It's that time of year again - another year, another birthday.  My in-laws from the UK were kind enough to send me a gift card for Amazon this year. While browsing the Amazon site, I was looking at books and remembered I'd asked my publisher to update the description for my most recent effort (Beginning Information Cards and CardSpace from Novice to Professional). The bad news is that they hadn't. The good news is that I ran across an interesting statistic at the bottom of the page - it looks like readers have chosen it as their favorite on the subject by a ratio of 4:1. Alot of time and effort went into the book, so that news was quite a nice birthday present indeed. As a thank you to readers, I'll be working on some new content I'll make available free via my blog.

If you've just bought my new book and were looking for the completed exercises, I've posted them at the link below:

http://www.marcmercuri.com/downloads/beginningcardspacecode.zip

As some of the code focuses on and/or builds upon code that exists in existing projects (that evolve outside the book), refer to the links in those chapters for links to where the base projects can be found. 

This download should be available on the APress website next week as well.

I was reading James McGovern's blog today and ran across the following question -

I am still awaiting a perspective from Marc Mercuri on his thoughts of when someone presents a personal card to a relying party and it requires a workflow (Kim Cameron's blog requires a lightweight email confirmation) should the relying party integrate into BPEL or SPML and what is the best way for folks to think about this?

Before I answer the question, I want to establish two assumptions I've made, based on my interpretation of the question. The first is that 'personal cards' here is synonymous  to 'self-issued cards', the second is that when referring to workflows, we're discussing workflows whose focus is to perform some process that will validate that the claims presented are accurate and the individual presenting the claims is indeed the person he/she/it claims to be.

If you've seen any of the videos I've done on information cards, you may have picked up on the fact that I'm a big fan of self-issued cards, as they allow an individual to readily share details about him/herself to recieve a a much more pleasant experience on a website or when accessing a web service. Many sites today ask you to sign up with a username and password and ask you to populate forms. With a self-issued information card, the key claims are already on the card, so it makes signing up for a site fast and painless.  Then there's the personalization benefits. You could have a government site that read your postal code and provided a personalized view of "your government" - complete with data ranging from when trash is picked up on your street to legislation that may be impacting your area.  You can log onto the website of an electronics store and present your card to easily get to the details for current sales in your area. There are plenty of great scenarios where a site or service can take an information card and use it - without the need for validation - to provide a better experience.

But 'plenty of great scenarios' does not translate to every scenario.  There are circumstances where you will want to validate the claims that are on the card. Those scenarios are all tied to risk.  And this is typically tied to risk of financial loss or an potential impact to reputation. In these cases, you'll want to take the information provided and evaluate it using a workflow.

Real World Examples

In the real world, I may call a local restaurant to deliver a pizza to my house.  They take my order, my address, and my phone number. For orders below a certain dollar threshold, they'll typically just make the order and deliver it.  However, if I ordered 12 pizzas, there's now more risk. And because there's financial risk that they'll waste time and resources creating 12 pizzas for what could be a prank, they'll undoubtedly call the phone number I provided to confirm that I placed the order.

If you want to publish a letter to the editor in a newspaper, you typically need to provide some evidence that can be used to prove you are who you say are. The New York Times requires that any such letter "must include the writer's address and phone numbers.". Why? Because there's risk to their reputation - as well as to the reputation of the people letter writers could claim to be - if the identity of the writer can not be determined.

Online Examples

If you've ever used Paypal, then you've taken part in a workflow where information that you've self-asserted has been validated. In this case, when you open an account they place a very small deposit (pennies) in a financial account you claim to hold. To validate your identity, you examine your account and provide the amount of the deposit.  This is a very clever workflow, because it leverages an account that you have with an existing financial institution, an account that likely required your identitiy being authenticated in person, using a drivers license, passport, etc.

From a risk of reputation perspective, James pointed out what will become one of the more key scenarios, validating the identity of someone who posts to a blog. To avoid both spam and anonymous comments that could range from libelous to threatening, the owner of the blog will want to make sure you are who you say are. This is really almost identical to the New York Times' Letter to the Editor requirements.

Using Workflow

Once you've assed the nature of the risk is financial or reputation related and the specific valuation of that risk, you'll want to identify the type of  workflow that will mitigate that risk for you.

