Welcome to The Metaverse

And now for something completely different ...

richardt — Mon, 24 Sep 2007 19:08:57 GMT

Once in a while, you need to adjust your career trajectory to ensure that you're on a happy path.

I decided to do this a few weeks ago, culminating in a move from Product Marketing back to Software Development :)

I've also moved to my own blog at: http://www.bitcrazed.com. If you link to me here, please update them to point at my new home on the web.

See you there.

Rich.

LiveID Announces Beta Support For Information Cards & Windows CardSpace

richardt — Tue, 28 Aug 2007 16:25:26 GMT

Well, here's the news that many of you have been waiting for!

Angus Logan, Technical Product Manager in LiveID has just announced that LiveID has launched beta support for information cards and Windows CardSpace.

There's a great webcast and step-by-step instructions on how to associate a personal card with your LiveID account.

We just took one giant leap forward towards a safer internet.

Many congrats to the LiveID and CardSpace teams who worked hard to make this happen.

Dana Epps on RunAs Radio discussing CardSpace

richardt — Tue, 24 Jul 2007 19:32:23 GMT

Just listened in to Scorpion Software's Dana Epps' great interview on RunAs Radio discussing Information Cards, CardSpace and STS', interop and why usernames and password are a pain.

WS-Trust vs. WS-Federation

I do want to correct a small but important error: Identity Selectors in the Identity Metasystem use WS-Trust to request tokens representing the user from Identity Providers, not WS-Federation.

This is an easy mistake to make but it's important to understand the difference between WS-Trust and WS-Federation:

WS-Trust is for scenarios where the user needs to interact with an "identity selector" to decide who they want to be at the beginning of each visit or session. This is a scenario we're all familiar with today when we sign in at our web-based email provider as one user to check our "Friends" mail and then sign out and sign back in to check our "Work" mail, etc. This is why identity selectors in the identity metasystem use WS-Trust
WS-Federation is for scenarios where two organizations wish to closely collaborate and enable users in one organization to access resources within the other organization without having to manually sign-in. Supported by Enterprise-class technologies like Microsoft's ADFS and PingID's PingFederate, WS-Federation enables a user's organization to tell a partner organization who the user is and also convey extra information such as the user's role and rights.

Personal Cards vs. Managed Cards

Dana did a great job of discussing how information cards can be used TODAY instead of using traditional username/password authentication. However, quite some time was spent focusing on managed-card scenarios and I wanted to provide a little perspective on this matter:

Personal Cards

In order for you to sign-in to a given relying party (website or application) with information cards, all you need is an Identity Selector such as Windows CardSpace and an information card that is compatible with the relying party's specified policies.

Since relying parties decide what type of information they want from you in order to sign you into their systems, they get to ask you for a particular type of token and a particular set of claims. A common personal card scenario is associating or linking one or more personal cards with a relying party's existing account:

After logging in with your username and password, the relying party may allow you to register one or more personal cards that you can use to sign-in during subsequent visits. Since the relying party already knows you, they only really need you to provide a personal card with a PPID (unique ID for that card at this site) which they can use to generate a UniqueID that they can store in their DB and use to look you up next time you sign into their site using your information card. This enables you to sign in more safely and easily from one or more machines with three mouse-clicks rather than having to remember your username and password.

These "personal card" scenarios are easy to support today, with little developer effort.

Managed Cards

Managed cards are issued by identity providers who are willing to assert that a particular set of claims about a person do in fact relate to that person. Examples of organizations who might be interested in issuing a managed card to you are your bank, your employer, your government, your favorite hotel chain or airline, etc.

Where managed cards become extremely exciting and powerful is where a relying party needs some form of information about you that has been corroborated by an organization that they trust. For example: An online wine store might want a confirmation from your state government that you are over 21 and so might ask you to provide a state-issued token containing the "Over21" claim.

Another good example of where managed cards provide great value is when a relying party needs some information about you that is likely to change fairly regularly. For example, imagine if you could sign-in to your favorite online store with your credit card company's member rewards card and the site could show you a list of the products that might interest you that are covered by your available points balance. No usernames, no passwords, no awkward redirection - just a plain and simple, easy to use mechanism that gets you into the site and shows you a list of products that you might want that you can afford!

Which type of card to support now!

