It's that time of year again - another year, another birthday.  My in-laws from the UK were kind enough to send me a gift card for Amazon this year. While browsing the Amazon site, I was looking at books and remembered I'd asked my publisher to update the description for my most recent effort (Beginning Information Cards and CardSpace from Novice to Professional). The bad news is that they hadn't. The good news is that I ran across an interesting statistic at the bottom of the page - it looks like readers have chosen it as their favorite on the subject by a ratio of 4:1. Alot of time and effort went into the book, so that news was quite a nice birthday present indeed. As a thank you to readers, I'll be working on some new content I'll make available free via my blog.

Nayna and Rob have made it official with their post (http://winliveid.spaces.live.com/Blog/cns!AEE1BB0D86E23AAC!931.entry), Windows LiveID has added beta support for Information Cards and Windows CardSpace.

The way this works is identical to the way I described how to add cards to an existing website in my book. Through a management interface, you associate information cards with your core account, and the user is provided the option of signing in with either their information card or a password (as shown below).

All good stuff, and worthy of checking out.

RSS. Really Simple Syndication.  Great for identifying your available content, great for sharing content that can be consumed by aggregators and readers.

What it's not great at is providing a monetization model. Sure you can use ads on your website, but I think there's a better way.

I put together a screen cast that talks about syndication and the opportunity to leverage information cards and CardSpace to monetize RSS and OPML.

Watch it by clicking on the link below.

http://www.marcmercuri.com/downloads/MonetizingRssWithInformationCards.wmv

If you've just bought my new book and were looking for the completed exercises, I've posted them at the link below:

http://www.marcmercuri.com/downloads/beginningcardspacecode.zip

As some of the code focuses on and/or builds upon code that exists in existing projects (that evolve outside the book), refer to the links in those chapters for links to where the base projects can be found. 

This download should be available on the APress website next week as well.

I was reading James McGovern's blog today and ran across the following question -

I am still awaiting a perspective from Marc Mercuri on his thoughts of when someone presents a personal card to a relying party and it requires a workflow (Kim Cameron's blog requires a lightweight email confirmation) should the relying party integrate into BPEL or SPML and what is the best way for folks to think about this?

Before I answer the question, I want to establish two assumptions I've made, based on my interpretation of the question. The first is that 'personal cards' here is synonymous  to 'self-issued cards', the second is that when referring to workflows, we're discussing workflows whose focus is to perform some process that will validate that the claims presented are accurate and the individual presenting the claims is indeed the person he/she/it claims to be.

If you've seen any of the videos I've done on information cards, you may have picked up on the fact that I'm a big fan of self-issued cards, as they allow an individual to readily share details about him/herself to recieve a a much more pleasant experience on a website or when accessing a web service. Many sites today ask you to sign up with a username and password and ask you to populate forms. With a self-issued information card, the key claims are already on the card, so it makes signing up for a site fast and painless.  Then there's the personalization benefits. You could have a government site that read your postal code and provided a personalized view of "your government" - complete with data ranging from when trash is picked up on your street to legislation that may be impacting your area.  You can log onto the website of an electronics store and present your card to easily get to the details for current sales in your area. There are plenty of great scenarios where a site or service can take an information card and use it - without the need for validation - to provide a better experience.

But 'plenty of great scenarios' does not translate to every scenario.  There are circumstances where you will want to validate the claims that are on the card. Those scenarios are all tied to risk.  And this is typically tied to risk of financial loss or an potential impact to reputation. In these cases, you'll want to take the information provided and evaluate it using a workflow.

Real World Examples

In the real world, I may call a local restaurant to deliver a pizza to my house.  They take my order, my address, and my phone number. For orders below a certain dollar threshold, they'll typically just make the order and deliver it.  However, if I ordered 12 pizzas, there's now more risk. And because there's financial risk that they'll waste time and resources creating 12 pizzas for what could be a prank, they'll undoubtedly call the phone number I provided to confirm that I placed the order.

If you want to publish a letter to the editor in a newspaper, you typically need to provide some evidence that can be used to prove you are who you say are. The New York Times requires that any such letter "must include the writer's address and phone numbers.". Why? Because there's risk to their reputation - as well as to the reputation of the people letter writers could claim to be - if the identity of the writer can not be determined.