Sometimes, that will be a sequential workflow, and that is typically where you will invoke one or more automated services to validate the claims in real time. For example, given my name, birthdate, home phone number, and website, you might be able to tie into some back end systems to validate the information I provided. In some cases, a workflow may retrieve additional data, which can then be used to challenge the user. This type of interaction happens synchronously and my identity can be validated during my same online session.

In other circumstances, you'll want to use a state machine workflow. This workflow is longer running than it's sequential counterpart. Once information is presented at a site or service, a communication could be made to one of the modes specified in your contact details - this is typically an email, but could just as easily by an automated speech-based service (IVR).  When contacted, the workflow will deliver a code to the user. The user will then go back to the website and provide that code. This is typically accepted as a proof of identity for providing blog comments. Other examples of state machines could include a site performing related checks, for example a dating website could validate your information and then perform a check with other systems to validate that you're not married. In these circumstances, the process could be completed quickly - I could get the email right away and respond in minutes, or it could complete in hours, days, weeks, months even. If John Smith signs up for a site before he goes on vacation, and the validation email doesn't arrive until after he's left, that process could remain in the 'waiting for response from user' state for several weeks.

Back to James' question

So now, back to James' question, "should the relying party integrate into BPEL or SPML and what is the best way for folks to think about this"

I couldn't in good faith tell everyone they should implement this in BPEL. If the whole REST vs WS-* debate has taught me anything, it's that while there is tremendous value in having well thought out standards that are implemented by Enterprises, ISVs, and Infrastructure companies, there is a large segment of folks that won't use it for any number of reasons (learning curve, implementation complexity, required tools/infrastructure, time to implement, etc.).

What I'd do first is identify the workflow itself, specifically what business rules need to be validated and what integration points need to be in place to feel comfortable that the risk has been mitigated. Before we talk technology, what is the type of interactions that need to happen. Do you need to send an email and then wait for a response? Do you need to tie into back end systems to validate the information? If the workflow is based on identity validation, identify what should happen when identity validation is successful, when it is not successful (identity could not be validated) or when it fails (system exception).

Then, look at technology and determine what works best for you.  For some folks this could be Windows Workflow Foundation, for others this could be BPEL, for others it could be BizTalk, and others still it could be C#, Java, Ruby, or PHP libraries that implemented the workflows directly in code. If you're writing this yourself, I'd typically advise taking whatever code you build and make it available with it's own service(s).  This has benefits on a number of fronts.

I will add that there is an opportunity for someone/some group to identify some of the more common patterns (similiar to what was done with the document referenced in my last post) and then to implement and make available those patterns in the form of binaries or services.

I'm just finishing up another project at the moment, once that's out the door, I'll take a look at coding up one or more examples and then throwing the bits over onto CodePlex for people to have at it.

When looking at personalization, there are a couple of concepts that most people assume -

(1) This is primarily of interest in eCommerce Sites

(2) To perform personalization, a site either needs a transaction history (from which to draw inferences/make recommendations) or requires a user to manually fill out a profile.

The reality is that personalization is valuabe across industry verticals, and now with information cards, you have the ability to easily provide personalization on a persons first visit.

Rather than use the expected eCommerce Site example for personalization, I decided to go a different route.  Instead, I dedicated a chapter to building a project I named "Personal Government". Using a self issued  information card, the Personal Government web site can take a single claim - postal code- and retrieve data across multiple data stores for a personalized expereince. The chapter has the user build this public sector mashup with free web services from StrikeIron. If you actually wer ea public sector website, you can imagine how you could extend this with real data - everything from municipal schedules (what day is trash pickup?) to legislation (which legislation tha tis underconsideration would affect my neighborhood?)

The video can be found at the link below, or by clicking on the image below.

http://www.marcmercuri.com/book/cardspace/informationcardsandpersonalizationinPublicSector/InformationCardsAndPersonalizationInPublicSector_media/InformationCardsAndPersonalizationInPublicSector.wmv

In a recent post that clarified that a Java RP is covered in my book, Roger responded "Could you talk more about the characteristics of Java RP and all the open source out there?"

