Medusa, python web server framework, consumes only about 4-5 meg to run.  Best embeddable Java-based web server I could find was Bejy, weighing in at 277K disk and 6-8 meg memory.  That is really good considering Bejy supports Servlets 2.3, JSP 1.2, and SSL.  In comparison, Jetty, a popular embeddable Java web server, need 1+ meg disk and 16+ meg memory.  Only downside to Bejy seems to be that its not open source and only available for non-commercial use.

JSP is not good for desktop webapps because JSP requires Java compiler.  Are there any JSP engine that generates Java bytecode directly?  In theory, all you need is a bytecode generator tool like Apache's BCEL and some duck tapes.  If not, template languages like Velocity makes more sense for desktop webapps.

What a bummer.  I had been working on a desktop application that uses ASP.NET to drive DHTML UI, but I just found out that ASP.NET is supported on following platforms only:

• Windows 2000 Professional/Server
• Windows XP Professional
• Windows 2003 Server family

That leaves out Windows 9x, Me, and XP Home which make up about 50% of all desktop platforms out there.  Admittedly, these platforms don't have IIS installed, but I am using Cassini, a small web server, to host ASP.NET.  Everyone can forget about writing UPP, PersonalWebProxy, or what-ever-you-call-it using ASP.NET.

Unless I find a reasonable workaround, I'll have to port everything I have written so far over to either Python or Java.  At this point, I am leaning heavier toward Python because it has tight interoperability with COM and Win32 via PythonCom and PythonWin.  Damn.

Judge Motz ordering Microsoft to ship Sun's Java VM in every copy of Windows will mean a renewed hope for Java desktop applications.  Its too bad that there is no 'shared' JVM support nor responsive GUI yet in Java, but this is a good turn of events.  I wish Judge Motz would order Microsoft to ship their own .NET Framework with every copy of Windows within 120 days.

SourceID implements Liberty Alliance 1.1 spec.  People behind it are PingID and Jabber folks with Andre Durand being the primary pusher.  Looking at my workstack, I'll probably play with it around 2 weeks from now.

I have been looking at several crypto APIs and the picture is not pretty and getting worse.  At this time, most developers I know are ignoring standard APIs like GSS, CDSA, and PKCS#11 as well as platform APIs likeWin32 CryptoAPI.  Popular open source libraries like OpenSSL and Crypto++ rule.  Architecturally, I like CDSA and GSS.  CDSA is nice because it is open source, has fair documentation, and well designed.  Unfortunately, CDSA is not being pushed strongly by Intel and supporters.  Netscape announced support and then abandoned it.  NSA seems to consider it important as an interoperability hub of sort, but favors GSS according to some presentations I found.  GSS is also well designed, but there is no readily available Win32 implementation nor adapters.  CDSA has adapters for OpenSSL and PKCS#11.  With GSS, I am not even sure where to get C header files.  If there is enough call for it, maybe I'll put together an open source GSS library (OpenGSS?).  Otherwise, I'll probably use CDSA with minimal leakage across the project.

SDK is not released yet, but libraries are included in PGP 8.0 installation.  So I spent a few hours trying to make it work with my PGP code written for an older version of the SDK (v1.7.8).  Two immediate problems, SDK library file name have changed and quite a number of functions have been removed.  I guess they don't care about backward compatibility from the developer's perspective.  So I am halting my PGP work until PGP 8.0 SDK is released.

With all the noise about conflicts within Liberty Alliance and disbanding of AOL Magic Carpet team means I will be spending less time on Liberty Alliance.  These days, I am busy with PGP, Acrobat, Digital Signature, and SAML.

I have always thought that security companies are too focused on technology and generally clueless about what users and markets want.  Bruce Schneir, for example, discovered that security is a process and not some magical mixture of technologies.  Its great that he was able to shift from technological perspective to operational perspective.  Carol Coye Benson writes from marketing perspective, a step beyond operational perspective, on shared authentication.  She is right on the ball.