Online Examples

If you've ever used Paypal, then you've taken part in a workflow where information that you've self-asserted has been validated. In this case, when you open an account they place a very small deposit (pennies) in a financial account you claim to hold. To validate your identity, you examine your account and provide the amount of the deposit.  This is a very clever workflow, because it leverages an account that you have with an existing financial institution, an account that likely required your identitiy being authenticated in person, using a drivers license, passport, etc.

From a risk of reputation perspective, James pointed out what will become one of the more key scenarios, validating the identity of someone who posts to a blog. To avoid both spam and anonymous comments that could range from libelous to threatening, the owner of the blog will want to make sure you are who you say are. This is really almost identical to the New York Times' Letter to the Editor requirements.

Using Workflow

Once you've assed the nature of the risk is financial or reputation related and the specific valuation of that risk, you'll want to identify the type of  workflow that will mitigate that risk for you.

Sometimes, that will be a sequential workflow, and that is typically where you will invoke one or more automated services to validate the claims in real time. For example, given my name, birthdate, home phone number, and website, you might be able to tie into some back end systems to validate the information I provided. In some cases, a workflow may retrieve additional data, which can then be used to challenge the user. This type of interaction happens synchronously and my identity can be validated during my same online session.

In other circumstances, you'll want to use a state machine workflow. This workflow is longer running than it's sequential counterpart. Once information is presented at a site or service, a communication could be made to one of the modes specified in your contact details - this is typically an email, but could just as easily by an automated speech-based service (IVR).  When contacted, the workflow will deliver a code to the user. The user will then go back to the website and provide that code. This is typically accepted as a proof of identity for providing blog comments. Other examples of state machines could include a site performing related checks, for example a dating website could validate your information and then perform a check with other systems to validate that you're not married. In these circumstances, the process could be completed quickly - I could get the email right away and respond in minutes, or it could complete in hours, days, weeks, months even. If John Smith signs up for a site before he goes on vacation, and the validation email doesn't arrive until after he's left, that process could remain in the 'waiting for response from user' state for several weeks.

Back to James' question

So now, back to James' question, "should the relying party integrate into BPEL or SPML and what is the best way for folks to think about this"

I couldn't in good faith tell everyone they should implement this in BPEL. If the whole REST vs WS-* debate has taught me anything, it's that while there is tremendous value in having well thought out standards that are implemented by Enterprises, ISVs, and Infrastructure companies, there is a large segment of folks that won't use it for any number of reasons (learning curve, implementation complexity, required tools/infrastructure, time to implement, etc.).

What I'd do first is identify the workflow itself, specifically what business rules need to be validated and what integration points need to be in place to feel comfortable that the risk has been mitigated. Before we talk technology, what is the type of interactions that need to happen. Do you need to send an email and then wait for a response? Do you need to tie into back end systems to validate the information? If the workflow is based on identity validation, identify what should happen when identity validation is successful, when it is not successful (identity could not be validated) or when it fails (system exception).

Then, look at technology and determine what works best for you.  For some folks this could be Windows Workflow Foundation, for others this could be BPEL, for others it could be BizTalk, and others still it could be C#, Java, Ruby, or PHP libraries that implemented the workflows directly in code. If you're writing this yourself, I'd typically advise taking whatever code you build and make it available with it's own service(s).  This has benefits on a number of fronts.

I will add that there is an opportunity for someone/some group to identify some of the more common patterns (similiar to what was done with the document referenced in my last post) and then to implement and make available those patterns in the form of binaries or services.

I'm just finishing up another project at the moment, once that's out the door, I'll take a look at coding up one or more examples and then throwing the bits over onto CodePlex for people to have at it.

Over the course of writing the book, there were a number of things going on in parallel inside MS, some of which weren't finalized when the book went to press. One of those items was the patterns document that the product group published this month.  I had a chance to sit down with one of it's authors, Bill Barnes, while writing the book, and serve as a reviewer on the initial passes of the doc.

