Archive for November, 2006
Friday, November 24th, 2006
Hey CNET:
Thanks so much for publishing your “essential guide” to the top 10 girl geeks. I’m really glad that you’ve thought to use your reach in the industry to further the public’s knowledge of the women who have changed the world in geeky ways. It’s great to know that you have the integrity to write such a thoughtful and well-researched piece, and that you have accorded girl geeks the respect that they deserve. Mark my words, you will reap what you’ve sown with this particular article.
I know you’re getting all sorts of flak for ranking Lisa Simpson higher on the list than Marie Curie, but really, isn’t it obvious how much more important Lisa Simpson’s contributions to the fields of science and technology are? Marie Curie’s Nobel prizes are no match for a fictional 8-year-old.
And then there are the inclusions of Daryl Hannah and Paris Hilton on the list. I think your reasons for including these women are completely misunderstood! Sure, they aren’t really geeks, but Daryl plays one on TV, and Paris does, after all, play video games. That’s pretty good for a GIRL.
It sure is a good thing that you pulled our attention away from the Ada Lovelaces and Grace Hoppers of the world. Those women were just plain SCARY smart and we don’t really want to glorify that kind of behaviour.
I am expectantly waiting for your “essential guide” to the top male geeks. I can’t wait to watch Einstein, Galileo, and Copernicus go head to head with Keanu “Neo” Reeves and Weird Al “White & Nerdy” Yankovic. Too bad people like Berners-Lee or Tesla won’t make the list, but hey, them’s the breaks.
Way to go CNET. Your journalistic skills have awed us all.
Wednesday, November 15th, 2006
On Bill Barnes’ new blog, entitled Card Carrying, Bill talks about some very interesting results from usability studies involving authenticating to a Metasystem RP with a hybrid login screen. This is what most information-card-enabled sites have now, a passive page that allows a user to either use an infocard or a username/password combination (and possibly other mechanisms too).
I would rather you go and read what Bill has to say than merely see a quote here – so go read it. Personally, I think that the extra “embracing and extending” step that Bill talks about could be put into the username/password registration flow rather than the username/password authentication flow, just so that people don’t have to see it *every* time they log in – but perhaps there is a more sophisticated way to set it up, such as asking each user once and then setting a flag so that the user is not subjected to an extra prompt during subsequent authentications.
It’s a very interesting topic of debate, and I’d love to see some usability tests done on the changes made as a result of these usability tests.
Monday, November 13th, 2006
I really like the idea of Confabb.com – a nice spot to go find out about various conferences that you might want to attend, with reviews and other great stuff built in.
As a first impression, however, I think that they have a ways to go before they are relevant. A search for identity management doesn’t exactly return comprehensive results. A search for “Catalyst” does bring up the Burton Group Catalyst conference — but they seem to think that the conference is about: “Computers and Internet , Computers and Internet, Computers and Internet , Computers , Networking , Firewalls/Security.” Out of their advertised 16,000+ conferences, who wants to guess how many of them are similarly tagged?
But the one that really makes me crack up is this:
Here is Eric’s review of Digital ID World – you can see the conference has a number: 4810. This would say to me that it is registered somewhere. You can also see the review, and the details of the conference:
However even though you can get to it if you go through the review, you can’t search for it by name:
So – Confabb has a little work to do. Or should I say, conference organizers have a little work to do. Confabb has supplied little more than a placeholder — the question is, will organizers care enough to fill the database with relevant data? Here’s hoping they do, and that after they do, the vendor improves their search algorithm enough for the rest of us to actually leverage the information.
Good luck Confabb, I hope people work hard to make you a success :)
Thursday, November 9th, 2006
Every so often over the last year, I would enthusiastically suggest various CardSpace feature enhancements to whoever on the team I happened to be bending the ear of at that particular moment. They usually very patiently noted that only so much could go into V1, and that other features would have to wait.
The digital ink isn’t even dry on the RTM announcements, but I’m more than ready to get in on the ground floor with round #1 of Pam’s recommendations for CardSpace V2 :)
The first feature suggestion is not really a client feature at all, but I think it is an issue that needs to be addressed. It is IMO important, so I shall leave it in.
Feature 1: Some way to automate Testing & Monitoring
Automated QA testing tools like Mercury LoadRunner and Rational Robot will not work with CardSpace. I predict this will be a major barrier to adoption by any company with a large-scale QA testing infrastructure. Same goes for web-based monitoring programs. The catch-22 is, if a testing tool can automate a CardSpace interaction, so can a bot.
Feature 2: Addition of “Identity Selector” as Windows Software Client type
I would like to see MS work towards adding a new entry for an Identity Selector in this screen:
It may be tough to make the case for adding this, when there are no competing products out – but if you wait until those clients exist, you won’t have it ready in time. You need to put it in now, in order for it to work through the MS monolith (after all, what’s the ETA for v2?).
Feature 3: Logging of card backups and restores.
I hate the fact that, should there be an opportunity to get into your Windows account, somebody could export all of your cards, and the next time you run CardSpace, you wouldn’t be able to tell. Sure, the thief shouldn’t get that much, as managed cards still require separate authentication to the IdP, and I can PIN-lock my personal cards if I’m paranoid – but still, I want a way to know what happens to my precious cards in my absence, even if it only ends up being for forensic purposes. If I could have anything, I would prefer that the user be challenged to re-authenticate to the domain any time they attempt to make a card backup, but I understand that’s very difficult to do, so this is a compromise.
Feature 4: Alterable Card Size
I know this is a frou frou request, but it is near & dear to my heart. I want to be able to resize my cards so that I can fit more or less of them on the screen at one time. This way people with vision problems can make them bigger and easier to see, and power users can make them tiny so they can see many cards at once.
Feature 5: One Time Password Support for Managed Cards
I think the first and most obvious candidate for an IdP is a token provider. You could offer a service that (a) is far more secure than what people have now, (b) would be accepted at any site which supports Information Cards without any specialized integration at the RP, and (c) uses a physical product that could be branded and used to build product loyalty. Imagine replacing everything from your gmail login to your bank login with a token interaction from the same token. I would certainly use such a product, especially if the IdP was a non-auditing IdP.
There are more, but I’ll save them for Round #2. What features would you folks add?
Tuesday, November 7th, 2006
I am right now downloading the official, not-a-release-candidate, gone live version of .NET Framework 3.0.
Get it while it’s hot!!
Congratulations to all the folks who have worked on the InfoCard project. It has been a lot of fun watching this product take shape, and I can’t wait to see where it goes next…
Sunday, November 5th, 2006
I spent a chunk of time recently trying to figure out how a web developer could pre-test a user’s browser configuration to determine whether some kind of identity selector client or plugin will pick up on the embedded HTML object and give the user a little infocard-love, if you know what I mean :)
It’s a little messy. Ok it’s a lot messy.
The CardSpace team has given us a way to test whether their client is installed (which I really appreciate), but sadly, the way that they have given us can only be evaluated using a scripting language that runs on one brand of browser. What we all really need is a way to tell if *any* identity selector is installed or, in a future perfect world, *which* identity selector is installed, in a vendor-agnostic way.
Sadly, the browser wars have completely derailed ease and simplicity in determining capabilities for embedded content. It’s hard for me, looking back, to imagine what possible reason the IE6 team might have had for choosing to populate only part of the ‘navigator’ object in JavaScript. Why would they choose to populate navigator.appName and navigator.platform, but leave things like navigator.plugins and navigator.mimeTypes blank? And why would they choose the worst *possible* way not to support it, by returning a valid but empty array every time, making it impossible to tell the difference between a call to a supporting browser that happens to have a negative result and a call to a nonsupporting browser that may still actually have the plugin you want installed? Sadly, this functionality appears not to have changed for IE7 either.
In my wildest happiest dreams, I would test once to see if the ‘application/x-InformationCard’ mime type is registered. If it isn’t registered, I would test no further, and send the user to a “getting an Identity Selector” help page.
If the mime type does exist, I would (in my happy dream) find out what plugin is registered to the above mimetype. I might also check the plugins list to find out whether there were any other known identity selector plugins that were installed but either disabled or not the default. I could then tell the user exactly what plugin it is that is handling their identity selector needs. Wouldn’t that be nice and user-friendly? Instead, I’m stuck trying to jump through the same nasty hoops that the people trying to detect Flash versions go through.
Don’t believe me? Look at the scripts that are written to accomplish what should really be a simple task.
After all this angst, I can only report varied results. It is obvious to me that this is not a piece of code that you can write and walk away from, because it can’t possibly be vendor-agnostic. The identity selector detection script will have to be tweaked and coddled and monitored forevermore, just like the flash detection scripts.
Right now I have three possible clients to detect. If I want to detect the CardSpace client without using VBScript, it seems reasonable to assume that if I parse navigator.appVersion and see both “MSIE 7.0” and “.NET CLR 3”, life is probably good – good enough to know that at least one identity selector is installed. If, in the future, the user had both CardSpace and the OSIS identity selector installed, I’m not sure how you could determine which one was active. Chances are you could use VBScript for that, but then you would have to do something in the case that VBScript is disabled…
In trying to detect Ian Brown’s Safari plugin, I’ve found that navigator.mimeTypes shows that the “application/x-Informationcard” mimetype is registered, but I can’t derive an enabled plugin from navigator.mimeTypes["application/x-informationCard"].enabledPlugin, and I’m not sure why. I will keep working on this and let you know.
I can’t detect Chuck’s Firefox plugin at all, because it isn’t a plugin, it’s an extension, and extensions are considered private by the browser. I can’t even tell that the “application/x-informationcard” mimetype is registered. I don’t think there is any fix for this, except perhaps asking Chuck very nicely if he could look into what it would take to move away from an extension and towards a plugin.
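The detection order described above, written out as an added example (not code from the original post): check for the Information Card mime type first and name its plugin if the browser exposes one, fall back to parsing navigator.appVersion for “MSIE 7.0” plus “.NET CLR 3” on IE, and otherwise report that the answer is indeterminate, because IE returns an empty mimeTypes array regardless and an extension-based selector is invisible to script. The `nav` parameter is a navigator-like object (so the function can run outside a browser), and the selector labels are my own.

```javascript
// Added example: a first-pass, vendor-agnostic identity selector check that
// follows the detection order in the post. The `nav` argument is any object
// shaped like window.navigator (appVersion, mimeTypes); pass the real
// navigator in a browser. Selector labels are assumptions, not product names.
const INFOCARD_MIME = 'application/x-informationcard';

// Find the Information Card mime type entry, matching case-insensitively,
// since browsers and plugins differ in how they capitalise it.
function findInfoCardMimeType(mimeTypes) {
  if (!mimeTypes) return null;
  for (let i = 0; i < mimeTypes.length; i++) {
    const mt = mimeTypes[i];
    if (mt && typeof mt.type === 'string' && mt.type.toLowerCase() === INFOCARD_MIME) {
      return mt;
    }
  }
  return null;
}

// Returns { installed, selector, method, indeterminate }. `indeterminate`
// is true whenever "not found" cannot be distinguished from "not detectable".
function detectIdentitySelector(nav) {
  const ua = String(nav.appVersion || '');
  const mt = findInfoCardMimeType(nav.mimeTypes);
  if (mt) {
    // Best case: the mime type is registered and the browser names the plugin.
    const plugin = mt.enabledPlugin && mt.enabledPlugin.name;
    return { installed: true, selector: plugin || 'unknown plugin',
             method: 'mimeType', indeterminate: false };
  }
  if (/MSIE/.test(ua)) {
    // IE exposes an empty mimeTypes array either way, so the only script-side
    // signal is the user-agent string: IE7 with .NET 3 suggests CardSpace.
    if (/MSIE 7\.0/.test(ua) && /\.NET CLR 3/.test(ua)) {
      return { installed: true, selector: 'CardSpace (inferred from appVersion)',
               method: 'appVersion', indeterminate: false };
    }
    return { installed: false, selector: null, method: 'appVersion', indeterminate: true };
  }
  // Non-IE browser with no registered mime type: no plugin-based selector is
  // visible, but an extension-based one (e.g. Firefox) would still be hidden.
  return { installed: false, selector: null, method: 'mimeType', indeterminate: true };
}

if (typeof navigator !== 'undefined') {
  console.log(detectIdentitySelector(navigator));
}
```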
Well, that’s the report from the trenches. Pete, you may be right, perhaps all we can do is to let the user fail, and then try to explain it to them after the fact. The sad thing about being forced to be reactive instead of proactive, is that when the html object is invoked but no token is returned, there can be a number of root causes. Trying to explain them all to the user will make their head spin around — which leads me to another little thing I’m working on, you’ll hear about that pretty soon :)
Thursday, November 2nd, 2006
If you haven’t already heard, Oracle Access Manager (as it is now called) has rearchitected their web agents (known as webgates) for the first full version to come out since Oracle acquired Oblix.
This is critical information for anyone who is currently running version 6 or version 7 of the Oblix codebase, or who is considering a version 6 to version 7 upgrade. I believe that most clients have been notified of this change, but just in case it hasn’t filtered down to the people actually running the systems, I thought I’d highlight the importance of the changes.
One of the toughest challenges of an Access Management system is certification of the many permutations of web server platforms that must be protected. The matrix defining which web server software is supported on which operating system platform for which version of COREid has in the past been made easier by the fact that webgates are forwards and backwards compatible between versions. What this means is that if a web server & platform combination is certified for any version of COREid, you can use it in your single sign-on environment, regardless of which version of the Access System you are on. The result of this policy is that there are a huge number of supported web server versions & platforms, giving clients a lot of freedom to implement their environments as they see fit.
This policy has changed for the newest version, Oracle Access Manager 10.1.4. Version 10.1.4 webgates will NOT work on a version 6 or version 7 Access System. Note that version 6 and 7 webgates will work on a 10.1.4 Access System, just not the other way around.
If you are on version 10.1.4 or are going to version 10.1.4, life really won’t change much, other than the fact that during the migration, you lose the freedom to upgrade your webgates at any time before or after the Access Server is migrated — you will have no choice but to upgrade your webgates afterwards.
If you are on version 6, you may be anxious because of the ‘End-Of-Life’ for that version. I’ve just learned that Oracle has extended their support for version 6 until December of 2007. I suggest using this time to modify your migration plans so that you skip version 7 and go straight to OAM 10.1.4 – for reasons I will describe below.
If you are on version 7 — you are not where you want to be. Although version 7 is a supported version, future web server and OS platform certifications will happen for version 10.1.4 — which means they can’t connect to your Access System. Backporting webgates for version 7 is an expensive and time-consuming process, and it isn’t going to happen unless there is a proven critical demand. As a result, the chances the exact web server you want to use will be there waiting for you in the supported platforms matrix whenever you decide to look for it are slim. For example, there is a 10.1.4 webgate for web servers on Red Hat 4, but only certifications for Red Hat 3 on 7.0.4. If you want to run your web servers on RH4, and you have a version 7.0.4 access system, there is nothing that you can do except to upgrade the access system or downgrade the web server OS. If you have a critical need to support a future web platform on version 7, you had better be negotiating with your Oracle Account Manager far far in advance of the point in time when you need to start using it.
The moral of this story is: Even though the version numbers look minor (10.1.2 to 10.1.4), the changes made by Oracle since acquiring Oblix are worthy of a MAJOR version number change. OAM 10.1.4 is the first step in Oracle’s post-Oblix strategic vision for access management, and it will be in every client’s best interests to align with that vision as soon as possible. Support is one thing, but progress is something very different. Trust me, if you can, you want to go for progress :)