One of the most pleasant things about writing this book is that everyone realized that identity on the net was a problem, the metasystem was a sound approach, and we could all work together - even if our implementations were done on different platforms and in different languages. People just want to solve the problem, and help educate people on how to solve it.

One of the areas where I see the biggest opportunity is helping everyday web developers easily become relying parties. Another is showing those same web developers how information cards can be used for much more than just logging in, particularly for personalization.  There are great Java RP's out there, just as there are great RPs in .NET, PHP, and Ruby. I talk alot about them in the book.

So when a question like this comes up, the question is, do I post the book content online (to answer the question) or do I suggest someone buy the book? One thing that I've been toying with is talking with the publisher about potentially open-sourcing the open source related chapters of the book. The thought was that the open source chapters could be introduced in a wiki-style environment and the community could make sure that new projects were identified, updates in projects, etc. When developing the book, that is the chapter that was re-written the most as there were a number of changes between last March and this year.

Before I talk to my publisher, I'm interested in your feedback on two questions:

(a) Do you think folks in the open source community would still buy the book?

(b) Do you think folks in the open source community would participate?

Mike Jones was kind enough to post a mention for my new book recently, and it was great to see comments and other blog posts triggered by that.  One of the blogs that mentioned the book was James McGovern's. In his post he mentioned that it was disappointing that the book didn't cover Java. This is unfortunately not accurate and I wanted to clarify what's covered outside of Microsoft technologies.

Five chapters of the book are implementation agnostic and focus on key topics ranging from authentication and authorization to personalization.  One of those chapters examines the majority of the projects in the open source community.  Another chapter is focused on implementing relying parties - which is what most people will require - in Java and PHP. For Java, this focuses on code provided by Chuck Mortimore (if unfamiliar, he's created a fair amount of information card-related plugins and artifacts).  For the other chapters, the code is written in C#. While this is not Java, the syntax is similiar enough that it can be reviewed for both structure and approach. While Ruby code is not covered in the book, the book does contain links to Ruby resources and open source projects related to information cards.

I've got several screencasts I'll be posting shortly that highlight what's covered in key chapters. Look for these to start popping up online soon.

In case you missed it, Microsoft just released some great new downloads, specifically new versions of VS 2008, Silverlight, and Expression Blend.

As someone who started writing what are now called AJAX apps since 2000, I *really* appreciate how Silverlight and Blend make RIAs much easier to develop.

Links to all the bits-

• Visual Studio 2008 Beta 2
• Visual Studio Extensions for Silverlight
• Silverlight 1.0 SDK / Silverlight 1.1 SDK
• ASP.NET Futures CTP
• Silverlight 1.0 RC1 / Windows (direct link)
• Silverlight 1.0 RC1 / Mac (direct link)
• Silverlight 1.1 Alpha Refresh / Windows (direct link)
• Silverlight 1.1 Alpha Refresh / Mac (direct link)
• Expression Blend August Preview
• Expression Media Encoder Template Updater

When I wrote my new book, Beginning Information Cards and CardSpace: From Novice to Professional, I wanted the reader to go beyond building just 'Hello World' applications that just focused on learning features. Instead, I wanted to have the readers build practical, usable code.

In an effort to let you see what you'll be getting when you buy the book, I thought I'd do some screencasts to highlight what you'll build out.

I'm going to start with Chapter 13, which focuses on automating the issuance of managed cards with Workflow Foundation.

In that chapter, you'll create a number of Workflow Foundation custom activities that can help you automate the issuance of managed cards, complete with email delivery.

Also included is a sample application will calls the workflow and generates a card based on data provided.

Click on the image below to see the video:

Going through my email this morning, I received my official Mix07 confirmation.  Last year, I had a number of customer commitments so was really not in the loop on Mix, this year, though, I've had some overlap with some of the things I've been working on and have had a chance to get involved in various aspects of the event.

Earlier this year I went to another web conference(which shall remain nameless), and was so dissapointed I left the conference (and Vegas) a day early. (Me, leaving Vegas early? unheard of, I know). 

Mix, though, is a different story. From what I've seen of the sessions, this is actually an event I'd pay out of pocket to go to. It's got a good mix of folks from MS, as well as from third parties.  I may or may not be delivering a session, that's something that'll get decided in the next month or so, but will be onsite either working in certain areas of the event, or attending sessions.

