One of the more thankless jobs at MSN Windows Live is to work on the Passport team. Many of the product teams that are customers of the service tend to view it as a burden, myself included. One of the primary reasons for this is that instead of simply being the username/password service for MSN Windows Live it is actually a single-sign in system which encompasses a large number of sites besides those owned by Microsoft. For example, you can use the same username and password to access your email, travel plans or medical information.

Trevin Chow of the Passport team has written a blog post entitled Why does Passport sign-in suck? where he addresses one of the pain points its customers face due to its legacy as a single sign-in system. He writes

Q: Why do you keep asking me to sign in over and over again even though I've checked "automatically sign me in"?  What don't you understand about "automatic"?!
 
One of the biggest problems we see in the network of MSN, Windows Live and Microsoft sites is that Passport sign-in is seen way too often by users.  It appears as if we are disregarding your choice of "automatically sign me in" and randomly asking you to sign in when we want with no rhyme or reason...
 
Passport sign-in 101
Passport sign in is based on cookies. Because HTTP is stateless, we have only 2 ways of persisting information across requests -- the first being to carry it on the query string, and second via HTTP cookies.  The first method (query string) isn't useful across browser sessions (open IE, close it, and re-open), which leaves us only option 2 (cookies).  Cookies are the mainstay of modern web sites, and allow very powerful personalization and state management.  Passport leverages this to provide the world's largest web authentication (aka sign-in) system.
 
Passport first validates your identity by validating your "credentials" (email address and password combination) that you typed in on our sign-in UI.  Once validated, Passport uses cookies in the passport.com and the partner's domain (eg. www.live.com, MSN Money, MSDN) to vouch for your identity.  The cookies in our partner's domain act as assertions that you are who you say you are.    Because each partner site trusts Passport, the sign-in authority, assertions about a user's identity from Passport are also trusted by the partner.
...
After you sign into one partner site in the "passport network", users can freely go to subsequent partner sites and sign in. This is where the magic of Passport comes into play and single sign-on is achieved.  When you visit another partner site, and click "sign in" you are redirected to Passport servers. Because you already authenticated once to Passport (represented through your passport.com cookies), we don't need to validate your credentials again and can issue a service ticket for this new partner website.
 
But Trevin, you just said that "because you already authenticated once to Passport <snip>, we don't need to validate your credentials again...".  That clearly isn't the case since I seem to keep getting asked for my password!
 
In the last section, especially the last paragraph, I purposely left out some detail for simplicity. We can dive into more detail now that you have a better high-level understanding of the flow of passport sign-in.
 
In order to have a secure single sign-on system, you simply cannot have one prompt for a login then be able to access any site.  It sounds counter-intuitive, since that's what "single sign-on" seems to imply.  This would only be possible if every single website you accessed had the same level of security and data sensitivity.  We all know that this is not the case, and instead, sites vary in the level of security needed to protect it. 
 
On the lower end of the spectrum (least sensitive), we have sites like www.live.com, which is merely personalization.  In the middle, we have sites like Live Mail, which has personal information such as email from your friends.  On the extreme end of the scale (most sensitive) we have sites like Microsoft Billing which contains your credit card information.  Because of these varying levels of data sensitivity, each site in the Passport network configures what we'll call their "security policy" which tells Passport parameters to enforce during sign in which is supposed to be directly related to their data sensitivity -- the more sensitive the information therein, the "tighter" the security policy.
...
All our partner websites currently have a mis-matched set of security policies, each set at the discretion of their own team's security champ.  It's because of the inconsistent security policies that you keep getting asked for your password over and over.
 
Wow, so this sounds like a tough problem to solve.  How are you going to fix this? 
 
Our team is absolutely committed to making the sign in experience the best on the internet.  To fix this specific problem, our team is moving to a centralized definition of security policies.  What does this mean? Instead of each partner website telling us the specific parameters of the security policy (such as time window), they instead will tell us an ID of a security policy to enforce, whose definition will be on the Passport sign-in servers.  This means that by offering a limited set of security policies we limit the mistakes partner websites can make, and we will inherently have more consistency across the entire network for sign in.  Additionally, it gives us more agility to tweak both the user experience and security of the network since Passport is in total control of the parameters.

This is just one consequence of Passport's legacy as a single-sign in system causing issues for MSN Windows Live sites. Another example of an issue we've faced was when deciding to provide APIs for MSN Spaces. If you read the Getting Started with the MetaWeblog API for MSN Spaces document you'll notice that instead of using the user's Passport credentials for the MetaWeblog API, we instead use a different set of credentials. This is because a user's Passport credentials were deemed to be too valuable to have them being entered into random blog editing tools which may or may not be safeguarding the user's credentials properly.
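To make the "security policy" mechanism in Trevin's post concrete, here is an added toy model (my own illustration, not Passport's code): a sign-in authority holds one authentication cookie per user, each partner site carries a policy whose "time window" says how recently the password must have been entered, and the authority re-prompts whenever the cookie is older than the window of the site being visited. The first version lets each partner supply raw parameters, the second resolves a policy ID against a central catalog, as described in the quote. Site names, window values and the visit sequence are constructed for the example; the point shown is that a single low-sensitivity site with a mis-set tight window drives repeated prompts across the whole network, and that a catalog of named tiers both prevents that and rejects unknown policy IDs.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class SecurityPolicy:
    """Parameters the sign-in authority enforces; only the time window is modelled."""
    max_age_seconds: int


@dataclass
class AuthCookie:
    """Stands in for the passport.com cookie: when credentials were last validated."""
    authenticated_at: int


def needs_reprompt(cookie: Optional[AuthCookie], policy: SecurityPolicy, now: int) -> bool:
    """Re-prompt if there is no cookie, or the last password entry is older than the window."""
    return cookie is None or (now - cookie.authenticated_at) > policy.max_age_seconds


def simulate(visits: List[Tuple[int, str]],
             policy_for_site: Callable[[str], SecurityPolicy]) -> List[Tuple[int, str]]:
    """Walk a sequence of (timestamp, site) visits and return the visits that prompted."""
    cookie: Optional[AuthCookie] = None
    prompts: List[Tuple[int, str]] = []
    for now, site in visits:
        if needs_reprompt(cookie, policy_for_site(site), now):
            cookie = AuthCookie(authenticated_at=now)  # password entered, cookie refreshed
            prompts.append((now, site))
    return prompts


# Model 1 (decentralized, constructed values): every partner hands over raw parameters.
DECENTRALIZED: Dict[str, SecurityPolicy] = {
    "www.live.com": SecurityPolicy(max_age_seconds=86400),
    "mail.live.com": SecurityPolicy(max_age_seconds=1800),
    # Mis-set by its team: as tight as billing for read-mostly content.
    "msdn.microsoft.com": SecurityPolicy(max_age_seconds=300),
    "billing.microsoft.com": SecurityPolicy(max_age_seconds=300),
}


def decentralized_policy(site: str) -> SecurityPolicy:
    return DECENTRALIZED[site]


# Model 2 (centralized, constructed values): partners name a tier; the authority owns the numbers.
POLICY_CATALOG: Dict[str, SecurityPolicy] = {
    "low": SecurityPolicy(max_age_seconds=86400),
    "medium": SecurityPolicy(max_age_seconds=1800),
    "high": SecurityPolicy(max_age_seconds=300),
}
CENTRALIZED_IDS: Dict[str, str] = {
    "www.live.com": "low",
    "mail.live.com": "medium",
    "msdn.microsoft.com": "low",
    "billing.microsoft.com": "high",
}


def resolve_policy_id(policy_id: str) -> SecurityPolicy:
    """A limited catalog means a typo or invented tier is rejected instead of silently enforced."""
    if policy_id not in POLICY_CATALOG:
        raise ValueError(f"unknown security policy id: {policy_id!r}")
    return POLICY_CATALOG[policy_id]


def centralized_policy(site: str) -> SecurityPolicy:
    return resolve_policy_id(CENTRALIZED_IDS[site])


# Constructed browsing session: timestamps in seconds from the first visit.
VISITS: List[Tuple[int, str]] = [
    (0, "www.live.com"),
    (200, "mail.live.com"),
    (700, "msdn.microsoft.com"),
    (1100, "msdn.microsoft.com"),
    (1500, "msdn.microsoft.com"),
    (1600, "billing.microsoft.com"),
    (1700, "www.live.com"),
]


def prompt_count(policy_for_site: Callable[[str], SecurityPolicy]) -> int:
    return len(simulate(VISITS, policy_for_site))


if __name__ == "__main__":
    print("decentralized prompts:", simulate(VISITS, decentralized_policy))
    print("centralized prompts:  ", simulate(VISITS, centralized_policy))
```

Run as-is, the decentralized model prompts four times in this short session (three of them on the mis-configured documentation site), while the catalog model prompts twice: once at the start and once when the user first reaches the high-sensitivity billing site, which is the behaviour the tiers are meant to produce.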

I now consider identity systems to be one big headache based on my experiences with Passport. This is probably why I've steadfastly avoided learning anything about InfoCard. I know there are folks trying to make this stuff easier at Microsoft but it seems like every time I think about identity systems it just makes my teeth hurt. :(


 

Categories: Windows Live

Don Box has an excellent post on the entire REST vs. SOAP debate entitled Pragmatics where he writes

The following design decisions are orthogonal, even though people often conflate two or more of them:
 
  1. Whether one uses SOAP or POX (plain-old-XML).
  2. Whether or not one publishes an XML schema for their formats.
  3. Whether or not one generates static language bindings from an XML schema.
  4. The degree to which one relies on HTTP-specific features. That stated, screw with GET at your peril.
  5. Whether one adopts a message-centric design approach or a resource-centric design approach.
           
Some of the decisions (specifically 5) are architectural and sometimes philosophical.
 
Some of the decisions (specifically 1-2) are simple business decisions that are determined by who your target audience is.
 
  1. If you want a great experience for .NET/Java devs, you’ll typically publish schemas (through wsdl) and support SOAP.
  2. If you want a great experience for LAMP folks, you’ll support POX messages and will provide a non-XSD description of your formats.
  3. If you want to reach both audiences, you’ll do both #1 and #2.
  4. If you want to reach both audiences before your competition does, you'll avoid indulging in religious debates and ship something.

This is so true it hurts. Most of the discussion around XML Web services has unfortunately been driven by platform vendors in either the Java or .NET camps which has unnecessarily skewed the discussion. When you are an actual business decision maker faced with building services on the Web, a lot of the silly dogma around REST vs. SOAP simply dissipates. Instead it boils down to deciding how broad of an audience you want to reach and how much work you want to do to reach that audience.

That said, I'd quibble about needing to do both REST and SOAP if you want to reach both the enterprise developer crowd (i.e. Java/.NET developers) and the LAMP crowd. One counter example to this theory is RSS: it is a RESTful web service which hasn't needed to be SOAP based to result in lots of great apps built on it using the .NET Framework such as SharpReader, RSS Bandit and NewsGator Outlook Edition. From my perspective as an RSS reader developer, I will admit that it would have taken a lot less code to handle the feed processing in RSS Bandit if it was SOAP-based. On the other hand, from my perspective as a service provider I'd note that the amount of work needed to implement and support two APIs that do the same thing is often not worth it.

Coincidentally, today is the date of my semi-regular lunches with Don and now he's provided some good fodder for us to chitchat about over MSFT's cafeteria grub.


 

Categories: XML Web Services

February 17, 2006
@ 02:23 AM

For those who missed it, the MSN AdCenter team now has a blog at http://blogs.msdn.com/adcenter. The most recent post is about the New adCenter Release Coming Up and it reads

You may be asking yourself, "Why a new version?" Well, our goal is both to make your adCenter campaign management easier and to improve your user experience. We've learned a lot from the customer feedback we've gotten so far, and now we're ready to share our ideas with you.

Updates include:
1. Order creation process simplified into 4 steps
2. Broader differentiation between campaigns and orders  
3. New pricing tab includes all budget, bidding, and incremental pricing
4. Negative keywords can be applied at the order level
5. Keyword / ad rejections include reason codes

 and lots of other cool changes - I'll post more details here later in the week so you'll know what to expect when you login after the release - and when the release will happen.

This is one product I can't wait for Microsoft to ship. It's cool that we want to improve our search engine and other online properties to be more competitive but it is all for naught if we don't have a good story around how we and our customers make money from our services. AdCenter to the rescue...


 

Categories: MSN

February 16, 2006
@ 06:03 PM

Jason Fried of 37 Signals has a post critical of Office Live entitled Microsoft Office Live is "web based" where he writes

Office Live, Microsoft’s entry into the web-based office application space, went beta today.

Check out some of the system requirements for certain features of this “web-based” service:

  • To use the Edit in Datasheet feature within the Business Applications and Shared Sites areas requires Microsoft Office 2003.
  • To export to Business Contact Manager requires Microsoft Office 2003, Microsoft Office XP, or Microsoft Office 2000.
  • To import contacts from Microsoft Office Outlook requires Microsoft Office 2003 or Microsoft Office XP.
  • To link contacts to Microsoft Office Outlook requires Microsoft Office 2003.

And of course you must use IE. I never thought I’d see a web app suite that has more system requirements than a desktop app, but I guess I should never underestimate Microsoft.

A number of comments in response to the blog post have pointed out that it is misleading since it implies that Office Live requires Microsoft Office when in truth most of the features mentioned are related to importing and exporting data to and from Microsoft Office products like Outlook. Since the target audience for Office Live is the same as that for the majority of the products of 37 Signals it is unsurprising that they are so hostile to the service.

However this isn't to say that there isn't some valid criticism here. Jason is right that Internet Explorer is required to use Office Live. I also had an issue with this especially since in Windows Live we have an explicit goal that Internet Explorer and Firefox users should get an equivalent user experience. When I talked to the Office Live folks about this they pointed out to me that although Internet Explorer is required to create a site using the service, the websites created with it (such as http://daresofficelivesite.com) work fine in all major Web browsers. This is a good step but they know they can do better.

As it is with all feature requests in product development, the best way to get Firefox support to show up in Office Live is for users to demand it. That's what happened with Windows Live and I'm sure the same will end up happening for Office Live. I'm sure the question won't be if but rather when it shows up.


 

Categories: Office Live | Windows Live

February 16, 2006
@ 05:22 PM

A few days ago, I asked Edgeio: An eBay Killer or Just Another Lame Startup? which seems to be a question that was asked by several other bloggers. On the Edgeio blog there is a post entitled More Bloggers Discuss Edgeio which promises to address some of the questions raised about the service. The blog post states

There are three key things people bring up when questioning whether or not edgeio will be successful.

1. Will bloggers want to post classified listings on blogs?

2. How to deal with the inevitable spam onslaught?

3. Assuming 1 & 2 are overcome, what stops everyone from entering the market?

These are all great questions whose answers I'd love to see. For #1 the edgeio folks have to convince vendors of blogging tools and hosted blogging services to make it easy for people to mark up their blog posts as auction listings. I called this a 'Make this blog post a classified listing' checkbox in my previous post on Edgeio. Then there is the task of convincing people that instead of listing items for sale on eBay or Craig's List, they should instead post an entry in their blog. This will be an uphill battle. Assuming they solve that, question #2 points out that the next hurdle is dealing with the inevitable avalanche of splogs which will pollute the system. Blog search engines like Technorati seem to be doing a decent job at filtering out splogs so this is tough but not an insurmountable problem.

The real doozy is question #3. Once they've convinced the blogosphere to start posting classified listings on their blogs instead of using existing listing sites AND have done a decent job holding down spam, they still have to contend with the Google factor. From my perspective, the functionality Edgeio plans to provide is the kind of feature that could be added to Google Base by an enterprising developer in his or her 20% time, let alone if a bigger player like eBay or Craig's List decides to get in this space.  Besides proclaiming that they have patents protecting their business model, I can't see how Edgeio plans to answer question #3 above. I'll be watching their blog to see what their answers to the above questions are. My curiosity is definitely piqued.


 

Categories: Social Software

February 15, 2006
@ 06:04 PM

David Hunter has a blog post entitled Microsoft relaunches bCentral, calls it Office Live where he writes

Press release:

Sept. 23, 1999 — Microsoft Corp. today announced the launch of Microsoft® bCentral, a new portal created specifically to meet the needs of small and growing companies. Microsoft bCentral provides a comprehensive and integrated suite of services to help growing companies leverage the Internet to improve their business. The site delivers services in three key areas: getting a business started online by connecting to the Web and building a Web site; promoting and marketing online to reach new customers; and managing a business more effectively. A beta version of the new site will be available in the United States beginning Sept. 30, 1999, at http://www.bCentral.com/ .

Change the menu a little and call it Office Live and you have today’s announcement:

Feb. 15, 2006 — Microsoft Corp. today announced the beta availability of Microsoft® Office Live (http://www.OfficeLive.com), offering small-business customers a cost-free opportunity to experience the company’s new Internet-based software services firsthand. A milestone for the online services previewed last fall, Microsoft Office Live combines the power of software and services to deliver rich and seamless experiences to small companies that want a presence online.

Microsoft Office Live helps lower the barriers to doing business online by offering small companies a set of Internet-based business services. Designed for ease of use and affordability, the online services are designed to give small businesses the same advantages as larger enterprises by getting them up and running on the Internet quickly, easily and inexpensively.

There were no surprises from the various “preannouncements” yesterday or even from the original Office Live announcement...So what’s with the Office moniker? There had been some expectations, despite all the clues to the contrary, that there were to be online versions of at least some of the Office products. Those hopes were dashed...The use of “Office” in “Office Live” apparently connotes business usage, and that’s it...So I guess we take it for what it is. There may well be a play in the hosted “intranet replacement” offering if they roll out some useful applications, but that’s a story we heard about the now defunct bCentral too (e.g. [1], [2]). Presumably, Microsoft thinks they’ll have more luck this time around, but it’s not clear why.

The folks working on Office Live have big plans for the service. The big question is whether our execs will let them execute on their vision or whether we'll continue to practice death by risk aversion.


 

Categories: Office Live

February 15, 2006
@ 05:27 PM

Office Live is now live at http://www.officelive.com. As I mentioned yesterday, our team has been working closely with the folks behind Office Live. This means that I got the hook up with regards to early access to the service. I've heard it's okay to post screenshots so I'll be posting some with my review of the service. There are 3 basic SKUs of the service

  1. Office Live Basics: This service makes it easy for a small business to create and manage its website. It features all the basics you need to create your first Web site including free Web hosting, Web site statistics, a personalized domain name (bring your own domain or get one through Microsoft), and up to 5 e-mail accounts for your domain.

  2. Office Live Collaboration: This service makes it easy to store, share, and manage your everyday business information in one central online location. Users can create any number of password-protected Web sites for collaborating among internal employees and external customers, suppliers, and vendors. The service provides access to business applications for managing one's customer relationships, employees and project management.

  3. Office Live Essentials:  A combination of the Basics and Collaboration SKUs with a few more benefits such as getting 50 email accounts instead of just 5 with your custom domain. 

Office Live is a mix of a number of core services a small business needs to exist today. It gives them a domain registrar, email hosting, internal and external web site hosting, as well as line of business applications all in a single place.

When I tested the service, I got myself an Office Live Essentials account. The sign-up steps included choosing a domain name which was automatically registered for me by the service, providing my contact information, entering my credit card information and agreeing to the terms of use. The domain I created was http://www.daresofficelivesite.com/ which may not be available until a few hours after this posting. Below are some screenshots of the service; click the images for larger versions of the screenshots.


Member Center - Overview


Web Site - Overview


Web Site - Page Editor


Business Applications - Dashboard


Users & Accounts

In general I think Microsoft has a winner here. My girlfriend used to be a professional photographer and she definitely could have used a service like Office Live. It definitely hits the sweet spot for small businesses. 

However there is a bunch of work that needs to be done. As you can see from the screenshots, the service provides a lot of functionality and options. I think perhaps too much, which could be overwhelming to the target audience of small businesses that are likely too small to even have an IT staff. I found features such as the business dashboard a bit overwhelming. Another small gripe is that I couldn't set up email accounts because it kept giving me an 'invalid password' error when I tried to create an email account. I assume this is because I was using a weak password but it didn't say that. That was rather irritating and I gave up trying to create a new email account. Thus I couldn't get a screenshot to confirm that the user interface for the hosted email is that of Windows Live Mail. I know the folks behind Office Live will be eagerly awaiting feedback on their product, so give it a shot.

I should probably see about asking some of these folks to start blogging if they haven't already. :)


 

Categories: Office Live

February 14, 2006
@ 05:55 PM

Our team has been partnering with the Office Live folks and I've been pretty impressed at how far along they have come in a short time. I haven't been able to blog about their product yet but today I saw a post from Joe Wilcox entitled What Office Live Is Not which gives good insight into the goals of the product.

He writes

Last night, Microsoft lifted the NDA for Office Live, so I am rapidly blogging a day sooner than expected. Office Live goes live--at least in limited beta--tomorrow.

So there is no confusion about Office Live:

* Office Live absolutely is not a hosted version of Microsoft Office. People have asked me if Microsoft is hosting Office applications or would do so in the future. Answers are no and highly unlikely. I don't expect Microsoft to offer a hosted version of Office as part of Office Live. Ever. While Microsoft obviously is concerned about the Web 2.0 concept, the company is not going into the hosted applications business.

Most of the extended capabilities do functionally derive from Microsoft server software, such as Exchange, SharePoint and Project. The service provides basic e-mail and calendaring capabilities (such as might be seen from Exchange), collaboration functions (such as come with SharePoint Portal Server) and for working on projects (such as supported by Project Server).

Based on JupiterResearch surveys, Microsoft's target market of businesses with fewer than 10 employees would be highly unlikely to run server software products like Exchange, SharePoint or Project. Microsoft's approach extends those products' capabilities--and their potential benefits--to the smallest businesses. As those businesses grow, Microsoft has created opportunity for its partners to upsell server software that would maintain and extend Office Live capabilities. Smart.

For now, small businesses would largely consume these services in a Web browser. There are some ties back to Office products, and I expect to see more of these ties with the release of Office 12. I will discuss more of this in another post.

* Google isn't the target here and, in many respects, neither is the nebulous Web 2.0 concept. As I wrote back in November, "Microsoft hopes to generate greater customer value and make new-version Office and Windows upgrades more appealing. MSN has done a tremendous job cranking out new products and services, well ahead of the long Office and Windows development cycles. The point: If Google didn't exist, Microsoft probably still would have embarked on a services strategy."

Microsoft is probably more concerned about a Salesforce.com than a Google here. Microsoft's core business is applications and operating systems. Services like Salesforce.com negate the value of both applications and operating systems, territory Microsoft won't easily cede. It's no coincidence that CRM is a major Office Live feature.

Once the product goes into beta I'll probably do a review along with some screenshots [if the team doesn't mind]. There is definitely good stuff coming down the pipe here.


 

Categories: Office Live

February 13, 2006
@ 09:19 PM

Harry Pierson has a blog post entitled SPARK is Out of the Bag where he writes

As part of the new job, I'm involved in planning a workshop called SPARK, which Dion Hinchcliffe blogged about this morning. (Dion also writes a blog here - bringing the total to three - so I created a combined feed just to keep track of all the places he writes). My new boss Mike also mentioned SPARK this morning. In the hopes of sparking further interest (pun intended), here's the overview of SPARK:

SPARK is the first in a series of high-level forums hosted by Microsoft that use a workshop setting to examine “the issues that matter most” in the practice of strategic architecture and produce guidance for the industry as a whole.

Today, new social movements, advances in technology, and forces within business are overlapping to create a landscape glutted with challenges and opportunities. In many cases, these forces have driven the deployment of new technologies and the adoption of new behaviors, adding multiple layers to an already complex set of issues that must be navigated. Architects are searching for a solution that helps manage this complexity.

SOA, Software as a Service, Web 2.0, and Edge are all elements of the solution, but are they the complete picture? Are they a sufficient answer to the issues?  Can they be used together in a productive and efficient fashion? What matters most?

SPARK is an invite-only event and it looks like I was invited. I'm not sure what to expect. On the one hand it looks like one giant game of buzzword bingo with Web 2.0 hypesters and SOA propaganda-ists trying to outdo each other throwing out spurious buzzwords and grand proclamations. On the other hand some of the invitees have me intrigued and it would be good to compare notes on building services for the World Wide Web in today's world with other folks facing the same kind of issues I do in my day job.

I'll definitely be attending this workshop but not the accompanying MIX '06 conference. However I still plan to flip the bozo bit on any idiot that tries to talk to me about Web 2.0 while at this workshop.


 

Categories: Web Development

From the USA Today article Bill would keep servers out of China we learn

Now, Congress is stepping in with proposed legislation that could hobble the companies as they plunge deeper into one of the world's hottest economies. This is Round 2 for Congress. Last year, it scrutinized and slowed other business deals with ties to China's government among oil companies and computer makers.

Rep. Chris Smith, R-N.J., is drafting a bill that would force Internet companies including Google, Yahoo and Microsoft to keep vital computer servers out of China and other nations the State Department deems repressive to human rights. Moving servers would keep personal data they house from government reach. But that also could weaken the firms' crucial Internet search engines. (Related: AOL tries to speak Chinese.)
...
Google last month launched Google.cn, a version of its No. 1 search engine that prevents Chinese residents from seeing, for example, photos of tanks confronting Tiananmen Square protesters in 1989. Also last month, Microsoft acknowledged shutting down a blog run by a Chinese journalist critical of the government.

Last fall, Yahoo acknowledged giving information to Chinese officials that led to a 10-year prison sentence for a journalist accused of divulging state secrets. Last week, Reporters Without Borders, a journalism group critical of Yahoo's cooperation with Chinese officials, accused it of working with the Chinese government in another case that led to a dissident being jailed. Yahoo said it was unaware of the case.

The companies say they are unhappy with the restrictions yet must honor local laws.
...
Google's site launch came days after it rebuffed a U.S. Justice Department subpoena demanding that it turn over data on how millions of users search the Internet.

In contrast, Yahoo, Microsoft and America Online all cooperated with Justice.

Since this affects my day job I won't comment on it other than to say I find this entire debate very interesting. I will mention that unlike the USA Today reporter who wrote this story I'm not sure that the U.S. government's interest in the IBM/Lenovo or Unocal/CNOOC deals last year is comparable to the current efforts by members of congress.


 

Categories: Current Affairs