It's an excellent doc and a must read. One thing to note, is that if you look at the chapter on modifying the existing ASP.NET membership controls to support information cards, you'll see that I provide a number of stored procedures to handle additional scenarios mentioned in the doc.

You can get the document here

http://www.identityblog.com/wp-content/resources/information_card_patterns.pdf

When looking at personalization, there are a couple of concepts that most people assume -

(1) This is primarily of interest in eCommerce Sites

(2) To perform personalization, a site either needs a transaction history (from which to draw inferences/make recommendations) or requires a user to manually fill out a profile.

The reality is that personalization is valuabe across industry verticals, and now with information cards, you have the ability to easily provide personalization on a persons first visit.

Rather than use the expected eCommerce Site example for personalization, I decided to go a different route.  Instead, I dedicated a chapter to building a project I named "Personal Government". Using a self issued  information card, the Personal Government web site can take a single claim - postal code- and retrieve data across multiple data stores for a personalized expereince. The chapter has the user build this public sector mashup with free web services from StrikeIron. If you actually wer ea public sector website, you can imagine how you could extend this with real data - everything from municipal schedules (what day is trash pickup?) to legislation (which legislation tha tis underconsideration would affect my neighborhood?)

The video can be found at the link below, or by clicking on the image below.

http://www.marcmercuri.com/book/cardspace/informationcardsandpersonalizationinPublicSector/InformationCardsAndPersonalizationInPublicSector_media/InformationCardsAndPersonalizationInPublicSector.wmv

The book contains a chapter on automating the issuance of information cards with Windows Workflow Foundation.

I've posted a screencast that highlights the approach and what you will build as part of the chapter.

http://www.marcmercuri.com/book/cardspace/cardspaceworkflow/cardspaceworkflow_media/CardSpaceWorkflow.wmv

During the editing process for the book, it was pointed out that the purple and white information card logo hadn't officially 'cleared' the related legal checks (i.e. making sure the logo didn't resemble an existing piece of work by a third party) When I was writing the book, the draft that went to the editor actually included the purple and white icon. As the book went to press, the icon still hadn't cleared legal, so we decided to play it safe and use the unofficial icon that had been adopted by the community.

The good news is the purple and white information card logo has cleared legal, as Mike posted earlier in the summer. The goal is tha this icon will be as ubiquitous as the orange and white rss logo on sites, and a consistent marker to identify that information cards are accepted on your site. Below I've re-posted the icon in a multitude of sizes.

The guidelines for the use of the icon, a frequently asked questions document, a set of png images of the icon rendered in a range of sizes, and the original artwork in Adobe Illustrator format are all available together in a download package.

I recieved my authors copies of the book on Friday, and a quick look on Amazon and Barnes and Noble indicate the books are now 'in stock'. If you pre-ordered, your books should be making their way to you now.

In a recent post that clarified that a Java RP is covered in my book, Roger responded "Could you talk more about the characteristics of Java RP and all the open source out there?"

One of the most pleasant things about writing this book is that everyone realized that identity on the net was a problem, the metasystem was a sound approach, and we could all work together - even if our implementations were done on different platforms and in different languages. People just want to solve the problem, and help educate people on how to solve it.

One of the areas where I see the biggest opportunity is helping everyday web developers easily become relying parties. Another is showing those same web developers how information cards can be used for much more than just logging in, particularly for personalization.  There are great Java RP's out there, just as there are great RPs in .NET, PHP, and Ruby. I talk alot about them in the book.

So when a question like this comes up, the question is, do I post the book content online (to answer the question) or do I suggest someone buy the book? One thing that I've been toying with is talking with the publisher about potentially open-sourcing the open source related chapters of the book. The thought was that the open source chapters could be introduced in a wiki-style environment and the community could make sure that new projects were identified, updates in projects, etc. When developing the book, that is the chapter that was re-written the most as there were a number of changes between last March and this year.

Before I talk to my publisher, I'm interested in your feedback on two questions:

(a) Do you think folks in the open source community would still buy the book?

(b) Do you think folks in the open source community would participate?

Mike Jones was kind enough to post a mention for my new book recently, and it was great to see comments and other blog posts triggered by that.  One of the blogs that mentioned the book was James McGovern's. In his post he mentioned that it was disappointing that the book didn't cover Java. This is unfortunately not accurate and I wanted to clarify what's covered outside of Microsoft technologies.

