Now that we've had a chance to get a second round through the system, it's possible to start notice the patterns of what people are really interested in learning about. One of the hot topics that was surprising to me is about building security infrastructure. I've gotten a lot of questions about building your own secure token service for use in federated systems. I have no idea how to do this, but I bet Jan Alexander, who gave two chalk talks today about security, could explain it.

This is from the earlier talk on the Web Service series of standards for security: WS-Security, WS-SecureConversation, WS-Trust, and WS-SecurityPolicy. Actually, if you're interested in learning about building an STS, I've gotten a recommendation for Pablo Cibraro's blog entry on doing exactly this.

My favorite session of the conference so far was this one by Scott Hanselman of Corillian.

ARC310 Dirty SOAP: A Dynamic Endpoint without ASMX - How and Why?

Not every large system in the wild can use .NET 2.0, ASMX and "Indigo". Often the real world isn't very pretty, or formal use of .NET ASMX Web Services doesn't lend itself to a particular solution. Corillian's software handles a quarter of the nation's retail banking online population with .NET. The system is built with a contract-first approach using WSDL and a custom binding to generate in-process service proxies. When it came time for Corillian to present their Operations as SOAP, we created a dynamic endpoint - WITHOUT ASMX. We then extended it to support POX (Plain Old XML). In this session, we discuss the architectural and design ramifications of managing a dynamic endpoint and how this decision will positively or negatively affect our move to WCF.

Scott gave a great history about how they ended up building a service architecture that was almost identical to the WCF model, and how they'll replace that infrastructure with WCF when it comes out.