One of the great things about conferences is that I get a chance to meet up with former colleagues and people I've chatted with via email and blogs. If you're going to be in Vegas the 29th - 2nd and want to chat about WCF, CardSpace, Mashups, or whatever - shoot me an email and we'll make some plans to sync up.

One of the interesting things about writing a book on an emerging technology, is that you rev the chapters several times before they're released.  With the WCF book, this was because we were dealing with CTPS where the object model was changing, with the Information Cards/CardSpace book it's a much better reason. The industry is coming together and collaborating in a most excellent way.

One chapter I'm happy to update this week is the one that looks at information cards outside of Microsoft.

If you haven't heard, some signficant announcements came out of the RSA conference.

#1 JanRain, Microsoft, Sxip and Verisign will collaborate on interop between OpenID and CardSpace

As reported on Kim Cameron's Identity Blog:

JanRain, Microsoft, Sxip, and VeriSign will collaborate on interoperability between OpenID and Windows CardSpace™ to make the Internet safer and easier to use. Specifically:

• As part of OpenID’s security architecture, OpenID will be extended to allow relying parties to explicitly request and be informed of the use of phishing-resistant credentials.

• Microsoft recognizes the growth of the OpenID community and believes OpenID plays a significant role in the Internet identity infrastructure.  Kim Cameron, Chief Architect of Identity at Microsoft, will work with the OpenID community on authentication and anti-phishing.

• JanRain, Sxip, and VeriSign recognize that Information Cards provide significant anti-phishing, privacy, and convenience benefits to users.  Information Cards, based on the open WS-Trust standard, are available though Windows CardSpace™.

• JanRain and Sxip, leading providers of open source code libraries for blogging and web sites, are announcing they will add support for the Information Cards to their OpenID code bases.

• JanRain, Sxip and VeriSign plan to add Information Card support to future identity solutions.

• Microsoft plans to support OpenID in future Identity server products

• The four companies have agreed to work together on a “Using Information Cards with OpenID” profile that will make it possible for other developers and service providers to take advantage of these technology advancements.

Dick Hardt, Sxip Identity
Kim Cameron, Microsoft
Michael Graves, VeriSign
Scott Kveton, JanRain
 

http://www.identityblog.com/?p=668

#2 Ping Identity has released an open source module for Apache:

Ping Identity Corporation today announced the immediate availability of an open source module that allows Apache-hosted applications to use Windows CardSpace Information Cards for authentication. The Apache Authentication Module for CardSpace can be downloaded from http://www.SourceID.org, the open source federated identity management site sponsored by Ping Identity.

The Apache Authentication Module for CardSpace allows applications using an Apache Web server to use Information Cards as an additional authentication mechanism. It allows LAMP-based Web applications written in Perl or PHP to act as CardSpace relying parties (RP) by means of simple configuration. The module is responsible for decrypting the token submitted by the CardSpace identity selector, retrieving the claims and making the claims available for the application’s use.

http://www.pingidentity.com/about/show/165

This is important as it will increase the potential universe of sites secured with phishing-resistant mechanisms and provide a consistent user experience for consumers in CardSpace.

I was just on Amazon and it looks like the follow up to Windows Communication Foundation: Hands On! is now available for pre-order.

This book contains all of the content updated for RTM, plus 200+ more pages than the original. You'll also see that we've got a new co-author, Matt Winkler.

For those unfamiliar with Matt, he's the technical evangelist for Windows Workflow Foundation here in Redmond, and he's added some great WF content to the book.

If you want to get more details, you can find it here:

http://www.amazon.com/Windows-Communication-Foundation-Unleashed-WCF/dp/0672329484/sr=1-3/qid=1170008872/ref=sr_1_3/002-4228351-3336016?ie=UTF8&s=books

Mercuri's "Services SLA Paradox"

Paid services haven't taken off because there aren't SLAs from Service Providers.
There aren't SLAs from Service Providers because people aren't paying for services.