Five chapters of the book are implementation agnostic and focus on key topics ranging from authentication and authorization to personalization.  One of those chapters examines the majority of the projects in the open source community.  Another chapter is focused on implementing relying parties - which is what most people will require - in Java and PHP. For Java, this focuses on code provided by Chuck Mortimore (if unfamiliar, he's created a fair amount of information card-related plugins and artifacts).  For the other chapters, the code is written in C#. While this is not Java, the syntax is similiar enough that it can be reviewed for both structure and approach. While Ruby code is not covered in the book, the book does contain links to Ruby resources and open source projects related to information cards.

I've got several screencasts I'll be posting shortly that highlight what's covered in key chapters. Look for these to start popping up online soon.

In case you missed it, Microsoft just released some great new downloads, specifically new versions of VS 2008, Silverlight, and Expression Blend.

As someone who started writing what are now called AJAX apps since 2000, I *really* appreciate how Silverlight and Blend make RIAs much easier to develop.

Links to all the bits-

• Visual Studio 2008 Beta 2
• Visual Studio Extensions for Silverlight
• Silverlight 1.0 SDK / Silverlight 1.1 SDK
• ASP.NET Futures CTP
• Silverlight 1.0 RC1 / Windows (direct link)
• Silverlight 1.0 RC1 / Mac (direct link)
• Silverlight 1.1 Alpha Refresh / Windows (direct link)
• Silverlight 1.1 Alpha Refresh / Mac (direct link)
• Expression Blend August Preview
• Expression Media Encoder Template Updater

When I wrote my new book, Beginning Information Cards and CardSpace: From Novice to Professional, I wanted the reader to go beyond building just 'Hello World' applications that just focused on learning features. Instead, I wanted to have the readers build practical, usable code.

In an effort to let you see what you'll be getting when you buy the book, I thought I'd do some screencasts to highlight what you'll build out.

I'm going to start with Chapter 13, which focuses on automating the issuance of managed cards with Workflow Foundation.

In that chapter, you'll create a number of Workflow Foundation custom activities that can help you automate the issuance of managed cards, complete with email delivery.

Also included is a sample application will calls the workflow and generates a card based on data provided.

Click on the image below to see the video:

After a very long hiatus, I am very happy to report my return to regular blogging. The book is now done, some of my major projects are either completed or winding down, and I'll have time to write, post and add screencasts.

So what have I been doing for the past year? Last summer, I took on a new role as an Architect in DPE Platform Incubation Team. I've spent the last year working on solving difficult problems and working on interesting projects. This has hands down been my most intellectually rewarding year in the company. While you won't hear publicly about alot of my work, there are some things I've contributed to that have been entering the public view recently.

I've been doing alot of work with teams in the company doing mashups and mashup events. Last December I wrote 5 'blocks' for a product we had in development that's now been launched over at http://www.popfly.com.  I believe it's still on an invite only basis. If you've been on the site, you know it's pretty cool stuff. If you haven't, I believe it's still in an 'invite only' mode. If it is, let me know, as I've got a couple of invites I can share.

In addition, I ended up modifying the dasBlog engine and starting another site.  That site http://www.mashupguy.com, is something you may have seen at various conferences this year.  I wrote a number of labs that show how to work with various Live APIs, checked out a number of third party services, found some videos, and brought them altogether on that site.  It's been used as a resource for everything from the MVP Summit to Mix07 to the Web2Open at O'Reilly's Web 2.0 Conference earlier this year. I've been pretty quiet about the site outside of those events, and plan to migrate it over to silverlight when I get back from Europe later this summer.

I also had a chance to do some work with the folks over at Windows Live and worked with Koji Kato to get LiveInABox published. Specifically, I wrote some workflow activities that wrapped Live Expo and Live Search and generated an aggregate RSS feed and RSS client for them.  In addition to being on CodePlex, we've managed to get VPCs hosted in the cloud for folks to try out.

I did have a chance to work with another one of our online properties as well, and expect to see some impact from one of our projects before the year is out.

