regardless of how important the application may be. To make it clear, there's nothing wrong with that, and I'm a big advocate of the principle of having full control over mission-critical applications. However, there are scenarios and conditions where it is super sensible to check whether it makes sense to externalize some parts of the application landscape or to enrich applications with features which cannot easily be provided by the organization on its own.
      If you realize the power of such composite applications combining internal run Software and external services like British Petroleum did with their Hurricane Warning System then you can hardly believe why this has gained momentum only recently. The homework however then is to decide which applications or functions have to stay more on the isolated, fully controlled and fully customized side of the picture and which ones allow lower levels of data separation, control and customization.
      At a certain point a company may even realize that all the efforts that have been put into enabling integration architectures and moving onto approved open standards could lead to new opportunities in terms of market strategy and business models in the sense that certain function blocks could be externalized by the company themselves. Although this might apply mainly for traditional software companies in the short run it might also be applicable to companies from other verticals as well over time.


  • The Service
    • Services need a deployment architecture.
    • The more horizontal tasks are taken out of the service and are put into a hosting platform the better are the economies of scale

      Here we are again talking about something that has been around as a concept for several years already. It's usually referred to as Software as a Service (SaaS) and is a reshaped descendant of the Application Service Providing concept (ASP). But now again the surrounding conditions are different, and the drawbacks of the ASP model have been addressed or at least theoretically articulated. Taking the virtues of SaaS seriously means investing some resources into building a powerful service delivery platform with as many shared elements as possible. If you analyze a service in a hosting environment you will see that most of its implementation consists of things that virtually every service needs to have. So those are pretty good candidates to include in a service delivery platform and share across all services.
      Examples of such shared elements are metering, logging, billing, storage, exception handling, etc. This enables economies of scale and an efficient and easy deployment of new services as they come, enabling automation. And just to mention it for completeness, this is not only of interest to hosting companies but also to organizations, as those in nearly all cases have internal organizational structures which are to the internal line-of-business units what the hoster is to the hosting consumer.
      Another aspect that has great impact on economics is the grade of configurability a service provides. So the goal is to deliver a service to a broad audience without having any manual steps in terms of customizing it for the use in the remote customer environment. While it is clear that there must be some compromises the broader the audience gets for a specific service if the service and the delivery platform allow meta-data driven, template based configuration and customizing the fixed cost for the service delivery become lower which has a pretty good impact on the monetarization scheme.

Well, now I wrote more text than I initially intended. So I will sum it up once more. S+S describes the principle of creating value-adding composite applications by intelligently combining traditional software, locally running applications and remote services in a frontend which offers a consistent and seamlessly integrated user experience across devices and form factors. S+S is the sum of three well-known architectural concepts or technical and social trends (e.g. the way people interact with software), namely SOA, SaaS and Web 2.0.

S+S

So now if you take a look into the portfolio of Microsoft today you can identify no less than four roles Microsoft has in the S+S ecosystem:

Acknowledging all that, we see that S+S is the clamp around those principles, and we can probably also acknowledge that Microsoft today is the only company that can deliver technology, products, services and guidance for all the disciplines subsumed under S+S. Having one of the broadest portfolios in the market today for realizing all that was mentioned above, it hopefully becomes clear why Microsoft, of all companies, is coming up with a special term for all that - Software + Services.

Well, a lot of text; I hope that someone read this far and, even more, I hope that they were able to follow my thoughts and are now able to better understand the concept and motivation behind S+S. And as a little incentive for those reading to the bottom, you can download the slide deck of my Basta session by clicking on the image link below (sorry folks, it's mainly in German).

Basta Slide Deck

And finally a little extra disclaimer which adds to the general disclaimer of my blog:

In the text above I mentioned some Microsoft competitors in conjunction with some critical statements. The intention of those is solely to give the reader a better understanding of the evolution of architectural principles and S+S. They are by no means to be understood as competition bashing or as an attempt to discredit those companies. On the contrary, I acknowledge that those companies contributed a lot to the software technology landscape as it exists today.

It's again time to post a new blog entry. This time I thought it may be interesting to see how Windows CardSpace can be used together with applications built on top of the Media Center Presentation Layer (WMCPL). So why do I think that CardSpace can be of very good use especially in a Media Center scenario? The answer is pretty straightforward: CardSpace not only enables you to manage information (claims) about you in an efficient and transparent way, it also allows you to do this without necessarily using your keyboard.

Now think of Media Center. Media Center is targeted to be used in a living room in a leaned-back scenario to provide what we call a 10-foot experience. So you will rarely have a keyboard at hand when it comes to the use of Media Center applications that require registration or authentication or, more broadly speaking, any sort of information about you. And when talking to customers we encourage application developers not to rely on the keyboard at all but only on the remote control.

So now I think it becomes clear that Windows CardSpace, either with managed cards or even self-issued cards, could offer a great benefit to the user and the relying parties. That's why I tried to get Windows CardSpace working in a simple WMCPL application. So here's what I did and what the issues were.

First of all I thought it would all be pretty straightforward: create a Windows Communication Foundation service with a configuration representing my infrastructure (e.g. certificates, etc.), deploy the service, start up Visual Studio 2008 and use the great "Add a Service Reference" feature, which generates all the client-side configuration for you, and then wire some UI up to visualize some meaningful data extracted from the security token. Sounds easy, however there is one little roadblock in this scenario that doesn't make things that easy: a WMCPL Media Center application is executed in a special Media Center runtime container and is deployed as a DLL which is executed by this runtime process called "ehexthost.exe". Therefore you cannot simply ship an app.config file with all the WCF/CardSpace settings alongside your DLL, as it will not be picked up by the runtime. So you are better off providing the configuration in code, which is also not very difficult but is more effort. However, you can still let Visual Studio 2008 create the XML config for you and then use it as a template for transferring it into C# or VB.Net code. In my case the relevant code looks like this (without most of the optional binding attributes which are usually in the config when you create the service reference using Visual Studio):

using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using System.Text;

// WS-Federation binding with message security; the token is a SAML 1.0 assertion
// issued by the CardSpace self-issued identity provider.
WSFederationHttpBinding binding = new WSFederationHttpBinding(WSFederationHttpSecurityMode.Message);
binding.MessageEncoding = WSMessageEncoding.Text;
binding.TextEncoding = Encoding.UTF8;
binding.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Default;
binding.Security.Message.IssuedKeyType = SecurityKeyType.SymmetricKey;
binding.Security.Message.IssuedTokenType = "urn:oasis:names:tc:SAML:1.0:assertion";
binding.Security.Message.NegotiateServiceCredential = false;

// Client-side certificate, looked up by thumbprint in the local machine store.
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindByThumbprint, "92306aef4808fbe373d745b3b2759e1ae63e7e80", true);
store.Close();

EndpointIdentity identity = EndpointIdentity.CreateX509CertificateIdentity(certs[0]);

binding.HostNameComparisonMode = HostNameComparisonMode.StrongWildcard;
// Self-issued cards: the issuer address is the well-known "self" URI.
binding.Security.Message.IssuerAddress = new EndpointAddress(new Uri("http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"), identity);
// Claims the relying party asks for; 'false' marks each of them as required, not optional.
binding.Security.Message.ClaimTypeRequirements.Add(new ClaimTypeRequirement("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", false));
binding.Security.Message.ClaimTypeRequirements.Add(new ClaimTypeRequirement("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", false));
binding.Security.Message.ClaimTypeRequirements.Add(new ClaimTypeRequirement("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", false));

// The service's certificate, embedded as Base64 (the actual value is elided in this post),
// pins the identity the client expects at the remote endpoint.
X509Certificate2 cert = new X509Certificate2(Convert.FromBase64String("<base64-encoded service certificate, elided>"));

EndpointIdentity remoteIdentity = EndpointIdentity.CreateX509CertificateIdentity(cert);
EndpointAddress remoteAdress = new EndpointAddress(new Uri("http://www.level70.de/MyService/Service1.svc"), remoteIdentity);

When you have done that you can use the proxy class that you generated with the WCF svcutil.exe to consume the respective service method. The only thing you have to remember is to pass the binding object and the endpoint address you created in the step above to the constructor of the proxy.

Service1Client sc = new Service1Client(binding, remoteAdress);
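
As an added example that is not code from the original post, here is what the service side of this scenario can look like: a minimal Service1 contract which reads the three claims requested by the client binding from the issued SAML token and returns them to the media center client. The contract shape, the UserInfo type and its members (FirstName, Name, Mail) are assumptions made for this example; treating the e-mail address as an optional claim is also an assumption.

```csharp
// Added example, not code from the original post. Service side of the
// Cardspace scenario: read claims from the token WCF has already validated.
// Contract shape and member names are assumptions made for this example.
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Runtime.Serialization;
using System.ServiceModel;

[DataContract]
public class UserInfo
{
    [DataMember] public string FirstName;
    [DataMember] public string Name;
    [DataMember] public string Mail;
}

[ServiceContract]
public interface IService1
{
    [OperationContract]
    UserInfo GetUserInfo();
}

public class Service1 : IService1
{
    // Claim type URIs requested by the client binding (same values as in the post)
    const string GivenName = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname";
    const string Surname = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname";
    const string Email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";

    public UserInfo GetUserInfo()
    {
        // The AuthorizationContext holds the claim sets extracted from the issued token.
        // WCF has already checked the token signature against the configured issuer,
        // so the application only reaches this point with an authenticated caller.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("The request did not carry an authenticated security token.");

        UserInfo info = new UserInfo();
        // givenname and surname were requested as required (isOptional = false)
        info.FirstName = RequireClaim(ctx.AuthorizationContext, GivenName);
        info.Name = RequireClaim(ctx.AuthorizationContext, Surname);
        // E-mail address treated as optional (assumption): the token may or may not carry it
        info.Mail = FindClaim(ctx.AuthorizationContext, Email) ?? string.Empty;
        return info;
    }

    // Returns the value of the first PossessProperty claim of the given type, or null.
    static string FindClaim(AuthorizationContext ctx, string claimType)
    {
        foreach (ClaimSet claimSet in ctx.ClaimSets)
        {
            foreach (Claim claim in claimSet.FindClaims(claimType, Rights.PossessProperty))
            {
                string value = claim.Resource as string;
                if (!string.IsNullOrEmpty(value))
                    return value;
            }
        }
        return null;
    }

    // Required claims: fail the call with a SOAP fault instead of returning partial data.
    static string RequireClaim(AuthorizationContext ctx, string claimType)
    {
        string value = FindClaim(ctx, claimType);
        if (value == null)
            throw new FaultException("Required claim missing from token: " + claimType);
        return value;
    }
}
```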

The service response can then be wired up with the UI of your media center application. In my case those are simple Text elements within a ColorFill which are bound to properties of my application class. That class is derived from ModelItem so that I don't have to care about notifying the UI when the property values change. The wiring is done in a Rules section for the respective UI like shown below:

<Rules>
      <Binding Source="[Application.Name]" Target="[Label1.Content]"></Binding>
      <Binding Source="[Application.FirstName]" Target="[Label2.Content]"></Binding>
      <Binding Source="[Application.Mail]" Target="[Label3.Content]"></Binding>
</Rules>

Then you can deploy the application and enjoy using the Vista Media Center with Cardspace.


You can see a Video of my sample application if you click on the image link below.

Play video in Silverlight Player

So you see that it is quite easy to integrate Infocard based authentication, authorization and identity claims exchange into the Vista Media Center, which is surely of great benefit. However, as tempting such a scenario seems to be, there is one major hurdle if you plan to have your application added to the Microsoft Media Center Online Gallery, as it will most probably not pass the application audit. This is because the Cardspace Selector today is a two-foot window, which represents a break in the user experience in Media Center 10-foot terms and therefore will most likely lead to a rejection of the app, so that you must provide your own distribution strategy.

The only way to solve this issue would be to implement a Card Selector with a 10-foot UI, and there are no plans by the Media Center team within Microsoft to do something like this. So you would be left to your own devices. While this is not impossible, since the specs are there and publicly available here, it is probably not feasible for a single organization publishing an application. Another thing to mention concerning this matter is that one of the design goals of Cardspace is to provide a consistent experience to the user when using Infocards, and this goal would be pretty much violated if we had an inflationary increase in Card Selectors out there.

With the publication of Vittorio's book "Understanding Windows Cardspace", about which I wrote a post only yesterday, I realize that there is more and more demand for information about topics around identity. And from my experience it is not only people working in IT or having a great affinity to technology who are interested in this area but also the common internet user. This is a very positive trend and encourages me to further blog about identity and Windows Cardspace in particular. So here's part 3 in the series about things you wanted to know about Windows Cardspace.
Q: Is there a possibility for a service provider to differentiate between required and optional claims?
A: Yes, Cardspace gives a service provider the possibility to ask for required claims and optional claims in response to a service request of a user. This means that the user needs to provide the required claims to gain access to the service of the service provider and may or may not provide the optional claims in order to give the service provider the chance to improve service quality. Technically this is done by setting the "Optional" attribute on the respective "ic:ClaimType" like this:

<ic:ClaimType Uri="xs:anyURI" Optional="xs:boolean"? />

The Cardspace Card Selector surfaces this by explicitly marking the claims which are optionally requested. At this time the optional claims can only be sent or withheld as a single block, which means that the user has no chance to selectively choose individual optional claims to send. So either all optional claims are sent or none.

Q: Are the cards secured on my PC?
A: The cards themselves are stored encrypted on the user's PC, which gives a fair amount of security if the PC on which the cards reside is handled with a sense of responsibility. The second layer of security is that a managed card only carries metadata, and the real identity information payload is stored at the identity provider. So most of the very sensitive data that one needs in online transactions, such as credit card data, will never be stored on the user's PC anyway, at least not in the context of Windows Cardspace. In order to use a managed card and have a security token carrying the payload data created by the identity provider, proper authentication must be performed like outlined in Part 1.

Q: Is a service provider able to influence the order in which valid Cards are shown in the Card Selector?
A: I do not know of any way to influence the order if there is more than one card that provides the required information. I also doubt that this will be possible at all, even in future versions of Windows Cardspace, because it wouldn't respect the user centered approach, taking some degree of control away from the user and handing it to another party in the identity ecosystem. However there is a simple trick to make a certain card the only card that shows up in the card selector as valid and in full color: add a custom claim type to the request which can only be satisfied by the card the service provider prefers. Of course this only works as long as there is only one card that can provide this custom claim.

Q: Can I use Windows Cardspace Infocards also if I don't use Windows or the .Net Framework 3.0?
A: Yes, definitely you can, and the answer to this question, although it may seem a little bit complex, can always be reduced to the topic of openness. This said, I make it clear from the beginning: Windows Cardspace and the underlying concepts completely rely on open web-services standards and standardized encryption, and the protocol is well documented. The implication of that is quite obvious: anyone can provide their own implementation of any component needed or involved in a Windows Cardspace trust relationship scenario. And there are already quite some parties that actively develop components leveraging the Cardspace idea and enabling other platforms (browser or OS) for the use of Microsoft Infocards. A few examples are:

  • A card selector for use with Firefox maintained on CodePlex (Identity Selector for Firefox @ CodePlex)

  • A Java based card selector for Firefox maintained at XMLdap.org and Google which also runs on Linux (OpenInfocard Selector for Firefox running on Ubuntu Linux)

  • DigitalMe, including CardSelector implementations for Suse, Fedora Core and Mac OS X as well as a browser add-on for Firefox, all maintained by the Bandit project backed by Novell (DigitalMe Selector)

Q: What is the roadmap of Windows Cardspace, how does the technology evolve and what are the areas of focus?
A: The short answer is: "I don't really know". There is not yet an officially announced roadmap for Cardspace Vnext. However, from informal discussions and feedback from customers and the community there are certainly some areas of improvement or extension that may be covered by a future version. These may include:

  • Enhancements to support payments and customer loyalty programs
  • Multifactor Authentication enabling an identity provider to enforce multiple authentication schemes to further increase security
  • Improve tool support and developer experience (Will be released as the Identity Framework)
  • Further hardening of the Card Selector
  • Roaming support

Well, that's it once more. I hope there was some valuable information for you in this post which you can reuse. Either way, stay tuned as there might be a next part coming soon.

Two days ago I found a small parcel in my office mailbox which contained a copy of a new book written by one of my architect evangelist colleagues, Vittorio Bertocci, together with Garret Serack and Caleb Baker. Its title is "Understanding Windows Cardspace". And although you, my dear reader, probably already have a quite good understanding of Windows Cardspace by just following my blog posts regarding Cardspace now and then, it is surely worth having a look at this book.

Book Cover

Usually I do not recommend other colleagues' books as I don't want to degrade my blog to an advertising platform. However in this case I really see a big value for those who want to know a little more about Windows Cardspace. And not only about Cardspace alone but especially about the context in which Windows Cardspace was created, which means reviewing the complete history of digital identities and the evolution of digital crime. I haven't gone through the whole book yet but the first part already was a real highlight, as it tells the story about the problems and challenges of identity in the digital world in a very entertaining manner and in non-technical language.
After setting the context the book makes an excursion into cryptography, to then reiterate the seven laws of identity introduced by Kim Cameron, the father of identity at Microsoft, who by the way wrote the foreword of the book. After that there is an in-depth look at Windows Cardspace as it exists today and its technological foundations, such as the official web services standards WS-Policy, WS-Addressing, WS-Trust and of course WS-Security.

So I'm excitedly looking forward to enjoying the remaining chapters and hope that they are as entertaining as the first chapters. At this point I also want to thank Vittorio very much for sending me the copy and kudos for the excellent work. If you want to check out a sample of the book you can do so free of charge as the complete second chapter is published on CodeProject as a courtesy of the publisher which is very cool.

As you might have noticed it has been quiet on my blog for quite a while. And of course there is a reason for this: for the last couple of weeks my main occupation changed from consulting to diaper changing ;). I'm very proud to say that my daughter Annika was born in the beginning of January and therefore I took some time off.

Annika

However, now I'm back to work, so I hope you stay tuned, and I promise if you do you can expect another, possibly interesting new blog post in the very near future.

Recently we had an engagement at a customer with a department responsible for knowledge management. They were looking for a way to visualize some of their knowledge data in an intuitive way and make content related to that data accessible to all relevant people in that company. The underlying data model of the knowledge system was quite straightforward: there are nodes which represent knowledge keywords such as "Basel II" and connectors which represent relations between such keywords, so that a related node such as "Policies" would count as an edge of the previous node. Up to now one might think that this would end up in a simple tree, however there are some extensions to the model, such that a keyword may not have any relations and therefore would stand alone. So a simple graph for such data could look like the following picture.

Knowledge Data Graph Sketch

Another relation that all those keywords have are content assets like powerpoint slides. So the requirements of the customer for the system to be built were:

  • To have the possibility to create the knowledge data (keywords, relations and metadata, content) through an application suitable for business users.
  • To be able to visualize the nodes and their relations in an innovative way.
  • To be able to navigate the whole knowledge graph
  • To be able to search within the visualization component to even be able to visualize isolated nodes
  • To be able to have multilayer visualization of endnodes that only have unidirectional relations (!?!)
  • To be able to search, retrieve and view the content related to a specific node out of a content library.

So in a proof of concept we (MCS, my colleague Jörg and me) built a system which basically met all the requirements and consisted of the following components and technologies.

  • Visio 2007 with an add-on provided by Semtalk.
  • Powerpoint 2007 for content creation enforcing the attributes of the specially defined content type in MOSS 2007.
  • Microsoft Office Sharepoint Server 2007 as main frontend, content repository and search engine.
  • A Silverlight application in a WebPart as knowledge data visualizer based on Silverlight 1.1 (sorry folks, I know that 1.1 does have some drawbacks at this time however the codebase was built on top of 1.1)

So the overall high-level architecture was like shown below.

High-Level Architecture

Some of the features of the Silverlight visualizer are:

  • It displays only the first two levels of nodes and edges.
  • You can navigate from node to node by clicking on a respective node.
  • You can drag the nodes around (the drag surface is quite small, so it might not work out every time).
  • A history that allows you to go back and forward within your navigation steps.
  • Home function to go to the initial screen.
  • Search function to search within the nodes to directly navigate to a specific node, which gives you a list with links if more than one result is available (not the same as the global, MOSS based search).
  • Integration of the MOSS based search WebPart via a JavaScript function (called from managed code btw., thanks for the initial hint on that by my colleague Dave Relyea). At this time, as there is no MOSS 2007 environment available, it only prints the value of the node's title into the second search field, and if you click on the search button it will trigger a live search.
  • If you navigate to a node that has a unidirectional relation from a parent then the system will display this node and all nodes which have the node in focus defined as one of their relations (edges).

The Visualizer is based on code created by Jeff Powers and which is available on http://fluxcapacity.net/

The data has been made anonymous and therefore is a bit boring, but if you want to try the search, enter "Software" in the search field and click the button "Search Node in Graph". The "Office Software" edge can be navigated further and displays some more differentiated data there.

And now finally to see the result click on the picture or the link below.

http://www.level70.de/silverlight/knowledge/Default.html


If you would like to get the source code just drop me a note and I can send it over to you.

Q: Can a card be marked as "not exportable"?
A: No, this is not possible at the moment. After a card has been installed in the card selector, the card can always be exported using the standard facilities of the card selector. This allows easy transportation of cards and use of the cards on several devices/PCs. If the security requirements of an identity provider or a relying party demand that the card should not be usable on another device, the provider can issue the card with a certificate as the token credential type. This certificate can either be a soft or a hard certificate. In case of a soft certificate it will be installed into the local certificate store, and this certificate can be marked as non-exportable. This ensures that the managed card, although it can be exported and imported, can only be used on the device where the certificate has been installed.

Q: Can an identity provider create a managed card which uses the self-issued token credential type, together with the corresponding self-issued card, remotely and automatically?
A: Well, while it may be possible to create those cards at the identity provider at all, it cannot be done automatically. The reason for this is that the self-issued card is encrypted by the Self-issued Identity Provider (SIP), where the card is transferred into a transportable format in a two-step process:

  1. Transformation of card metadata and/or claim information into a pre-encryption format.
  2. Transformation of the pre-encryption format into a post-encryption format using a key derived from a user provided password.

However this cannot be done automatically as the SIP does not provide an API to automate this process.
Another reason that this is not possible is that it may be a major violation of one of the basic principles of the Cardspace identity metasystem. Remember, unlike a managed card, a self-issued card does contain the private claim information. The identity provider first of all needs the data and the consent of the user to use this data for the creation of a self-issued card, and then the further process raises three issues where the user may lose control.

  1. The user needs to specify a password or the provider needs to compute a password (PIN) to protect the cardspace store, which means the password could potentially become unsafe.
  2. The card needs to be imported into the card selector. However, during import the card selector does not display the claim information carried by the card for verification before importing. So there are chances that claim information stored on the card is wrong or has been altered.

Import Wizard Process

  3. In order to create a managed card which uses the self-issued token credential type, the private personal identifier (PPID) needs to be available to create the managed card. The PPID however uniquely identifies a card towards a specific relying party, and it is generated using a relying party identifier (RP Identifier) and a card id. So in order to generate this PPID the card virtually has to be used once on behalf of the user.

While it is probably a good idea to provide the user with a card which can be used with the least possible effort by the user (e.g. install a certificate, create a self-issued card as the authentication instance for a managed card, etc.), it is probably not a good idea to create both cards altogether through an identity provider.

Q: Will it be possible for an identity provider to display custom error messages in the card-selector?
A: Yes this is definitely something planned for the selector component available with the .Net Framework 3.5. The identity provider can then simply return a SOAP Fault element with a message. The message can even be localized however it is only possible to display plain text messages. More information regarding this can be found in the cardspace blog here.

This week the German Designer Conference held by Microsoft took place in Berlin. I wrote a blog entry about it quite a while ago. The event is called Xtopia and it was the first event of a recurring series. I held a session there about a Microsoft technology you are also a little bit familiar with if you follow my blog regularly, as I already wrote some introductory words about it.
So I take the opportunity of this session to give you a short update on Astoria and to give you the chance to download the slide deck and the source code of my compelling demos ;) (I announced them as probably the demos with the ugliest user interfaces of the whole conference - and I was right).

Astoria @ Xtopia

So what's new about Astoria? There are two major improvements available from the Astoria homepage which are:

  • A CTP Refresh which now allows you to create data services with the current Beta 2 release of Visual Studio Codename "Orcas". As an update to the ADO.Net Entity Data Model, and with Astoria leveraging EDM, this also allows you to integrate database views and stored procedures into the data model.
  • A client library for Silverlight that enables you to easily consume Astoria data services from a Silverlight application. One of my demos is a Silverlight demo that shows the basic usage.

So I encourage you again to check out Astoria and give Feedback to the team and feel free to download my slides (unfortunately only in German) and the demos attached to this blog entry.

Since the Identity Metasystem and Microsoft Cardspace is quite a complex topic, but a great means to give the user better control over how and when identity information and login credentials are used, I felt that there needs to be some more clarification about certain aspects of Microsoft Cardspace. Therefore I will start a series of FAQs. And here's the first part. I hope you will find this helpful.

Q: Can a managed card be used without typing a user name and a password?

A: The direct answer to this question is yes, that's definitely possible. However does this also mean that a managed card can be used without authentication? To this question the answer is a definite no. This means that a user always has to provide some sort of authentication credentials to have the identity provider create a security token with the user’s claims in it. But there are several ways for providing those authentication credentials and it is up to the identity provider to decide on which option is required.

  1. UserNamePassword: the user is prompted for a username and password before the Request Security Token (RST) is sent.
  2. KerberosAuth: when this option is used the windows login credentials are transferred as a Kerberos token which makes it not the preferred option for internet scenarios.
  3. SelfIssuedAuth: in this case a Private Personal Identifier (PPID) generated for a self issued card is used to authenticate the use of the managed card. If the card is not available on the system authentication will fail.
  4. Smartcard: in this case an X509 certificate is used to authenticate. This can also be a soft certificate.

The option to use will be encoded in the card itself which means the decision has to be made before the card is created and it is not dynamically changeable. For the sample card creation application available from Microsoft the authentication process must be specified in the [CARD] section of the initialization file.

[CARD]
; type is one of UserNamePassword,KerberosAuth,SelfIssuedAuth,SmartCard,
TYPE=SelfIssuedAuth


Q: How does an identity provider provision a card to the user?

A: The card is a physical file which carries a file extension of .crd. This physical file has to be transferred to the user. There are no restrictions on what channels are used for the transfer. This can range from e-mail or download to even a floppy disk or CD sent via normal mail. After the user has received the card file it needs to be installed into the card selector on the target PC. In this context it is worth mentioning that a card file of a managed card does not include any personal information of the user, but only the metadata on how to retrieve the actual, card specific set of claim information in the form of a security token from the respective identity provider.


Q: Can a service provider decide on the identity providers he accepts managed cards from?

A: Yes the service provider can specify one or a set of identity providers which he accepts cards from via his policy. This means the service provider must provide valid, WS-Addressing compliant issuer endpoints in his policy within a sp:IssuedToken/sp:Issuer section. In this case the card selector should only highlight cards which

  1. Are issued by one of the specified issuers
  2. Can provide the set of claims requested by the service provider

If no such card is available in the card store the card selector will display a corresponding message to the user. In order to have matching endpoint information for this selection of issuers the identity provider must specify a corresponding endpoint/logical name in the ic:Issuer field of the initialization file for the card creator.

No accepted card available


Q: Can an identity provider decide on with which services or service providers his card can be used?

A: Yes this is possible. There are two modes in which the RST can occur. Those are:

  1. Non-auditing, which is the default, does not include information about the service provider in the request for a security token.
  2. Auditing. In auditing mode the request includes endpoint information of the service provided by the relying party.

As non-auditing is the default, no action has to be taken to enable this mode. However, if the identity provider wants to operate in auditing mode, the <ic:RequiresAppliesTo /> element needs to be included in the identity provider's policy. It is worth noting that, as Cardspace and the principles of the identity metasystem are based on full control of the user, the identity provider should inform the user about gathering information about the usage of the card in its privacy statement.

Privacy statement for usage tracking


Q: Does the identity provider get information about when his card is used?

A: This is related to the question right before and can be answered accordingly. The identity provider can always collect information about when the card is used as the card itself doesn't contain any claim information and whenever the card is used a RST is sent to the identity provider who then generates a security token. However if the identity provider uses the default non-auditing mode then the provider does know when and how often a card was used but not for which services or service providers.

... to be continued soon.

More information can also be found here:

Kim Cameron's Identity Blog

As I work with many customers from the media and entertainment sector which naturally have a high affinity to Windows Media Center and Silverlight technologies I'm frequently asked the question on where the overlaps are between Media Center and Silverlight when it comes to supported Video and Audio formats. And this question is obvious as it directly impacts the cost of content preparation for those customers that want to target both technical platforms. So I took some time and scanned the documentation and infos available from the product teams in order to give a short overview on the formats supported and where the overlaps are which you can leverage in order to do one proper encoding for both platforms. I won't touch all the profiles and combinations of Audio & Video since there are quite a few but I try to give you a basic overview which help you focus down on a few potential target encodings on which to base your final tests, which you should do in either case.

So to start with, Silverlight and Media Center both support Windows Media Video versions 7, 8 and 9 (VC-1). With respect to the last, both also support up to 1080p formats, which is rarely mentioned especially in the context of Silverlight as it would take quite a beefy machine in order to display such content with acceptable performance, not to speak of the bandwidth requirements. Interlaced formats, which are also part of the Windows Media Specification, are supported in neither Silverlight nor Media Center. Besides WMV, Media Center also supports MPEG-2 playback, which is only natural as MCE is a platform where DVD playback is a core feature. So as you can see there are not many differences between Silverlight and Med