I will not be too over-enthusiastic, but what i’ve seen so far is a nice programming model, which seems to make sense (after thinking about it) and will hopefully reduce a lot of the complexities that many devs face today (e.g. choosing which technology over the other or painfully try to combine several technology stacks).
A lot of effort has been put into the bridging of the XML/Objects impedance mismatch, and time will tell if we can build XML messaging based systems in the future without touching (or maybe even knowing) angle brackets.
Here comes the obligatory security part :)
- Seems that all binding (besides WSI-BP) have security enabled by default – which is good
- I suggested to force even WSI-BP to work only over SSL by default (and that we have to manually disable that). The other attendees didn’t like the idea :)
- I really like that there is now an easy mechanism for services to provide a certificate with which a client can encrypt UsernameTokens (config setting, no coding)
- Indigo config files will get tremendously complex, and complexity is the natural enemy of security. We really need good tools that check config files for plausability. In addition i want something like the WSE Policy Advisor and big red lights if something with the security config is wrong. As a side note – i just assume the Indigo configs are compatible with the .NET 2.0 ProtectedConfiguration providers (but haven’t tried, yet).
- What’s really annoying is, that there is no built-in validation of the incoming messages against schema. While this is a general problem, everybody knows that input validation is maybe the most crucial part in today’s application security. Please, Microsoft, include a validator – this does not have to be the standard behaviour – but it would be so nice to just flip a switch and have validation (and support for XSD Patterns and other restrictions).
- I was happy to see that the authorization demos were centered around AzMan.
- System.Security.Authorization seems to be an interesting new namespace. Pierre wrote about it already.
Will Indigo put instructors and consultants out of business (quoting dbox) ? Surely not. I expect a lot of people to use the straightforward programming interface right out of the box – but problems will arise later in the project (meet LOLA) – we will see if we can solve these problems then by reconfiguring and rebinding, without changing the code in the function.
The three days were a really nice overview, and i will definitely dive into the security APIs as soon as they look a little more stabilized. Good work!