However, whilst managed cards are exciting, the infrastructure to support them isn't quite there yet. Specifically, you need an STS (Security Token Service) - a service that issues and processes requests for managed identity tokens. Whilst some vendors (such as PingID's PingTrust and Arcot Systems' WebFort) are currently shipping with managed card support, Microsoft, Novell, IBM and many others are currently building STS capabilities into their future product offerings.

Until then, if you want to start making your users' lives easier and safer then we urge you to add support for personal cards.

Supporting personal cards now will also make it much easier for you to support advanced managed card scenarios when the infrastructure becomes available.

Scott Hanselman is now HanselBorg!

richardt — Tue, 24 Jul 2007 00:32:20 GMT

Well, all I can say is that it's about time!

Scott Hanselman's Computer Zen - Blue Badge

People often think of, and complain about, Microsoft being a big company. Actually, Microsoft isn't really a big company at all. It's a collection of businesses, each with their own culture, goals, beliefs (and issues). The thing about Microsoft is the vast expansiveness of Microsoft: If you're interested in any sphere of business, technology, law, accounting, sales, marketing, customer services, manufacturing, etc., then there's likely to be a job you'll love at Microsoft! Yes, even if you hate Microsoft, I'm willing to bet that you'd be able to find a role within the company that would make you drool.

Let's face it, Microsoft is, like any other organization, not without its faults. But there's one thing that each and every business within Microsoft share: unabated passion to solve big gnarly problems for our customers. THIS is primarily why people join the company - they want to be part of making their part of whatever world excites them ... on a global scale.

Which brings me to Scott's news. I love this paragraph from Scott's post announcing his soon-to-be-acquired blue-badge:

If you trust me, you know that I'm not evil, and that I'm going to Microsoft in order to bring additional trust into the relationship between developer and platform. There needs to be a sense of stewardship and a deep valuing of the trust that developers put into their tools.

For me, this beautifully states the kind of feelings that many of us hold sacrosanct in our hearts when we decide to join Microsoft.

Welcome home Scott! :)

Public Hotfix Patch Available for Debugging ASP.NET on IIS7 - ScottGu's Blog

richardt — Tue, 17 Jul 2007 18:18:32 GMT

Ever since the launch of ASP back in the late 90's, I've wanted to have integrated debugging support so that when developing websites and services using Visual Studio, I can hit F5 and walk through my project's code. Getting ASP, IIS and Visual Studio configured juuuuuuust right was a real art-form, particularly back in the IIS4 days.

When I was building the sample for the "How to configure IIS7 to support Information Cards" webcast I recently published, I was a little perplexed to find that IIS7 and ASP.NET didn't seem to support F5 debugging either. While investigating the issue, I stumbled across a support article which highlighted the fact that my site had to be configured to support Windows Integrated Authentication and that I had to wave a sacrificial chicken* over the PC at just the right moment.

Whilst I managed to get debugging configured properly, I always kinda wondered if F5 was ever going to be a well-supported ASP.NET/IIS scenario.

Well, I was much heartened to find a post from Scott Guthrie that announced a hot-fix to resolve this issue and to quickly enable F5 debugging for ASP.NET/IIS apps :) He was also kind enough to discuss why Windows Authn is required by the Visual Studio debugger:

[From: Public Hotfix Patch Available for Debugging ASP.NET on IIS7 - ScottGu's Blog]

People who use VS 2005 to debug ASP.NET applications running in IIS7 on Windows Vista can encounter one of the following error messages when they press F5 to auto-attach the debugger in the IDE:

"An authentication error occurred while communicating with the web server."
"Debugging failed because integrated Windows authentication is not enabled."
"Authentication error occurred while communicating with the web server. Try disabling 'Digest authentication'"

The above errors occur because of the way that VS 2005 looks up the Process ID of the IIS7 worker process that ASP.NET is running within. Specifically, when you use F5 to "auto attach" the debugger with Visual Studio it sends an HTTP request to ASP.NET using Windows Authentication to retrieve the worker process details. This works fine if you have Windows Authentication enabled on your web-server, and are using Windows Authentication as the primary authentication method for your web application. It runs into problems, though, in a couple of circumstances:

If you have forms-auth enabled in ASP.NET and are running in "integrated mode" on the IIS7 web-server. This ends up blocking the process handler.
If you don't have the windows authentication module installed on your web-server (it is now an optional component).
If you are running on Windows Vista Home (which doesn't support the windows authentication module).

