I am afraid I'll have to delay beta testing of Arcot PGP Plugin for a few weeks, probably after my trip to Toronto. While the economy seems to be bouncing back from my vantage point, I am still not at a point where I can refuse work for my clients. Last week and this week, I have been busy working on a client's project. As usual, I am being forced to accelerate to lightspeed on short notice toward a brick wall. Wouldn't it be nice to be doing what Dave is doing, even with all the snow? BTW, I signed up for the Amazon Workshop Scott Loftesness mentioned. I got daydreaming scheduled for the entire day.
Category: Technical
JDK 1.4.2 and Java Update Scheduler
I just installed JDK 1.4.2 Beta 1 on my laptop. 1.4.2 Client VM supposedly reduces memory footprint by 25% although I haven't noticed any speed differences. This version also supports XP Themes although I haven't tried it yet. What I did notice was that JDK 1.4.2 installs and configures an executable named jusched.exe to run on startup and stay resident. There was no mention on Sun webpages other than a bug report filed against it for an uninstallation problem.
Apparently, jusched.exe's official name is Java Update Scheduler, and it is used to check, download, verify, and install Java VM updates on a daily, weekly, or monthly basis according to the Java Plug-in Control Panel settings. Gee, thanks a lot for wasting 2meg+ of memory, without asking me, so I can keep checking for Java VM updates daily at 3AM although Java VM updates are months apart. I wonder whose idiotic and arrogant muck for brain brought this about?
While I am ranting, allow me to raise my middle finger to salute folks at Apple and Real Networks for doing the same with Quicktime and RealPlayer. Why don't you go sue Microsoft to gain access to Microsoft Update service instead of wasting our RAM space? Failing at that, start a consortium to consolidate this sort of thing. If every software vendor did the same thing you guys have, I'll have to take a walk around the block every time I start my PC. Geesh.
Liability Shift
A huge change under the e-commerce sea in the US is about to happen: credit card transaction liability shift from merchants to issuers. Europe already shifted over last year. This time around, it's the US. What I am not sure about is the exact date.
Originally, it was to be April 1st, 2003. The schedule slipped and it's difficult to figure out the real date. The most trustworthy date is April 5th. From that date, e-tailers can automatically shift liability to issuers by simply attempting to verify the transaction using either Visa's Verified-by-Visa or MasterCard's SecureCode programs.
This is a huge event, folks. I wouldn't be surprised if more e-tailers in the US announce profitability in the near future. That is, until Net Tax becomes a reality and chokes online sales.
Pain means money for doctors
When XML first appeared, people started hyping it as a new technology. I do understand why this happened. Technology is like magic and people are willing to pay for technology. Well, XML is not really a technology. It's just a language, not unlike English and Korean. Not very sexy at all. The special thing about XML is this: it is a common language, more like English than Korean.
Well, it's happening all over again with XACML, SAML, and Liberty Alliance. People are hyping them as new technologies, yet they are just common languages for specific domains, like the way doctors and lawyers have their own lingo even though they are all speaking English. XACML is a language for describing access control policies. SAML is a language for describing security assertions, attributes, and statements related to a person or a process. Liberty is an extension of SAML for federated SSO. Nothing new, but exciting in that many folks are speaking the same language. Wonderful things happen when everyone speaks the same language.
Still, there is a heavy price to be paid before these new 'technologies' can be realized. Everyone has to learn it, meaning bidirectional bridges have to be built before all those proprietary systems can start talking in XACML, SAML, and Liberty. Ouch. Thankfully, trouble means money for solutions providers just as pain means money for doctors. XML is great because it draws people to look up at the sky and causes a great big pain in the neck. Don't take two aspirins. Make an appointment.
Identities in the World of Ends, Means, and Control Freaks
First it was Doc Searls' Making Mydentities, a customer-centric approach to identities in the World of Ends.
- Let's say I have engaged a new category of business–a relationship registrar called MyID–to certify, authenticate and otherwise substantiate the preferences, permissions and other variables that might be involved in mydentity-based relationships with participating companies and other organizations (including federal, state and local public ones). When I'm not using this mydentity, I still default to anonymity or to the relationships provided by current systems. A mydentity is not a Required Thing, but rather a huge value-add for the companies willing to do business with it.
- Then, let's say I'm one of millions of other similarly registered folks.
- Now, let's say I have a mydentity-enabled relationship with Disney. My family goes to their theme parks, buys their movies and takes their cruises. But the relationship has substance of the sort many of us have long enjoyed, in a deep but narrow way, with airlines that grant us privileges as frequent flyers and airport lounge club members. We matter to each other. Our mydentity-informed transaction histories substantiate that, as do our allied relationships with other companies and other customers. The difference is that whatever "federation" exists among those companies happens at my grace, not theirs.
- Let's say I'm interested in making connections between Disney and certain other companies or kinds of companies with which I like to do business. That way, when I book a cruise, Disney will know and value the fact that I prefer to fly on United Airlines, stay in Marriott or Wyndham hotels and rent cars from Budget or Enterprise. Disney also will know there are kinds of businesses I don't want to deal with, such as the kind that make unsolicited telephone calls and e-mailings.
Russ Jones, a Glenbrook Partner, followed with "I should be the first to know".
"I should not only be able to watch my credit file, but various other combinations of my social security number, name, address, and telephone number, and other identity attributes. If someone opens a new account with my name and address but with another social security number, for example, I should be alerted. Bureaus should "unmask" the complexity of this situation and let consumers take control of how their identity attributes are accessed, used, and reported."
Finally, Jamie Lewis of the Burton Group raises the level of discussion a notch with "Ends and Means: Identities in Two Worlds", a very well written paper. I particularly like the phrase 'World of Means'. Unfortunately, he has no solution either other than pointing to somewhere between the World of Ends and Means.
Acrobat PGP Plug-in Progress
Basic functionalities are now done. I am enumerating through possible extra features before refactoring for runtime extensibility. Within two weeks, I'll be ready for beta testing. Meanwhile, I am going to have to decide whether to publish it myself or not.
Eclipse 2.1 Final Released
The final version of Eclipse 2.1 was released today, on schedule. It's available here. I didn't and still don't think it was ready to be released, but I would be very happy to be surprised. Go get 'em, boys.
Use of Digital Signature in SAML and Liberty Alliance
Both SAML and Liberty Alliance use XML-Signature for integrity and non-repudiation in profiles that use HTTP POST to pass sensitive information like assertions. Unfortunately, these profiles are not as scalable as those using SOAP over HTTPS with bilateral authentication.
This is because SSL can be deployed inexpensively over a server farm and SSL acceleration is becoming a commodity technology. Also, SOAP-based profiles allow the IDP and SP to open and keep alive bilaterally authenticated HTTPS channels.
XML-Signature, on the other hand, can't easily be deployed over a server farm due to higher expense, administration difficulties, and lack of expertise. Note that the IDP and SP must respectively sign and verify each time the user establishes an authenticated session with an SP.
This worries me because I am interested in developing a browser plug-in that turns IE into a Liberty-Enabled Client. The Liberty-Enabled Client and Proxy (LECP) profile requires the use of XML-Signature to protect assertions from Identity Provider (IDP) to Service Provider (SP).
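Added example, not code from this post or from the SAML or Liberty specifications: a Go model of the POST-profile cost described above, where every user session needs one IDP signature and one SP verification, and where the SP's check is the only thing that catches an assertion altered on its way through the browser. Assumptions: Ed25519 from the Go standard library stands in for the XML-Signature algorithms, the signature covers raw bytes rather than canonicalized XML, and the type names, `RunSessions` and `sp.example` are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedAssertion is a constructed stand-in for an assertion relayed by HTTP POST (raw bytes, no XML canonicalization).
type SignedAssertion struct{ Body, Sig []byte }

// IDP counts its signing operations, SP its verifications.
type IDP struct{ key ed25519.PrivateKey; Signs int }
type SP struct{ idpKey ed25519.PublicKey; Verifies int }

// Issue signs one assertion; the POST profile needs this once per user session.
func (i *IDP) Issue(user, sp string) SignedAssertion {
	body := []byte(fmt.Sprintf("<Assertion><Subject>%s</Subject><Audience>%s</Audience></Assertion>", user, sp))
	i.Signs++
	return SignedAssertion{body, ed25519.Sign(i.key, body)}
}

// Accept verifies the IDP signature; the form came through the browser, so nothing else vouches for it.
func (s *SP) Accept(a SignedAssertion) bool {
	s.Verifies++
	return ed25519.Verify(s.idpKey, a.Body, a.Sig)
}

// RunSessions simulates n logins, then presents the last assertion again with its subject altered in transit.
func RunSessions(n int) (signs, verifies, accepted int, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	idp, sp := &IDP{key: priv}, &SP{idpKey: pub}
	var last SignedAssertion
	for u := 0; u < n; u++ {
		last = idp.Issue(fmt.Sprintf("user%d", u), "sp.example")
		if sp.Accept(last) {
			accepted++
		}
	}
	last.Body = bytes.Replace(last.Body, []byte("user"), []byte("root"), 1)
	tamperedOK = sp.Accept(last)
	return idp.Signs, sp.Verifies, accepted, tamperedOK, nil
}

func main() { fmt.Println(RunSessions(5)) }
```

The signing and verification counts grow linearly with user sessions, which is the scaling concern raised above; a kept-alive, bilaterally authenticated HTTPS channel pays its public-key cost once per IDP-SP connection instead.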
Eclipse 2.1 Progress
As I expected, the RC3 release is in shambles with multiple subreleases and broken builds. The good news is that RC4 is going to be built tomorrow. I have no idea when the final release is going to be, although the Eclipse website still says this Friday. I hope they give us a couple of weeks to pound on RC4.
Unreal File Protection
Replacing protected library files in use is a chore. Yesterday, I had to replace some PGP 8.0 DLLs with debug versions so I could step through PGP code. Since they are in use, I tried to use a Microsoft command-line tool inuse.exe to schedule those DLLs to be replaced after reboot. Unfortunately, the files were protected by WFP (Windows File Protection). So I disabled WFP temporarily by changing a registry setting. Still a no go. Frustrated, I tried something that shouldn't have worked. I renamed the DLLs and copied over the replacement DLLs. Now I am stepping through PGP to chase down a bug. Windows security is unreal.