RSS. Really Simple Syndication.  Great for identifying your available content, great for sharing content that can be consumed by aggregators and readers.

What it's not great at is providing a monetization model. Sure you can use ads on your website, but I think there's a better way.

I put together a screen cast that talks about syndication and the opportunity to leverage information cards and CardSpace to monetize RSS and OPML.

Watch it by clicking on the link below.

http://www.marcmercuri.com/downloads/MonetizingRssWithInformationCards.wmv

If you've just bought my new book and were looking for the completed exercises, I've posted them at the link below:

http://www.marcmercuri.com/downloads/beginningcardspacecode.zip

As some of the code focuses on and/or builds upon code that exists in existing projects (that evolve outside the book), refer to the links in those chapters for links to where the base projects can be found. 

This download should be available on the APress website next week as well.

I was reading James McGovern's blog today and ran across the following question -

I am still awaiting a perspective from Marc Mercuri on his thoughts of when someone presents a personal card to a relying party and it requires a workflow (Kim Cameron's blog requires a lightweight email confirmation) should the relying party integrate into BPEL or SPML and what is the best way for folks to think about this?

Before I answer the question, I want to establish two assumptions I've made, based on my interpretation of the question. The first is that 'personal cards' here is synonymous  to 'self-issued cards', the second is that when referring to workflows, we're discussing workflows whose focus is to perform some process that will validate that the claims presented are accurate and the individual presenting the claims is indeed the person he/she/it claims to be.

If you've seen any of the videos I've done on information cards, you may have picked up on the fact that I'm a big fan of self-issued cards, as they allow an individual to readily share details about him/herself to recieve a a much more pleasant experience on a website or when accessing a web service. Many sites today ask you to sign up with a username and password and ask you to populate forms. With a self-issued information card, the key claims are already on the card, so it makes signing up for a site fast and painless.  Then there's the personalization benefits. You could have a government site that read your postal code and provided a personalized view of "your government" - complete with data ranging from when trash is picked up on your street to legislation that may be impacting your area.  You can log onto the website of an electronics store and present your card to easily get to the details for current sales in your area. There are plenty of great scenarios where a site or service can take an information card and use it - without the need for validation - to provide a better experience.

But 'plenty of great scenarios' does not translate to every scenario.  There are circumstances where you will want to validate the claims that are on the card. Those scenarios are all tied to risk.  And this is typically tied to risk of financial loss or an potential impact to reputation. In these cases, you'll want to take the information provided and evaluate it using a workflow.

Real World Examples

In the real world, I may call a local restaurant to deliver a pizza to my house.  They take my order, my address, and my phone number. For orders below a certain dollar threshold, they'll typically just make the order and deliver it.  However, if I ordered 12 pizzas, there's now more risk. And because there's financial risk that they'll waste time and resources creating 12 pizzas for what could be a prank, they'll undoubtedly call the phone number I provided to confirm that I placed the order.

If you want to publish a letter to the editor in a newspaper, you typically need to provide some evidence that can be used to prove you are who you say are. The New York Times requires that any such letter "must include the writer's address and phone numbers.". Why? Because there's risk to their reputation - as well as to the reputation of the people letter writers could claim to be - if the identity of the writer can not be determined.

Online Examples

If you've ever used Paypal, then you've taken part in a workflow where information that you've self-asserted has been validated. In this case, when you open an account they place a very small deposit (pennies) in a financial account you claim to hold. To validate your identity, you examine your account and provide the amount of the deposit.  This is a very clever workflow, because it leverages an account that you have with an existing financial institution, an account that likely required your identitiy being authenticated in person, using a drivers license, passport, etc.

From a risk of reputation perspective, James pointed out what will become one of the more key scenarios, validating the identity of someone who posts to a blog. To avoid both spam and anonymous comments that could range from libelous to threatening, the owner of the blog will want to make sure you are who you say are. This is really almost identical to the New York Times' Letter to the Editor requirements.

Using Workflow

Once you've assed the nature of the risk is financial or reputation related and the specific valuation of that risk, you'll want to identify the type of  workflow that will mitigate that risk for you.