-----------------------

When someone gives you something for free, they have no obligation to you and you have no recourse if something goes wrong. When I was a student, if I was moving to a new apartment, my friends would would help me pack up my old place, load the truck, and unload it at my new apartment.  Sometimes people would show up late, sometimes things would get broken, but hey, they were doing me a favor, so I had no room to complain.

When I move now, I hire a moving company. Why? Because my time is more valuable to me than it was 15 years ago, and I also have much more expensive stuff.  If I was scheduled to move out of a house on the 31st, and the mover's truck broke down, I'd want to make sure the company could swap in another truck from their lot. If my $4,000 television is dropped, I want someone who's insured and who's going to make it right.

Today, we have a number of people giving away services - Google, Yahoo, Flickr, Amazon, StrikeIron, etc.  While there are exceptions like Amazon and StrikeIron that are doing some good work in the utility services space, where they're doing metered usage, I've had a hard time finding SLAs anywhere else. People are doing interesting mash-ups with 'free stuff', but is anyone willing to put free stuff in their application for any key piece of functionality? If you do, and you don't have SLAs, you're a gambler, and for your sake, I hope you're very lucky.

At the Web Builder 2.0 conference held earlier in the month, Day 1's keynote had a speaker who talked about Ajax and mashups, using his company's product as an example.  At the end of the presentation, he opened up the floor for Q&A, at which point I asked him two questions - "what about SLAs" and "what about federated identity".  The answers? 

SLAs: These services are free, so there are no SLAs.

Identity: These services (Yahoo) are free, so that's not an issue.

I find it amazing that people don't pro-actively address the SLA and Identity issues, and I find it borderline irresponsible that 'experts' ignore or wave off these questions when raised. The need for SLAs should not be such a surprise, people who've spent time looking at the space at this have written about it, myself having done so back in 2001  ("14 Best Practices for Selecting a Web Service Provider", 2001, .NET Magazine, Fawcette) Yes, it's cool to include maps, search, and images in my application but if the service code go down - or disappear entirely - at any time, for many scenarios they're a non-option.

If you want to use services for anything real - and by real I mean something you'd use in a key area of an Enterprise or Commercial Software/WebSite - you need to have a Service Level Agreement. Using a service effectively moves a third party from being a vendor to being a business partner. The service provider controls the hardware, the bandwidth, the support, etc. but the service interactions are exposed through your application, with your brand, and your reputation attached to it.

With today's lack of SLAs, if the service goes down for an hour on Thursday, it goes down for an hour on Thursday. Moreover, there's no guarantee that the service is going to be around for a week, a month, a year, etc.  Google just announced (http://news.com.com/2061-10812_3-6145053.html) that they're no longer taking on new customers for the SOAP API they'd been offering. They're moving new customers to an AJAX API. If you were evaluating this and building this functionality into a spec for a smart client application you were developing, and now it's gone, sorry charlie. What were you expecting? You're not paying for it, so you can't complain. Without an SLA, no promises are ever made  made by the provider, so there are no promises to break.

My argument is that SLAs are late to the game, because people aren't paying for services and people aren't paying for services because there are no SLA's. Something I've shamelessly named 'Mercuri's Services SLA Paradox'.  There are some positive movements in the right direction - Amazon and StrikeIron come to mind - but they are definately the exception and not the rule.

If you're like me, you'd like to be able to leverage and mashup services that you can depend on. If we collectively don't stand up and insist on these, we're stifling innovation. I challenge you to ask the providers - at conferences, in forums, online and in person - "What is your SLA for your services and what will it take/cost for you to offer me this service in a dependable fashion?"

If you've read the blog for awhile, you'll know that I moved over to the incubation team in Microsoft's Platform Strategy Group back in August.

My old team is still looking for my replacement, and they're now expanding their search. if you're passionate about CardSpace, Windows Communication Foundation, and Workflow Foundation and working with large Enterprise customers you might be interested in this.

In addition to working with some great technologies, you'll be surrounded by a great group of folks on the Longhorn Server evangelism team, many of whom are authors (or authoring) books on .NETFX 3 or other topics.

