Archive for May, 2006

Getting into the standards development game

Paul Madsen is on a roll again. Latest amusing brainstorm: build an SDO Tycoon game! Only there’s one feature missing: What would standards development be without some wacky voting rules? Players should be able to explore the game-theoretic possibilities in designing rules that encourage consensus — to fall apart…


Shave everywhere

I don’t have a cat, more’s the pity, so instead of Friday cat-blogging I’ll have to stick to Friday time-wasters.

My friend works for Philips, and recently he mentioned its new site Shave Everywhere. We quizzed him: Like shaving in Kansas, shaving in Paris, and shaving in Tokyo? Oh, no, indeed not… It must be seen to be believed. (Safe for work by virtue of strategic beeping and pixellation. :-) )


FIFI the efficiency expert

My colleague Gerald Beuchelt has posted JavaOne slides on his brainchild, Project FIFI (Fast Infoset For Indigo). He’s been documenting his work on this project for a while at his blog, Web Services Contraptions, and he’s been working closely with his BOF co-presenters Paul Sandoz and Santiago Pericas-Geertsen — mavens on the Fast Infoset standard and its implementations — for some time now.

The promise held out by FIFI is that your web service operations can be interoperable across platforms and high-performance. (I admit I say “performant” in casual conversation…) If you’re interested in a world where you don’t have to pick two from good, fast, and cheap, make sure to get in touch with Gerry to find out more.


Open document architectures

Through ConsortiumInfo.org (no surprise), I just came across this Gartner report on the impact of the approval of the OpenDocument Format as ISO/IEC 26300. Their take is that since ISO is unlikely to also approve Open XML given its similar scope, this is a blow to Microsoft’s attempts at standardization of its format. The following recommendations appear in the report, and they seem eminently sensible to me given Gartner’s assessment of the situation:

  • Users: Recognize that you eventually will be saving your office product data in an XML-based format. Users that need ODF support today or need to comply with ISO standards should explore applications that support ODF. These applications may be cheaper to acquire, and enable different functionality, but the migration will not be inexpensive and will involve compatibility issues when exchanging documents with Microsoft Office users. If you need compatibility with Microsoft Office formats or cannot cost justify a migration, lobby Microsoft to support ODF and look for plug-ins that allow you to open and save ODF files from within Microsoft applications.

  • Vendors supporting any application using document formats that deliver content to people: Seek opportunities to leverage ODF, particularly “mash-up” approaches to content creation and sharing.

I hadn’t been following the various de jure standards tracks of these formats very closely, and didn’t realize ISO/IEC approval of ODF was imminent. But this news somehow transported me back to the days of SGML vs. ODA.

ODA was a comprehensive “compound document format” intended to be the be-all and end-all for office documents. It originally stood for Office Document Architecture, then was renamed to Open Document Architecture to seem more inclusive. Wikipedia has a short article on it, which matches my recollection of the situation. It was a big complicated spec that squished together structure and presentation, and while it had — after many years — achieved sanction, with ITU-T and ISO standardization coming in 1999, it ultimately had no traction.

SGML was approved as ISO 8879 in 1986, and though we weren’t using it yet at Digital in the late 80’s, most of us were using “Standard Digital Markup Language”, a sort of proto-SGML used within the company (a bit similar to GML and its role within IBM) that had start-tag/end-tag pairs and the like; it was eventually productized as VAX Document (whoa! it lives on!). In my part of the tech doc business, we were totally sold on “generic markup”, particularly since we were now in the position of generating CDs along with paper documentation and “single source/multiple outputs” was an expensive reality. Word-processing programs gave us all kinds of headaches, and the editors and doc tools people, at least, were deeply suspicious of giving writers the ability to add lots of formatting on their own. Thus, we were suspicious of ODA too; around my office we used to refer to it as the Odious Document Architecture.

Okay, so having content creators control presentation was a juggernaut. Yes, yes, I do see the appeal (and indulge in this activity several times a day…). What’s interesting is that the problem just…dissolved away.

The first big lesson on this was the Rainbow DTD, invented by EBT specifically to aid in the regularization of word-processing files as part of their “up-conversion” into SGML. Another sort of sideways influencer, I think, was the Text Encoding Initiative, which helped break some SGMLers’ dependency on the non-presentational markup argument — when you’re marking up an old newspaper for analysis, you might very well want to capture whether a particular story appeared above the fold on page 1. The next really huge lesson was the popularity of HTML and reasonable ways of doing stylesheets for it, which mocked many old-school attempts to get away from the corrosive effects of presentation. The final one was the appearance on the scene of the StarOffice XML/OpenOffice.org work, which began to fulfill a lot of fantasies about making real office documents manipulable with standard tools.

(I just found an interesting paper from 1996 on something called the JEDI Project, for Joint Electronic Document Interchange. Their analysis of TEI, TEI Lite, Rainbow, HTML3, and ODA, along with the various stylesheet technologies then available, was probably repeated by others many hundreds of times.)

The wild part is that SGML and ODA were pitted against each other and both pretty much fell over of their own weight (the latter took 14 years to standardize, for crying out loud), but it’s quite easy today for anyone to benefit from combining their approaches, and we’re down to arguing about which flavor to use for best success in interchange, future-proofing, and user control. Gartner’s first recommendation above was once seen as an intractable and even distasteful issue; now it’s trivial advice: “Recognize that you eventually will be saving your office product data in an XML-based format.”


Nothing comes to a sleeper but a dream


In the living-out-a-dream category: Last weekend Mudcat played gig #6, this time a private party in a great location: a chocolate factory that resides in the old Red Hook Brewery in the Fremont neighborhood of Seattle. The atmosphere was so comfortable and welcoming, and the crowd so enthusiastic about our being there, that the experience was transcendent. We were reading each others’ minds about the natural arcs of solos and song endings, and we jammed much like we do in our practice sessions when we think no one else is listening.

We played for beer (and chocolate), but our host surprised us by presenting us with a bit of lucre at the end of the night — along with a lecture about how we should get used to being paid! For me it’s been, um, well, more than two decades since I made money from a gig. I’m tempted to frame it.

(The title of this post is from Lowell Fulson’s Sleeper, a tune we cover in Mudcat and one of our favorites. As it happens, the first — and only — band I ever made an actual living from was called Sleeper.)

Next gig: Saturday, June 24, 9pm, at the Montlake Ale House again. Be there or be square.


SAML’s IPR situation eases; new profiles available

It’s time again for a SAML Up-Date. (I’m picturing a Brian Pinhead type reading this aloud…)

Two recent messages to the Security Services Technical Committee list bear interesting news:

First, Rob Philpott of RSA, esteemed former co-chair of the SSTC, announces that RSA’s patent licensing situation has become entirely implicit, with implementors no longer asked to take any action at all to request a royalty-free license — not even filling in a web form, which was how things stood before. The OASIS IPR page isn’t quite updated yet with this new information (I’ll update with a link when it is) but Rob’s message contains the new IPR statement from RSA, so you should go and take a look.

Second, Mary McRae of OASIS announces that the SSTC has put forward a series of Committee Drafts for a month-long public review; you can send your comments using this form. This bunch of specs is what the TC thinks of as “post-V2.0” SAML profiles and extensions, and they’re intended to add interoperability for common use cases based on further deployment experience. (There are all sorts of extensions and profiles, some entirely private, being created and used by various people; the TC chooses to work on those that seem generally useful.)

The specs are as follows:

To highlight just one of these, the SAML XPath Attribute Profile “defines an attribute profile for SAML V2.0 using XPath V1.0 for attribute names. It lets SAML attribute authorities map XML documents, associated with a user, into SAML attributes. In particular, this profile enables attribute authorities to map Liberty Alliance data services into SAML attributes. XPath attributes can then be queried, asserted, and published in metadata.” Liberty defines something called the Data Services Template or DST, which provides protocol boilerplate “for the query and modification of data attributes exposed by a data service”, which is one of the key use cases that come up in personal profile attribute-sharing scenarios and many others. Basically, this little SAML profile allows you to construct SAML-flavored attribute constructs out of arbitrary XML content by using an XPath expression as the attribute name, which is extremely useful not only in the Liberty DST case but in general.
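To make the XPath-as-attribute-name idea concrete, here is an added example (not from the profile or from this post) of an attribute authority turning nodes of a user's XML document into SAML Attribute elements named by the XPath that selected them. The sample document, the release policy and the NameFormat value are constructed placeholders, values are assumed to be element text, and Python's ElementTree only implements a subset of XPath 1.0, so the names are written relative to the document root.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Placeholder only: the real NameFormat URI is the one the profile defines.
XPATH_NAME_FORMAT = "urn:example:placeholder:xpath-attribute-name-format"

# Constructed sample: an XML document the authority holds about one user.
USER_DOC = """
<Profile>
  <CommonName><FN>Alice</FN><SN>Example</SN></CommonName>
  <Contact>
    <Email>alice@example.org</Email>
    <Email>a.example@example.net</Email>
  </Contact>
  <Payment><CardNumber>0000-0000-0000-0000</CardNumber></Payment>
</Profile>
"""

# Hypothetical release policy: the only XPath names this authority answers.
# Matching the requested name against a fixed set means a requester-supplied
# expression is never evaluated unless the authority has approved it.
RELEASABLE = {"./CommonName/FN", "./Contact/Email"}


def build_attribute(doc_root, xpath_name):
    """Return a saml:Attribute whose Name is the XPath, or None if refused."""
    if xpath_name not in RELEASABLE:
        return None
    attr = ET.Element(
        f"{{{SAML_NS}}}Attribute",
        {"Name": xpath_name, "NameFormat": XPATH_NAME_FORMAT},
    )
    # One AttributeValue per selected node; multi-valued results stay ordered.
    for node in doc_root.findall(xpath_name):
        value = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
        value.text = node.text
    return attr


def answer_query(xml_text, requested_names):
    """Build the attributes for a query, skipping names outside the policy."""
    root = ET.fromstring(xml_text.strip())
    built = (build_attribute(root, name) for name in requested_names)
    return [attr for attr in built if attr is not None]


def values(attr):
    """Text of every AttributeValue child, in document order."""
    return [v.text for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]


if __name__ == "__main__":
    ET.register_namespace("saml", SAML_NS)
    query = ["./CommonName/FN", "./Contact/Email", "./Payment/CardNumber"]
    for attribute in answer_query(USER_DOC, query):
        print(ET.tostring(attribute, encoding="unicode"))
```
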

So check ’em all out!

UP-DATE to the UP-DATE: Jeff Hodges, another esteemed former co-chair of the SSTC, comments further on the positive RSA IPR news. He also notes Google’s SAML-based single sign-on in their search appliance product. To me, Google’s usage of SAML looks remarkably robust, and their SPI documentation can function as another handy entry point into understanding how to do this stuff.


The smell of software

Recently I’ve been working with my team of XML Summer School lecturers on our materials, and Jeff floated the idea of using a visual metaphor to show how each topic fills in another piece of the web services/SOA story. Paul advised against using “puzzle pieces”, which imply that the picture isn’t complete until you use every last piece. So we brainstormed some alternatives. (My unserious suggestions: onions and bricks…)

A common metaphor is Lego(R) and Duplo(R) pieces, which, due to a single standard (in this case imposed by the Lego company itself) for fit, always go together. But we can see that different “stacks” might not:


Lego-like conference swag

(It’s hard to see, but the upper one comes from DataChannel.) I found these while cleaning out my home office desk a few weeks ago, and immediately noted that they were not interoperable…

While hunting for additional useful metaphors, I googled “layering metaphors” and came across this fascinating paper on Software Metaphors. From the introduction, titled “Software as Fiction”:

As fiction, software is entirely and thoroughly metaphorical. Metaphors pervade every element and aspect of software, from the lowliest variable name to the largest of enterprise architectures. Software is so steeped in metaphors that we often overlook the extent and nature of these metaphors. Like fish in water, software developers often do not perceive the medium that surrounds us: our natural languages, natural conceptual models, and the natural and linguistic metaphors we use every day in our software designs. Even so, software developers borrow ideas, terminology and organizational structures from every field they encounter and every problem they solve.

Indeed, our brains can’t help applying patterns — and the most concrete and atom-based patterns, like the “Bad is Stinky” and “Categories are Containers” examples given in the paper, are the easiest to make because we’ve been familiar with those referents for a whole lifetime. In fact, every time we use a preposition, we’re making an implicit physical-relationship metaphor (this module hands control to that module; the UI goes in front of the business logic).

The paper is chock-full of interesting thoughts and even advice on effective naming of things like variables, taking into account their metaphorical roles. Its stated goal — “This essay explores a wide variety of these metaphors in hopes of awakening a greater awareness of them in software developers and in hopes of making their acknowledgement more common and explicit in the general practice of software development” — is pretty modest, but its encyclopedic collection of metaphors used in the creation and maintenance of software is impressive and fun to read. (The attempt to catalog every metaphor puts me in mind of Douglas Hofstadter’s Fluid Concepts and Creative Analogies, which describes his team’s attempts to duplicate in software the sorts of nano-analogy-making that minds do all the time — sort of a reverse view of this paper.)

Imagine my delight when I found the section connecting code threads to stitch patterns (for which this is a reverse view!):

Computer processors are now generally fast enough that they can usually switch between and effectively trace several execution threads “concurrently” according to human perception. Thus, execution threads can be likened to the straight warp on a loom, around which intricate patterns of code are entwined and intertwined to produce a fabric of data as results.

And there’s a section called “Mathematical Formulas, Impurities and Stench”, which explores the “bad is stinky” realm — for example, discussing a book on software refactoring that refers to “(deodorant) comments” used “to mask bad smells in the code”.

With apologies to William Steig and Ted Elliott (and thanks to Robin), perhaps software really is most like onions. (They stink?) Yes — no! (They make you cry?) No! (You leave them in the sun, they get all brown, start sproutin’ little white hairs?) No! Layers! Onions have layers. Software has layers! Onions have layers. You get it? They both have layers.

The logic seems irrefutable.


The science of “Am I hot or not?”

Rick Jelliffe participates in face attractiveness research, and in the end becomes a manga hero. Wild!


SAML, lightly

I hosted a session yesterday on “Lightweight SAML and Liberty” at the Internet Identity Workshop. You can find the notes here. I thought it was interesting that there wasn’t a lot of “religion” about issues such as the use of XML Signature: a brute-force solution such as providing an API that abstracts away from having to know it seemed about as popular as removing it entirely somehow (e.g., by writing an alternate POST binding). For completeness in exploring the solution space, I tried suggesting that signing be removed entirely — and got snorts of derision, which is pretty much what I was expecting to hear. Whew! I will definitely be following up on what I learned from this session.

For people who aren’t familiar with the various SAML outreach sources, it may be helpful to know that there’s a very short Executive Overview, a draft Technical Overview (we could really use input on how to improve this — drop me a line with ideas), a bunch of slide sets (all linked from the main SAML committee page), a developers’ mailing list called saml-dev (subscribe, archive), a FAQ (I need to update sometime soon, using questions raised on saml-dev), and more.

Technorati tag: iiw2006


IIW impressions

I’ve had a devil of a time getting “on the grid” in the last few days — I’m temporarily without a cell phone and I spent yesterday at day 1 of the Internet Identity Workshop unable to get a workable net connection. Arrghh! But now the wireless seems to be working for me…ahhhh.

Yesterday’s session was in the more traditional conference mode — a series of presentations intended primarily for information transfer — whereas now we’re in unconference mode. Kaliya had asked me to speak yesterday on SAML and Liberty, and in my allotted 20 minutes I attempted to do a few things: introduce SAML and Liberty versions of terms for common concepts; review their design centers; and demonstrate (with Hubert’s help) how these protocols can be used in a user-centric interaction model. I’ll post my slides once I solve a few more of my remaining technical difficulties. (I’m not sure if it was entirely clear that, while Hubert was working from a Flash demo for convenience, what was shown was really implemented — albeit not in productized form — using Sun’s Access Manager product…)

The unconference concept is intriguing. I like its self-organizing nature, and it’s blissfully free of the over-engineered conference planning and expensive collateral you usually find at technical conferences. We’re meeting in the Computer History Museum in various corners of a huge open space, which feels right. There’s also a free espresso bar service provided, which seems like an essential given that Kaliya described the goal as making the whole event about the coffee breaks rather than rigid speaking sessions.

Here are a few of my random notes and impressions from day 1.

Eugene Eric Kim: Noted that everyone lies on self-registration forms on the web. He suggested that a policy infrastructure that allows for you to direct a site not to share your attributes, or only share them on your terms, could give the right incentives for people not to lie. For example, what if a site gave you a cut of the money they make off of selling your demo data? Hmm.

Paul Trevithick: Mentioned in passing that he believes the goal of “owning your identity” is naive. Bold! Mostly he spoke about the lexicon work at identitygang.org. I have to say that I’m uncomfortable with a lot of the definitions that have been flying around, mostly because they don’t take into account the enormous work that’s been done on security glossaries. My W3C workshop paper pointed to several sources that I think are more comprehensive and useful. It does seem that “identity provider” and “claim” are winning the day and that’s probably good, though we need a lot more precision around them both. (One person here at IIW is going to be hosting a session called “What does ‘persona’ mean?” Good luck to him!)

Johannes Ernst: Discussed mostly Yadis, which has a cool logo I hadn’t noticed before. Yadis seems like hot stuff. I wasn’t fully convinced by some of Johannes’s arguments in favor of URL-based identity (SMTP remains a huge killer app), but I’d like to dig into it more. My question to him after his session: Wow, how can Yadis possibly do all those things without using WS-Policy?!? (Do I need to put a smiley on that?)

Dick Hardt: Did a revised version of his famous presentation, which some wag in the audience dubbed “Identity 2.1”. The new news here was that SXIP is moving its DIX standardization effort into a form that is built on top of SAML — he called it a “user-centric profile of SAML”. This is great news, and I’m eager to see how this is shaping up; John Merrells is doing a session today on that.

More later…
