Let’s try it, if all goes well it will fail

I am a bit confused about the attempt of the credit report companies to “protect the link” to the new site where one can get free credit reports (see the bottom of this article). I understand the problem of phishing and I agree that this site will be a very tempting target for phishing. The “solution” the people at annualcreditreport.com came up with is that links to their site won’t work unless the link is either on the FTC web site or one of the three credit report companies. For example, try clicking here and it should give you an error. This is presumably done by checking the “Referer” HTTP header. Yes, it’s “referer”, not “referrer”, an example of how authors of Web browsers are normatively required to make spelling mistakes, this should keep all of us spec editors on our toes (which, as a side note, happens to be literally the case for me this week because I slammed my heel on the edge of the swimming pool by doing an aggressive flip turn a bit too close to the wall during a Master’s swimming training session).

Anyway, back to the “protect the link” story. Let’s see how this would work. I have in front of me a hypertext link to their site. If I know that the site has this “protection” then why would I click on it? If it works then it’s a fake and I don’t want to use it and if it’s not a fake then it won’t work. In any case I know I’ll have to enter the URL by hand so I’ll do it right away. And if I am not aware of this behavior then I will click on the link. If it works (because the link is a fake), then I have no reason to suspect anything fishy and I’m in trouble. If it doesn’t work (because the link is real) then I’ll see that I have to enter the URL by hand and I will be out of trouble but I wasn’t in trouble to start with since the link was correct. In none of these four permutations does this system do any good.
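The four permutations above can be walked through as a small model (an added example, not code from the site or from the original post). The allowlisted host names, the lookalike host and the function names are placeholders; the only assumption about the real site is the Referer allowlist described above.

```python
from itertools import product
from urllib.parse import urlsplit

REAL_HOST = "annualcreditreport.com"
# Placeholder hosts standing in for the FTC and the three credit report companies.
ALLOWED_REFERERS = {"ftc.example", "bureau-a.example",
                    "bureau-b.example", "bureau-c.example"}


def real_site_serves(referer):
    """The real site's gate: typed URLs (no Referer) and allowlisted referrers pass."""
    if referer is None:
        return True
    host = (urlsplit(referer).hostname or "").lower()
    return host in ALLOWED_REFERERS


def follow(link_url, page_url, types_by_hand, gate=real_site_serves):
    """Return (site where the user ends up entering data, did the gate block a request)."""
    if types_by_hand:
        # A user who knows about the gate never clicks; a typed URL has no Referer.
        return REAL_HOST, not gate(None)
    host = (urlsplit(link_url).hostname or "").lower()
    if host != REAL_HOST:
        # The click goes to a different server, so the real site's gate never runs.
        return host, False
    # Real link: blocked or not, the user was heading to the real site anyway
    # and gets there by typing the URL after seeing the error.
    return REAL_HOST, not gate(page_url)


def four_permutations(gate=real_site_serves, page_url="https://blog.example/post"):
    """Evaluate real/fake link x user types/clicks, for a link on a non-allowlisted page."""
    links = {"real": f"https://{REAL_HOST}/", "fake": "https://lookalike.example/"}
    return {
        (kind, types): follow(url, page_url, types, gate)
        for (kind, url), types in product(links.items(), (True, False))
    }


def destinations(gate):
    """Only the final destination of each permutation, ignoring error pages."""
    return {case: site for case, (site, _) in four_permutations(gate).items()}


if __name__ == "__main__":
    for case, result in four_permutations().items():
        print(case, result)
```

Comparing `destinations(real_site_serves)` with `destinations(lambda referer: True)` shows the same end state in every case: the gate only ever blocks the click on the real link, and the one bad outcome is a request it never sees.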

The scary thing is that when people learn about this system, they might actually be more trusting of sites that implement something like this. But what stops a phishing site from doing the exact same thing, giving people an error message unless they type the URL by hand? Nothing. This reminds me of an email I once got from my bank to “educate” me about phishing, with “helpful” advice such as “we will never request personal information from you until after you are logged into our site using your username and password”. Hello? I give them my credentials and this supposedly authenticates them to me?

Filed under Everything, Security

Just on time for the Christmas tree

I must admit I was embarrassed to link to a copy of MUWS which was (1) a Word document and (2) covered with change tracking annotations in my previous post. Kind of like having friends or neighbors drop by when your laundry is spread out on the living room floor for folding. Well, now there are better links available to clean PDF versions of WSDM MUWS Part 1 and WSDM MUWS Part 2. Note that these are still working drafts; they haven’t been approved by the technical committee yet. But the vote is currently open (for a week) and these are the versions that the committee is expected to promote to Committee Draft. Next step, OASIS standard…

Filed under Everything, Standards

That’s not an identifier. THIS is an identifier (say it with a Crocodile Dundee accent)

I already explained that I agree with Paco’s view that EPRs are not identifiers. Pankaj also provided a concrete example of why confusing references and identifiers causes problems. Paco just sent a new, better explanation of his earlier point, in the format of a formal proposal to the WS-Addressing WG. His proposal and its justification are a must read. He starts with a “what is required from an identifier” paragraph, which reads:

An identifier to be useful must allow meaningful comparison for identity or “sameness”. This requires them to be overall unique and unambiguous, otherwise no meaningful comparison is possible. Moreover one could argue that to be really useful identifiers should not be reused once they’ve been made invalid.

Compare this with the specification for the ResourceId property defined in MUWS Part 1 (note: this is a link to the current working draft as a Word document, not yet a committee draft). Some highlights that match very well with Paco’s expectations for a *real* identifier:

  • Globally unique: A manageability endpoint MUST create the ResourceId URI in a way that ensures that the ResourceId is unique to the resource managed through the manageability endpoint and globally unique.
  • Uniqueness in time: A ResourceId MUST NOT be reused by the implementation of a manageability endpoint for another resource, even after the original resource no longer exists.
  • Consistency across endpoints: An implementation of a manageability endpoint SHOULD use a ResourceId that is suggested by the characteristics of a resource.

And the spec goes on to define in more detail why/how implementers should ensure that different manageability endpoints for the same resource return the same ResourceId, persistence of the ResourceId in time and how to establish “sameness” when for some reason different manageability endpoints for the same resource are unable to return the same ResourceId (correlatable properties). Go ahead and read it or wait a couple of weeks if you want to see a committee draft as a clean PDF rather than a Word document with change tracking turned on.

Filed under Everything, Standards, Tech

Feeds and feedback

I got a few requests for syndication URLs for this blog, so here is where you can find them: http://devresource.hp.com/blogs/vambenepe/viewFeeds.action. Four of them to choose from! But I have to agree that one URL that can be found on the page beats four that can’t be found… No good reason why this wasn’t on the page by default and it should be fixed soon. In the meantime, you now know where to find them if you hadn’t yet guessed (like many did and Bloglines seems to do by default) that adding “rss.xml”, “rdf.xml” or “atom.xml” at the end of the blog URL was worth a try.

The sad thing is that there wasn’t really a way to let me know of that problem (lack of feed URL) either since this blog doesn’t currently support comments (should be fixed soon) and doesn’t even provide my email address. Not that my address is hard to find on Google since my last name is not common. But, in the interest of rich metadata it should still be available on this blog (doesn’t this fit well in the much-quoted discussion between Adam “just Google it” Bosworth and Marc “give me metadata or give me death” Canter?). So, until it is available permanently on the page, here is where to send feedback: vbp@hp.com.

The paint is still fresh…

[UPDATE: the blog has since moved and these URLs are not correct anymore. The RSS feed is now at https://stage.vambenepe.com/wp-rss2.php]

Filed under Everything, Off-topic

Globus toolkit in Apache?

As Savas already noted (and commented on), Globus seems to intend to contribute all of their toolkit to Apache (warning, this is a link to a Word doc). This follows an earlier co-submission, between HP and Globus, of the WSRF and WSN implementation. It will be interesting to see how the Web services project at Apache scales up with all these contributions.

Filed under Everything, Implementation

Whose policy is it anyway?

Greg recently posted an interesting article on what’s ahead of us in terms of really using policies in conjunction with Web services. I agree with him that the interesting question is not in “features and properties” versus WS-Policy. Whether you use one, the other, or a combination of the two you’ve still barely scratched the surface. I also agree that policies should not be tied with WSDL descriptions (a problem of F&P). But a key thing I would add to Greg’s list of what people need to be able to do with policies is define more precisely what “components” of the architecture policies are attached to. Yes, the “service” component is not sufficient as policies can be attached to more granular or less granular levels. But what are these levels? Who defines them? How do we come to agreement on them?

WSDM MUWS 1.0 Part 1 (coming in December) will define such basic components as “property”, “operation” and “event” that can have policies attached to them. These are components that are more granular than a “service” or an “endpoint”. Then you have relationships (defined in MUWS Part 2) that can also have attached policies. And you can have policies applied at a higher granularity level than the service, for example at the level of a business process made up of several services. Who will define these components?

Once we have these policy-capable components defined, we can go back to Greg’s question about attaching policies to them. “Multiple methods of association”, as he suggests, is one possible approach. Another way is to make more daring (shall we say) usage of existing addressing methods. For example the way WS-Management does it in its section 3. But this comes at the cost of throwing down the drain the benefits associated with opaque reference properties in WS-Addressing. Is it worth it? Any other alternative?

Filed under Everything, Standards, Tech

32K ought to be enough for everyone

A couple weeks back I had to spend time moving my Outlook local folder file (the *.pst) from where it was by default (somewhere like “c:\documents and settings\username\local settings\application data\microsoft\outlook”) to “c:\mail”. And I also had to rename my rules (e.g. from something like “WSDM mailing list” to “w1”). And to merge several rules into one (so for example now all emails from ws-i.org go to the same “WS-I” folder, I can’t have one subfolder per working group anymore). That took some time (both to figure out what I needed to do and to make the changes) and left me less productive than before (non-descriptive rule names make them harder to manage and I have lost some granularity in the filtering by consolidating filters). Aren’t Outlook rules supposed to make you more productive rather than less?

So why all the trouble? Simply because Exchange says all your rules have to fit in 32K. So it’s ok to have endless signatures with quotes from other people (that somehow prove that you’re smart) or contact info for your kid’s favorite party clown. But rules, despite being vital to managing the flood of incoming email when you subscribe to several mailing lists, only get 32K.

The most infuriating aspect is that I can’t figure out why that is. The rules I use are stored on the server but executed on the client. Clearly it can’t be a matter of storage space on the server. It stores dozens of megabytes of email for me. Turning 32K into 1MB would make little difference. And I’d be happy to settle for a tiny bit less email space for some badly needed rule storage space. It can’t be because of computing resources to execute the rules either. They run on my client machine, not on the server. And my 32K turn into less than 20 rules. Surely, 20 simple rules (the typical rule is “if this comes from mailing list foo put it in the foo folder”) can’t overwhelm my machine. And if they do, let me decide whether it’s worth it to me or not.

Of course this is all the fault of the WS-Addressing WG. I had postponed making the needed changes because of lack of time, but the crazy traffic on the WS-Addressing mailing list forced me to make room for another filter. So emails could be properly dispatched to the right folder. Ironically, this is for an addressing specification. My take-away is that if Microsoft is only going to give us 32K to dispatch SOAP messages with WS-Addressing headers (like they decided to do for email) then I don’t understand why they are so fond of reference properties and reference parameters. Hopefully Don won’t let the Exchange architects anywhere near Indigo. ;-)

Filed under Everything, Off-topic

WS-Management feedback workshop

The tireless Jorgen is organizing another feedback workshop. Actually, this time they’re packing two in one session. There will be one for WS-Management and one for WS-Transfer and WS-Enumeration. All that in one day, it’s going to be hard if there is a lot of feedback provided. Which may or may not be the case… But in any case, this session is good news for everybody.

While I’m at it, I thought I’d mention that WSDM holds a “feedback workshop” every Thursday from 9AM to 11AM Pacific time and 24/7 on the mailing list of the technical committee…;-)

Filed under Everything, Standards

More on WS-Addressing EPRs

After an email exchange with Anish about my previous blog entry I would like to clarify what I wrote on Sunday. I agree that EPRs can be used as identifiers. Just like phone numbers. For example, a specification could require that the Reference Properties be constituted of the element, in effect making the EPR an identity representation by virtue of containing one. And this is fine.

My point is not that this should not be done, it is that the WS-Addressing working group does not need to concern itself with, or even acknowledge this usage of EPRs. The WS-Addressing working group should concentrate on producing an XML element to package the information necessary to invoke a Web service endpoint. This is what is asked of it. Considering whether and how this can be used for identity consideration is at best a waste of time and at worst a source of unneeded complexity and formalism. Keep it simple.

Note: the most alert readers will have noticed that the prefix of the namespace for the MUWS ResourceId element has changed between my entry on Sunday and this entry from “muws-xs” to “muws-xs-1”. Looks like a detail but this is a sign of an important and very cool improvement that was decided by the WSDM TC today. I am implementing this change in the MUWS spec right now (this blog entry is my little “pause” from the editing work, scary as it sounds). Stay tuned for more. WSDM 1.0 is coming soon to a printer (and a JVM) near you.

Filed under Everything, Standards, Tech

WS-Addressing EPRs are not identifiers

I haven’t yet decided whether to join the WS-Addressing working group at W3C and I must say that the deluge of emails going on over there doesn’t do anything to alleviate my main fear about joining the group, i.e. that it will suck a lot of time. Just as I am trying to free more time to work internally on architectural issues related to the MAE (Management for the Adaptive Enterprise) effort rather than externally, in standards bodies. But I am monitoring the mailing list of the WS-Addressing working group as what happens to the EPR concept is important to many specifications I am involved with, such as WSDM, WS-Notification and the WSRF patchwork. And it’s always interesting to read what the smart people involved in this discussion have to say. It feels like the Web services community has been waiting for an opportunity to have this discussion for a long long time.

One thing that is clear to me after using EPRs for a while is that they are not meant to be identifiers, just references. Their only goal is to tell you how to talk to an endpoint. Francisco Curbera hits the nail on the head in this email message. Identifying endpoints and whatever it is that they represent is a different thing altogether and not in scope for WS-Addressing. It is in scope for management applications of Web services and this is exactly what WSDM MUWS (Management Using Web Services) provides through the muws-xs:ResourceId property, along with (optionally) the “correlatable properties” capability.

Other issues that the WS-Addressing group now has to deal with include usage of Reference Properties (and especially how they get mapped to SOAP headers) and what Reference Parameters are good for. Those got slipped into the version of the spec submitted to W3C and were not available to us when designing WSDM, WSN and WSRF. Not that we would necessarily have used them anyway. Another issue that hasn’t yet shown up on the WS-Addressing mailing list is whether it is appropriate for someone to modify EPRs they receive if there is some “out of band” understanding of how they are built. My guess is that the group will punt on that one (which is reasonable) but I am looking forward to the discussion and will raise this question if no group member does. I might write more on some of the topics in this last paragraph in later entries.

Filed under Everything, Standards, Tech

Building blocks of an “adaptive enterprise”

Call it “laziness” or “smart reuse”, here is a pointer to a Web services journal opinion piece I wrote a few months back in an attempt to explain how the different efforts going on in the industry around Web services, grid, SOA management, virtualization, utility computing, <insert your favorite buzzword>, fit together to provide organizations with the flexibility and efficiency they need from their IT in order to thrive. This is how it starts:

Enterprise services are created by combining infrastructure services, applications, and business processes. To be able to adapt quickly to business changes, enterprise IT must evolve from management of individual resources to management of interrelated services. [more…]

Filed under Articles, Business, Everything, Tech

Can you hear the muse?

Check out this proposal. It brings three new incubator projects to the Web services activity in Apache. And they come with working code.

The projects are:

  • Muse, an open source implementation of WSDM MUWS. With existing code contributed by HP.
  • Apollo, an open source implementation of the WS-ResourceFramework (WSRF) specifications. With existing code contributed by HP and Globus.
  • Hermes, an open source implementation of the WS-Notification specifications. With existing code contributed by HP and Globus. You’ll also notice in the description of this project that it includes support of WS-Eventing (but this is not included in the contributed code).

Filed under Everything, Implementation