In addition to cutting back on blogging, I also cut back my public speaking engagements this year, with just one exception. I had worked with the great folks over at Dollar Thrifty Auto Group last year and one of their architects asked if I'd be interested in coming to deliver a keynote at the Tulsa code camp, so I flew out to Tulsa for the day (an interesting route from Seattle) and had a chance to talk about CardSpace. For private speaking engagements, I was pretty engaged at a number of our internal events, and recently was interviewed for some of our internal videos for Engineering Excellence and Innovation. 

My largest project, you won't hear anything about anytime soon, but I was honored to find out recently that I was nominated for 2 awards for it, Microsoft's Circle of Excellence Award and the Customer Partner Experience Award.

And then there's the book... with my change in role last year, I ended up spending much more time outside the office working on the research and writing of the book. The book, initially targeted for March, was pushed to June when content grew from the 300 pages I committed to, to almost twice that. Expect to hear (and see) more about the book over the next week or so.

So blogging will resume starting today, the blog will likely go through a site redesign later in the month, using the new template I created for mashupguy.com, and I'll be expanding the scope beyond framework 3.0, where things have been for the past year and a half or so. 

Glad to be back, and happy to have you reading,

Marc

Richard Turner has posted a couple of information card / Windows CardSpace videos on his blog.

If you've kinda/sorta heard about CardSpace and information cards and want to get a quality intro with a demo and a description of what's happening behind the scenes, check out the first one.

http://blogs.msdn.com/richardt/archive/2007/03/18/cardspace-simple-demo-screencast-on-channel9.aspx

If you're looking to develop a site on IIS7 (meaning Windows Vista or Longhorn Server), and were curious about how to configure the site to support information cards. That video steps through how to configure your IIS7 server for sites that will accept information cards.

http://blogs.msdn.com/richardt/archive/2007/03/28/new-screencast-how-to-configure-iis7-for-windows-cardspace-sites.aspx

Chapter Three of my upcoming book focuses on the work being done with information cards and in the identity metasystem by people outside of Microsoft. The chapter covers third parties and open source projects,  focusing primarily on the folks building identity selectors and security token servers.  In the process of researching that chapter, I ,of course, ran across the work of Chuck Mortimore. If not famliar with his work, Chuck has built out a Java Relying Party, an identity selector plug-in for FireFox, and his site ( http://www.xmldap.org) issues managed cards.  His identity selector has even been enhanced to handle interop with OpenID (see screenshot below).

Needless to say, I was impressed with his work, and reached out to him about including screenshots of his work in that chapter. He was very gracious and gave his approval. As I was wrapping up the book, one of the readers of this blog asked if we were going to have support for Java in the book. Initially, for relying parties, I'd only committed to the publisher for ASP.NET and PHP. In the pre-.NET world, I actually was an early adopter of Java  (heck, I even hired Gary Cornell, of Core Java fame, to come to Boston and train my team on Java), so I thought what the hell, and decided to  have a go at it. As I was dusting off my core-java books to write the sample, I thought to myself, if I was a java guy, who would I want a sample from? A Microsoft guy who hasn't written any Java code in awhile? Probably not

I thought of who - if I was a reader - I'd like to see the Java sample come from. A big fan of his work over at xmldap.org, I reached out to Chuck and asked if he'd be interested in contributing a java sample for the chapter. I am really pleased to announce that not only did he agree, he's already sent me the code. If you've not done so already, definately check out his site, he's doing some great work.

I'm pleased to announce that my book now has a new technical editor, Steven Woodward. Steven leads the Identity and Access Management team in Microsoft's Developer & Platform Evangelism Group. Steve works very closely with our top customers looking at the adoption of Information Cards and Windows CardSpace, and he's a regular fixture at a number of major conferences. I had the good fortune to work with Steven last year when we were both members of the Windows Server evangelism team, and am super excited to have Steve onboard.

He's provided some great insights and comments that have already added value to the book. 

Welcome Steven!

Just about a year or so ago, I was down in Tulsa working with the good folks at Dollar Thrifty Auto Group, who were doing some great stuff with WF and WCF.  If it sounds familiar, I chatted about what they were doing in an ARCast wit Ron Jacobs, and Ron also did an interview with them from Tulsa. (both recordings are available over on http://channel9.msdn.com or http://www.skyscrapr.net.)

