Updated: 8/12/2003; 11:03:15 AM.
John Bristowe's Weblog
public class JohnBristowe : Plumber, ITookTheRedPill { ... }
        

Tuesday, June 03, 2003

I bumped into Mike Amundsen (EraServer.NET) in the exhibit hall shortly after Keith's talk on WSE v2.0. An extremely cool guy. Looks like we're all having way too much fun here at TechEd. I know that I am...


11:09:56 PM

WEB 401: Security Practices for Web Services (Part 2): Now My Brain Hurts
Keith Ballinger (XML Web Services, Microsoft)

Abstract

Drill into the advanced concepts of Web Services security.  Specifically see how to build a service for key distribution and trust enforcement, how to enforce policy and how to deal with different tokens like SAML.  Review several patterns for proper programming techniques to build common trust and authorization services.  Explore the WS-Trust, WS-SecurityPolicy and WS-SecureConversation specifications.

Notes

Disclaimer: I cannot validate that everything stated below is entirely accurate. Unfortunately, I wasn’t able to take notes on my laptop during the talk because my battery was running low. The following notes are from memory…

Keith's talk covered WS-Trust, WS-SecureConversation, WS-Policy, and WS-SecurityPolicy. During his talk, he demo'ed support in WSE v2.0 for each specification.

WS-SecureConversation looks to be very well supported in WSE v2.0. Through a new type – RequestTokenService, if I remember correctly – clients can issue a request security token (RST) message to a service endpoint, which returns a request security token response (RSTR) – a message which contains a security token reference pointing to the new security context token and a proof token reference pointing to the "secret" for the returned context. Keith mentioned that WS-SecureConversation greatly improves security performance over a long running series of messages by orders of magnitude over WS-Security-based authentication on a message-by-message basis.
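
The RST/RSTR exchange described above, modelled as an added Python example (not from the original post and not WSE code): the service authenticates once, hands back a context identifier plus proof secret, and every later message carries only a symmetric MAC keyed from that secret. The class and function names, the `sct-demo` label, the dict message layout and the use of TLS P_SHA-1 for key derivation are assumptions made for illustration.

```python
import hashlib, hmac, os, time, uuid

LABEL = b"sct-demo"  # constructed derivation label, not taken from any spec

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA-1 expansion (RFC 2246), used to derive a per-message key."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

class TokenService:
    """Toy service side: issues context tokens and verifies messages bound to them."""
    def __init__(self, lifetime_s: int = 300):
        self.contexts, self.lifetime_s = {}, lifetime_s

    def handle_rst(self, authenticated: bool) -> dict:
        # RST -> RSTR: the expensive authentication step happens once, here.
        if not authenticated:
            raise PermissionError("RST rejected")
        ctx_id, secret = "uuid:" + str(uuid.uuid4()), os.urandom(32)
        self.contexts[ctx_id] = (secret, time.time() + self.lifetime_s)
        # In a real RSTR the proof secret travels encrypted for the requester.
        return {"context_id": ctx_id, "proof_secret": secret}

    def verify(self, msg: dict) -> bool:
        entry = self.contexts.get(msg["context_id"])
        if entry is None or time.time() > entry[1]:
            return False  # unknown or expired security context
        key = p_sha1(entry[0], LABEL + msg["nonce"], 20)
        expected = hmac.new(key, msg["body"], hashlib.sha1).digest()
        return hmac.compare_digest(expected, msg["mac"])

def sign(rstr: dict, body: bytes) -> dict:
    """Client side: one cheap symmetric MAC per message, keyed from the context."""
    nonce = os.urandom(16)
    key = p_sha1(rstr["proof_secret"], LABEL + nonce, 20)
    return {"context_id": rstr["context_id"], "nonce": nonce, "body": body,
            "mac": hmac.new(key, body, hashlib.sha1).digest()}

def demo() -> tuple:
    svc = TokenService()
    rstr = svc.handle_rst(authenticated=True)
    msg = sign(rstr, b"<GetQuote>MSFT</GetQuote>")  # constructed sample body
    tampered = dict(msg, body=b"<GetQuote>EVIL</GetQuote>")
    unknown = dict(msg, context_id="uuid:not-issued")
    return svc.verify(msg), svc.verify(tampered), svc.verify(unknown)
```

`demo()` returns the verification result for a valid message, a tampered body, and a message naming a context the service never issued. The model does not track nonces, so it shows context binding and integrity only, not replay detection.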

Support for WS-Policy in WSE v2.0 looks to be incredibly promising. From what I saw in the demo, policy is applied to service descriptions and their associated endpoints through an HTTP handler. This handler uses policy documents (i.e. policy.xml) to control the way in which the WSDL is augmented with WS-Policy-related elements. This includes augmentation with custom WS-Policy-related elements, including wse:role, which specifies a mapping to a particular Windows group or role on the host machine. At the server end, policy is validated by this handler prior to entering the scope of the WebMethod.

WS-SecurityPolicy support in WSE v2.0 will augment the current Web service stack very well. That is, the ability to persist policy assertions in WSDL of the particular types of security tokens required and types of encryption and/or signatures to be applied will provide a great deal more semantic meaning in service contracts.

As a side note, WSE v2.0 supports policy assertion declarations to target particular elements through XPath or "parts", which closely resemble functors in C++.

I was really excited to see Keith's talk and it did not disappoint one bit. Put simply: It rocked. It was the best talk I have heard at TechEd yet.


11:06:23 PM

WEB 305: Security Practices for Web Services (Part 1): Now I Understand
Eric Schmidt (Platform Strategy & Partner Group, Microsoft)

Abstract

Security is the most mature area of the Web Services architecture and it should be.  However, getting up to speed on what security means in a Web Services world is a daunting task.  This session (of a two part session) is dedicated to covering the foundation for security in the Web Services architecture.  Specifically covering encryption, integrity via digital signatures and using various credentials like Windows identity, X509 certificates and custom tokens for authentication and authorization. We will review several patterns for proper programming techniques.  Use of the WSE will be shown. Other topics like choosing the right ciphering algorithm will be discussed. Walk away with a strong understanding of how to secure your Web Services.

Notes

It seemed as though Eric was pretty nervous - I totally understand. WS-Security is a big topic and it can be extremely daunting to cover in a single presentation. I applaud the amount of coverage he achieved in his presentation. He presented examples showing authentication using WSE v2.0 with UsernameTokens, KerberosTokens, X509Tokens, and authorization via AZMAN. Not only did he have a lot of demos, he also had to preface everything with background theory. Man, talk about a tough presentation! Coupled with all the material, Eric was having trouble with his VPN connection. Talk about having a bad day - especially when it's TechEd! Nevertheless, I thought Eric did a good job getting through most of the material.

Now, on to Keith's talk; Part 2, Now my Head Hurts! :-)


4:44:11 PM

Billy Hollis is featured here playing "Whip It" by Devo:

(From the Gypsy Tea Room during the Jam! Session last night.)

Other INETA/TechEd photos are being posted here: http://groups.msn.com/inetameetingatteched2003/shoebox.msnw?albumlist=2.


2:36:16 PM

Tonight, I attended my first Jam! session. I was very impressed. The people who showed up to play were incredibly talented. Especially Ralph Rivas, who is a colleague of mine at Empowered Software Solutions. The man is a master of the keyboard. What's more, he bought a keyboard guitar. Very Devo. Whip it good.

What made the night for me was watching various people dance with a life-sized cut-out of Billy Hollis. Too funny. Particularly when Bill Evjen decided to bring Billy up on stage to serve as a back-up singer. I applaud the marketing department at Microsoft for the Software Legends concept. However, I don't think they could have ever expected the reaction the cut-outs made on attendees. While attending a booze-up at the Circle R last night, I watched as Juval Löwy and his associated cut-out made their way on stage to sing Karaoke. The entire concept screams of the legendary lawn gnome scenario, which I think is absolutely hilarious.

On a side note, Paul Mehner is one of the best dancers I have ever seen.

Yet another great time had by all.


12:28:32 AM

© Copyright 2003 John Bristowe.
 