A blog by Marc Mercuri
 Sunday, January 20, 2008

It's not quite the end of January, but there's already a lot of "new" in my new year. There's a new car, some new gadgets, and on the work front a new project and a new team.

As you may have heard, Charles Fitzgerald left Microsoft to head to a startup. Charles was the GM that my old team, platform incubation, reported into. Charles set the mission for that team, and was the major stakeholder for Tafiti and several other internal facing projects that I worked on. Charles was a great GM, and while this is a loss for MS, I'm confident we haven't heard the last of him.

With Charles' departure, Scott and I will be moving to different roles in the company. I am happy to report that I am now officially part of Simon Guest's team.   

One of the few negatives about my last role in incubation was that it was inherently secretive, as parts of the work could be patented. As a result, after delivering my book on CardSpace I mostly dropped off the public scene, save for promoting Tafiti. With Simon's team having a key focus on talking about architecture with the broader community, this is something that will change, and you'll see me engaging more publicly on architecture-related subjects. Simon's team has a big focus on Software+Services, which, if you've read the blog for a while, you know is something I've been looking at for some time in and outside of Microsoft. Expect to see me blogging more, podcasting/screencasting more, and writing the odd article or two. (No more books for a while, though. Having written or co-written 3 books in 2 years, I've committed to my wife not to start another one until 2009.)

I also mentioned there's a new project. I'll be carrying over a project with me from incubation to Simon's team as well. Nothing I can share at the moment, other than it will be public focused and it's going to be a key focus for me for a good portion of 2008.

While this project is big, there's another project I'll be working on that's even bigger. This is a longer term project, estimated to last decades with a budget estimated to be in the seven figures. Oh, and it has nothing to do with software. My wife and I are expecting our first child, a son, to literally arrive any day now. While there's a lot of great 'new's in 2008 already, this will surely be the best.

Here's hoping your 2008 is going well, and I look forward to engaging with the community more broadly once again.  If there's anything you'd like to see me engage on - be it in blog, article, or podcast, let me know. As always, I can be reached at mmercuri@microsoft.com

1/20/2008 11:35:45 PM UTC
Announcements | Code | Context | Demos | Ideas | Identity | InfoCenter | Live | Mash-ups | Meet | Other | Presentations | REST | RSS | Search | Silverlight | Technology Futures | WCF | Web Services | Webcasts | WF
 Tuesday, December 18, 2007

I wanted to give you an update on Tafiti, Microsoft’s experimental site that explores the intersection between Silverlight and Windows Live Search.  Tafiti, which means "do research" in Swahili, is an experimental search front-end from Microsoft, designed to help people use the Web for research projects that span multiple search queries and sessions by helping visualize, store, and share research results. Tafiti uses both Microsoft Silverlight and Live Search to explore the intersection of richer experiences on the Web and the increasing specialization of search.

 

When the Tafiti.com site went live, I did a couple of interviews where I said that we would make the code public if people were interested. We received a fair amount of interest, and linked up with Angus Logan's Windows Live Apps team to do just that.

 

Today, I'm happy to announce the release of the Tafiti Search Visualization source code to CodePlex which means developers can download, modify, and resell the code (see MS-PL License for all the details).

 

The CodePlex project provides access to all of the source, which you can use in its entirety or piecemeal based on your needs. The project includes a number of Silverlight controls, code that wraps the Live Search SOAP API, contains code for posting to your Live Space blog, and is also a working example of how to incorporate Windows Live ID into your apps. We've also included the code for the tree screensaver that so many people commented on.

12/18/2007 10:13:41 PM UTC
Code | Identity | Live | Search | Silverlight | Tafiti
 Monday, September 03, 2007

Working on an interesting side project this weekend, so pulled another interesting entry from the archives. This was originally posted in December, 2006.

I've had an interesting day today. Checked into the airport this afternoon, and had a debate with the woman at the counter about my reservation. I received my ticket and was surprised to see I wasn't sitting in business class.

The funny thing is, I had an itinerary and record locator that indicated that I was in business class, but our check in clerk claimed I didn't.

A quick call to her supervisor came back with a confirmation that I did not have a business class seat. The options - take a business class seat for another $200 Euros or take a seat in coach. There was some additional discussion on my part, but I was amazed at how uninterested and unhelpful this particular individual was.

Before leaving the desk, I requested that she use my air miles card from a partner airline. Her response, which struck me as a bit odd, was that there was no need, as I was a gold member.

I begrudgingly took the coach seat and made my way to security. While in line I was thinking about her comment about my being a gold member. While I'm gold on other airlines, this (and the partner) weren't one of them.

I rechecked my ticket, and found it had someone else's name on it. Not sure who Vincent Mercier is, but he sounds a bit more French than this guy who grew up in Tewksbury, MA and knows just enough French to be either polite or offensive. I returned to the desk, pointed out the mistake and had my business class ticket in hand.

When sitting in the airport lounge a bit later, I thought about what had just transpired. Air France had asked initially for my passport, to check claims of identity. Those claims were received but were not utilized by the requestor, and a secondary claim - my reservation locator - was provided. Again, this wasn't used. Without success, the workflow required an escalation to another service - the supervisor - and again there was a failure. Here it was based on the information provided by the initial requestor.

It stresses the potential for a breakdown in an identity validation scenario which involves a human component. The difference between Vincent Mercier and Marc Mercuri is fairly obvious, but the check-in clerk may have done some faulty pattern recognition based on seeing MERC in both.

Had this been a machine-driven interaction, this would likely have gone flawlessly. A selection of destination city would have been used to limit the number of potential name matches and from that subset, the name would have been validated either 1:1 or possibly with something along the lines of a Soundex.
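The matching described above, as an added example that is not part of the original post: candidates are narrowed by destination and compared by Soundex, and a pass is issued only when the record locator and the exact document name agree. It goes one step beyond the post by running both surnames through Soundex; they share the code M626, so the phonetic step alone cannot tell the two passengers apart. The manifest, locators, third and fourth passengers and function names are constructed for illustration.

```python
"""Added example: destination-scoped name matching at check-in (constructed data)."""
from dataclasses import dataclass

# Standard American Soundex digit groups.
_GROUPS = {"BFPV": "1", "CGJKQSXZ": "2", "DT": "3", "L": "4", "MN": "5", "R": "6"}
_CODE = {ch: digit for letters, digit in _GROUPS.items() for ch in letters}


def soundex(name: str) -> str:
    """Return the 4-character Soundex code of a surname ('' if it has no letters)."""
    letters = [c for c in name.upper() if c.isalpha()]
    if not letters:
        return ""
    out = letters[0]
    prev = _CODE.get(letters[0], "")
    for ch in letters[1:]:
        if ch in "HW":           # H and W do not separate equal codes
            continue
        code = _CODE.get(ch, "")
        if code and code != prev:
            out += code
        prev = code              # a vowel resets prev, so a repeated code is kept
    return (out + "000")[:4]


@dataclass(frozen=True)
class Reservation:
    locator: str       # record locator: the unique claim issued at booking
    surname: str
    given_name: str
    destination: str
    cabin: str


# Constructed manifest. Locators and the last two passengers are invented.
MANIFEST = [
    Reservation("QX7K2P", "Mercier", "Vincent", "Paris", "coach"),
    Reservation("LM4T9R", "Mercuri", "Marc", "Paris", "business"),
    Reservation("ZB1C8D", "Martin", "Anne", "Paris", "coach"),
    Reservation("HH3W5N", "Mercer", "Dana", "Boston", "coach"),
]


def fuzzy_candidates(manifest, destination, surname):
    """Destination filter, then Soundex on the surname (the fuzzy step)."""
    key = soundex(surname)
    return [r for r in manifest
            if r.destination == destination and soundex(r.surname) == key]


def check_in(manifest, destination, surname, given_name, locator):
    """Return (reservation, reason).

    A pass is issued only when the record locator selects exactly one
    reservation AND the name on the travel document matches it exactly.
    """
    wanted = locator.strip().upper()
    by_locator = [r for r in manifest if r.locator == wanted]
    if len(by_locator) != 1:
        return None, "unknown record locator"
    res = by_locator[0]
    if res.destination != destination:
        return None, "locator is for a different destination"
    same_name = (res.surname.casefold() == surname.strip().casefold()
                 and res.given_name.casefold() == given_name.strip().casefold())
    if not same_name:
        return None, "name on document does not match reservation"
    return res, "ok"


if __name__ == "__main__":
    print(soundex("Mercier"), soundex("Mercuri"))
    print([r.surname for r in fuzzy_candidates(MANIFEST, "Paris", "Mercuri")])
    print(check_in(MANIFEST, "Paris", "Mercuri", "Marc", "LM4T9R"))
    print(check_in(MANIFEST, "Paris", "Mercuri", "Marc", "QX7K2P"))
```

A fuzzy match is useful for finding candidates to show an agent, but the decision to issue the token has to rest on the unique claim plus an exact comparison.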

What makes this breakdown of 'the system' incredibly alarming is that there was no validation of claims from that point forward - once the ticket was in hand, I had free access to the system, boarded the plane, disembarked in Paris and am now in my hotel.

Sure, I provided the token assigned by the airline (a boarding pass) at security - but there was no requirement/check of my passport. If I had continued through with my initial, erroneously issued token (the ticket in someone else's name), I would surely still be in Paris eating the French interpretation of Cajun Chicken wings.

In this specific context, an identity breakdown has horrific potential. Suppose the mistaken identity had occurred with a guy less interested in connecting systems than in disrupting them - a terrorist.

There were no further checks for identity (intra-EU flights do not have passport control), so someone who slipped through the system could now be freely traversing France.  Given the political climate here in Paris this week (for those unaware, there have been riots and individuals setting fire to cars in France), it's even more alarming.

With the recent move to self-service kiosks for check in, the mechanisms I mentioned earlier are helping avoid this issue. Introducing some of the technology used there in the human interaction piece (i.e. scanning of passports and system retrieval of information) would help solve the issue, surely.

But that answer begs different questions. We do quality assurance of the software systems, but how do we and how much time do we do testing of the human components in connected systems? And once you've established your test plan, and you go to 'rtm' of the process/workflow, how do your federated users report bugs? In this particular instance we're not talking about a situation that results in some bizarre behavior in an IDE, we're talking about international security in the heart of Europe. The clerk surely isn't going to tell her manager, as it points out a big misstep on her part. There's no contact information on the boarding pass or airline timetable. Going to the Air France web site, I went to the link to their corporate office, which is entirely in French. I'm on a hotel internet connection at 90 cents per minute, chances are I'm not going to spend an hour navigating their site to let them know about the issue, resulting in an open loophole in a frequently used workflow with potential for failure far, far worse than any blue screen.

In this particular scenario, the issuance of a false token was an 'honest mistake', but suppose that it wasn't.  Imagine if a terrorist cell had someone working behind the ticket counter, what checks are in place to prohibit intentional bad issuance or trust violations?

This isn't just with transportation companies, it spans verticals. For example, if John Smith is caught owing $200,000 in taxes, and the workflow for resolving this dispute is handled by Bill Jones who makes $20,000 per year, what can happen is John pays $50,000 to Bill Jones to make this whole matter disappear. This is not fiction, this really happens. Depending on the country, it happens a lot.

These examples involved a relatively simple workflow, this obviously gets more complex when dealing with interactions that run multiple partners/parties deep.

If you have a business with a high volume of transactions or high value transactions with consumers or areas with complex workflows, how do you / would you handle these situations? What types of SLAs and legal terms do you have in place to handle scenarios where a human taints the system with a manual violation of trust in a federated scenario? Feel free to speak in the third person and without corporate identities, I'm curious how/if this is being addressed.

9/3/2007 8:22:16 PM UTC
Identity

I ran across an interesting article tonight over on Techie's blog where he compares eight OpenID providers.

The list includes WordPress, LiveJournal, AOL, Verisign PIP, MyOpenID, GetOpenID, Videntity.org, and ClaimID.

Check it out here - http://ttlnews.blogspot.com/2007/09/eight-top-openid-providers-comparison.html

 

 

9/3/2007 3:00:38 AM UTC
Identity
 Friday, August 31, 2007

I'm enjoying the last week of summer, so in lieu of a new post, I'm reposting a 'best of' entry this week. This was originally posted May 13th, 2006.

NOTE: There is a political reference below, as it is a topical situation that got me thinking about trust communities in search. This blog is apolitical, and the scenario is used as it is the one that sparked the idea. I take no stance on whether the claims made by Mr. Snow are valid/invalid.

I was reading some news sites this week, and was reminded that this was the first week of US President George Bush's new press secretary, Tony Snow. 

Before he gave his first press conference, he did something interesting.  He sent out press releases questioning the validity of comments made by the New York Times, USA Today, and other publications.

So this got me thinking. Playing devil's advocate, suppose that he's right. If I trust Tony Snow (based on his historical record of trustworthiness), I may now discount results from these media outlets in favor of others. But for me to discount these sources when searching, I can't. Even if I cease to trust them (or trust them less), they show up in the rankings per Google or Microsoft's opinion of their relevance.

The search engines from Google, MSN, and Yahoo have their own algorithms to consider relevancy. One of the things these search engines do provide is a level of filtering for “safe content”, blocking out material that may be considered objectionable (i.e. these block pornography results).

What they don't do is consider in the rankings the levels of trust of an individual or of a community. What I want to see is something that goes to the next level, don't just block what's objectionable, show me the results that are relevant to me based on trust.

Perhaps one of the media outlets Mr. Snow referenced, let's pick a fictional name, say MakeBelieveReporting, Inc., is regularly mis-reporting information or is slanting stories towards a particular political viewpoint.  I may cease to trust that organization to provide news to me, and would like to rank them lower in my personal results when searching for news, if not remove them altogether.

When I search for news, perhaps there are certain stations / periodicals I trust - for example the Wall Street Journal, the Financial Times, CNBC, and my friend John Smith's blog. These are entities - regardless of web site traffic or the opinion of the search engine I'm using - that *I* trust to be accurate and provide me information. I do not, however, want results from news outlets that are part of MakeBelieveReporting, Inc. as I have ceased to trust them.

What I'm thinking of isn't based on assumed trustworthiness based on click traffic, this is based on trust relationships.  Even if I visit a site twice per year, it could be far more relevant to me than a site that is viewed more regularly by others.

And my community of trustworthy providers could be extended based on the feedback of those people I trust. 

There's the concept that if person A trusts person B, and person B trusts third party C, that person A should likely trust Corporation C based on the fact that he trusted person B's judgement.

In the previous example, I trust my friend John Smith who writes a blog. If John trusts the Crosby Herald, and I trust John, then I too could trust the Crosby Herald and have it included in my community of trust that is reflected in my search results.

Think about the days before Acxiom, TRW, and credit reports. People vouched for other people to get jobs, apartments, loans, etc.

When you sign for a loan and you are not a known entity, you need a co-signer or guarantor. The bank says, I don't know if I can trust this person, but I trust the co-signer.  The co-signer also trusts the loan recipient to pay the money back.

If someone co-signs for a loan for me and I decide not to pay it, there are financial responsibilities that are then taken on by the co-signer. The co-signer will trust the recipient less, as a result of mis-placed trust, the bank may stop trusting the co-signer's ability to identify a trustworthy loan recipient.

In another example, suppose you make plans to go out to dinner with your spouse on Friday night, and when you ask her where she'd like to go, she says “you pick - I trust you.” If you're new to the area, you may ask a colleague - whom you trust - for a recommendation of a local restaurant. If you go to the recommended restaurant and you end up getting food poisoning from the meal, you probably will not look to your colleague for advice on restaurants in the future - and you - who vouched for the restaurant - will likely end up at a restaurant of your spouse's choosing next time around.

Your spouse trusted you, you trusted the colleague and when the information relayed turned out to be bad, two things happen. You cease to trust the advice of the colleague (at least in the context of cuisine), and your spouse trusts you less as the broker of the information.

Once you start adding in trust, you also need to be able to trust in context.  That same colleague from work may not be someone I trust on picking restaurants, but may be someone I look to as a source on technology subjects.

What we need is search that includes both consideration of these communities of trust, where we as participants in the web determine who is trusted and who is not, and provide the ability to apply trust in context.

By introducing contextual trust as a first-class citizen in search, it has the opportunity to both provide results more relevant *to me*, and as trust=traffic=revenue, provides a financial incentive for providers to be trustworthy.
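A sketch of how contextual, transitive trust could re-rank search results, as an added example that is not part of the original post. The numeric scores, the per-hop decay of 0.5, the two-hop limit, the default weight for unknown sources, and the names "Corner Bistro" and "Unknown Daily" are assumptions made for illustration; the other parties are the ones named in the post.

```python
"""Added example: contextual, transitive trust applied to search ranking."""

# Constructed trust statements: (truster, trusted party, context) -> score in [0, 1].
# 0.0 means explicit distrust. All scores are assumptions.
STATEMENTS = {
    ("me", "Wall Street Journal", "news"): 1.0,
    ("me", "John Smith's blog", "news"): 0.8,
    ("me", "MakeBelieveReporting", "news"): 0.0,
    ("John Smith's blog", "Crosby Herald", "news"): 0.9,
    ("John Smith's blog", "MakeBelieveReporting", "news"): 0.9,
    ("me", "colleague", "technology"): 0.9,
    ("me", "colleague", "restaurants"): 0.8,
    ("colleague", "Corner Bistro", "restaurants"): 1.0,
}

# Constructed engine output for a news query: (source, engine relevance).
RESULTS = [
    ("MakeBelieveReporting", 0.95),
    ("Unknown Daily", 0.90),
    ("Wall Street Journal", 0.70),
    ("Crosby Herald", 0.60),
]


def derived_trust(statements, me, context, decay=0.5, max_hops=2):
    """Trust `me` holds in each party for one context.

    Direct statements always win, so a broker cannot override my own
    distrust. Trust that arrives through a broker is the product of the
    scores along the path, reduced by `decay` for every extra hop.
    """
    direct = {party: score for (who, party, ctx), score in statements.items()
              if who == me and ctx == context}
    trust = dict(direct)
    frontier = {p: s for p, s in direct.items() if s > 0}
    for _ in range(max_hops - 1):
        reached = {}
        for broker, broker_score in frontier.items():
            for (who, party, ctx), score in statements.items():
                if who != broker or ctx != context:
                    continue        # trust does not cross contexts
                if party == me or party in direct:
                    continue        # my own statement takes precedence
                candidate = broker_score * score * decay
                if candidate > trust.get(party, 0.0):
                    trust[party] = reached[party] = candidate
        frontier = reached
    return trust


def rerank(results, trust, unknown=0.1):
    """Order sources by engine relevance weighted by personal trust.

    Sources with explicit distrust (score 0) are removed; sources nobody
    in my community has rated get the low default weight `unknown`.
    """
    scored = []
    for source, relevance in results:
        weight = trust.get(source, unknown)
        if weight > 0:
            scored.append((relevance * weight, source))
    return [source for _, source in sorted(scored, reverse=True)]


def penalize(statements, truster, party, context, factor=0.25):
    """Return a copy where one relationship is weakened after bad advice."""
    updated = dict(statements)
    key = (truster, party, context)
    updated[key] = updated.get(key, 0.0) * factor
    return updated


if __name__ == "__main__":
    news = derived_trust(STATEMENTS, "me", "news")
    print(news)
    print(rerank(RESULTS, news))
    after = penalize(STATEMENTS, "me", "colleague", "restaurants")
    print(derived_trust(after, "me", "restaurants"))
    print(derived_trust(after, "me", "technology"))
```

Weakening the colleague for restaurants lowers everything reached through them in that context and leaves the technology relationship untouched, which is the contextual behaviour the post asks for.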

That's my two cents  - what do you think?

 

8/31/2007 4:00:35 AM UTC
Identity | Search | Trust
 Thursday, August 30, 2007

Nayna and Rob have made it official with their post (http://winliveid.spaces.live.com/Blog/cns!AEE1BB0D86E23AAC!931.entry), Windows LiveID has added beta support for Information Cards and Windows CardSpace.

The way this works is identical to the way I described how to add cards to an existing website in my book. Through a management interface, you associate information cards with your core account, and the user is provided the option of signing in with either their information card or a password (as shown below).

All good stuff, and worthy of checking out.

8/30/2007 4:28:49 AM UTC
Announcements | CardSpace | Identity | Live
 Thursday, August 16, 2007

Over the course of writing the book, there were a number of things going on in parallel inside MS, some of which weren't finalized when the book went to press. One of those items was the patterns document that the product group published this month. I had a chance to sit down with one of its authors, Bill Barnes, while writing the book, and serve as a reviewer on the initial passes of the doc.

It's an excellent doc and a must read. One thing to note, is that if you look at the chapter on modifying the existing ASP.NET membership controls to support information cards, you'll see that I provide a number of stored procedures to handle additional scenarios mentioned in the doc.

You can get the document here

http://www.identityblog.com/wp-content/resources/information_card_patterns.pdf

8/16/2007 2:52:13 PM UTC
Book | CardSpace | Identity
 Tuesday, August 07, 2007

In a recent post that clarified that a Java RP is covered in my book, Roger responded "Could you talk more about the characteristics of Java RP and all the open source out there?"

One of the most pleasant things about writing this book is that everyone realized that identity on the net was a problem, the metasystem was a sound approach, and we could all work together - even if our implementations were done on different platforms and in different languages. People just want to solve the problem, and help educate people on how to solve it.

One of the areas where I see the biggest opportunity is helping everyday web developers easily become relying parties. Another is showing those same web developers how information cards can be used for much more than just logging in, particularly for personalization. There are great Java RPs out there, just as there are great RPs in .NET, PHP, and Ruby. I talk a lot about them in the book.

So when a question like this comes up, the question is, do I post the book content online (to answer the question) or do I suggest someone buy the book? One thing that I've been toying with is talking with the publisher about potentially open-sourcing the open source related chapters of the book. The thought was that the open source chapters could be introduced in a wiki-style environment and the community could make sure that new projects were identified, updates in projects, etc. When developing the book, that is the chapter that was re-written the most as there were a number of changes between last March and this year.

Before I talk to my publisher, I'm interested in your feedback on two questions:

(a) Do you think folks in the open source community would still buy the book?

(b) Do you think folks in the open source community would participate?

8/7/2007 4:05:48 PM UTC
Book | CardSpace | Identity | Open Source
 Tuesday, June 26, 2007

When I wrote my new book, Beginning Information Cards and CardSpace: From Novice to Professional, I wanted the reader to go beyond building just 'Hello World' applications that just focused on learning features. Instead, I wanted to have the readers build practical, usable code.

In an effort to let you see what you'll be getting when you buy the book, I thought I'd do some screencasts to highlight what you'll build out.

I'm going to start with Chapter 13, which focuses on automating the issuance of managed cards with Workflow Foundation.

In that chapter, you'll create a number of Workflow Foundation custom activities that can help you automate the issuance of managed cards, complete with email delivery.

Also included is a sample application that calls the workflow and generates a card based on data provided.

Click on the image below to see the video:

Workflow Activities for Cardspace Issuance

6/26/2007 5:40:15 PM UTC
Announcements | CardSpace | Identity | Webcasts | WF
 Thursday, March 29, 2007

Richard Turner has posted a couple of information card / Windows CardSpace videos on his blog.

If you've kinda/sorta heard about CardSpace and information cards and want to get a quality intro with a demo and a description of what's happening behind the scenes, check out the first one.

http://blogs.msdn.com/richardt/archive/2007/03/18/cardspace-simple-demo-screencast-on-channel9.aspx

If you're looking to develop a site on IIS7 (meaning Windows Vista or Longhorn Server) and are curious about how to configure the site to support information cards, the other video steps through how to configure your IIS7 server for sites that will accept information cards.

http://blogs.msdn.com/richardt/archive/2007/03/28/new-screencast-how-to-configure-iis7-for-windows-cardspace-sites.aspx

3/29/2007 12:40:49 AM UTC
Announcements | CardSpace | Identity | Webcasts
 Monday, March 26, 2007

Chapter Three of my upcoming book focuses on the work being done with information cards and in the identity metasystem by people outside of Microsoft. The chapter covers third parties and open source projects, focusing primarily on the folks building identity selectors and security token servers. In the process of researching that chapter, I, of course, ran across the work of Chuck Mortimore. If you're not familiar with his work, Chuck has built out a Java Relying Party, an identity selector plug-in for Firefox, and his site (http://www.xmldap.org) issues managed cards. His identity selector has even been enhanced to handle interop with OpenID (see screenshot below).

Needless to say, I was impressed with his work, and reached out to him about including screenshots of his work in that chapter. He was very gracious and gave his approval. As I was wrapping up the book, one of the readers of this blog asked if we were going to have support for Java in the book. Initially, for relying parties, I'd only committed to the publisher for ASP.NET and PHP. In the pre-.NET world, I actually was an early adopter of Java  (heck, I even hired Gary Cornell, of Core Java fame, to come to Boston and train my team on Java), so I thought what the hell, and decided to  have a go at it. As I was dusting off my core-java books to write the sample, I thought to myself, if I was a java guy, who would I want a sample from? A Microsoft guy who hasn't written any Java code in awhile? Probably not :-)

I thought of who - if I was a reader - I'd like to see the Java sample come from. A big fan of his work over at xmldap.org, I reached out to Chuck and asked if he'd be interested in contributing a Java sample for the chapter. I am really pleased to announce that not only did he agree, he's already sent me the code. If you've not done so already, definitely check out his site, he's doing some great work.

3/26/2007 3:57:54 AM UTC
Announcements | CardSpace | Identity | Interop | Trust | WCF
 Sunday, March 25, 2007

I'm pleased to announce that my book now has a new technical editor, Steven Woodward. Steven leads the Identity and Access Management team in Microsoft's Developer & Platform Evangelism Group. Steve works very closely with our top customers looking at the adoption of Information Cards and Windows CardSpace, and he's a regular fixture at a number of major conferences. I had the good fortune to work with Steven last year when we were both members of the Windows Server evangelism team, and am super excited to have Steve onboard.

He's provided some great insights and comments that have already added value to the book. 

Welcome Steven!

 

3/25/2007 5:43:38 PM UTC
CardSpace | Identity | Interop | WCF
 Wednesday, February 14, 2007

Going through my email this morning, I received my official Mix07 confirmation.  Last year, I had a number of customer commitments so was really not in the loop on Mix, this year, though, I've had some overlap with some of the things I've been working on and have had a chance to get involved in various aspects of the event.

Earlier this year I went to another web conference (which shall remain nameless), and was so disappointed I left the conference (and Vegas) a day early. (Me, leaving Vegas early? Unheard of, I know).

Mix, though, is a different story. From what I've seen of the sessions, this is actually an event I'd pay out of pocket to go to. It's got a good mix of folks from MS, as well as from third parties.  I may or may not be delivering a session, that's something that'll get decided in the next month or so, but will be onsite either working in certain areas of the event, or attending sessions.

One of the great things about conferences is that I get a chance to meet up with former colleagues and people I've chatted with via email and blogs. If you're going to be in Vegas the 29th - 2nd and want to chat about WCF, CardSpace, Mashups, or whatever - shoot me an email and we'll make some plans to sync up.

Mix Elvis

2/14/2007 5:02:05 PM UTC
Announcements | Atlas | CardSpace | Identity | Interop | Live | Mash-ups | Meet | Presentations | REST | RSS | WCF | Web Services | WF
 Friday, February 09, 2007

When the first version of the WCF book was posted up on Amazon for pre-sale, the title was different than agreed to and there were some concerns about the editorial text. They were shortly fixed, and the real title 'Windows Communication Foundation: Hands On (Beta Edition)' and appropriate text was posted.

A few weeks back, I announced that Windows Communication Foundation: Hands On (Beta Edition) was being renamed (and over 200 pages added) as Windows Communication Foundation: Unleashed.

I've been talking for awhile now about a book I've been working on related to CardSpace and information cards.  Like with the first book, the title posted to Amazon was different than what I'd initially agreed to do and the 'about the author' was written when I proposed the book (while working on another team at MS) last year. 

Thus, I've not really said much about it, other than referring to it as the 'CardSpace book'. CardSpace is the client-side technology that provides the identity selector and personal STS. While the book covers CardSpace, a large focus is also on the information cards used there. From creating cards, to consuming cards on the web, integrating card-support into ASP.NET membership, consuming cards or requesting them via services, to a simple card issuance system, the book is more than just CardSpace. Fortunately, after talking with my publisher, we've reached an agreement on the new title "Beginning CardSpace and Information Cards: From Novice to Professional".

This book was written by a guy who buys a lot of books, and the structure of the book reflects that. When I buy a book, I'm either

(a) Investigating - I'm interested in a high level overview and examination of a technology, the rationale for that technology and the competitive landscape. Ideally, this is at a level where the content is accessible to my team - be they architect, dev, or manager.

(b) Topic Learn By Doing - Just as with the 'Hands On' book, I think there's value in not just reading and then doing simple samples. Let me roll up my sleeves and do some coding and learn by doing.

(c) Prototype Acquisition - A book may have a functional prototype of something (i.e. workflow activities for card creation) that I either want for a demo or to build for real. For $30-$50, the book is a steal to get that.

So that's what I wrote. It's been a long process, but it's due out in April.  While the title's not updated on Amazon yet, it is now available for pre-order here: http://www.amazon.com/Beginning-Windows-CardSpace-Novice-Professional/dp/1590598075/sr=8-1/qid=1170952106/ref=pd_bbs_sr_1/103-5507602-4763836?ie=UTF8&s=books

2/9/2007 4:41:28 PM UTC
Announcements | CardSpace | Identity | Interop | WCF | WF
 Thursday, February 08, 2007

One of the interesting things about writing a book on an emerging technology is that you rev the chapters several times before they're released. With the WCF book, this was because we were dealing with CTPs where the object model was changing, with the Information Cards/CardSpace book it's a much better reason. The industry is coming together and collaborating in a most excellent way.

One chapter I'm happy to update this week is the one that looks at information cards outside of Microsoft.

If you haven't heard, some significant announcements came out of the RSA conference.

#1 JanRain, Microsoft, Sxip and Verisign will collaborate on interop between OpenID and CardSpace

As reported on Kim Cameron's Identity Blog:

JanRain, Microsoft, Sxip, and VeriSign will collaborate on interoperability between OpenID and Windows CardSpace™ to make the Internet safer and easier to use. Specifically:

  • As part of OpenID’s security architecture, OpenID will be extended to allow relying parties to explicitly request and be informed of the use of phishing-resistant credentials.
  • Microsoft recognizes the growth of the OpenID community and believes OpenID plays a significant role in the Internet identity infrastructure.  Kim Cameron, Chief Architect of Identity at Microsoft, will work with the OpenID community on authentication and anti-phishing.
  • JanRain, Sxip, and VeriSign recognize that Information Cards provide significant anti-phishing, privacy, and convenience benefits to users.  Information Cards, based on the open WS-Trust standard, are available through Windows CardSpace™.
  • JanRain and Sxip, leading providers of open source code libraries for blogging and web sites, are announcing they will add support for the Information Cards to their OpenID code bases.
  • JanRain, Sxip and VeriSign plan to add Information Card support to future identity solutions.
  • Microsoft plans to support OpenID in future Identity server products
  • The four companies have agreed to work together on a “Using Information Cards with OpenID” profile that will make it possible for other developers and service providers to take advantage of these technology advancements.

Dick Hardt, Sxip Identity
Kim Cameron, Microsoft
Michael Graves, VeriSign
Scott Kveton, JanRain
 

http://www.identityblog.com/?p=668

#2 Ping Identity has released an open source module for Apache:

Ping Identity Corporation today announced the immediate availability of an open source module that allows Apache-hosted applications to use Windows CardSpace Information Cards for authentication. The Apache Authentication Module for CardSpace can be downloaded from http://www.SourceID.org, the open source federated identity management site sponsored by Ping Identity.

The Apache Authentication Module for CardSpace allows applications using an Apache Web server to use Information Cards as an additional authentication mechanism. It allows LAMP-based Web applications written in Perl or PHP to act as CardSpace relying parties (RP) by means of simple configuration. The module is responsible for decrypting the token submitted by the CardSpace identity selector, retrieving the claims and making the claims available for the application’s use.

http://www.pingidentity.com/about/show/165

This is important as it will increase the potential universe of sites secured with phishing-resistant mechanisms and provide a consistent user experience for consumers in CardSpace.
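
The relying-party step the Ping Identity announcement describes (retrieving the claims from a decrypted token), as an added Python example that is not Ping Identity's module code. It assumes a SAML 1.1 token that has already been decrypted and had its XML signature verified; the sample token, the `rp.example.test` audience and the `extract_claims` name are constructed for illustration.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Constructed sample: a decrypted SAML 1.1 assertion with its signature omitted.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="1">
 <saml:Conditions NotBefore="2007-02-08T16:00:00Z" NotOnOrAfter="2007-02-08T17:00:00Z">
  <saml:AudienceRestrictionCondition>
   <saml:Audience>https://rp.example.test/login</saml:Audience></saml:AudienceRestrictionCondition>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS_NS}">
   <saml:AttributeValue>Y29uc3RydWN0ZWQtcHBpZA==</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
   <saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    # A missing or malformed timestamp raises ValueError, so the token is rejected.
    return datetime.strptime(value or "", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_claims(token_xml, audience, now, required=("privatepersonalidentifier",)):
    """Return {claim URI: value} or raise ValueError. Assumes the caller has
    already decrypted the token and verified its XML signature."""
    if "<!DOCTYPE" in token_xml or "<!ENTITY" in token_xml:
        raise ValueError("DTDs are not allowed in tokens")  # blocks entity expansion
    root = ET.fromstring(token_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("token outside validity window")
    # If the token names its audience, it must be this relying party.
    audiences = [(a.text or "").strip() for a in cond.iterfind(".//saml:Audience", NS)]
    if audiences and audience not in audiences:
        raise ValueError("token issued for a different relying party")
    claims = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        uri = f"{attr.get('AttributeNamespace')}/{attr.get('AttributeName')}"
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        claims[uri] = value.strip()
    missing = [r for r in required if f"{CLAIMS_NS}/{r}" not in claims]
    if missing:
        raise ValueError(f"required claims missing: {missing}")
    return claims
```

In a live relying party, `now` would be `datetime.now(timezone.utc)`, and the private personal identifier claim is the value to key the user's account on.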

 

 

 

2/8/2007 4:16:12 PM UTC  #    Comments [0] - Trackback
Announcements | CardSpace | Identity
 Tuesday, January 30, 2007

 

Between some exciting day job work, updating WCF content for the WCF Unleashed book, and writing 15 chapters for the CardSpace book (this time as a sole author) things have been pretty hectic.  Mix in the storm that flooded the first floor of the house, and it got even crazier.

The blog has been fairly dark for awhile, but that's about to change. In a few weeks, the CardSpace book will be handed in, and I can start focusing on other activities. In addition to weekly updates here, I'm also going to be starting a sister blog to this one, more details on that in the weeks to come.

So what's coming? Lots of stuff.

Like what?

I talked with the good folks at APress (my publisher for the CardSpace book), and I'm going to be able to release some of my code from the CardSpace book early, and put it into CodePlex.  This will include ASP.NET controls that integrate with membership. This will also include Windows Workflow Foundation activities and some utilities for creating managed cards.  These will hopefully be in CodePlex, which will include source, so you'll be able to get source and enhance them as you need to. I need to stress that these are from my book written as my 'night job', these are not official controls from Microsoft and should not be viewed as such.

I've actually been pretty busy on some other stuff during the day, and we're looking at what we can release of that (unrelated to CardSpace) to CodePlex as well.

Plus.. I've written about 6 labs in the past couple of days for an internal event.  I'm looking to release those as well, likely with the launch of the sister blog to this one.

Oh, and some InfoCenter Controls may just find their way into CodePlex as well (and if not, I'll release them as binaries from my blog). And I might just include a reference app that shows how to snag podcasts for your Zune :-)

 

 

1/30/2007 5:33:31 AM UTC  #    Comments [2] - Trackback
Announcements | Identity | REST | RSS | WCF | Web Services | WF | WPF | Zune
 Sunday, January 28, 2007

Windows Communication Foundation Unleashed (WCF) (Unleashed)

I was just on Amazon and it looks like the follow up to Windows Communication Foundation: Hands On! is now available for pre-order.

This book contains all of the content updated for RTM, plus 200+ more pages than the original. You'll also see that we've got a new co-author, Matt Winkler.

For those unfamiliar with Matt, he's the technical evangelist for Windows Workflow Foundation here in Redmond, and he's added some great WF content to the book.

If you want to get more details, you can find it here:

http://www.amazon.com/Windows-Communication-Foundation-Unleashed-WCF/dp/0672329484/sr=1-3/qid=1170008872/ref=sr_1_3/002-4228351-3336016?ie=UTF8&s=books

 

1/28/2007 6:36:01 PM UTC  #    Comments [0] - Trackback
CardSpace | Identity | REST | RSS | WCF | Web Services | WF
 Thursday, December 21, 2006

Mercuri's "Services SLA Paradox"

Paid services haven't taken off because there aren't SLAs from Service Providers.
There aren't SLAs from Service Providers because people aren't paying for services.

-----------------------

When someone gives you something for free, they have no obligation to you and you have no recourse if something goes wrong. When I was a student, if I was moving to a new apartment, my friends would help me pack up my old place, load the truck, and unload it at my new apartment.  Sometimes people would show up late, sometimes things would get broken, but hey, they were doing me a favor, so I had no room to complain.

When I move now, I hire a moving company. Why? Because my time is more valuable to me than it was 15 years ago, and I also have much more expensive stuff.  If I was scheduled to move out of a house on the 31st, and the mover's truck broke down, I'd want to make sure the company could swap in another truck from their lot. If my $4,000 television is dropped, I want someone who's insured and who's going to make it right.

Today, we have a number of people giving away services - Google, Yahoo, Flickr, Amazon, StrikeIron, etc.  While there are exceptions like Amazon and StrikeIron that are doing some good work in the utility services space, where they're doing metered usage, I've had a hard time finding SLAs anywhere else. People are doing interesting mash-ups with 'free stuff', but is anyone willing to put free stuff in their application for any key piece of functionality? If you do, and you don't have SLAs, you're a gambler, and for your sake, I hope you're very lucky.

At the Web Builder 2.0 conference held earlier in the month, Day 1's keynote had a speaker who talked about Ajax and mashups, using his company's product as an example.  At the end of the presentation, he opened up the floor for Q&A, at which point I asked him two questions - "what about SLAs" and "what about federated identity".  The answers? 

SLAs: These services are free, so there are no SLAs.

Identity: These services (Yahoo) are free, so that's not an issue.

I find it amazing that people don't proactively address the SLA and Identity issues, and I find it borderline irresponsible that 'experts' ignore or wave off these questions when raised. The need for SLAs should not be such a surprise; people who've spent time looking at this space have written about it, myself having done so back in 2001 ("14 Best Practices for Selecting a Web Service Provider", 2001, .NET Magazine, Fawcette). Yes, it's cool to include maps, search, and images in my application, but if the service could go down - or disappear entirely - at any time, for many scenarios they're a non-option.

If you want to use services for anything real - and by real I mean something you'd use in a key area of an Enterprise or Commercial Software/WebSite - you need to have a Service Level Agreement. Using a service effectively moves a third party from being a vendor to being a business partner. The service provider controls the hardware, the bandwidth, the support, etc. but the service interactions are exposed through your application, with your brand, and your reputation attached to it.

With today's lack of SLAs, if the service goes down for an hour on Thursday, it goes down for an hour on Thursday. Moreover, there's no guarantee that the service is going to be around for a week, a month, a year, etc.  Google just announced (http://news.com.com/2061-10812_3-6145053.html) that they're no longer taking on new customers for the SOAP API they'd been offering. They're moving new customers to an AJAX API. If you were evaluating this and building this functionality into a spec for a smart client application you were developing, and now it's gone, sorry, Charlie. What were you expecting? You're not paying for it, so you can't complain. Without an SLA, no promises are ever made by the provider, so there are no promises to break.

My argument is that SLAs are late to the game, because people aren't paying for services and people aren't paying for services because there are no SLAs. Something I've shamelessly named 'Mercuri's Services SLA Paradox'.  There are some positive movements in the right direction - Amazon and StrikeIron come to mind - but they are definitely the exception and not the rule.

If you're like me, you'd like to be able to leverage and mashup services that you can depend on. If we collectively don't stand up and insist on these, we're stifling innovation. I challenge you to ask the providers - at conferences, in forums, online and in person - "What is your SLA for your services and what will it take/cost for you to offer me this service in a dependable fashion?"

12/21/2006 12:08:13 AM UTC  #    Comments [2] - Trackback
CardSpace | Ideas | Identity | Technology Futures | WCF
 Monday, June 12, 2006

InfoCard has officially been renamed this week.  It is now Microsoft CardSpace (WCS).  As with the rebranding of Indigo to Windows Communication Foundation or for old schoolers like Thunder to Visual Basic, this is nothing to be concerned about.

This is just a natural transition from an internal, pre-release codename to the official product name.

 

6/12/2006 1:46:26 PM UTC  #    Comments [0] - Trackback
CardSpace | Identity
 Tuesday, June 06, 2006

WCF and WF in Public Sector.PPT (2.16 MB)

I did a webcast today on WCF, WF, and Infocard in Public Sector.  For the Retail and Fin Serv webcasts I'd done previously, I'd had great scores (>8/9 in some cases), but there were always requests for additional vertical content after the fact.

I tried switching it up today for the pub sector session (more vertical, less core wcf/wf/identity), but the presentation just didn't click. I think I'll re-record and post a link to it when it's available. I'm pleased with the InfoCard demo, though, as I think it provides additional value.

I've attached my deck to the start of this post, as I wanted people to see the legacy empowerment section that we didn't get to review.

If you're new to the blog, I wanted to point you to some of the demos I've got online, including:

http://www.marcmercuri.com/ct.ashx?id=d0cffe95-b683-4f7c-b883-44feeb0afd43&url=http%3a%2f%2fwww.marcmercuri.com%2fDownloads%2fFinServDevCon.zip

As well as a syllabus for learning InfoCard:

http://www.marcmercuri.com/PermaLink.aspx?guid=eae5a6ef-a12e-4cfd-bd65-56fdf0b103f4

Cheers,

Marc

6/6/2006 7:08:54 PM UTC  #    Comments [0] - Trackback
CardSpace | Identity | WCF | WF | Demos | Presentations
 Monday, June 05, 2006

Just a reminder - I've got a webcast tomorrow on WCF, WF, and Infocard in Public Sector.

This will also include some new, never before seen demos, so wanted to make sure it was reposted.  As a side note, I think I'll tweak with the blog while I'm at TechEd to provide more direct links to samples and webcast information.

 

MSDN Architecture Webcast: Windows Communication Foundation, Windows Workflow Foundation, and "InfoCard" in the Public Sector (Level 200)

 

http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032297650&EventCategory=4&culture=en-US&CountryCode=US

Start Time: Tuesday, June 06, 2006 10:00 AM Pacific Time (US & Canada)

End Time: Tuesday, June 06, 2006 11:00 AM Pacific Time (US & Canada)

Event Description

Recommended Audience: Architect.

Description: Whether the interactions are government to citizen, government to business, or government agency to government agency, the public sector is driven by workflow, communications, and identity. This webcast focuses on components of the WinFX programming model, such as Windows Communication Foundation (formerly code-named "Indigo"), Windows Workflow Foundation (formerly code-named "WinOE"), and the upcoming "InfoCard" identity metasystem, and shows how these technologies can be implemented to ease integration, increase productivity, and enable new scenarios in the public sector. Real-world examples and demonstrations are included in the presentation.

Presenter: Marc Mercuri, Architect Evangelist, Microsoft Corporation

Marc Mercuri is a member of the Windows Server Evangelism team at Microsoft, where he focuses on Windows Communication Foundation, Windows Workflow Foundation, and identity and access management technologies. Most of his career has involved systems and data integration with a major emphasis on using services for integration purposes. Marc is also the coauthor of an upcoming book, Microsoft Windows Communication Foundation: Hands-on, scheduled to be published by Sams in 2006.

 


6/5/2006 9:17:44 PM UTC  #    Comments [0] - Trackback
CardSpace | Identity | WCF | WF | Webcasts
 Tuesday, May 30, 2006

If you only go to one Chalk Talk at TechEd this year, check out this one. 

Anyone who's worked in a large Enterprise is familiar with the challenges of getting new machines provisioned and available in a reasonable amount of time. Typically the wait is days/weeks/months. Credit Suisse has solved this problem, and Leslie Muller will be discussing the Virtual Machine Provisioning System that was built and deployed  earlier this year using WF, WCF, Virtual Server, ASP.NET, and AzMan.

I've had the privilege of being involved in this project, and I think this session will be great in a couple of respects. It's an opportunity to go beyond the samples and the case studies and listen to an Architect at a Fortune 50 customer who's developed and deployed WinFX successfully. It's also a great opportunity to connect with Leslie, who is a thought leader and is doing some very interesting, very impactful work that transcends verticals.

Full abstract and location details below: 

Abstract: Credit Suisse Group is a leading global financial services company, providing clients with investment banking, private banking and asset management services worldwide. Like in most enterprises, Credit Suisse provided their developers with physical machines for development. Issues such as combination of authorization, physical delivery times and compliance-related workflows led to slow development timeframes. Their R&D group built an extremely extensible self-service virtual-machine provisioning system that enables software developers in a fraction of the time to easily, securely and rapidly provision on-demand disposable workstations, servers, and multi-tier environments. Credit Suisse will exponentially increase software developer productivity, drastically lower IT costs and ensure compliancy with continuously stringent regulatory requirements. The