With Debashish's Help I am moving all posts from this blog on rollerweblogger to wordpress. I hopefuly should complete this migration by this weekend. Once all the posts including comments are migrated over I hope you would continute reading my new wordpress hosted blog.

UPDATE : The reason for migrating the blog over is because I wish to enable yadis/lid/openid/sxore and infocard (PHP & JAVA) authentication on the blog. And it's not possible with a hosted service. So That was my only reason.

AH!!! Hellooo world. Java based infocards are taking over... Here's Yet another Java Based Infocard Relying Party Demo. This time It's Ashish Jain's implementation of it. Ashish works for PingIdentity and is also the co-author of J2EE 1.4 Bible & Enterprise SOA (I bet you didnt need that introduction, as you would have known that already.).

His demo is available at pingidentity's Jetty Based demo server. His implementaion however does not use bouncycastle or XOM but is again a Java based RP developed from scratch using XMLBeans and XMLSEC.

It sure is a chweeth Object Oriented world aint it ??

UPDATE : There's one thing for sure that infocard and WS-* is helping me with. IE: Making new connections and a LOT of new friends.

Well, I do not wanna say that I buy the concept of User Controlled Identities in it's "entirety" But however I'd like to say that I am trying pretty hard to buy into the "concept". Amartya Sen, The co-author of "Identity and Violence" says that the "freedom to choose one's identity affiliations is the antidote to divisive extremism"

Well. I'd not hesitate to do my part in playing a role to eliminate divisive extremism. And just to add to that I'm buying Kim's concept.. slowly.. very very very very slowly...

However while on the "identity" subject, like the "rest of the world"... I too have a question for Kim. Whats with this symmetric proof key in the SAML assertion? Like me, I bet there are several-several folks out there who are awaiting an answer... Kim Please... Could you ? PLEASE...

A few folks have been having issues using self signed server certificates to invoke the Identity Selector WinFX Component. Here's a short walkthorough on how to use a self signed certificate and save a few $$$'s from having to but a Certificate from a Trusted Authority.

The key is to use the sha1rsa Signature Algorithm instead of using the default md5rsa Signature Algorithm.

openssl genrsa -des3 -out pass.key 1024
openssl rsa -in pass.key -out server.key
openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt

Then copy the server.key and server.crt to your webservers config directory.
cp server.key /etc/httpd/conf/ssl.key/
cp server.crt /etc/httpd/conf/ssl.crt/

Change file access permissions
chmod go-rwx /etc/httpd/conf/ssl.key/server.key

Made a test cert
make testcert

Create a server.pem file as by concatenating the server.key file and the server.crt file as follows:
cat /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt > /etc/httpd/conf/server.pem

restart your webserver.

Your self signed certificate should now invoke the identity selector without any issues...

NOTE : Remember folks. If youre learning anything at all from all of us who are blogging our experiences and processes about getitng infocard to work in all these various platforms and scenarios to PLEASE "pay it forward".

A must read : via Pat's blog :

From fellow Libertyite, Paul Madsen, comes this amusing take on user-centric identity. Many a true word spoken in jest!

Happy Monday.

I was chatting with a friend recently about "successful marketing strategies". and I was told that one of the most successfull ones had been the Mc Donalds Happy Meal. Yes, true, the Happy Meal really is one of the best. & then I thought... "infocard"... is this a "stratergy" that microsoft had ?

But InfoCard will only succeed if there are innovative people like you who are willing to take the time to build interesting relying parties and identity providers.

FROM: A First Look at InfoCard

Microsoft is known for it's marketing strategies. They succeeded in making "windows" the defacto standard for desktops. I really dont care how the did it, but the bottom line is that they did it !! Well, I then remembered that "infocard" can be only as successful as it's adoption.

Well, Here's what I think. (my perception)
Microsoft has generated so much interest and buzz in the marketspace with the "Laws of Identity", The "Identity Metasystem" and "infocard" that everybody wanted to know what it was and how to use it. I was one of them....

Microsoft didnt want to make "infocard" implementation a "insert CD..., click next...(a few times), and then click finish..." procedure.. They wanted folks to adopt it. They also wanted the "community" to show that they could do it on their own with Java, PHP, etc... Basically they showed us a "carrot" and made us run for it... Once the "community" showed that they could easily do it, it would make everybody believe that implementing it is not a complex task. It's not expensive and it's do-able. Well, They sure succeeded at that.

