When XML first appeared, people started hyping it as a new technology. I do understand why this happened. Technology is like magic, and people are willing to pay for technology. Well, XML is not really a technology. It's just a language, not unlike English and Korean. Not very sexy at all. The special thing about XML is this: it is a common language, more like English than Korean.
Well, it's happening all over again with XACML, SAML, and Liberty Alliance. People are hyping them as new technologies, yet they are just common languages for specific domains, the way doctors and lawyers have their own lingo even though they are all speaking English. XACML is a language for describing access control policies. SAML is a language for describing security assertions, attributes, and statements related to a person or a process. Liberty is an extension of SAML for federated SSO. Nothing new, but exciting in that many folks are speaking the same language. Wonderful things happen when everyone speaks the same language.
Still, there is a heavy price to be paid before these new 'technologies' can be realized. Everyone has to learn them, meaning bidirectional bridges have to be built before all those proprietary systems can start talking in XACML, SAML, and Liberty. Ouch. Thankfully, trouble means money for solution providers, just as pain means money for doctors. XML is great because it draws people to look up at the sky and causes a great big pain in the neck. Don't take two aspirins. Make an appointment.
First it was Doc Searls' Making Mydentities, a customer-centric approach to identities in the World of Ends.
Let's say I have engaged a new category of business–a relationship registrar called MyID–to certify, authenticate and otherwise substantiate the preferences, permissions and other variables that might be involved in mydentity-based relationships with participating companies and other organizations (including federal, state and local public ones). When I'm not using this mydentity, I still default to anonymity or to the relationships provided by current systems. A mydentity is not a Required Thing, but rather a huge value-add for the companies willing to do business with it.
Then, let's say I'm one of millions of other similarly registered folks.
Now, let's say I have a mydentity-enabled relationship with Disney. My family goes to their theme parks, buys their movies and takes their cruises. But the relationship has substance of the sort many of us have long enjoyed, in a deep but narrow way, with airlines that grant us privileges as frequent flyers and airport lounge club members. We matter to each other. Our mydentity-informed transaction histories substantiate that, as do our allied relationships with other companies and other customers. The difference is that whatever "federation" exists among those companies happens at my grace, not theirs.
Let's say I'm interested in making connections between Disney and certain other companies or kinds of companies with which I like to do business. That way, when I book a cruise, Disney will know and value the fact that I prefer to fly on United Airlines, stay in Marriott or Wyndham hotels and rent cars from Budget or Enterprise. Disney also will know there are kinds of businesses I don't want to deal with, such as the kind that make unsolicited telephone calls and e-mailings.
Russ Jones, a Glenbrook Partner, followed with "I should be the first to know".
"I should not only be able to watch my credit file, but various other combinations of my social security number, name, address, and telephone number, and other identity attributes. If someone opens a new account with my name and address but with another social security number, for example, I should be alerted. Bureaus should "unmask" the complexity of this situation and let consumers take control of how their identity attributes are accessed, used, and reported."
Finally, Jamie Lewis of the Burton Group raises the level of discussion a notch with "Ends and Means: Identities in Two Worlds", a very well written paper. I particularly like the phrase 'World of Means'. Unfortunately, he has no solution either, other than pointing to somewhere between the World of Ends and the World of Means.
Basic functionality is now done. I am enumerating possible extra features before refactoring for runtime extensibility. Within two weeks, I'll be ready for beta testing. Meanwhile, I am going to have to decide whether to publish it myself or not.
Looks like Saddam is going to use chemical weapons pretty soon. I don't know what we can do in response though. Use tactical nukes on those Iraqi divisions? I guess we'll have to do something that drastic to prevent copycats. What about Baghdad though?
The final version of Eclipse 2.1 was released today, on schedule. It's available here. I didn't and still don't think it was ready to be released, but I would be very happy to be surprised. Go get 'em, boys.
Both SAML and Liberty Alliance use XML-Signature for integrity and non-repudiation in the profiles that push sensitive information, such as assertions, through the browser with an HTTP POST. Unfortunately, these profiles do not scale as well as those that pull assertions over a back channel using SOAP over mutually authenticated HTTPS (SAML's Browser/Artifact profile, for instance).
This is because SSL can be deployed inexpensively across a server farm, and SSL acceleration is becoming a commodity technology. Also, the SOAP-based profiles let the IDP and SP open mutually authenticated HTTPS connections once and keep them alive, so the per-session cost is one request over an existing channel rather than a fresh public-key operation.
XML-Signature, on the other hand, is hard to deploy across a server farm: it is more expensive, harder to administer, and the expertise is scarce. Note that the IDP must sign, and the SP must verify, a fresh assertion every time a user establishes an authenticated session with an SP, so the public-key cost is paid per session.
This worries me because I am interested in developing a browser plug-in that turns IE into a Liberty-Enabled Client. The Liberty-Enabled Client and Proxy (LECP) profile requires the use of XML-Signature to protect assertions from the Identity Provider (IDP) to the Service Provider (SP).
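The SP side of a POST-style profile involves more than verifying the signature, and the per-session cost lands on the SP precisely because every POSTed assertion has to be checked on its own. As an added example (not code from the original post, nor from Liberty or any SAML toolkit), here is a Python sketch of the acceptance checks an SP performs on a Browser/POST assertion: signature, trusted issuer, validity window with clock skew, audience restriction, and one-time use of the AssertionID. The issuer and audience URLs, key, IDs and timestamps are constructed; the signature check is a callback so the code does not pretend to implement XML-Signature, and the runnable demo stands in an HMAC for it.

```python
"""SP-side checks on a SAML 1.1 assertion delivered by Browser/POST.
Added example, not from the original post or from Liberty/SAML code.
Hypothetical IDP/SP names; HMAC stands in for XML-Signature in the demo."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ASSERTION_TAG = "{%s}Assertion" % SAML_NS
CONDITIONS_TAG = "{%s}Conditions" % SAML_NS
AUDIENCE_TAG = "{%s}Audience" % SAML_NS

# Constructed sample assertion (hypothetical IDP/SP URLs, fixed ID and times).
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"'
    ' MajorVersion="1" MinorVersion="1"'
    ' AssertionID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"'
    ' Issuer="https://idp.example.net" IssueInstant="2003-03-27T20:00:00Z">'
    '<saml:Conditions NotBefore="2003-03-27T19:59:00Z"'
    ' NotOnOrAfter="2003-03-27T20:05:00Z">'
    '<saml:AudienceRestrictionCondition>'
    '<saml:Audience>https://sp.example.com</saml:Audience>'
    '</saml:AudienceRestrictionCondition></saml:Conditions>'
    '<saml:AuthenticationStatement'
    ' AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"'
    ' AuthenticationInstant="2003-03-27T19:59:30Z">'
    '<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>'
    '</saml:AuthenticationStatement></saml:Assertion>'
).encode()


def parse_instant(text):
    """SAML 1.1 timestamps are UTC with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_bytes, verify_signature, trusted_issuers, my_audience,
                       seen_ids, now, skew=timedelta(seconds=60)):
    """Return (accepted, reason). Signature first, so nothing in a forged blob
    is trusted; AssertionID last, so a rejected assertion never consumes a
    slot in the replay cache."""
    if not verify_signature(xml_bytes):
        return False, "bad signature"
    root = ET.fromstring(xml_bytes)
    if root.tag != ASSERTION_TAG or root.get("MajorVersion") != "1":
        return False, "not a SAML 1.x assertion"
    if root.get("Issuer") not in trusted_issuers:
        return False, "untrusted issuer"
    conditions = root.find(CONDITIONS_TAG)
    if conditions is None:
        return False, "no Conditions"
    not_before = parse_instant(conditions.get("NotBefore"))
    not_on_or_after = parse_instant(conditions.get("NotOnOrAfter"))
    if now + skew < not_before:
        return False, "not yet valid"
    if now - skew >= not_on_or_after:
        return False, "expired"
    audiences = {a.text for a in conditions.iter(AUDIENCE_TAG)}
    if my_audience not in audiences:
        return False, "wrong audience"
    assertion_id = root.get("AssertionID")
    if not assertion_id or assertion_id in seen_ids:
        return False, "replayed AssertionID"
    seen_ids.add(assertion_id)  # a real SP keeps it until NotOnOrAfter + skew
    return True, "ok"


# Demo stand-in for XML-Signature: an HMAC over the bytes exactly as POSTed.
DEMO_KEY = b"demo-shared-secret"  # hypothetical; a real IDP signs with its private key


def demo_sign(xml_bytes):
    return hmac.new(DEMO_KEY, xml_bytes, hashlib.sha256).hexdigest()


def make_verifier(expected_mac):
    return lambda xml_bytes: hmac.compare_digest(demo_sign(xml_bytes), expected_mac)


def demo():
    """Run the checks against the constructed sample in four scenarios."""
    mac = demo_sign(SAMPLE_ASSERTION)
    now = parse_instant("2003-03-27T20:01:00Z")
    common = dict(verify_signature=make_verifier(mac),
                  trusted_issuers={"https://idp.example.net"},
                  my_audience="https://sp.example.com")
    cache = set()  # shared across requests: the replay cache
    return {
        "fresh": validate_assertion(SAMPLE_ASSERTION, seen_ids=cache, now=now, **common),
        "replay": validate_assertion(SAMPLE_ASSERTION, seen_ids=cache, now=now, **common),
        "late": validate_assertion(SAMPLE_ASSERTION, seen_ids=set(),
                                   now=now + timedelta(minutes=10), **common),
        "tampered": validate_assertion(SAMPLE_ASSERTION.replace(b"alice", b"admin"),
                                       seen_ids=set(), now=now, **common),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Every one of these checks runs on each POSTed assertion, and in a real deployment the signature step is an RSA verification against the IDP's certificate on every user login, which is the cost the post is worried about. On the SOAP back channel the IDP's identity is established once by the mutually authenticated TLS handshake and amortized over a kept-alive connection, while the validity window, audience and replay checks still apply to whatever the SP pulls over it.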
As I expected, the RC3 release is in shambles, with multiple sub-releases and broken builds. The good news is that RC4 is going to be built tomorrow. I have no idea when the final release is going to be, although the Eclipse website still says this Friday. I hope they give us a couple of weeks to pound on RC4.
Yesterday, I was poking around the Documentum website to see what is involved in developing software for Documentum. There was almost nothing to download other than some fluffy whitepapers. Unless I am mistaken, one must become a Documentum Partner to develop anything that works with Documentum. What does it take to become a Documentum Partner? $10K per year. Ouch. Documentum is an exclusive club of sorts. A competitor smart enough to leverage the open source community should be able to run circles around Documentum.
Replacing protected library files that are in use is a chore. Yesterday, I had to replace some PGP 8.0 DLLs with debug versions so I could step through PGP code. Since they were in use, I tried to use a Microsoft command-line tool, inuse.exe, to schedule those DLLs to be replaced after a reboot. Unfortunately, the files were protected by WFP (Windows File Protection). So I disabled WFP temporarily by changing a registry setting. Still no go. Frustrated, I tried something that shouldn't have worked: I renamed the DLLs and copied over the replacement DLLs. Now I am stepping through PGP to chase down a bug. Windows security is unreal.
I thought Sean's article was a good glancing blow, but Danny and Uche apparently don't think so. They are too busy defending RDF to realize that people like Sean are smart, experienced experts whose criticisms should be carefully examined, like rocks from a jade mine, instead of focusing on their flaws.
Sjoerd Visscher + Danny Ayers on the RDF article. Sjoerd says exactly what I was trying to say in the article. He points at Danny Ayers' (and Uche's) comments, which are both worth a read.
I'm not anti-RDF, I'm anti "in-your-face" RDF. That's a very different thing. It's why I like the idea of semantic shadows I explained in the article. [Sean McGrath, CTO, Propylon]
I, like Sean, like the ideas behind the Semantic Web and understand the benefits of RDF. What I don't like is people claiming that the Semantic Web is the Next Big Thing and that everyone will be using RDF eventually. "In-Your-Face" RDF, as Sean calls it, is what disgusts me.
When you put a typical XML fragment next to an RDF fragment, most people grok the XML fragment because, like a grocery list, there is almost nothing to understand. An RDF fragment, on the other hand, requires some effort to map from the XML syntax to a mental model. Without understanding the RDF model, it's much harder. A directed graph is easy enough to understand on a piece of paper. A large directed graph in your head or in textual form is quite another beast.
You can't expect average web developers to use RDF without understanding it. Yes, tools can ease the pain. Tools also obfuscate and separate the user from the data. Danny and Uche only see the benefits of RDF, while people like Sean and I see the disadvantages as well and recommend more judicious use of RDF.