Earlier in the week I was talking to Jim Arrowood, a friend and architect at Dollar, and he asked how I'd like a free trip to Tulsa.  A s I told him, there are no free lunches in life, and I'm sure no free trips to Tulsa.  It turns out there's a CodeCamp event coming up (http://www.tulsacodecamp.com) and was curious if I might be interested in speaking. 

A couple hours later I had a ticket to Tulsa and was slotted in for two sessions, an hour in the afternoon and the closing keynote. 

I'm looking forward to it, as codecamp is focused much more on code. Last year ,when I was speaking at events, I had to spend a good amount of my sessions doing intro stuff. With the framework having been released for awhile now, I'll be able to dive right in and show some cool stuff I've been working on. If you've seen my previous sessions, expect all new content for this.

The timing of the event is literally days before the release of the updated WCF: Unleashed and I should be wrapping up the Understanding CardSpace and Information Cards book.

If you're going to be in Tulsa and there are particular aspects you're interested in, let me know and we'll see if we can squeeze it into the sessions.

Going through my email this morning, I received my official Mix07 confirmation.  Last year, I had a number of customer commitments so was really not in the loop on Mix, this year, though, I've had some overlap with some of the things I've been working on and have had a chance to get involved in various aspects of the event.

Earlier this year I went to another web conference(which shall remain nameless), and was so dissapointed I left the conference (and Vegas) a day early. (Me, leaving Vegas early? unheard of, I know). 

Mix, though, is a different story. From what I've seen of the sessions, this is actually an event I'd pay out of pocket to go to. It's got a good mix of folks from MS, as well as from third parties.  I may or may not be delivering a session, that's something that'll get decided in the next month or so, but will be onsite either working in certain areas of the event, or attending sessions.

One of the great things about conferences is that I get a chance to meet up with former colleagues and people I've chatted with via email and blogs. If you're going to be in Vegas the 29th - 2nd and want to chat about WCF, CardSpace, Mashups, or whatever - shoot me an email and we'll make some plans to sync up.

When the first version of the WCF book was posted up on Amazon for pre-sale, the title was different than agreed to and there were some concerns about the editorial text. They were shortly fixed, and the real title 'Windows Communication Foundation: Hands On (Beta Edition)' and appropriate text was posted.

A few weeks back, I announced that Windows Communication Foundation: Hands On (Beta Edition) was being renamed (and over 200 pages added) as Windows Communication Foundation: Unleashed.

I've been talking for awhile now about a book I've been working on related to CardSpace and information cards.  Like with the first book, the title posted to Amazon was different than what I'd initially agreed to do and the 'about the author' was written when I proposed the book (while working on another team at MS) last year. 

Thus, I've not really said much about it, other than referring to it as the 'CardSpace book'.  CardSpace is the client-side technology that provides the identity selector and personal sts.  While the book covers CardSpace, a large focus is also on the information cards used there. From creating cards, to consuming cards on the web, integrating card-support into ASP.NET membership, consuming cards or requesting them via services, to a simple card issuance system, the book is more than just CardSpace. Fortunately, after talking with my publisher, we've reached an agreement on the new title "Beginning CardSpace and Information Cards: From Novice to Professional". 

This book was written by a guy who buys alot of books, and the structure of the book reflects that.  When I buy a book, I'm either

(a) Investigating - I'm interested in a high level overview and examination of a technology, the rationale for that technology and the competitive landscape. Ideally, this is at a level where the content is accessible to my team - be they architect, dev, or manager.

(b) Topic Learn By Doing - Just as with the 'Hands On' book, I think there's value in not just reading and then doing simple samples. Let me roll up my sleeves and do some coding and learn by doing.

(c) Prototype Acquisition - A book may have a functional prototype of something (i.e. workflow activities for card creation) that I either want for a demo or to build for real. For $30-$50, the book is a steal to get that.