PS: Kim, if that was the strategy, Hats off to you. You did it !!!(extremely well planned). Now you know why I idolize you.

Your Thoughts ?

After several email, I thought that it would be best to point folks to a direct download of ie7 Build 7.0.5296.0 (The version that works). So folks. Please stop emailing me for this version. Simply download it from : radpishare.de. If you send me emails, please do not be surprised when I reply with a link to this blog post.

As far as the WinFX components go, download whatever is available from Microsoft's website. It would work.

And as far as the PHP and Java Code release goes (for both the RP and the infocard creator)... Patience my dear Watson, Patience... We've all waited so long for the right folks to release their code.. So Bear with me/us and have a little more patience.

BTW: This infocard crypto stuff is just cool. The ciphers the methods to encrypt/decrypt the tokens are smooth... However Robin Wilton (racingsnake) had a very good question, and I'm awaiting Kim's response.. I hope he does.

Chuck Mortimore, has posted the exact steps required to "consume" infocards on his blog (xmldap). I'm not gonna steal the spotlight from him. He deserves more credit for this than anybody else. This is a cross post from Chuck's blog.

Chuck writes:

To get started, you need to get your hands on the XML Token. This should be pretty simple, as your web framework will generally hand back parameters already URL decoded.

Once you’ve got the token, you’ll need to decrypt the token. The token is transmitted as encrypted XML.

Head On Over to Chuck's Blog to see what the xmlToken would look like
OR look at my previous post on what it looks like. Chuck's Post is "complete". Mine's truncated..

Basically what you have here is an ephemeral symmetric encryption key, which has itself been encrypted with the Public Key of the SSL Cert for the website InfoCard is interacting with. As you can see from the metadata provided in the KeyInfo fragment, the key is encrypted using RSA with OAEP encoding and SHA1, using the certificate identified in the SecurityTokenReference with the provided fingerprint (the fingerprint is a SHA1 hash of the cert bytes)

Your first job is to decrypt that encryption key. Step one : remove the Base64 encoding. Step 2 : you need to write a function which takes the private key for the cert referenced by the fingerprint, along with the data as input, and decrypts in this manner RSA-OAEP

Once you’ve successfully decrypted the key ( it should be 256 bits), you can use it to decrypt the token. As you can see in the XML, you need to use AES with a ChainedBlockCipher. Decrypt the token (Don’t forget to strip the initialization vectors...thanks Gary).

Head On Over to Chuck's Blog to see what the decrypted token would look like

The next step would be to quickly check the validity period on this Assertion to make sure it’s still fresh. You might also want to check the AssertionID against a table of previously seen assertions to prevent replay...depends on your level of paranoia.

On to signature validation...you should follow the steps outlined in XML-DSIG, but to paraphrase, check the digest of the canonicalized assetion against the digest in the SignedInfo block, and then validate the signature of the canonicalized SignedInfo using a PublicKey constructed from the provided KeyInfo.

Now, what’s bugging me is the use for the Symmetric Proof key provided in the Subject of the Assertion. Super Pat and I discussed this for awhile, and since it’s not used immediately in this protocol exchange, our best guess is that it’s used in subsequent interactions with the service, although I must admit the InfoCard docs are a little fuzzy on this subject. If anyone can fill me in, I’d appreciate it!

Finally, if your signature validation worked, extract the claims, enforce any policy you’d like, create a session, set a cookie, etc...

Chuck has also reverse-engineered the infocard token creation and has published a tool that can create a token for you on his demo servers.

Now since "infocard walled garden" has been made not so mystical, Here's are my thoughts.

The OBJECT tag required to invoke the Identity Selector is a cool tool, But on the RP side, the RP is just a listener that received tokens "pushed" to it. One does not really need the use of a InformationCardSignInHelper (ie: icardie.dll for ie7)to invoke the Identity Selector (WinFX CTP). One can easily write a tool, that creates these tokens using random data and start pushing these tokens to RP's. I see this as an extremely simple way to set up a DoS attack.

• So are infocards really "secure"?
• Would they make the common man's life easier?
• Would they make RP's more vulnerable to DoS attacks?

Like I said earlier, I am having a extremely hard time trying to digest the First Law from the "Laws Of Identity". For some reason I tend to lean strongly towards not being able to digest "user control". Hopefully over time, I shall grow out of it and be able to digest the theory.

SO: Higgins folks have a base to work off of for their open source version of "infocard-whatever" (not that they needed it). And I'd like to see if folks credit Chuck for HIS hard work.