James has the full scoop on his blog, check out the link below for details:

http://blogs.msdn.com/jamescon/archive/2006/09/19/761696.aspx

Looking for another one stop shop for your WCF, WF, WPF, and CardSpace (formerly InfoCard) needs?

http://netfx3.com/ was launched with the rebranding of winfx to netfx3, and now you can find info, demos, and forums on CardSpace and all your favorite foundation technologies there.  This site consolidates what was windowsworkflow.net and windowscommunication.net.

Definately worth checking out, particularly as there were a number of new samples and demos uploaded that weren't on the old sites.

.NET Framework 3.0 - June CTP has been released and can be found here.

InfoCard has officially been renamed this week.  It is now Microsoft CardSpace (WCS).  As with the rebranding of Indigo to Windows Communication Foundation or for old schoolers like Thunder to Visual Basic, this is nothing to be concerned about.

This is just a natural transition from an internal, pre-release codename to a the official product name.

WCF and WF in Public Sector.PPT (2.16 MB)

I did a webcast today on WCF, WF, and Infocard in Public Sector today.  For the Retail and Fin Serv webcasts I'd done previously, I'd had great scores (>8/9 in some cases), but there were always requests for additional vertical content after the fact.

I tried switching it up today for the pub sector session (more vertical, less core wcf/wf/identity), but the presentation just didn't click. I think I'll re-record and post a link to it when it's available, I'm pleased with the InfoCard demo, though, as I think it provides additional value. 

I've attached my deck to the start of this post, as I wanted people to see the legacy empowerment section that we didn't get to review.

If you're new to the blog, I wanted to point you to some of the demos I've got online, including:

http://www.marcmercuri.com/ct.ashx?id=d0cffe95-b683-4f7c-b883-44feeb0afd43&url=http%3a%2f%2fwww.marcmercuri.com%2fDownloads%2fFinServDevCon.zip

As well as a syllabus for learning InfoCard:

http://www.marcmercuri.com/PermaLink.aspx?guid=eae5a6ef-a12e-4cfd-bd65-56fdf0b103f4

Cheers,

Marc

Nigel Watling, one of the co-authors of “Windows Communication Foundation: Hands On!” has just published a video on Infocard over at Channel 9.

In the video, Nigel leads an in depth discussion of how InfoCard works, how it's designed (and why) and how it will evolve in the future with InfoCard chief Architect Arun Nanda and Software Developer Ruchi Bhargava

Check it out here.

So now that you've got the new bits, the next question is - “What's changed?”

The list of breaking changes for WCF and Infocard have been posted here.

Keith Brown has just published a good article on Infocard over at MSDN.  I'd definately recommend checking it out.

Find it here:

http://msdn.microsoft.com/msdnmag/issues/06/05/SecurityBriefs/default.aspx

I'm happy to report that the Windows Communication Foundation: Hands On book will be out in just a couple of weeks, and that I've just signed on to do another one.  This next book is tentatively titled “Understanding Infocard“ and will be written for APress. This will hit bookstores in Q1 of next year, most likely in January.

If you want more info on Windows Communication Foundation: Hands On, it is now available for pre-order on Amazon, Barnes&Nobles, and others.

I'm happy to report that the Windows Communication Foundation: Hands On book will be out in just a couple of weeks, and that I've just signed on to do another one.  This next book is tentatively titled “Understanding Infocard“ and will be written for APress. This will hit bookstores in Q1 of next year, most likely in January.

If you want more info on Windows Communication Foundation: Hands On, it is now available for pre-order on Amazon, Barnes&Nobles, and others.

If you're like me and wanted to go but missed it - good news.  The sessions have just been posted online for free view/download.

Sessions here: http://sessions.mix06.com/

NGW034 - From "Username and Password" to InfoCard

DIS003 - Today's Identity Crisis, and the Identity Metasystem

For those unfamiliar with MIX, here's the pitch -

“If you do business on the Web today, it's likely that more than 90% of your customers reach you via Microsoft® Internet Explorer and/or Microsoft Windows®. Come to MIX and learn how the next versions of these products, due later this year, are going to dramatically improve your customers' experience. Explore a wide range of new Web technologies that Microsoft is delivering to help you unlock new revenue opportunities and lower development costs. Learn about the future of Internet Explorer and join us in a discussion about how we can build the ideal Web surfing platform to meet your needs and those of your customers.

“