Monthly Archives: May 2008

Sweet CARML Goodness

Phil Hunt has an interesting demo of the CARML-enabled attribute service API for the IGF Attribute Service. Personally I would have preferred a downloadable sample application to a video, but it’s still interesting. The OpenLiberty folks seem to be on the right track by focusing on keeping the developer interface simple to use.

Of course this is only useful to the Java side of the application development spectrum. It will be interesting to see if there is ever any traction on developing .NET and scripting language bindings for this.

How much for that LDAP server in the Window?

Jackson Shaw window shops the Red Hat Directory Server and doesn’t like what he sees:

Would I pay for an LDAP directory server today? No, I wouldn’t. I’d either go with OpenLDAP, ADAM or deploy an actual Active Directory domain controller (not free, but at ~$800 or less for unlimited users…) because I’ve talked to customers that have deployed >million user directories with each of those choices, they have vibrant user communities, are supported (vendor or community) and are technically sufficient for almost every purpose. I think if I was a small business with 500-2000 users I’d be looking at using a free solution, too – $10/user is just too much for a piece of history.

I agree with Jackson, but I can see one segment that would pay for this. If you had a Linux-only infrastructure but wanted a vendor-supported LDAP server, then I suppose you would be willing to pay for it. But I really can’t see this as a robust market to build and maintain a product for.

I remember talking to an IT group that maintained a ~200K-entry commercial LDAP server backing a customer portal. They were going through a painful and time-consuming data scrubbing exercise because they only had a 200K license and had been told they couldn’t buy more. I suggested moving to OpenLDAP or ADAM but they wouldn’t even consider it. Go figure.

There are always choices

People say they have no choice to justify choices they have already made.

Service providers say they have no choice to justify divulging their customers’ identities to the governments of the countries they want to do business with. For instance in this recent article about the Google vs Facebook flap Joe Kraus of Google said:

“Google lives and dies on protecting users’ privacy,” Kraus added. “We believe [Friend Connect] is good for users in terms of control and extremely protective of users’ privacy.”

Ironically this quote was published on the same day that it was reported that Google had given the Government of India the identity of a man who had criticized and posted vulgar comments about an Indian politician on Orkut using his GMail account. Apparently the “lives and dies” part is really more of a guideline than a rule.

Google’s defense (like Yahoo’s in an earlier more serious case with Chinese dissidents) was that they were just following the laws of the country they operated in. To bend Godwin’s law a little, this is a little like saying they are “just following orders”.

There are also conflicting reports about RIM giving the Government of India the ability to decrypt Blackberry traffic in India. If, in the end, RIM decides to compromise the security of its customers using their handsets in India, their defense will also be that they had no choice.

Of course these companies had choices. There are always choices. They could have refused the governments’ requests and taken the consequences. But when faced with choices like these most companies will do what’s best for their short-term business interests. As consumers we need to be aware of this and take it into account when deciding what information to entrust our service provider with.

This security risk is also global. A country like China, where there is no effective restraint on government power, could demand from your service provider your information no matter where you live. They could further demand that your service provider not inform you of this. Why? Because they can.

Now here is a sobering thought. So far I have been discussing personal information and identity. But there is no reason to assume that your company’s data is not at risk if you use a SaaS provider that does business in countries like China.

BMC and IdM

Felix Gaehtgens of Kuppinger Cole has some interesting observations about BMC’s new position on IdM (and gives me a nice mention as well).  Radovan Semančík has some interesting speculation as well. Both posts are well worth your time if you are interested in BSM or enterprise IdM.

And of course TalkBMC has lots of great bloggers talking about BSM and other topics.

A compassion that knows no bounds

Apparently the Chinese government will allow the parents of children killed or disabled in the recent earthquake to replace them, free of charge. From the Fox News article:

Those families can obtain a certificate to have another child, the Chengdu Population and Family Planning Committee in the capital of hard-hit Sichuan province said.

Just when I was used to thinking of them as despotic tyrants, they go and show their tender side. Of course there are limits to their mercy:

Chinese couples who have more than one child are commonly punished by fines.

The announcement says that if a child born illegally was killed in the quake, the parents will no longer have to pay fines for that child – but the previously paid fines won’t be refunded.

If the couple’s legally born child is killed and the couple is left with an illegally born child under the age of 18, that child can be registered as the legal child – an important move that gives the child previously denied rights including free nine years of compulsory education.

But seriously. “Appalling” doesn’t even begin to describe this.

OpenID, Phishing, and a strange choice in browser support

Mike Jones points out a site where you can test drive a man-in-the-middle phishing attack against OpenID. This is scary stuff. But as Mike points out, there are a couple of glimmers of light. One is Information Cards, because they provide very strong protection against phishing in general. The other is the OpenID PAPE specification, which allows an RP to request specific authentication mechanisms.
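As an added illustration of the PAPE mitigation mentioned above (this is example code, not from the post or from any OpenID library), here is how a Relying Party would ask the OP for phishing-resistant authentication and then check the OP’s answer before trusting it. Parameter names and policy URIs follow PAPE 1.0; the sample response and the “current time” are constructed for the demo.

```python
from datetime import datetime, timezone

# PAPE 1.0 namespace and the policy URI for phishing-resistant authentication.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

# Constructed "now" so the freshness check below is deterministic.
DEMO_NOW = datetime(2008, 5, 20, 14, 2, 0, tzinfo=timezone.utc)


def pape_request_params(max_auth_age=300):
    """Extra parameters an RP appends to its checkid_setup request."""
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": PHISHING_RESISTANT,
        "openid.pape.max_auth_age": str(max_auth_age),
    }


def pape_response_ok(resp, now=DEMO_NOW, max_auth_age=300):
    """True only if the OP's positive assertion reports phishing-resistant
    authentication that is recent enough AND those PAPE fields are covered
    by the OP's signature (openid.signed). `resp` holds the openid.* fields."""
    # The OP may alias the PAPE namespace under any name, not just 'pape'.
    alias = next((k.split(".")[-1] for k, v in resp.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return False
    # Unsigned PAPE fields could be altered by a man-in-the-middle: reject.
    signed = set(resp.get("openid.signed", "").split(","))
    if not {f"{alias}.auth_policies", f"{alias}.auth_time"} <= signed:
        return False
    policies = resp.get(f"openid.{alias}.auth_policies", "").split()
    if PHISHING_RESISTANT not in policies:
        return False
    auth_time = datetime.strptime(resp[f"openid.{alias}.auth_time"],
                                  "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return 0 <= (now - auth_time).total_seconds() <= max_auth_age


# Constructed positive assertion from an OP that honoured the request.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-05-20T14:00:00Z",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,pape.auth_policies,pape.auth_time",
}
```

An OP that cannot meet the requested policy answers with the PAPE “none” policy, which the check above correctly rejects.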

Paul Madsen points out another possible mitigation. Sxipper apparently has anti-phishing support built into its OpenID integration. Sxipper is an open source browser plug-in from one of the Sxip-* companies (I can’t keep track of which one). Now when I say browser plug-in, I should be more specific. I mean it is a Firefox plug-in. Only. No IE support.

And therein lies a strange conundrum in the Identity community. I have worked side by side with a lot of the best minds in the Identity community and noticed that, with the exception of the Microsoft guys, there is a strong bias towards using Firefox almost exclusively. This results in thinking about and developing plug-ins (such as Sxipper and SeatBelt) for Firefox only.

Personally I mostly use IE. It’s not that I prefer IE to Firefox, quite the contrary. IE 7.0 crashes with depressing regularity. But I use IE because I write Enterprise Software and that is what my customers are using. I need to experience what my customers are experiencing or I am not doing my job right. Even if I was writing software for the general public, I would still expect that the majority of my customers would be using IE.

One of these is not like the others

If I was to spend some time searching the web on this Memorial Day I could use

Or perhaps Dogpile:

Or old reliable Yahoo:

On the other hand if I wanted a big old slap in the face I could try Google:

Yes, Google’s bi-annual snub of the veterans and their families continues (hat tip to Instapundit). It’s a free country, and Google has the right to insult the memory of the service men and women that have paid the ultimate price for the freedom that Google now enjoys.

And I am free to not use their services. It’s a freedom I exercise often.