So that's what I wrote. It's been a long process, but it's due out in April.  While the title's not updated on Amazon yet, it is now available for pre-order here: http://www.amazon.com/Beginning-Windows-CardSpace-Novice-Professional/dp/1590598075/sr=8-1/qid=1170952106/ref=pd_bbs_sr_1/103-5507602-4763836?ie=UTF8&s=books

One of the interesting things about writing a book on an emerging technology, is that you rev the chapters several times before they're released.  With the WCF book, this was because we were dealing with CTPS where the object model was changing, with the Information Cards/CardSpace book it's a much better reason. The industry is coming together and collaborating in a most excellent way.

One chapter I'm happy to update this week is the one that looks at information cards outside of Microsoft.

If you haven't heard, some signficant announcements came out of the RSA conference.

#1 JanRain, Microsoft, Sxip and Verisign will collaborate on interop between OpenID and CardSpace

As reported on Kim Cameron's Identity Blog:

JanRain, Microsoft, Sxip, and VeriSign will collaborate on interoperability between OpenID and Windows CardSpace™ to make the Internet safer and easier to use. Specifically:

• As part of OpenID’s security architecture, OpenID will be extended to allow relying parties to explicitly request and be informed of the use of phishing-resistant credentials.

• Microsoft recognizes the growth of the OpenID community and believes OpenID plays a significant role in the Internet identity infrastructure.  Kim Cameron, Chief Architect of Identity at Microsoft, will work with the OpenID community on authentication and anti-phishing.

• JanRain, Sxip, and VeriSign recognize that Information Cards provide significant anti-phishing, privacy, and convenience benefits to users.  Information Cards, based on the open WS-Trust standard, are available though Windows CardSpace™.

• JanRain and Sxip, leading providers of open source code libraries for blogging and web sites, are announcing they will add support for the Information Cards to their OpenID code bases.

• JanRain, Sxip and VeriSign plan to add Information Card support to future identity solutions.

• Microsoft plans to support OpenID in future Identity server products

• The four companies have agreed to work together on a “Using Information Cards with OpenID” profile that will make it possible for other developers and service providers to take advantage of these technology advancements.

Dick Hardt, Sxip Identity
Kim Cameron, Microsoft
Michael Graves, VeriSign
Scott Kveton, JanRain
 

http://www.identityblog.com/?p=668

#2 Ping Identity has released an open source module for Apache:

Ping Identity Corporation today announced the immediate availability of an open source module that allows Apache-hosted applications to use Windows CardSpace Information Cards for authentication. The Apache Authentication Module for CardSpace can be downloaded from http://www.SourceID.org, the open source federated identity management site sponsored by Ping Identity.

The Apache Authentication Module for CardSpace allows applications using an Apache Web server to use Information Cards as an additional authentication mechanism. It allows LAMP-based Web applications written in Perl or PHP to act as CardSpace relying parties (RP) by means of simple configuration. The module is responsible for decrypting the token submitted by the CardSpace identity selector, retrieving the claims and making the claims available for the application’s use.

http://www.pingidentity.com/about/show/165

This is important as it will increase the potential universe of sites secured with phishing-resistant mechanisms and provide a consistent user experience for consumers in CardSpace.

I was just on Amazon and it looks like the follow up to Windows Communication Foundation: Hands On! is now available for pre-order.

This book contains all of the content updated for RTM, plus 200+ more pages than the original. You'll also see that we've got a new co-author, Matt Winkler.

For those unfamiliar with Matt, he's the technical evangelist for Windows Workflow Foundation here in Redmond, and he's added some great WF content to the book.

If you want to get more details, you can find it here:

http://www.amazon.com/Windows-Communication-Foundation-Unleashed-WCF/dp/0672329484/sr=1-3/qid=1170008872/ref=sr_1_3/002-4228351-3336016?ie=UTF8&s=books

Mercuri's "Services SLA Paradox"

Paid services haven't taken off because there aren't SLAs from Service Providers.
There aren't SLAs from Service Providers because people aren't paying for services.

-----------------------

When someone gives you something for free, they have no obligation to you and you have no recourse if something goes wrong. When I was a student, if I was moving to a new apartment, my friends would would help me pack up my old place, load the truck, and unload it at my new apartment.  Sometimes people would show up late, sometimes things would get broken, but hey, they were doing me a favor, so I had no room to complain.

