herveyw's blog

Identity Backgrounders

2005-05-13T22:46:12-08:00

A couple of documents worth reading to get some context on what we're doing in the Identity space: The Identity MetaSystem The Laws of Identity...

Moving On...Federation Calls...

2005-05-13T09:25:27-08:00

I've been silent the last few months on WSE topics, the reason is actually simple: at the turn of the year I changed roles (was he pushed or did he jump?) to work on Active Directory Federation Server (ADFS) and InfoCard. ADFS will ship as part of the Windows Server 2003 R2 release and implements the WS-Federation Passive Profile, over time ADFS will evolve to become a full-blown WS-Federation / WS-Trust Security Token Service. InfoCard, a system for managing your identities, will be part of Indigo. Whilst I'm a little sad to have left WSE behind, I'm sure that Mark...

SHA-1 Broken?

2005-02-16T08:05:18-08:00

Bruce Schneier is reporting that SHA-1 has been broken. Interesting....

UsernameToken Security

2005-02-07T21:17:57-08:00

Matt Powell links to an article by Keith Brown on UsernameToken security. Worth reading....

WSE 2.0 Hands On Lab Updated

2004-12-03T14:31:24-08:00

The Hands On Lab materials for WSE have been updated for the WSE 2.0 SP2 release and now include VB.NET code as well as C#. If you're looking to get started with WSE 2.0, these provide some great grounding material....

WSE 2.0 SP2 Golden

2004-12-03T10:58:22-08:00

Service Pack 2 is final and available on MSDN. There was one additional fix between the Pre-Release and the final build involving policy processing for clients that do not send the WS-Addressing headers. In this case, request policy was being applied correctly but response policy would not be applied. Please report any issues you find on the product to wsefeed....

WSE 2.0 on .NET FX 2.0 - Update

2004-11-27T10:35:39-08:00

.NET Framework 2.0 is still a moving target for the WSE team but things have stabilized a lot recently. We made a few tweaks inside the WSE 2.0 SP2 PreRelease plus got a few bugs fixed in the framework itself. The net result is that we believe that WSE 2.0 SP2 will run correctly on .NET Framework 2.0. Note that this only applies to 32bit mode - there's no support in WSE2 for 64bit execution....

Multiple Security Headers

2004-11-27T10:05:41-08:00

SoftwareMaker (William T) has a long entry on multiple security headers. Here's how we thought about the problem for WSE2: In general, you cannot have 2 security headers that target the same node, even if they have different s:Actor values; i.e., one has s:Actor missing and one has s:Actor of next. This is because headers can be re-ordered in messages leading to problems verifying signatures or decrypting elements. This is a simple extension of the highlighted text that is quoted from the WS-Security specification: "Message security information targeted for different recipients MUST appear in different header blocks. This is due...

WSE 2.0 SP2 PreRelease

2004-11-22T17:38:18-08:00

A pre-release builds of WSE 2.0 Service Pack 2 is now available. The download links are: WSE 2.0 SP2 PreRelease Full Product WSE 2.0 SP2 PreRelease Runtime Product Here's the content from the readme file: Core product changes: A new compatibility section is used to select the wire format on the sending side. The mode attribute tells WSE runtime to generate a message which will be compatibable to a particular release of WSE. By default, the mode is WSE2RTM. It can be WSE2RTM, WSE2SP1 WSE2SP2 and so on. On the receiving end, a particular version of WSE runtime will be...

Keith Moves On

2004-09-29T00:10:47-08:00

Words from the man himself (actually, he's half the man he used to be as you can see here): After many years of work on Web services and WSE, I�ve decided to move on. Starting next week, I�ll be working on the Windows Media Player team. I�ve appreciated working with many of you and can�t describe how great it feels to have so many cool people using this product. I wish you all the best in your future endeavors. I have mixed feelings on this one, Keith and I were the first people on the WSE team back in the...

UsernameToken - SendHashed

2004-09-10T00:39:00-08:00

Scott Watermasysk posts about UsernameToken hashed passwords and Julia Lerman adds comments in which she says "the database needs to store clear text" although the recommended method is to "store a user's password as a hash, or even better a salted hash" in the database. I've thought about these posts a bit, here are my comments, hopefully they'll be useful for people trying to use these schemes. First, some basics. The word password, when used with the UsernameToken means password or password equivalent. There is absolutely no requirement that the value you use to construct the UsernameToken at the client...

WSE 2.0 on .NET Framework 2.0

2004-08-24T21:58:25-08:00

The WSE team recently ran a series of test passes with WSE 2.0 on .NET Framework 2.0 Beta 1 (aka Whidbey or VS 2005). We tried both the shipping version of WSE 2.0 and a recompiled version, but experienced a number of problems with both. We know for sure that the soap.tcp transport is completely broken - incoming connections generally fail with a SocketException during Accept processing. We've also run into a number of problems associated with ASMX classes. We're working with the relevant parties on the Framework team to try to resolve these issues, we believe that most of...

What's going on in WSE land?

2004-08-12T23:25:29-08:00

The plate is full right now for the WSE team, we have three pieces of work underway concurrently keeping everyone on the team busy (along with all those summer vacations, of course). First up is the C# implementation of the WS-I compliance test tools. I doubt many people know that this is also developed by the WSE team. Right now, the focus is on completing the implementation and testing of various Basic Profile and Basic Security Profile assertions. The BSP assertions right now are limited to examining the message without unravelling the signatures and encryptions; further on down the road...

WSE 2.0 Service Pack 1 - Update

2004-07-25T19:53:38-08:00

Several people have asked how soon this will be released. It should have been early last week but an interoperability problem came to our attention and needed to be investigated prior to release of the service pack. That investigation is now complete and no changes were needed to the service pack; as a result, it should appear within next few days. Now I can go back to my vacation... :-)...

WSE 2.0 Service Pack 1

2004-07-15T17:45:53-08:00

Service Pack 1 will be released very shortly. We've tried to address the major pain points that people found after the product was released. Here's a list of the changes from the readme file: Core product changes: WSE no longer throws an exception due to a SOAP message being signed by a KerberosToken security token in a time zone east of GMT. The value of the maxTokens attribute for the element specifies the maximum number of security tokens that may be contained within an incoming SOAP message. Previously, only natively supported security tokens counted towards the limit. All members...