Sometimes, that will be a sequential workflow, and that is typically where you will invoke one or more automated services to validate the claims in real time. For example, given my name, birthdate, home phone number, and website, you might be able to tie into some back end systems to validate the information I provided. In some cases, a workflow may retrieve additional data, which can then be used to challenge the user. This type of interaction happens synchronously and my identity can be validated during my same online session.

In other circumstances, you'll want to use a state machine workflow. This workflow is longer running than it's sequential counterpart. Once information is presented at a site or service, a communication could be made to one of the modes specified in your contact details - this is typically an email, but could just as easily by an automated speech-based service (IVR).  When contacted, the workflow will deliver a code to the user. The user will then go back to the website and provide that code. This is typically accepted as a proof of identity for providing blog comments. Other examples of state machines could include a site performing related checks, for example a dating website could validate your information and then perform a check with other systems to validate that you're not married. In these circumstances, the process could be completed quickly - I could get the email right away and respond in minutes, or it could complete in hours, days, weeks, months even. If John Smith signs up for a site before he goes on vacation, and the validation email doesn't arrive until after he's left, that process could remain in the 'waiting for response from user' state for several weeks.

Back to James' question

So now, back to James' question, "should the relying party integrate into BPEL or SPML and what is the best way for folks to think about this"

I couldn't in good faith tell everyone they should implement this in BPEL. If the whole REST vs WS-* debate has taught me anything, it's that while there is tremendous value in having well thought out standards that are implemented by Enterprises, ISVs, and Infrastructure companies, there is a large segment of folks that won't use it for any number of reasons (learning curve, implementation complexity, required tools/infrastructure, time to implement, etc.).

What I'd do first is identify the workflow itself, specifically what business rules need to be validated and what integration points need to be in place to feel comfortable that the risk has been mitigated. Before we talk technology, what is the type of interactions that need to happen. Do you need to send an email and then wait for a response? Do you need to tie into back end systems to validate the information? If the workflow is based on identity validation, identify what should happen when identity validation is successful, when it is not successful (identity could not be validated) or when it fails (system exception).

Then, look at technology and determine what works best for you.  For some folks this could be Windows Workflow Foundation, for others this could be BPEL, for others it could be BizTalk, and others still it could be C#, Java, Ruby, or PHP libraries that implemented the workflows directly in code. If you're writing this yourself, I'd typically advise taking whatever code you build and make it available with it's own service(s).  This has benefits on a number of fronts.

I will add that there is an opportunity for someone/some group to identify some of the more common patterns (similiar to what was done with the document referenced in my last post) and then to implement and make available those patterns in the form of binaries or services.

I'm just finishing up another project at the moment, once that's out the door, I'll take a look at coding up one or more examples and then throwing the bits over onto CodePlex for people to have at it.

Over the course of writing the book, there were a number of things going on in parallel inside MS, some of which weren't finalized when the book went to press. One of those items was the patterns document that the product group published this month.  I had a chance to sit down with one of it's authors, Bill Barnes, while writing the book, and serve as a reviewer on the initial passes of the doc.

It's an excellent doc and a must read. One thing to note, is that if you look at the chapter on modifying the existing ASP.NET membership controls to support information cards, you'll see that I provide a number of stored procedures to handle additional scenarios mentioned in the doc.

You can get the document here

http://www.identityblog.com/wp-content/resources/information_card_patterns.pdf

When looking at personalization, there are a couple of concepts that most people assume -

(1) This is primarily of interest in eCommerce Sites

(2) To perform personalization, a site either needs a transaction history (from which to draw inferences/make recommendations) or requires a user to manually fill out a profile.

The reality is that personalization is valuabe across industry verticals, and now with information cards, you have the ability to easily provide personalization on a persons first visit.

Rather than use the expected eCommerce Site example for personalization, I decided to go a different route.  Instead, I dedicated a chapter to building a project I named "Personal Government". Using a self issued  information card, the Personal Government web site can take a single claim - postal code- and retrieve data across multiple data stores for a personalized expereince. The chapter has the user build this public sector mashup with free web services from StrikeIron. If you actually wer ea public sector website, you can imagine how you could extend this with real data - everything from municipal schedules (what day is trash pickup?) to legislation (which legislation tha tis underconsideration would affect my neighborhood?)

