When XML first appeared, people started hyping it as a new technology. I do understand why this happened. Technology is like magic, and people are willing to pay for technology. Well, XML is not really a technology. It's just a language, not unlike English and Korean. Not very sexy at all. The special thing about XML is this: it is a common language, more like English than Korean.
Well, it's happening all over again with XACML, SAML, and Liberty Alliance. People are hyping them as new technologies, yet they are just common languages for specific domains, the way doctors and lawyers have their own lingo even though they are all speaking English. XACML is a language for describing access control policies. SAML is a language for describing security assertions, attributes, and statements related to a person or a process. Liberty is an extension of SAML for federated SSO. Nothing new, but exciting in that many folks are speaking the same language. Wonderful things happen when everyone speaks the same language.
Still, there is a heavy price to be paid before these new 'technologies' can be realized. Everyone has to learn them, meaning bidirectional bridges have to be built before all those proprietary systems can start talking in XACML, SAML, and Liberty. Ouch. Thankfully, trouble means money for solutions providers just as pain means money for doctors. XML is great because it draws people to look up at the sky and causes a great big pain in the neck. Don't take two aspirins. Make an appointment.
First it was Doc Searls' Making Mydentities, a customer-centric approach to identities in the World of Ends.
Let's say I have engaged a new category of business–a relationship registrar called MyID–to certify, authenticate and otherwise substantiate the preferences, permissions and other variables that might be involved in mydentity-based relationships with participating companies and other organizations (including federal, state and local public ones). When I'm not using this mydentity, I still default to anonymity or to the relationships provided by current systems. A mydentity is not a Required Thing, but rather a huge value-add for the companies willing to do business with it.
Then, let's say I'm one of millions of other similarly registered folks.
Now, let's say I have a mydentity-enabled relationship with Disney. My family goes to their theme parks, buys their movies and takes their cruises. But the relationship has substance of the sort many of us have long enjoyed, in a deep but narrow way, with airlines that grant us privileges as frequent flyers and airport lounge club members. We matter to each other. Our mydentity-informed transaction histories substantiate that, as do our allied relationships with other companies and other customers. The difference is that whatever "federation" exists among those companies happens at my grace, not theirs.
Let's say I'm interested in making connections between Disney and certain other companies or kinds of companies with which I like to do business. That way, when I book a cruise, Disney will know and value the fact that I prefer to fly on United Airlines, stay in Marriott or Wyndham hotels and rent cars from Budget or Enterprise. Disney also will know there are kinds of businesses I don't want to deal with, such as the kind that make unsolicited telephone calls and e-mailings.
Russ Jones, a Glenbrook Partner, followed with "I should be the first to know".
"I should not only be able to watch my credit file, but various other combinations of my social security number, name, address, and telephone number, and other identity attributes. If someone opens a new account with my name and address but with another social security number, for example, I should be alerted. Bureaus should "unmask" the complexity of this situation and let consumers take control of how their identity attributes are accessed, used, and reported."
Finally, Jamie Lewis of the Burton Group raises the level of discussion a notch with "Ends and Means: Identities in Two Worlds", a very well written paper. I particularly like the phrase 'World of Means'. Unfortunately, he has no solution either, other than pointing to somewhere between the World of Ends and the World of Means.
Basic functionalities are now done. I am enumerating possible extra features before refactoring for runtime extensibility. In two weeks, I'll be ready for beta testing. Meanwhile, I am going to have to decide whether to publish it myself or not.
Looks like Saddam is going to use chemical weapons pretty soon. I don't know what we can do in response though. Use tactical nukes on those Iraqi divisions? I guess we'll have to do something that drastic to prevent copycats. What about Baghdad though?
The final version of Eclipse 2.1 was released today, on schedule. It's available here. I didn't and still don't think it was ready to be released, but I would be very happy to be surprised. Go get 'em, boys.
Both SAML and Liberty Alliance use XML-Signature for integrity and non-repudiation in profiles that use HTTP POST to pass sensitive information like assertions. Unfortunately, these profiles are not as scalable as those using SOAP over HTTPS with bilateral authentication.
This is because SSL can be deployed inexpensively over a server farm, and SSL acceleration is becoming a commodity technology. Also, SOAP-based profiles allow the IDP and SP to open and keep alive bilaterally authenticated HTTPS channels.
XML-Signature, on the other hand, can't easily be deployed over a server farm due to higher expense, administration difficulties, and lack of expertise. Note that the IDP and SP must respectively sign and verify each time the user establishes an authenticated session with an SP.
This worries me because I am interested in developing a browser plug-in that turns IE into a Liberty-Enabled Client. Liberty-Enabled Client and Proxy (LECP) profile requires the use of XML-Signature to protect assertions from Identity Provider (IDP) to Service Provider (SP).
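To make the per-session work concrete, here is a deliberately simplified model of what the POST profile asks of each side: the IDP signs every assertion it issues, and the SP verifies every assertion it receives before it trusts the subject. This is example code added for this page, not code from the SAML or Liberty specifications or from any project. The Assertion fields, the example.org/example.com URLs and the canonicalization shortcut are assumptions; real XML-Signature wraps this in a ds:Signature element with Canonical XML, Reference/DigestValue and KeyInfo, all omitted here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Assertion is a drastically simplified stand-in for a SAML assertion carried
// in a browser/POST profile. Field names and values are constructed for this example.
type Assertion struct {
	XMLName      xml.Name `xml:"Assertion"`
	Issuer       string   `xml:"Issuer"`
	Subject      string   `xml:"Subject"`
	Recipient    string   `xml:"Recipient"`    // the SP this assertion is addressed to
	NotOnOrAfter string   `xml:"NotOnOrAfter"` // RFC 3339 expiry
}

// SignedAssertion is what the IDP hands to the browser for the SP:
// the assertion plus the IDP's signature over its canonical bytes.
type SignedAssertion struct {
	Assertion Assertion
	Signature string // base64(RSA-PKCS1v15(SHA-256(canonical assertion)))
}

// canonical returns the bytes that get signed. Real XML-Signature uses Canonical
// XML (C14N); this example relies on encoding/xml emitting identical bytes for
// the same struct on both sides, which is an assumption, not the standard.
func canonical(a Assertion) ([]byte, error) {
	return xml.Marshal(a)
}

// signAssertion is the per-session work on the IDP: one RSA signature per assertion.
func signAssertion(priv *rsa.PrivateKey, a Assertion) (SignedAssertion, error) {
	data, err := canonical(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Assertion: a, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// verifyAssertion is the per-session work on the SP: one RSA verification per
// assertion, plus the recipient and expiry checks that keep a genuine signature
// from being replayed to the wrong SP or after its validity window.
func verifyAssertion(pub *rsa.PublicKey, s SignedAssertion, expectedRecipient string, now time.Time) error {
	data, err := canonical(s.Assertion)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(s.Signature)
	if err != nil {
		return fmt.Errorf("malformed signature: %w", err)
	}
	digest := sha256.Sum256(data)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature does not match assertion: %w", err)
	}
	if s.Assertion.Recipient != expectedRecipient {
		return errors.New("assertion addressed to a different SP")
	}
	exp, err := time.Parse(time.RFC3339, s.Assertion.NotOnOrAfter)
	if err != nil {
		return fmt.Errorf("bad NotOnOrAfter: %w", err)
	}
	if !now.Before(exp) {
		return errors.New("assertion expired")
	}
	return nil
}

func main() {
	// Constructed IDP key pair; a deployment would use the IDP's signing certificate key.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	a := Assertion{
		Issuer:       "https://idp.example.org",
		Subject:      "alice",
		Recipient:    "https://sp.example.com/acs",
		NotOnOrAfter: time.Now().Add(5 * time.Minute).UTC().Format(time.RFC3339),
	}
	signed, err := signAssertion(priv, a)
	if err != nil {
		panic(err)
	}
	acs := "https://sp.example.com/acs"
	fmt.Println("genuine assertion:", verifyAssertion(&priv.PublicKey, signed, acs, time.Now()))
	signed.Assertion.Subject = "mallory" // modified while passing through the browser
	fmt.Println("tampered assertion:", verifyAssertion(&priv.PublicKey, signed, acs, time.Now()))
}
```

Every browser-mediated login costs the IDP one signing operation and the SP one verification plus the freshness checks, which is the work the post contrasts with a single bilaterally authenticated HTTPS channel that, once established, carries many assertions.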
As I expected, the RC3 release is in shambles, with multiple subreleases and broken builds. The good news is that RC4 is going to be built tomorrow. I have no idea when the final release is going to be, although the Eclipse website still says this Friday. I hope they give us a couple of weeks to pound on RC4.