All things security - Single Sign On technology, Certificates, Encryption. Security Blanket

Tuesday May 17, 2005

Big News

Everyone has probably already seen the news regarding Sun and Microsoft and the announcement regarding interoperability. This is a very cool announcement and it is something that we have been working on for quite a while in lots of different ways.

The technical details in these announcements are typically glossed over and discussed at a very high level. At my level, I've been involved in various "Microsoft Interoperability" projects for several years, mostly involving Kerberos and single-sign on technologies. I have worked with Microsoft people in various IETF working groups for several years and always found them to be very smart and easy to work with. As engineers, we are usually more interested in getting stuff to work correctly and less interested in the executive level sparring that has occurred in the past.


Regarding the new interoperability

This document describes the protocols used to achieve the web-based single-sign on that is covered by the agreement. Note that this is NOT the same as the GSSAPI/SPNEGO web-based single sign-on technology that I described here. This new interoperability protocol is based on Web Single Sign-On Metadata Exchange Protocol, which involves XML, SOAP, HTTP, and a bunch of "WS-*" protocols. It does not involve any Kerberos or GSSAPI token exchanges.


The other SSO protocol

HTTP Auth-Negotiate with GSSAPI/SPNEGO is useful for extending the Kerberos SSO to internal web sites that only need to authenticate the user. The Web SSO MEX protocol gives the server access to a lot more information beyond just the user's authentication credentials; the "metadata exchange" part of the name (MEX) refers to all of the other information that can be conveyed in the exchange. The Kerberos SSO exchange typically only involves authentication credentials (tickets) but not a lot of extra data associated with the identity being asserted.

Kerberos by itself would never get us close to the level of interop provided by Web SSO MEX. Web SSO MEX allows for interop across environments that use Liberty and WS-Federation and makes it possible to use the Java Enterprise System OR Windows 2003 Servers, which is a big win for enterprise customers that typically have a mix of both and have been frustrated in the past by the inability to leverage both in a compatible way. This announcement should not discourage companies from moving forward with Kerberos integration and improving internal security. Kerberos SSO is more than just web authentication; it can be applied to lots of other non-Web based protocols as well. In Solaris 10 (and later) SSH, LDAP, FTP, telnet, rlogin, and rsh are all Kerberized. Other protocols like SMTP (mail), POP, and IMAP can also be Kerberos enabled with combinations of protocols like SASL/GSSAPI/Kerberos, thus extending SSO to almost all of the most commonly used protocols inside of an enterprise (big or small).

So, while I view this announcement as a very positive step forward for Sun, I think there may be some confusion by some over the details of the protocols being used (or not used as the case may be for Kerberos). As I learn more, I will try to clarify the differences more in the future.

Friday May 13, 2005

Remember the day when concert tickets were in the $10-$20 range? Me either. Well, that's not true either. I do recall paying around $14 for several shows at the Pittsburgh Civic Arena (since renamed "Mellon Arena"), back in my high school years. Today, great seats for a popular tour can easily go well above $100 a seat (which, I *think*, is well above the inflation rate). I read that the Rolling Stones are offering their "Gold Circle" seats for their upcoming tour for about $450. Ouch. I like the Stones (or, at least I like the music they made back in the 1967-1971 period, plus Some Girls and Tattoo You a little later), but I think I would have to settle for some of the cheaper and more distant seats if I were to go to that one.

Which brings me in a roundabout way to my real topic ... U2. I love U2. Really. I'm going to the show in Philadelphia tomorrow night. Then I gotta wait 5 months for their 2 October shows in Wash DC. For all of these shows, I decided to pay up for the expensive seats and have a good view of things. It worked out great last tour, I was right next to the stage, about 10 rows up. I suppose I could have taken my chances on the $50 GA tickets and tried to get lucky to get into the "bomb shelter" (i.e. inside of the catwalk circle that extends out into the floor). Odds are low (I've read it's about 1 in 5) and if you don't make it you are likely stuck craning your neck all night and dealing with lots of pushing and shoving for a bad view. I'd love to get into the circle, but I'd prefer to pay for a known quantity in this case.

The cool thing about this tour is that Sun is powering the "ONE" campaign, as fellow blogger MaryMary has blogged about extensively. She was actually lucky enough to meet Bono (and some other celebs). I am not hooked into that part of the business and will have no such access, but I am looking forward to the show(s).

With all the hype for the new Star Wars movie coming out next week (I think), I found this funny blog from none other than Darth Vader himself.

Some of the comments are almost as funny as the blog itself.

Thursday May 12, 2005

OpenSolaris is coming! The world will get to see, warts and all, the gory details of how and why Solaris works the way it does. I'm not actively involved in any sort of decision making on how OpenSolaris will work or how code contributions from outside of Sun will be reviewed. I do know how things work from the inside, though. In addition to the obvious requirements that new code doesn't break old code, interface stability rules must be maintained, and architectural integrity must be respected, there are other "rules" that we (inside Sun) must follow. Among these are our "cstyle" rules - rules that govern how the code must appear (braces and indentation rules, for example).

This sort of thing (enforcement of style rules) has been known to spark religious wars in some companies that I worked at prior to Sun and is always a contentious subject when 2 people with different style preferences try to merge their code.

I read an interesting article yesterday on Joel On Software about coding standards and how code styling standards can be misused (as well as how and why they are indeed useful). Mostly the article is about Windows programming and there is considerable discussion on Hungarian notation and the use of exception handlers in Java and C++. It is all sort of interesting and timely (at least for me) because I've been wondering how the external community will view our code from a readability and "stylistic" point of view. I guess we'll find out soon enough...

Wednesday May 04, 2005

I borrowed some CSS from fellow bloggers MaryMary and Martin today to give my blog the new corporate look (see Sun.Com).

I bought a book on CSS a while back called 101 Essential Tips, Tricks, and Hacks (by Rachel Andrew) from SitePoint and found it to be very helpful in designing web pages WITHOUT having to use a lot of TABLE tags. This book is especially good for someone (like me) who prefers to learn by looking at examples. This book has tons of good examples as well as descriptions. I highly recommend it for anyone who is interested in learning or writing web pages using CSS.

Tuesday May 03, 2005

I see that Sun has a new look on our website today - I like it. I then noticed that my blog is linked from the Solaris Security Page as a Security related blog. Hmmm, I sort of feel obligated to post a bit more frequently now and try to remain topical (it's hard).

Lately, I've had my head buried in ASN.1 encoding and decoding software. If you have ever needed to parse ASN.1 data, you may sympathize with me a bit - it is a pain. There are some freeware tools for helping encode and decode ASN.1 data, but upon closer investigation, they always seem to fall short in some critical area - such as being able to parse and compile a complex ASN.1 syntax like PKCS#12. Anyway, if anyone can recommend a good ASN.1 package, I'd love to hear from you. (I've already looked at esnacc and asn1c).
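As an added example (not code from the original post, which names these protocols but shows none), the Python below parses the outer ASN.1/DER framing that every HTTP Negotiate token carries (the RFC 2743 InitialContextToken) to see whether it announces SPNEGO or raw Kerberos 5, rejecting the indefinite and non-minimal DER lengths that make ASN.1 decoding painful; it serves both the GSSAPI/SPNEGO discussion in the May 17 post and the ASN.1 complaint here. The inner mechanism token is left to a real GSS-API library, and the sample header bytes are constructed.

```python
import base64

# Mechanism OIDs that may arrive inside an HTTP Negotiate token (RFC 4178 SPNEGO, RFC 4121 Kerberos 5).
MECH_OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos 5"}

def read_der_length(buf, pos):
    """Return (length, next_pos); DER forbids indefinite and non-minimal lengths, so reject them."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or oversized DER length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if length < 0x80 or buf[pos + 1] == 0:
        raise ValueError("non-minimal DER length encoding")
    return length, pos + 1 + n

def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]  # first two arcs are packed
    return ".".join(map(str, head + arcs[1:]))

def parse_gss_token(token):
    """Parse RFC 2743 InitialContextToken framing; return (mechanism OID, inner mechanism token)."""
    if not token or token[0] != 0x60:  # [APPLICATION 0] constructed tag
        raise ValueError("not a GSS-API InitialContextToken")
    total, pos = read_der_length(token, 1)
    if pos + total != len(token):
        raise ValueError("outer DER length does not match token size")
    if token[pos] != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER after the outer tag")
    oid_len, pos = read_der_length(token, pos + 1)
    return decode_oid(token[pos:pos + oid_len]), token[pos + oid_len:]

def mechanism_of_negotiate_header(header_value):  # value of 'Authorization: Negotiate <base64>'
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    oid, _inner = parse_gss_token(base64.b64decode(b64, validate=True))
    return MECH_OIDS.get(oid, "unknown mechanism " + oid)

# Constructed sample: 60 0a | 06 06 2b0601050502 (SPNEGO OID) | a0 00 placeholder inner bytes.
SAMPLE_HEADER = "Negotiate " + base64.b64encode(bytes.fromhex("600a06062b0601050502a000")).decode()
```

Knowing the mechanism before calling gss_accept_sec_context lets a server log or reject unexpected mechanisms early, and the strict length checks are exactly the cases where hand-rolled ASN.1 decoders tend to go wrong.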