Archive for February, 2007

Did you see?

Wednesday, February 28th, 2007

Pat Felsted posted this sneak peek on his blog – by george, we might have a new contender in the Identity Selector client department. I can’t tell you how happy this makes me; we can’t really get serious about this technology until access to it can happen in a dependable way, from anybody’s local computer. I can’t wait to get the opportunity to push all the buttons and see what busts. It’s a mark of affection, really it is :)

McAfee and Managed Cards

Thursday, February 22nd, 2007

If you have a McAfee security product on your computer, and you try to use CardSpace to get to a managed card, you might run into trouble.

Actually the problem isn’t really the managed card, it is that McAfee hasn’t got any special rules figured out for CardSpace as a program yet, and I’m reasonably sure that any transaction that uses the fancier authentication model where CardSpace calls out to an endpoint to discover & retrieve policy looks suspicious to McAfee’s default rules. As a result, McAfee silently blocks the transaction, without even sending a verification prompt to the user. The blockage also doesn’t show up in McAfee’s “Recent Events” screen either. I saw this behaviour with managed cards, but it seems likely to me that the same problem would crop up with a Relying Party STS too, and in that case I think it would happen for any kind of card. I don’t know of any RP STS’s out there, so it’s hard to test that hypothesis.

I hope McAfee will get their act together and put a little research time into CardSpace – but until then, there will be people out there who won’t be able to perform some card transactions and will probably have a heck of a time figuring it out.

So – if you are trying to use a card at a site, and you get this message:

Your data could not be retrieved from the managed card provider. Check your network connection and verify that you have supplied the correct authentication credentials.

And you have McAfee, you need to follow these instructions:

  • Open up Security Center
  • Click on the “Reports & Logs” menu item on the left side
  • Click on the “View Log” button
  • In the new window that pops up, select “Internet & Network” on the left hand side.
  • Select “Outbound Events” under “Internet & Network”.
  • You will then (finally) see a log file that will show you that Windows CardSpace was blocked.
  • Click the “Grant Access” or “Grant Outbound only access” button to solve the problem.

There is a “Learn More” button on that screen. The “Learn More” button just informs you that McAfee has no clue what Windows CardSpace is. Doesn’t that seem a little embarrassing for a Security company not to have heard of or prepared for something like CardSpace? McAfee does provide an application feedback form for end-users to describe programs to them – perhaps if we were all to fill out that form and describe the issue, they would add CardSpace sooner rather than later. The form is here.

McAfee Blocking CardSpace

CardSpace: The Selector Strikes Back!

Wednesday, February 21st, 2007

For those who are attending the Directory Experts Conference in Las Vegas NV in April, I had hoped to run a workshop before the start of the conference where people could dive in and explore the technology first-hand. That didn’t work out, so instead I am running a session on Wednesday morning, April 25th, at 9:15am. By the time you get to that session, you will all be Identity Selector experts. Trust me. I have my ways. The session abstract is below.

For those of you who aren’t attending DEC, if you ever wanted to go under the hood of Active Directory (or MIIS), this is where you need to be. Not only will you be party to an unbelievable amount of technical and strategic information, but you get to meet the folks who Know. And getting to talk to the folks who Know is an experience in itself. Just hanging out on the periphery and trying to absorb as much as I can has been an incredible learning experience for me. And just in case you don’t really know what I mean about meeting the folks who Know, you can check out ActiveDir.org, or just meditate on the picture at the bottom of this entry – that’s where the conference is being held. Not too shabby, hey? Those NetPro folks know how to throw a conference, let me tell ya…

CardSpace: The Selector Strikes Back!

P. Dingle, DEC Conference 2007
In the time since DEC 2006, Windows CardSpace has been released as part of the .NET Framework version 3.0, and Microsoft has released the technical specifications surrounding the Information Card profile. Higgins is one of several entities with an STS that can issue managed cards, and all sorts of relying party code is in the works, with more code supporting and consuming information cards every day.

In this session, Pamela will bring attendees up to speed on the current state of the identity metasystem:

  • Communities surrounding user-centric identity.
  • Where to get the toolkits, libraries and modules available, and what they do.
  • Open source and proprietary initiatives.
  • Protocol interoperability (playing nice with the neighbours).
  • Pain points & barriers to adoption.
  • Known successes.

If you are interested in staying informed as information card technology inevitably moves towards an explosion of mainstream adoption, this session should help you to keep the right items on your radar.

Red Rock Casino, Las Vegas NV

Identity X-File 0x00

Tuesday, February 20th, 2007

Due to serious last-minute site issues, Dale & I ended up pulling an all-nighter (fuelled by a good bottle of port and a LOT of water) the Sunday before RSA, in order to get pamelaproject.com up, running, and stable. I ended up registering with a hastily-chosen web hosting company in the wee hours of the morning. Luckily I did not have to use the account right away, as Dale & I were pursuing parallel possibilities for site hosting, and Dale’s plan materialized before mine did. My heartfelt thanks to the Olds family for letting me hijack their home MythTV linux box for a week, it was a lifesaver :)

Once the demos finished that Friday, I prepared to port my site over to what I hoped would be a long-term home for pamelaproject.com. When I clicked the web hosting administration link from the site email, however, I was *very* surprised to be taken to my administration page without being prompted for the password I’d given when I registered. This is what I saw:


Note the line in the above screen-shot that says:

“Page contain your password and account number – please do not share this page URL and never paste this link in public forums or in instant messages softwares”

So – just to confirm my worst fears, I went to the main page and clicked on the “client login” link — and here’s what I saw:

Yep, I had paid late-night desperation money to a company who uses two static elements to authenticate – username and account number. Not only that, they allow those static elements to be passed as query string elements of a URL, which once accessed, display my FTP account password in CLEAR TEXT!!! If these guys think that keeping such a URL out of IM and public BBs is enough to keep it from being discoverable, they are on crack.

Call me crazy, but I consider this kind of protection to be just a wee tad risky. I’m certainly not going to go to all sorts of trouble to build any kind of CardSpace infrastructure on top of this service, what would be the point? Sure, the transactions would be secure, but the foundation it was built on would be just hanging out there, ripe pickings for someone with the right skills. Thinking about all the ways to get hacked makes me feel panicked in general, but for the love of Pete, there’s no point in handing it to them on a silver platter…
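The weakness described above, authenticators carried in a URL, means the secret lands in every place URLs are routinely recorded; the web server’s own access log is the most obvious. As an added example (not from the original post, and not the hosting company’s code), this Python scanner walks a few constructed Combined Log Format lines, flags requests whose query string carries credential-like parameter names (the name list is an assumption), and redacts the values so the report itself does not leak them.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that commonly carry authenticators. This list is an
# assumption for illustration; extend it for the application being audited.
SENSITIVE_PARAMS = {"user", "username", "account", "accountno",
                    "password", "passwd", "pwd", "token", "sessionid"}

# Combined Log Format: client ident user [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def sensitive_params(url):
    """Return the names of credential-like parameters found in url's query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k.lower() for k, _ in pairs if k.lower() in SENSITIVE_PARAMS})

def redact(url):
    """Rewrite url with every sensitive parameter value replaced by [REDACTED]."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    safe = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return parts._replace(query="&".join(f"{k}={v}" for k, v in safe)).geturl()

def scan_log(lines):
    """Yield (client, timestamp, redacted_url, flagged_params) per flagged request.

    The report carries only the redacted URL, so the scan itself does not copy
    the leaked secret into yet another file.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        client, ts, _method, path, _status = m.groups()
        found = sensitive_params(path)
        if found:
            yield (client, ts, redact(path), found)

# Constructed sample log lines: addresses, paths and values are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2007:02:14:31 -0700] "GET /admin/login?user=pamela&account=12345 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [20/Feb/2007:02:15:02 -0700] "GET /blog/?p=42 HTTP/1.1" 200 8811',
    '203.0.113.7 - - [20/Feb/2007:02:16:47 -0700] "POST /admin/ftp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```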

As a result, this web hosting service has the dubious honor of becoming the first entry in the Identity X-Files. Nice work…

(BTW, pamelaproject.com has since found a permanent home, and it isn’t at the company above. Just in case you were wondering.)

Identity X-Files

Tuesday, February 20th, 2007

You know, there are some funny things going on out on that there intarweb. Things that shouldn’t happen, but do anyways. Where such things intersect with identity & access management, I’d like these stories to be linked – because I think that as a body of information, they tell a story that needs to be heard. I’m not interested in pointing fingers at the companies involved (brings to mind images of rocks & glass houses, you know what I mean), but I would like, if possible, to start conversations in this area, for the benefit of all.

So I hereby open the “Identity X-Files”. If you find something on the net that scares you from an identity or access perspective, send it to me; I’d love to add it to my collection. Or post it under this tag, and let me know so I can link to it.

PamelaProject @ RSA

Friday, February 16th, 2007

The Pamela Project officially kicked off on Monday Feb. 4th 2007 at the Liberty Alliance Identity Standards Workshop, with a joint presentation between Mary Ruddy of the Higgins project, Dale Olds of the Bandit project, and myself. The demonstration started off by accessing a resource behind Novell Access Gateway operating as a Liberty Relying Party. When we authenticated to Novell Access Manager operating as a Liberty IdP, we used a managed information card, which received its identity data from a Higgins STS.

After this, we used the same managed card to access non-Liberty (Identity Metasystem) Relying Parties – one of which was PamelaWare for WordPress.

During the demo, we used the same information from the same base repository but passed it in different ways, either in Liberty protocols or in Information Card V1.0 protocols. We demonstrated all of this both on Vista using Windows CardSpace – and on a Linux machine using Chuck Mortimore’s Firefox plugin. It was pretty exciting to see a solid connection between such a diverse set of projects and groups.

The demonstration was a lot of fun, and I was really excited to have the opportunity to kick off the Pamela Project in such style. Many thanks to Mary and to Dale for allowing me to be part of the demonstration. It is worth checking out all of the presentations from the Liberty Alliance Identity Standards Workshop – they were excellent.

The Pamela Project!

Wednesday, February 14th, 2007

With much ado and fanfare, I would like to introduce you all to The Pamela Project. Some of you have heard of this already — we officially announced the Pamela Project last week as part of the Liberty Alliance Day at RSA. I have more information on that event too, stay tuned.

The Pamela Project is focused on the adoption and use of information cards in the wild. We are working on the creation and maintenance of relying party software that fits into known popular software frameworks — and our goal is that you should not need to be a coder, a web services expert, or even particularly knowledgeable about SSL to enable your website to consume information cards.

To this end, we are now in the beta stage of the first download from the Pamela Project: PamelaWare for WordPress (shortened to PW-wp for obvious reasons). I have taken Kim Cameron’s original PHP relying party code for WordPress and done the following things to it:

  • Turned it into a WordPress Plugin that can be activated & managed from the WordPress Administration console
  • Added an Error Handler & Debug Handler
  • Created Documentation around installation & troubleshooting (plus a community comment capability for the documentation that allows collaborative updates to my initial instructions)
  • Added a full Information Card Configuration Console
    • Including detection of missing prerequisites such as PHP5 or mcrypt.
    • Also including prescriptive tests around HTTPS capability.
  • More details on features are here.
  • Screenshots are here.
  • Try it out at our test blog!

PamelaWare for WordPress is just the first of what I hope to be a long list of framework modules, written initially for the best-of-breed PHP software, but eventually for software of all types, in as many languages as possible.

If you are interested in being a beta tester for PW-wp, or if you would like more information about the community we hope to create, or if you think you would like to contribute, please comment here and I will contact you.

Thanks to Kim, Craig and Dale – the founding members of Pamela Project — for their advice, support, marketing prowess and development experience – I feel very honored to get a chance to work with such brilliant people.

Airport PARTY!!!

Friday, February 9th, 2007

Here’s to all the Calgary geeks waiting at the San Francisco International Airport for the last 5 hours. 6:56pm delayed to 11:10pm, 5 gate changes, and multiple pints later, I’m not holding out for an actual arrival of my aircraft, but we’re having a good time in any case :)

If you too are stranded in terminal 3, you should come by the bar @ gate 77A, last call is long gone, but at least you can get in on the tall tales…

Update: ugh, got home just before 4am…

RSA 2008 Budget Allocation Poll

Friday, February 9th, 2007

What would you rather have next year at the RSA Conference?

A) Big fancy conference kick off with laser lights and a live dance number.

B) Wireless access that doesn’t suck.

I know where I would prefer my conference fee dollars to go.