Patch Download Available

To fix the above cases which block F5 "auto-attaching" from working, we recently released a public hotfix for Visual Studio 2005. It addresses each of the above problem causes. You can download the hotfix patch for free here. Once you install it, your Visual Studio F5 auto-attach behavior will work just fine.
You can read more about the patch and issues it fixes in the KB article here, and the blog posts here and here.

And if you read the comments posted to the above article, yes this QFE has been checked into the Visual Studio 2008 Beta2 source tree so will show up soon in all flavors of VS 2008! :)

For everyone building sites with VS 2005 and who want to develop and test ASP.NET/IIS websites/service more quickly, go download and install this hotfix as it'll give you first-class F5 integrated debugging and save you hours of tedious twiddling with configuration settings etc.

Enjoy! :)

* No chickens were harmed in creating the webcast!

Vista power management & CPU frequency

richardt — Wed, 11 Jul 2007 22:35:56 GMT

For those that have taken the leap and moved to Windows Vista, you might have noticed that when you click the battery icon in your start bar, you now have three batter profiles to choose from: Balanced, Power saver and High performance.

Whilst you can explore the different settings that let you control when the PC turns off your screen, your hard drives or puts your computer to sleep, for example, it might not be quite as apparent how your machine's CPU is affected by these different profiles.

If you open the Power Options dialog and hit "Change plan settings" for any of the plans and then hit "Change advanced power settings", you'll see a number of knobs you can tweak.

One of these settings in particular is the Processor power management item. If you expand out the "Processor power management" settings, you'll see values similar to the following:

According to my "High performance" power profile, the CPU is pegged at 100% (except when it's on battery).
In the "Balanced" profile, however, the CPU is allowed to range between 5% and 100% of its maximum frequency whether it's plugged in or running on battery.
Interestingly though, for my "Power saver" profile, the CPU is limited to only operate between 5% and 50% of its maximum frequency.

But how does this map out in the real world? Does Vista REALLY enforce these limits in the CPU? Let's take a look. First of all, I open up the Resource Monitor. Then, I set the power profile to "High performance" - here's the CPU chart (note - the blue line shows you the CPU frequency - the green line shows you CPU utilization):

As you can see, my CPU's frequency is indeed pegged at 100% even though the CPU utilization is only averaging around 27%. This is because I am plugged in - what happens when I unplug the power? You can see that Vista automatically enters a state where it varies the CPU's operating frequency based on CPU utilization and that the operating frequency pretty closely tracks the CPU utilization.

Now, this behavior should be pretty close to what happens with "Balanced" mode, right? Absolutely! In the chart below, we can see that the CPU's frequency tracks the CPU's utilization, never dropping when the CPU is doing more work:

Note that this chart was captured from my machine whilst it was plugged in, and operates within the frequency tolerances dictated in settings we saw earlier.

But what happens when we go into "Power saving mode"?

Well, as we can see - Vista caps the operating frequency of the CPU to a maximum of 40% regardless of how busy the CPU might be.

This clearly shows that Vista's power management works a treat. Tips: if you're doing anything fairly CPU intensive note that your CPU will take longer to complete the task if on "Power saver" mode. If you need your machine to work as quickly and as responsively as possible, use "High performance" mode, and if you want the best of both worlds, choose "Balanced"!

Duh! ;)

Oh, and don't forget - you can, if you should so wish, go tweak your power profiles to give you the best performance when plugged into the power and to back off when on battery ... take it from me - this comes in real handy when trying to resuscitate a machine whose battery is on its last legs!

Firefox 3.0 (likely) to support Windows CardSpace

richardt — Wed, 11 Jul 2007 17:07:36 GMT

In case you missed it, Mozilla's Percy Cabello has just announced the list of features it's planning on including in Firefox 3.0. Among these features are integrated support for identity selectors such as Windows CardSpace :)

This is awesome news and I am delighted to see the Mozilla community supporting information cards to help users better manage and control their digital identities online.

As readers of my blog will know, following a meeting with several members of the Mozilla team last fall, we were delighted to announce Kevin Miller's "Perpetual-Motion" - a CardSpace extension for Firefox 2.x (source here). Whilst Perpetual-Motion adds seamless support for Windows CardSpace to Firefox, it is an additional download that users have to go find and install.

