PamelaProject @ RSA

The Pamela Project officially kicked off on Monday Feb. 4th 2007 at the Liberty Alliance Identity Standards Workshop, with a joint presentation between Mary Ruddy of the Higgins project, Dale Olds of the Bandit project, and myself. The demonstration started off by accessing a resource behind Novell Access Gateway operating as a Liberty Relying Party. When we authenticated to Novell Access Manager operating as a Liberty IdP, we used a managed information card, which received its identity data from a Higgins STS.

After this, we used the same managed card to access non-Liberty (Identity Metasystem) Relying Parties – one of which was PamelaWare for WordPress.

During the demo, we used the same information from the same base repository but passed it in different ways, either in Liberty protocols or in Information Card V1.0 protocols. We demonstrated all of this both on Vista using Windows CardSpace – and on a Linux machine using Chuck Mortimore’s Firefox plugin. It was pretty exciting to see a solid connection between such a diverse set of projects and groups.

The demonstration was a lot of fun, and I was really excited to have the opportunity to kick off the Pamela Project in such style; many thanks to Mary and to Dale for allowing me to be part of the demonstration. It is worth checking out all of the presentations from the Liberty Alliance Identity Standards Workshop – they were excellent.

The Pamela Project!

With much ado and fanfare, I would like to introduce you all to The Pamela Project. Some of you have heard of this already — we officially announced the Pamela Project last week as part of the Liberty Alliance Day at RSA. I have more information on that event too, stay tuned.

The Pamela Project is focused on the adoption and use of information cards in the wild. We are working on the creation and maintenance of relying party software that fits into known popular software frameworks — and our goal is that you should not need to be a coder, a web services expert, or even particularly knowledgeable about SSL to enable your website to consume information cards.

To this end, we are now in the beta stage of the first download from the Pamela Project: PamelaWare for WordPress (shortened to PW-wp for obvious reasons). I have taken Kim Cameron’s original PHP relying party code for WordPress and done the following things to it:

  • Turned it into a WordPress Plugin that can be activated & managed from the WordPress Administration console
  • Added an Error Handler & Debug Handler
  • Created Documentation around installation & troubleshooting (plus a community comment capability for the documentation that allows collaborative updates to my initial instructions)
  • Added a full Information Card Configuration Console
    • Including detection of missing prerequisites such as PHP5 or mcrypt.
    • Also including prescriptive tests around HTTPS capability.
  • More details on features are here.
  • Screenshots are here.
  • Try it out at our test blog!

PamelaWare for WordPress is just the first of what I hope to be a long list of framework modules, written initially for the best of breed in PHP software, but eventually for software of all types, in as many languages as possible.

If you are interested in being a beta tester for PW-wp, or if you would like more information about the community we hope to create, or if you think you would like to contribute, please comment here and I will contact you.

Thanks to Kim, Craig and Dale – the founding members of Pamela Project — for their advice, support, marketing prowess and development experience – I feel very honored to get a chance to work with such brilliant people.

Is the WCS Privacy Statement for EV folks only?

Can anyone tell me if the link to a site’s privacy statement from the ‘First time at a site’ CardSpace screen (picture below) can be set by relying parties who don’t have an EV certificate? Finding documentation on this feature is ugly, since most Microsoft-based pages have a link at the bottom of the page entitled ‘privacy statement’ (referring to the site policy) — which horribly dilutes the search pool.

Update: see the comments for the answer to my question (thanks Mark)

Here’s what I know. The ‘first time’ screen can be shown to a user for (at least) four reasons:

  • It really is the first time that CardSpace has seen the site.
  • If the user selects the “learn more about this site link” during regular use.
  • Any of the certificate details for that site change.
  • If “The site states that it has changed its privacy statement” (reference here).

How does that last bullet work? Does CardSpace detect a change in the privacy statement because the privacy statement is encoded in the EV certificate? If so, it sounds like a maintenance nightmare; do you have to re-install your certificate every time your privacy policy changes? If not, how exactly does a site “state” that it has changed its privacy statement? For that matter, how does a site state that it has one in the first place?

It is worth finding out, because if you as a site owner don’t have anything behind that privacy statement link, a user who clicks on the link will be told:

The site has declined to provide a privacy statement.

I hope there is a way for us peasant-cert types to populate the link – I can’t say that I’m excited about having my (potential) users thinking that I have declined to provide a privacy statement if the case happens to be that I am in reality unable to provide a privacy statement.

Thanks in advance to anyone who can help with this :)

Aha, it was a bug

For those of you who haven’t seen the comments to my last blog entry, it turns out that the lack of persistence in the optional claims checkbox was not by design. Bill Barnes from Microsoft responded to my entry to say:

The fact that the checkbox isn’t defaulting to checked in this case is just plain a bug.

As to the placement of the checkbox, one could argue it belongs on the front page, on the details page, and on the edit page. That’s a lot. But it makes sense.

I’m really happy to hear Bill’s response, since I figure this means the problem is more likely to be fixed sooner as a bug than as a request for enhancement. Hopefully this bug has a nice high priority on the list of fixes to stuff into the next update.

Thanks for setting the record straight Bill.

3 clicks for optional claims every time you use them

For all of the time I’ve been playing with CardSpace, I’ve only begun truly using the thing in a manner that I would consider representative of real world usage in the last month or so. For the first time, I am authenticating to the same site with the same card again and again, making changes to data in the card with expectations of those changes being picked up by RPs, attempting to provision accounts with cards, and generally acting like an actual user instead of just pushing buttons.

It is an easy tool to use – with one small exception.

I had understood previously that a user must explicitly choose to send optional claims for CardSpace transactions. I just didn’t realize that you had to do that every single time you wished to send optional data to the site. My testing has shown that the “Include optional data” checkbox lasts for one use and one use only. The next time you use that card at that site, if you just click the “Send” button — only the required claims get sent.

So for every transaction where you wish optional claims to be sent, you will need to:

  1. Click the “Preview” button (even though “send” is right there).
  2. Click the “Include optional data” checkbox.
  3. Click the “Send” button.

It doesn’t sound so bad — until you do it all the time.

It means that as a user, you can’t decide once to include your webpage in the data you send to a site. You have to decide every time. That’s if you remember… if you don’t, the data just doesn’t get sent. That initial “send” button on the beguiling green background is hard to resist if you aren’t paying attention.

As a relying party, it makes for difficulties too. It makes just-in-time (i.e. not locally stored) receipt of optional data just that little bit less consistent. For sites that are storing optional card elements in a local profile, coders can’t blindly assume that every change to an optional claim should result in a profile update, or profile data will come and go on a daily basis, depending on whether or not the user remembers to hit the magic checkbox that day. If you decide to keep the original data in cases where the optional claims are empty, you have to make sure that your integration code can tell the difference between an empty piece of optional data that is included, and a not-included claim, so that you can blank out the field in the former case, and ignore the latter case. That’s a tough one to educate users on, too.
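The absent-versus-empty distinction above is easy to get wrong in integration code, so here is an added example (my illustration, not PamelaWare or Kim Cameron’s RP code) of a profile merge that handles it. It picks up after the token has already been decrypted and its signature verified, and it assumes the SAML 1.1 AttributeStatement shape that self-issued CardSpace tokens carry (an `AttributeName` plus the `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` namespace); the tokens, the stored profile, the e-mail address and the choice of `emailaddress` as required and `webpage` as optional are all constructed for this example.

```python
"""Added example: merge information card claims into a stored profile while
telling an included-but-empty optional claim apart from an absent one.
Constructed tokens stand in for a decrypted, signature-verified assertion."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Hypothetical RP policy for this example: one required, one optional claim.
REQUIRED = {"emailaddress"}
OPTIONAL = {"webpage"}


def sample_token(optional_value=None):
    """Build a constructed assertion.  optional_value None means the user
    did not tick 'Include optional data'; '' means it was ticked but the
    card's webpage field is blank."""
    attrs = [("emailaddress", "pamela@example.com")]
    if optional_value is not None:
        attrs.append(("webpage", optional_value))
    body = "".join(
        f'<saml:Attribute AttributeName="{n}" AttributeNamespace="{CLAIMS_NS}">'
        f"<saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>"
        for n, v in attrs)
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}">'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
            "</saml:Assertion>")


def extract_claims(assertion_xml):
    """Return {claim_name: value} for every identity claim in the assertion.
    A claim that is present with an empty AttributeValue maps to ''; a claim
    that was not sent at all is simply not a key."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("AttributeNamespace") != CLAIMS_NS:
            continue  # ignore claims from namespaces this RP does not use
        value = attr.find(f"{{{SAML_NS}}}AttributeValue")
        text = value.text if value is not None and value.text else ""
        claims[attr.get("AttributeName")] = text.strip()
    return claims


def missing_required(claims):
    """Required claims the token failed to deliver (should be empty)."""
    return REQUIRED - set(claims)


def merge_profile(stored, claims):
    """Apply a token's claims to the stored profile.

    - required claims always overwrite;
    - an optional claim that is present (even as '') overwrites, which blanks
      the field when the user deliberately cleared it;
    - an optional claim that is absent leaves the stored value untouched,
      because the user most likely just forgot the checkbox."""
    missing = missing_required(claims)
    if missing:
        raise ValueError(f"token lacks required claims: {sorted(missing)}")
    updated = dict(stored)
    for name in REQUIRED | OPTIONAL:
        if name in claims:
            updated[name] = claims[name]
    return updated


if __name__ == "__main__":
    profile = {"emailaddress": "old@example.com",
               "webpage": "https://old.example.com"}
    for label, token in [("optional sent", sample_token("https://blog.example.com")),
                         ("optional sent empty", sample_token("")),
                         ("optional not sent", sample_token())]:
        print(label, "->", merge_profile(profile, extract_claims(token)))
```

The three sample tokens correspond to the three cases in the paragraph: the optional claim sent with a value, sent but blank, and not sent at all; only the second one should clear the stored field.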

So this longtime CardSpace fan and user would like to respectfully suggest that it might be worth changing either the position, or the persistence of the “Include optional data” checkbox. My preference would be that the “Include optional data” checkbox be placed on the initial send page, and if I could have it all, I would want the state of the checkbox to default to whatever setting I set it to the last time I sent this card to this site. I would be fine with having the checkbox reset to “off” whenever I made changes to the card. I would even be ok with the box being unselected every time – as long as it was in a place where I would remember to turn it on when I wanted it. I don’t think that this would lead to anyone sending more data than necessary to a site, it would simply make it easier to send the right data to the site.

What do you think Bill? Would you consider it for V2?

Apparently I’m a sucker for punishment

In preparation for some code I’m going to release soon, I want to put up my own domain, which I hope will contain an Identity Metasystem RP.

The question I want answered is — will I be able to use your standard, run-of-the-mill, six-bucks-a-month hosting solution to accept Information Card transactions? If not, what exactly do I need? Can I use Shared SSL? Must I have a dedicated IP address? What happens if I don’t? How will good ol’ cPanel SSL Manager work for me?

I’m not going to dive down this rathole until the new year, but in the meantime, I’m up for guesses, bets, and other opinions on what I will find, or what I should try, or how many web hosting accounts I’ll go through during this process. Let’s hear it for 30-day money back offers!

Obviously the less a webmaster has to do (or pay for) to become an RP, the better… although I do envision a feature description to the effect of “Information Card Readiness” or something like that becoming standard in the future.

I don’t expect this to be pretty – but here’s hoping that my pain can at least be your entertainment :)

When AD Meets IdP

I have been working with the folks over at NetPro on putting together a 1/2 day tutorial on CardSpace, to be taught during the workshop day of the Directory Experts Conference in Las Vegas, on April 22nd, 2007.

Originally I had envisioned a blow-through of all the bits of the Identity Metasystem, demonstrating cross-platform abilities of multiple identity selectors, relying parties, and IdPs. The problem with this is that such a tutorial does not necessarily align with the typical job description of the attendees of DEC; DEC attendees are deep subject matter experts in Active Directory & MIIS. They are not necessarily the people who will architect or implement authentication or SSO solutions – yet they are intimately concerned with how their identity data is used throughout the Enterprises they represent, and also how that data is communicated to third parties.

Perhaps the initial approach would be interesting from a pure geek viewpoint to many DEC Attendees – but the thing about a tutorial is that the tutorial day costs extra to attend, and I think that most attendees would not be comfortable spending corporate $$ if they can’t see a direct benefit to their Enterprise.

It literally took me until today to see the light — today I finally realized that these folks primarily need to be concerned with one particular part of the Identity Metasystem, because they are the future Identity Providers of the corporate world!

Luckily, the DEC folks are very flexible and accommodating, and in fact Gil (NetPro’s CTO) has created a wiki for people to review sessions, give feedback, and generally be involved in the DEC 2007 organization process. Gil wasn’t originally sure about my initial plan on CardSpace for the reasons I’ve mentioned above; he’s waiting to see if there is interest on the part of his attendees — I’m hoping that the revised plan I’ve got below will be more applicable and will constitute worthwhile business value that attendees can take back to their employers.

So on that note, if you have attended or will be attending DEC, or if you are interested in any way at all, check out my plan below, and check out the CardSpace Tutorial wiki page to give us feedback, indicate interest (or lack thereof), or offer suggestions as to how we could improve this plan! I really do think that it would be informative and useful to DEC Attendees to understand this technology, and I hope we can inspire the interest of enough people to keep this workshop on the roster!

When AD meets IdP:

What it Means to be a User-Centric Identity Provider in an Active Directory Driven Enterprise

With Microsoft’s release of Windows CardSpace, forward-looking enterprises will begin analyzing how user-centric technologies can be used to solve authentication problems both within and outside the Enterprise. In order to implement these technologies, information stored within AD (and other data repositories) will be accessed and distributed by a service layer referred to as an “Identity Provider”.

This tutorial aims to help Active Directory Administrators understand what user-centric identity is from the Identity Provider perspective, and how this service can be architected to both conform to and complement already existing AD policies and data.

Questions to be answered during the course of the tutorial:

  • What is an IdP and why would an Enterprise want to stand one up?
  • What kind of control will Identity Provider administrators have over the data passed?
  • How will admins know who is asking for what data?
  • What kind of business problems could be solved?
  • What audit capabilities exist?
  • How will this service work with provisioning efforts?
  • How will this service integrate with what may be already implemented?
  • What is the status of IdP efforts in this space, and when will popular adoption come?
  • What are the liability factors to take into account?
  • What are the necessary steps in standing up an IdP Service that rests on AD?
  • What AD-specific data could or should be passed?

Sign up for Pamela Dingle’s CardSpace tutorial at DEC 2007, and find out about how this new industry direction could affect you!

Well? What do you think? We need active conversation to know whether or not this is the right way to go…

IIW 2006b – Content

Here are the things that I want to remember about IIW 2006b in Mountain View CA – meeting all sorts of brilliant people, trying to make Kaliya’s massive unconference schedule stick to the wall so that the lines matched between sheets, ordering larb gai at dinner PET PET, strategizing over lattes, impromptu demos and work sessions, suggesting new voices for TomTom (ya hoser), and late night life philosophy trading… Yeah, we had fun.

And now for the geeky bits:

1) OSIS update: This was one of the first sessions of the day, and I found it fascinating. Session notes are here.

My takeaways (FWIW as an outside observer):

  • We won’t see any release of an Identity Selector by a vendor until certain things are ironed out on the IP front. Who knows how long that will take. What a bummer.
  • I find that there is a disconnect between how insiders see OSIS and how outsiders see OSIS, which seems to result in the need for constant expectation adjustment at these public meetings. The insiders grok all the history, how it evolved, how this group and that group blended & merged to form today’s OSIS working group, and what they hope to accomplish. Perfectly logical, but inwards facing. Outsiders don’t see that stuff. They see an entity that calls itself a system, and which seems to offer an opportunity to rationalize a whole bunch of separate efforts into a more easily understood whole — in other words, an outwards facing project. As far as I can tell, the current OSIS goals are primarily about making sure the vendors get it all ironed out between themselves. It is a critical function. At the same time, however, the rest of us are already clamoring to build on that foundation. The external rationalization needs to come, one way or another. Perhaps OSIS will start a second committee – after all, it is a logical place for this work to occur, and also, this is where all the thought leaders are. If not — well I guess we’ll have to wait and see who picks up that particular torch.

2) Lightbulb: Pat’s code is always fun to see in action, but what excited me was the integration he showed with the Sun Access Manager product. That opens up a whole raft of possibilities… Now that I’ve seen it, I might have to take a shot at OpenID-enabling our company mail server, just for fun :-D

3) Sxipper Demo: Sxip showed off their new service, which lives at sxipper.com. The goal is to simplify online interactions with both registration and login forms. It looked purty, definitely worth trying out.

4) Speed-Geeking: This was the highlight of the conference for me. I was able to get a quick glimpse of many different development efforts, a number of which I’m sure I would have missed had they been only in a full-time conference session. Since my primary focus is on the CardSpace stuff, I hadn’t been attending as many of the OpenID-facing sessions, but some of the OpenID demos really opened my eyes. I think the most fascinating demo was the one that was given by Avery Glasser – but I’ll save my thoughts on that topic for another entire entry :)

5) Kim’s Code: Kim showed off PHP code that utilized new XML security libraries that I can’t wait to get my grubby little paws on.

6) The Ruby on Rails guys: After Kim’s talk, 3 guys decided to take fate into their own hands and code an RP in Ruby on Rails. Justin, Trenton, and Devlin worked into the night figuring all of this out from scratch, and they made a significant dent in the code, too. It was really really fun to watch them work. I hope we get to see the fruits of these efforts at the next speed-geeking session!

7) OSIS in Action: It was great to see Dale Olds and Mary Ruddy demonstrate RP & IdP interactions using an open source stack. Talk about a wonderful milestone to hit – it was obvious that some serious love and care had gone into the making of this demo. During the session, there was an interesting discussion around ways in which an RP can deal with mid-session elevation of privileges that I think is just the tip of the iceberg, and which demonstrates the massive body of best practices that need to emerge surrounding information card based user interactions. The scenario at hand was as follows: a user needs one set of claims to have read access to the site, and should they wish to write to the site, they need a single extra claim. If the RP asks for the extra claim as an optional claim at initial login, they need to somehow communicate to the user (a) That the optional claim exists (since it isn’t particularly obvious in the CardSpace GUI), and (b) in what exact context the optional claim is meaningful. These are critical conversations to have, and I enjoyed taking part.
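The read-versus-write scenario above is a policy question for the RP, so here is an added example (mine, not the OSIS demo’s code) of how an RP can express it: the claims needed to read go in as required claims, the single claim that unlocks writing goes in as an optional claim, the site tells the user up front what that optional claim is for, and the access level is decided from whatever comes back in the verified token. The parameter names rendered into the object tag (`tokenType`, `requiredClaims`, `optionalClaims`, `privacyUrl`, `privacyVersion`) are the ones the identity selector reads from an information card object tag, which is also how a site populates the privacy statement link discussed earlier on this page; the `http://claims.example.com/editor` claim type, the privacy URL, the `xmlToken` field name and the sample claim values are constructed for this example.

```python
"""Added example: an RP policy that requests read-level claims as required
and the write-level claim as optional, renders the object tag the identity
selector reads, explains the optional claim to the user, and maps returned
claims to an access level.  Values marked constructed are not real."""
import html

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
PPID = f"{CLAIMS_NS}/privatepersonalidentifier"   # standard claim type
EMAIL = f"{CLAIMS_NS}/emailaddress"               # standard claim type
EDITOR = "http://claims.example.com/editor"       # constructed managed-card claim


class RelyingPartyPolicy:
    """Claims needed to read are required; the one claim that unlocks
    write access is optional, as in the scenario discussed above."""

    def __init__(self, read_claims, write_claim, privacy_url, privacy_version):
        self.read_claims = list(read_claims)
        self.write_claim = write_claim
        self.privacy_url = privacy_url
        self.privacy_version = privacy_version

    def object_tag_params(self):
        """Parameters the identity selector reads from the object tag.
        Claim lists are space-separated claim-type URIs; bumping
        privacyVersion is how the site signals a changed privacy statement."""
        return {
            "tokenType": "urn:oasis:names:tc:SAML:1.0:assertion",
            "requiredClaims": " ".join(self.read_claims),
            "optionalClaims": self.write_claim,
            "privacyUrl": self.privacy_url,
            "privacyVersion": str(self.privacy_version),
        }

    def render_object_tag(self, field_name="xmlToken"):
        """HTML for the login page; field_name is the form field the browser
        posts the token into (the RP's own choice)."""
        lines = [f'<object type="application/x-informationcard" name="{field_name}">']
        for name, value in self.object_tag_params().items():
            lines.append(f'  <param name="{name}" value="{html.escape(value, quote=True)}" />')
        lines.append("</object>")
        return "\n".join(lines)

    def optional_claim_notice(self):
        """Text shown beside the login control so the user knows (a) that the
        optional claim exists and (b) when it matters."""
        return ("Ticking 'Include optional data' also sends your editor claim; "
                "it is only needed if you want to write to the site, not to read it.")

    def access_level(self, claims):
        """claims: {claim_uri: value} from a decrypted, signature-verified token.
        Every read claim must be present and non-empty; the optional write
        claim upgrades the session only when it was actually sent."""
        if any(not claims.get(uri) for uri in self.read_claims):
            return "denied"
        if claims.get(self.write_claim):
            return "read-write"
        return "read-only"


# Constructed demo policy: PPID + e-mail to read, the editor claim to write.
DEMO_POLICY = RelyingPartyPolicy([PPID, EMAIL], EDITOR,
                                 "https://rp.example.com/privacy", 1)

if __name__ == "__main__":
    print(DEMO_POLICY.render_object_tag())
    print(DEMO_POLICY.optional_claim_notice())
    print(DEMO_POLICY.access_level({PPID: "abc123", EMAIL: "pamela@example.com"}))
    print(DEMO_POLICY.access_level({PPID: "abc123", EMAIL: "pamela@example.com",
                                    EDITOR: "true"}))
```

Keeping the write claim optional means a reader never has to send it, while a user who does tick the box gets elevated within the same session; the notice is the RP’s answer to points (a) and (b) above, since the selector itself does not explain what an optional claim is for.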

Ha, well there you go, more opinion than you ever wanted on IIW 2006b…

A Different Kind of Firefox Extension

If you haven’t seen Garrett Serack’s announcement, Kevin Miller has just released an extension for Firefox that will trigger the CardSpace client directly from the browser in all the same circumstances that IE7 would trigger CardSpace to start.

I’ve downloaded it and tried it with the resources immediately available to me, and it seems to work beautifully! There isn’t much to see, you install the .xpi and if you have the .NET framework installed, everything else works beautifully. In the case where the .NET framework isn’t or can’t be installed, it appears that the plugin just falls through.

I understand that in fact, the plugin is not hard-coded only to start CardSpace, but instead to start the identity selector of choice – this is a critical future feature, and I can’t wait to find out more about the mechanism used.

Garrett has already rewritten his detection script as well, so no worries on that front.

Beautiful work Kevin, my hat is off to you! I may never start IE7 again…

One note, if you download the add-on instead of directly installing, it may save as a .xpi.zip file. Don’t try to extract it – just rename it to .xpi and it will work. Er, not that I was caught out by such a simple thing… no not at all…

Style Notes for Infocard RP Developers

On Bill Barnes’ new blog, entitled Card Carrying, Bill talks about some very interesting results from usability studies involving authenticating to a Metasystem RP with a hybrid login screen. This is what most information-card-enabled sites have now, a passive page that allows a user to either use an infocard or a username/password combination (and possibly other mechanisms too).

I would rather you go and read what Bill has to say, than to merely see a quote here – so go read it. Personally I think that the extra step of “embracing and extending” that Bill talks about is something that could be put in as an extra step in the username/password registration flow, rather than as part of the username/password authentication flow, just so that people don’t have to see it *every* time they login – but perhaps there is a more sophisticated way to set it up, such as asking each user once, and then setting a flag so that the user subsequently is not subjected to an extra prompt during authentication.

It’s a very interesting topic of debate, and I’d love to see some usability tests done on the changes made as a result of these usability tests.