When I move now, I hire a moving company. Why? Because my time is more valuable to me than it was 15 years ago, and I also have much more expensive stuff.  If I was scheduled to move out of a house on the 31st, and the mover's truck broke down, I'd want to make sure the company could swap in another truck from their lot. If my $4,000 television is dropped, I want someone who's insured and who's going to make it right.

Today, we have a number of people giving away services - Google, Yahoo, Flickr, Amazon, StrikeIron, etc.  While there are exceptions like Amazon and StrikeIron that are doing some good work in the utility services space, where they're doing metered usage, I've had a hard time finding SLAs anywhere else. People are doing interesting mash-ups with 'free stuff', but is anyone willing to put free stuff in their application for any key piece of functionality? If you do, and you don't have SLAs, you're a gambler, and for your sake, I hope you're very lucky.

At the Web Builder 2.0 conference held earlier in the month, Day 1's keynote had a speaker who talked about Ajax and mashups, using his company's product as an example.  At the end of the presentation, he opened up the floor for Q&A, at which point I asked him two questions - "what about SLAs" and "what about federated identity".  The answers? 

SLAs: These services are free, so there are no SLAs.

Identity: These services (Yahoo) are free, so that's not an issue.

I find it amazing that people don't pro-actively address the SLA and Identity issues, and I find it borderline irresponsible that 'experts' ignore or wave off these questions when raised. The need for SLAs should not be such a surprise, people who've spent time looking at the space at this have written about it, myself having done so back in 2001  ("14 Best Practices for Selecting a Web Service Provider", 2001, .NET Magazine, Fawcette) Yes, it's cool to include maps, search, and images in my application but if the service code go down - or disappear entirely - at any time, for many scenarios they're a non-option.

If you want to use services for anything real - and by real I mean something you'd use in a key area of an Enterprise or Commercial Software/WebSite - you need to have a Service Level Agreement. Using a service effectively moves a third party from being a vendor to being a business partner. The service provider controls the hardware, the bandwidth, the support, etc. but the service interactions are exposed through your application, with your brand, and your reputation attached to it.

With today's lack of SLAs, if the service goes down for an hour on Thursday, it goes down for an hour on Thursday. Moreover, there's no guarantee that the service is going to be around for a week, a month, a year, etc.  Google just announced (http://news.com.com/2061-10812_3-6145053.html) that they're no longer taking on new customers for the SOAP API they'd been offering. They're moving new customers to an AJAX API. If you were evaluating this and building this functionality into a spec for a smart client application you were developing, and now it's gone, sorry charlie. What were you expecting? You're not paying for it, so you can't complain. Without an SLA, no promises are ever made  made by the provider, so there are no promises to break.

My argument is that SLAs are late to the game, because people aren't paying for services and people aren't paying for services because there are no SLA's. Something I've shamelessly named 'Mercuri's Services SLA Paradox'.  There are some positive movements in the right direction - Amazon and StrikeIron come to mind - but they are definately the exception and not the rule.

If you're like me, you'd like to be able to leverage and mashup services that you can depend on. If we collectively don't stand up and insist on these, we're stifling innovation. I challenge you to ask the providers - at conferences, in forums, online and in person - "What is your SLA for your services and what will it take/cost for you to offer me this service in a dependable fashion?"

If you've read the blog for awhile, you'll know that I moved over to the incubation team in Microsoft's Platform Strategy Group back in August.

My old team is still looking for my replacement, and they're now expanding their search. if you're passionate about CardSpace, Windows Communication Foundation, and Workflow Foundation and working with large Enterprise customers you might be interested in this.

In addition to working with some great technologies, you'll be surrounded by a great group of folks on the Longhorn Server evangelism team, many of whom are authors (or authoring) books on .NETFX 3 or other topics.

James has the full scoop on his blog, check out the link below for details:

http://blogs.msdn.com/jamescon/archive/2006/09/19/761696.aspx

Some people have asked for a consolidated file with all of the updates for our book, Windows Communication Foundation: Hands On!

You can get the full set of samples here:

http://www.marcmercuri.com/Downloads/junectpupdate.zip