By including support for identity selectors such as Windows CardSpace, Mozilla has put a very definite stake in the ground, making it clear that they, along with much of the rest of the industry, believe that information cards offer users an opportunity to enjoy a far safer and simpler online experience.

Congratulations guys - look forward to seeing the release of Firefox 3.0! :)

Why don't Microsoft's own sites support CardSpace?

richardt — Tue, 10 Jul 2007 22:02:45 GMT

This is a question I am hearing with increasing frequency as I talk to people about why, how and when they might support information cards. Essentially, it comes down to three reasons:

History
Perceptions
Timing

Alas, some of Microsoft's prior forays into the world of online identity (e.g. Passport, Hailstorm, Wallet, etc) are encumbered (rightly or wrongly) with negative perception issues.

Whilst LiveID (formerly Passport) is an enormously successful online authentication engine that performs in excess of a billion authentications each and every day (and yes, that's not a typo - more than a billion a day!), the world made it clear that it doesn't want ONE authentication authority - it wants MANY. Why? Essentially, it comes down to trust.

If you had to store all your identity information in one place, who would you trust with that data? Microsoft? Google? Your bank? Your Government? There is no clear answer here.

It's this one core issue that has led to the creation of identity selectors such as Windows CardSpace and the Identity Metasystem (IDMS) which permits identities federated across a number of identity providers to be managed and exchanged under the user's explicit control.

One of the decisions we made early in 2006 was to NOT have LiveID support CardSpace at the outset! We did this deliberately to allow us to clearly demonstrate that CardSpace and LiveID were separate but complementary - just as CardSpace and your bank or CardSpace and your government, etc., are. We wanted to ensure that people could examine and explore CardSpace unencumbered by any negative (and incorrect) preconceptions.

However, this is not to say that we've been sitting idly by. Of course, we knew that once it was clearly established that CardSpace is in no way related to or reliant upon LiveID, the next inevitable question would be "so, when are Microsoft's sites going to support CardSpace?"

Both Kim and yours truly pointed out some time ago, LiveID will (in the future) support Information Cards. In fact, we've spent the last several months working closely with our friends over in the LiveID team to support them in building support for information cards into LiveID. When they're done with their implementation and ready to announce, you'll read it here or on Kim's blog within seconds of sign-off! :)

Identity discussion on Run As Radio

richardt — Tue, 03 Jul 2007 18:07:00 GMT

A couple of weeks ago at TechEd 2007, I was invited to discuss the world of identity with Richard Campbell and Greg Hughes for RunAs Radio - the Internet audio talk show for IT Professionals.

Greg just announced that the interview is now live for your listening pleasure.

Greg & Rich: Thanks for the opportunity to talk with you guys - looking forward to doing it again soon :)

Enjoy!

Announcing the Information Card Icon

richardt — Mon, 25 Jun 2007 16:44:11 GMT

[Update: 6/25/2007 @ 13:40 PST]
Please note: This icon is NOT a Windows CardSpace Icon. It's an icon to symbolize that a site or application supports Information Cards, regardless of the identity selector used to submit an Information Token associated with any Information Card.

Ever since announcing Windows CardSpace and introducing the world to the benefits of Information Cards, we’ve been asked repeatedly when there would be a visual icon that could be used by sites and applications that accept Information Cards …

We’re delighted to announce the immediate availability of the Information Card Icon. You’re free to use this icon (in accordance with the accompanying guidelines) to provide a clear, consistent visual cue to your users that your sites and applications support Information Cards. This will make it easier for users to recognize how and where to sign-in to your site and enjoy the ease-of-use and safety of Information Cards.

We encourage you to replace any temporary icons you might have used on your existing sites and demos with an appropriately sized version of the Information Card icon to increase consistency and recognition of your support of Information Cards.

Please download the Information Card Icon package which contains usage guidelines, FAQ, and a series of pre-rendered PNG images in different sizes along with the master Illustrator artwork.

"Phishing Resistant" OpenID spec published

richardt — Sun, 24 Jun 2007 22:48:32 GMT

Mike Jones has just posted news that VeriSign's David Recordon has just published a proposed "OpenID Provider Authentication Policy Extension 1.0" spec.

This spec is essentially the culmination of several months of effort by OpenID community to deliver upon what was promised at RSA 2007 back in February, namely, the introduction of technologies such as Information Cards as a mechanism to protect users from phishing and other identity related attacks.