The video can be found at the link below, or by clicking on the image below.

http://www.marcmercuri.com/book/cardspace/informationcardsandpersonalizationinPublicSector/InformationCardsAndPersonalizationInPublicSector_media/InformationCardsAndPersonalizationInPublicSector.wmv

The book contains a chapter on automating the issuance of information cards with Windows Workflow Foundation.

I've posted a screencast that highlights the approach and what you will build as part of the chapter.

http://www.marcmercuri.com/book/cardspace/cardspaceworkflow/cardspaceworkflow_media/CardSpaceWorkflow.wmv

During the editing process for the book, it was pointed out that the purple and white information card logo hadn't officially 'cleared' the related legal checks (i.e. making sure the logo didn't resemble an existing piece of work by a third party) When I was writing the book, the draft that went to the editor actually included the purple and white icon. As the book went to press, the icon still hadn't cleared legal, so we decided to play it safe and use the unofficial icon that had been adopted by the community.

The good news is the purple and white information card logo has cleared legal, as Mike posted earlier in the summer. The goal is tha this icon will be as ubiquitous as the orange and white rss logo on sites, and a consistent marker to identify that information cards are accepted on your site. Below I've re-posted the icon in a multitude of sizes.

The guidelines for the use of the icon, a frequently asked questions document, a set of png images of the icon rendered in a range of sizes, and the original artwork in Adobe Illustrator format are all available together in a download package.

I recieved my authors copies of the book on Friday, and a quick look on Amazon and Barnes and Noble indicate the books are now 'in stock'. If you pre-ordered, your books should be making their way to you now.

In a recent post that clarified that a Java RP is covered in my book, Roger responded "Could you talk more about the characteristics of Java RP and all the open source out there?"

One of the most pleasant things about writing this book is that everyone realized that identity on the net was a problem, the metasystem was a sound approach, and we could all work together - even if our implementations were done on different platforms and in different languages. People just want to solve the problem, and help educate people on how to solve it.

One of the areas where I see the biggest opportunity is helping everyday web developers easily become relying parties. Another is showing those same web developers how information cards can be used for much more than just logging in, particularly for personalization.  There are great Java RP's out there, just as there are great RPs in .NET, PHP, and Ruby. I talk alot about them in the book.

So when a question like this comes up, the question is, do I post the book content online (to answer the question) or do I suggest someone buy the book? One thing that I've been toying with is talking with the publisher about potentially open-sourcing the open source related chapters of the book. The thought was that the open source chapters could be introduced in a wiki-style environment and the community could make sure that new projects were identified, updates in projects, etc. When developing the book, that is the chapter that was re-written the most as there were a number of changes between last March and this year.

Before I talk to my publisher, I'm interested in your feedback on two questions:

(a) Do you think folks in the open source community would still buy the book?

(b) Do you think folks in the open source community would participate?

Mike Jones was kind enough to post a mention for my new book recently, and it was great to see comments and other blog posts triggered by that.  One of the blogs that mentioned the book was James McGovern's. In his post he mentioned that it was disappointing that the book didn't cover Java. This is unfortunately not accurate and I wanted to clarify what's covered outside of Microsoft technologies.

Five chapters of the book are implementation agnostic and focus on key topics ranging from authentication and authorization to personalization.  One of those chapters examines the majority of the projects in the open source community.  Another chapter is focused on implementing relying parties - which is what most people will require - in Java and PHP. For Java, this focuses on code provided by Chuck Mortimore (if unfamiliar, he's created a fair amount of information card-related plugins and artifacts).  For the other chapters, the code is written in C#. While this is not Java, the syntax is similiar enough that it can be reviewed for both structure and approach. While Ruby code is not covered in the book, the book does contain links to Ruby resources and open source projects related to information cards.

I've got several screencasts I'll be posting shortly that highlight what's covered in key chapters. Look for these to start popping up online soon.