Congratulations to the OpenID community on this landmark spec.

Did the chicken really come first?

richardt — Thu, 21 Jun 2007 22:06:05 GMT

Someone who I'll keep anonymous just mailed me in relation to my post yesterday:

I know you didn't ask (nor was it your point) -- but the Egg came first. It was laid by some animal that was really, really genetically close to a chicken.

I have to say, I'm not sure I agree. Didn't the creature that gave birth to the first egg have to exist before the egg it laid?

But then, come to think of it, maybe the egg from which the first chicken came was laid by something that was not a chicken and was perhaps formed in some other way than the usual egg 'n' sperm method? Which would mean it would have come first, no?

Q.E.D. the chicken (or other lifeform) came first! ;)

The Chicken and the Egg

richardt — Wed, 20 Jun 2007 22:05:38 GMT

You all know the age old question: "who came first, the chicken or the egg". Well, there's been some considerable discussion of late on the subject of how to help foster the growth of adoption of Information Cards and identity selectors such as Windows CardSpace and up-coming selectors such as Bandit.

in one recent discussion I commented that we're in a kind of chicken and egg situation right now - whilst everyone agrees that identity selectors and information cards are a good thing, it's taking some time for people to evaluate the concepts and ideas behind the Identity Metasystem and to look into actually supporting information cards at their sites. Many relying parties we've spoken to say they'll look into adding support to their sites once there are enough people to warrant doing so (and once there's an identity selector for non-Microsoft platforms, and once ...). Then there are the identity providers - many of whom want us to tell them how they can make money on this thing. Finally, we have users like my Mum & Dad - we can't turn the volume up for this audience until there are places to use their cards and identity providers willing to issue cards.

Keith Brown just posted my comments on his blog and goes on to say:

In my opinion, somebody (Microsoft?) needs to break this holding pattern fast. I agree that things aren't going to take off until there are more relying parties.

We're doing all we can to break this pattern. We were the first (through Kim) to espouse the principles of the 7 laws and articulate the need for and design of an Identity Metasystem. We were the first to release a viable identity selector - Windows CardSpace - and continue to invest heavily in future versions and supporting technologies. We're educating our field and providing them (and partners) with the resources they need to learn and then tell this story. We are working with a very large number of web-site operators and related businesses to take this fledgling concept and technology and help it grow and flourish into the magnificent creature that it promises to be.

But we can't do it all, and we can't do it all ourselves. In fact, we've already tried doing it all and only doing it ourselves, and the world said "no".

We are just part of this story - our many partners and compatriots in this space (IBM, Novell, PingID, VeriSign, OpenID, sxip, BMC, Sun and many, many others) are all busily beavering away, building support for information cards for a variety of platforms, technologies and products. But all our work is in vein unless there are sites that accept cards and identity providers to issue managed cards.

This is where we welcome you, dear reader, to investigate the principles, the design and the implementation of this Identity Metasystem and, if you believe that it's a "good thing", then take action. Join us and add support for information cards to your sites, systems and app's.

The time for nodding in appreciation but standing by and doing nothing is past. While the industry pontificates about the Identity Metasystem being a "good thing", our users (and that includes ourselves) are continuing to suffer from password fatigue at best and phishing attacks at worst.

Together, we can all help stop the rot.

Just joined Technorati

richardt — Wed, 20 Jun 2007 20:37:40 GMT

I've been asked several times recently where my profile is on Technorati and finally bowed to the pressure ;) You'll find my Technorati Profile here.

Dominick going CardSpace crazy!

richardt — Tue, 19 Jun 2007 00:24:51 GMT

Y'know, sometimes you meet someone who needs a life, but is clearly having so much fun and churning out useful things that you're kinda glad they don't! Dominick is one such guy! ;)

Over the last couple of weeks, Dominick has churned out not just an updated ASP.NET control for Windows CardSpace (and other identity selectors when they start to become available) but has also just published a wrapper for the GetToken() method on the CardSpaceSelector object. This wrapper lets you easily use CardSpace from within your own WinForms apps, and elsewhere in order to integrate CardSpace support into your apps and systems.

Awesome stuff! Now, just make sure you don't barrage Dom with email - we don't want to distract him from his next project now do we? ;) :)