Congratulations!

[Valid RSS] This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

Source: http://iay.org.uk/blog/index.rdf

  1. <?xml version="1.0" encoding="utf-8" ?><rss version="2.0" xml:base="http://iay.org.uk/blog" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:foaf="http://xmlns.com/foaf/0.1/" xmlns:og="http://ogp.me/ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:sioc="http://rdfs.org/sioc/ns#" xmlns:sioct="http://rdfs.org/sioc/types#" xmlns:skos="http://www.w3.org/2004/02/skos/core#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#">
  2.  <channel>
  3.    <title>Technology Stir Fry</title>
  4.    <link>http://iay.org.uk/blog</link>
  5.    <description></description>
  6.    <language>en</language>
  7.     <atom:link href="http://iay.org.uk/blog/rss.xml" rel="self" type="application/rss+xml" />
  8.      <item>
  9.    <title>Ant fixcrlf and UTF-8 on Windows</title>
  10.    <link>http://iay.org.uk/blog/2014/06/ant-fixcrlf-and-utf-8-windows</link>
  11.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;I&#039;ve been working on a large XML processing system in which a sequence of steps implemented in Java and other technologies are orchestrated using &lt;a href=&quot;http://ant.apache.org&quot;&gt;Apache Ant&lt;/a&gt;. It has to run on Mac OS, Linux and Windows. It has been pretty stable for some time, but I recently set up a new Windows system and started seeing errors like this:&lt;/p&gt;
  12.  
  13. &lt;pre&gt;&lt;code&gt;Exception in thread &quot;main&quot; org.xml.sax.SAXParseException:
  14.    Invalid byte 3 of 3-byte UTF-8 sequence.
  15. &lt;/code&gt;&lt;/pre&gt;
  16.  
  17. &lt;!--break--&gt;
  18.  
  19. &lt;p&gt;Peeking at the content at various points in the process, it became clear that the problem was that something was corrupting a particular &lt;a href=&quot;http://en.wikipedia.org/wiki/UTF-8&quot; title=&quot;Wikipedia: UTF-8&quot;&gt;UTF-8&lt;/a&gt; encoded character. Early in the sequence the encoding looked like this:&lt;/p&gt;
  20.  
  21. &lt;pre&gt;&lt;code&gt;E2 80 9D
  22. &lt;/code&gt;&lt;/pre&gt;
  23.  
  24. &lt;p&gt;This &lt;a href=&quot;http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder&quot; title=&quot;handy dandy UTF-8 decoder&quot;&gt;corresponds to&lt;/a&gt; U+201D RIGHT DOUBLE QUOTATION MARK. Later in the sequence, this had become:&lt;/p&gt;
  25.  
  26. &lt;pre&gt;&lt;code&gt;E2 80 3F
  27. &lt;/code&gt;&lt;/pre&gt;
  28.  
  29. &lt;p&gt;This isn&#039;t valid: every byte of a multi-byte UTF-8 sequence must have its top bit set (the continuation bytes lie in the range &lt;code&gt;80&lt;/code&gt; to &lt;code&gt;BF&lt;/code&gt;), whereas &lt;code&gt;3F&lt;/code&gt; is plain ASCII &#039;?&#039;. That is exactly the &quot;invalid byte 3 of 3-byte UTF-8 sequence&quot; the parser complained about.&lt;/p&gt;
  30.  
  31. &lt;p&gt;So what happened? Well, this is Windows, so experience tells us it&#039;s probably something to do with &lt;a href=&quot;http://en.wikipedia.org/wiki/Windows-1252&quot; title=&quot;Wikipedia: Windows-1252&quot;&gt;Code Page 1252&lt;/a&gt;. That suspicion is strengthened when you observe that the byte which changed, &lt;code&gt;9D&lt;/code&gt;, is one of the five positions (&lt;code&gt;81&lt;/code&gt;, &lt;code&gt;8D&lt;/code&gt;, &lt;code&gt;8F&lt;/code&gt;, &lt;code&gt;90&lt;/code&gt; and &lt;code&gt;9D&lt;/code&gt;) left undefined in CP1252, and that it has been mapped to &lt;code&gt;3F&lt;/code&gt;, &#039;?&#039;, the substitute a Java charset encoder writes for a character it cannot represent. Reading the file as CP1252 turns the undefined byte into the replacement character U+FFFD, and writing it back as CP1252 turns that into &#039;?&#039;; every byte that CP1252 does define survives the round trip unchanged, which is why only this one character was damaged. In the end, the corruption turned out to be coming from this Ant task:&lt;/p&gt;
  32.  
  33. &lt;pre&gt;&lt;code&gt;&amp;lt;!-- Force the output file to use Unix line endings --&amp;gt;
  34. &amp;lt;fixcrlf file=&quot;${xml.dir}/@{o}&quot; eol=&quot;lf&quot;/&amp;gt;
  35. &lt;/code&gt;&lt;/pre&gt;
  36.  
  37. &lt;p&gt;The &lt;code&gt;fixcrlf&lt;/code&gt; task&#039;s &lt;a href=&quot;http://ant.apache.org/manual/Tasks/fixcrlf.html&quot;&gt;definition&lt;/a&gt; includes an optional &lt;code&gt;encoding&lt;/code&gt; attribute which, if not set, &quot;defaults to default JVM encoding&quot;. Fixing the issue is therefore as simple as adding an appropriate &lt;code&gt;encoding&lt;/code&gt;:&lt;/p&gt;
  38.  
  39. &lt;pre&gt;&lt;code&gt; &amp;lt;fixcrlf file=&quot;${xml.dir}/@{o}&quot; eol=&quot;lf&quot; encoding=&quot;UTF-8&quot;/&amp;gt;
  40. &lt;/code&gt;&lt;/pre&gt;
  41.  
  42. &lt;p&gt;Why is this necessary on some Windows systems but not others? Life is full of mysteries, although the most likely culprit is that the JVM&#039;s default charset on Windows has traditionally followed the system&#039;s ANSI code page, which varies with the locale settings of each machine and can be overridden by a &lt;code&gt;file.encoding&lt;/code&gt; property (for instance via &lt;code&gt;ANT_OPTS&lt;/code&gt;), so two machines need not agree. Either way, the lesson generalises: any step that reads and rewrites text should declare its encoding explicitly rather than inherit the platform default.&lt;/p&gt;
  43. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/software&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Software&lt;/a&gt;&lt;/li&gt;&lt;li class=&quot;taxonomy-term-reference-1&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/java&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Java&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
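The corruption above can be reproduced without Ant or Windows. The following Python script is an added example, not code from the post or from Apache Ant: it models what fixcrlf does (decode the file in some charset, rewrite the line endings, re-encode in the same charset) on a constructed XML fragment, shows which byte values and which characters do not survive a CP1252 round trip, and includes the check a practitioner would run on each intermediate file to find the step that breaks UTF-8. The sample text, the function names and the use of errors="replace" to stand in for the JVM's default replacement behaviour are assumptions.

```python
"""Model of the fixcrlf encoding bug: bytes are decoded in one charset, the
line endings are rewritten, and the text is re-encoded in the same charset.
Added example, not code from the post or from Apache Ant.
"""

# Constructed sample: UTF-8 XML containing U+201C (E2 80 9C) and U+201D (E2 80 9D),
# with Windows line endings so there is something for fixcrlf to do.
SAMPLE = "<note>He said \u201chello\u201d\r\n</note>\r\n".encode("utf-8")

# The five byte values that Windows-1252 leaves undefined.
CP1252_UNDEFINED = {0x81, 0x8D, 0x8F, 0x90, 0x9D}


def fixcrlf(data: bytes, encoding: str, eol: str = "\n") -> bytes:
    """Simulate Ant's fixcrlf: text in, line endings normalised, text out.

    errors="replace" stands in for the JVM defaults when reading and writing
    text (an assumption): an undefined input byte decodes to U+FFFD, and a
    character the output charset cannot represent is written as '?' (0x3F),
    which is the 9D -> 3F substitution seen in the post.
    """
    text = data.decode(encoding, errors="replace")
    text = text.replace("\r\n", "\n").replace("\r", "\n").replace("\n", eol)
    return text.encode(encoding, errors="replace")


def lossy_bytes(encoding: str) -> set:
    """Byte values 0x80-0xFF that do not survive a decode/encode round trip
    through a single-byte charset.  Any UTF-8 sequence containing one of
    them is corrupted by a tool that processes the file in that charset."""
    lost = set()
    for b in range(0x80, 0x100):
        raw = bytes([b])
        back = raw.decode(encoding, errors="replace").encode(encoding, errors="replace")
        if back != raw:
            lost.add(b)
    return lost


def first_invalid_utf8(data: bytes):
    """Offset of the first byte sequence that is not valid UTF-8, or None.

    Run this on each intermediate file of a pipeline to find the step that
    corrupts the data, instead of waiting for the XML parser to fail later.
    """
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as err:
        return err.start
    return None


def affected_codepoints(encoding: str, candidates=range(0x80, 0x10000)) -> list:
    """Code points whose UTF-8 encoding contains a byte that `encoding` loses.

    This generalises the post's single case: it explains why U+201D is
    mangled by a CP1252 round trip while its neighbour U+201C is untouched.
    """
    lost = lossy_bytes(encoding)
    hits = []
    for cp in candidates:
        if 0xD800 <= cp <= 0xDFFF:  # surrogates have no UTF-8 encoding
            continue
        if any(b in lost for b in chr(cp).encode("utf-8")):
            hits.append(cp)
    return hits


if __name__ == "__main__":
    for enc in ("cp1252", "utf-8"):
        out = fixcrlf(SAMPLE, enc)
        print(f"{enc:7}: first invalid UTF-8 offset = {first_invalid_utf8(out)}")
    print("bytes lost by cp1252:", [hex(b) for b in sorted(lossy_bytes("cp1252"))])
    print("affected code points (first 10):",
          [f"U+{cp:04X}" for cp in affected_codepoints("cp1252")[:10]])
```

Run stand-alone, the CP1252 pass reports the first invalid sequence at offset 22 (the start of the E2 80 9D that became E2 80 3F) and the UTF-8 pass reports none; lossy_bytes returns exactly the five undefined positions, and affected_codepoints lists U+201D but not U+201C, which is why the opening quotation mark in the same file never showed up as corrupt.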
  44.     <pubDate>Tue, 03 Jun 2014 13:39:14 +0000</pubDate>
  45. <dc:creator>iay</dc:creator>
  46. <guid isPermaLink="false">401 at http://iay.org.uk</guid>
  47.  </item>
  48.  <item>
  49.    <title>REEP Key Ceremony</title>
  50.    <link>http://iay.org.uk/blog/2014/05/reep-key-ceremony</link>
  51.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;The key ceremony for the &lt;a href=&quot;https://reep.refeds.org&quot; title=&quot;REFEDS public metadata registry&quot;&gt;REEP service&lt;/a&gt; took place on 2014-05-18 after the &lt;a href=&quot;https://refeds.org/meetings/may14/&quot; title=&quot;REFEDS at TNC2014&quot;&gt;REFEDS meeting&lt;/a&gt; in Dublin, Ireland.&lt;/p&gt;
  52.  
  53. &lt;p&gt;I witnessed this ceremony and was convinced that the key &lt;a href=&quot;http://iay.org.uk/files/blog/reep.pem&quot; title=&quot;REEP signing certificate&quot;&gt;attached to this post&lt;/a&gt; as a self-signed X.509 certificate was generated during the ceremony within the hardware security module in Sweden that will be used by the REEP service to sign metadata served by it. To certify this, I have generated a &lt;a href=&quot;http://iay.org.uk/files/blog/reep.pem.asc&quot; title=&quot;detached OpenPGP signature for reep.pem&quot;&gt;detached signature file&lt;/a&gt; for &lt;code&gt;reep.pem&lt;/code&gt; using &lt;a href=&quot;http://iay.org.uk/identity/pgp&quot;&gt;my PGP key&lt;/a&gt;.&lt;/p&gt;
  54.  
  55. &lt;p&gt;To the extent that you trust me to have taken care while witnessing the ceremony, you may find that validating my signature on &lt;code&gt;reep.pem&lt;/code&gt; gives you some comfort that metadata documents signed by the private key associated with &lt;code&gt;reep.pem&lt;/code&gt; are, indeed, legitimate outputs of the REEP service.&lt;/p&gt;
  56.  
  57. &lt;p&gt;As an aside about the ceremony itself, &lt;em&gt;proof&lt;/em&gt; that a particular computational event has occurred in a particular way is almost impossible in a world of networking and virtual machines. We&#039;ve known this for a long time: the paranoia goes back at least as far as Ken Thompson&#039;s &lt;a href=&quot;https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf&quot;&gt;Reflections on Trusting Trust&lt;/a&gt;. We&#039;re not quite living in &lt;a href=&quot;http://www.imdb.com/title/tt0133093/&quot; title=&quot;The Matrix (1999)&quot;&gt;The Matrix&lt;/a&gt;, but the evidence of one&#039;s senses doesn&#039;t really go very far towards absolute proof. So what the other witnesses and I did during the ceremony — all we could do, really — was gain &lt;em&gt;confidence&lt;/em&gt; by asking questions, taking photographs of the steps and trying to think of ways to validate them. For example, I was later able to verify that the &lt;code&gt;pkcs11-tool&lt;/code&gt; command being used was indeed the one which would be installed on a system running 64-bit Ubuntu 12.04. Unless, of course, Leif foresaw that trick and subverted the &lt;code&gt;md5sum&lt;/code&gt; command as well. It&#039;s turtles all the way down.&lt;/p&gt;
  58.  
  59. &lt;!--break--&gt;
  60. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/identity&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Identity&lt;/a&gt;&lt;/li&gt;&lt;li class=&quot;taxonomy-term-reference-1&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/security&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Security&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-files field-type-file field-label-above&quot;&gt;&lt;div class=&quot;field-label&quot;&gt;Files:&amp;nbsp;&lt;/div&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot;&gt;&lt;span class=&quot;file&quot;&gt;&lt;img class=&quot;file-icon&quot; alt=&quot;Binary Data&quot; title=&quot;application/octet-stream&quot; src=&quot;/modules/file/icons/application-octet-stream.png&quot; /&gt; &lt;a href=&quot;http://iay.org.uk/files/blog/reep.pem&quot; type=&quot;application/octet-stream; length=1757&quot;&gt;reep.pem&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;field-item odd&quot;&gt;&lt;span class=&quot;file&quot;&gt;&lt;img class=&quot;file-icon&quot; alt=&quot;Plain text icon&quot; title=&quot;text/plain&quot; src=&quot;/modules/file/icons/text-plain.png&quot; /&gt; &lt;a href=&quot;http://iay.org.uk/files/blog/reep.pem.asc&quot; type=&quot;text/plain; length=842&quot;&gt;reep.pem.asc&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</description>
  61.     <pubDate>Thu, 22 May 2014 14:44:45 +0000</pubDate>
  62. <dc:creator>iay</dc:creator>
  63. <guid isPermaLink="false">400 at http://iay.org.uk</guid>
  64.  </item>
  65.  <item>
  66.    <title>Feedly</title>
  67.    <link>http://iay.org.uk/blog/2013/06/feedly</link>
  68.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;There are only a couple of weeks left until &lt;a href=&quot;http://en.wikipedia.org/wiki/Google_Reader#Discontinuation&quot; title=&quot;Wikipedia: Google Reader: discontinuation&quot;&gt;Google Reader shuts down&lt;/a&gt;.  Like many other people (the &quot;loyal but declining&quot; following the product had certainly numbered in the millions) I&#039;ve been looking at alternatives for a while now.  I&#039;ve finally settled on &lt;a href=&quot;http://feedly.com&quot;&gt;feedly&lt;/a&gt;.&lt;/p&gt;
  69.  
  70. &lt;!--  break --&gt;
  71.  
  72. &lt;p&gt;Feedly isn&#039;t quite a drop-in replacement for Reader, but it&#039;s the closest I&#039;ve seen so far for someone in my position, which is to say a Mac/Safari + iOS user.  They also claim to support Android, Firefox and Chrome but I haven&#039;t tried it with those yet, and if you&#039;re primarily Windows or Windows Phone then you may need to look elsewhere.&lt;/p&gt;
  73.  
  74. &lt;p&gt;The reason feedly is so close to being a direct replacement for me is that they are concentrating on being an API level clone of Reader, which means they can bring the iOS application developers with them.  I&#039;ve used &lt;a href=&quot;http://reederapp.com&quot;&gt;Reeder&lt;/a&gt; as my Google Reader interface on the iPad since it came out, and the developer is &lt;a href=&quot;http://www.macstories.net/news/reeder-to-add-support-for-feedly-and-feed-wrangler/&quot;&gt;planning feedly support&lt;/a&gt;.  For now, I&#039;m using feedly&#039;s own iOS application.  This does fall over occasionally while running on my memory-constrained first generation iPad, but otherwise seems fairly solid.  If the reliability improves by the time the new version of Reeder is available, I may stick with it; as Reeder will require iOS 6 I&#039;d need a new iPad anyway.&lt;/p&gt;
  75.  
  76. &lt;p&gt;My final concern is that the feedly service is free, but already supporting something over seven million Reader refugees.  I really hope they find a decent way to make this pay.&lt;/p&gt;
  77.  
  78. &lt;p&gt;[Updated 2013-06-19: removed paragraph mentioning that there was no conventional web application, because there now is one.]&lt;/p&gt;
  79. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/software&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Software&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  80.     <pubDate>Mon, 17 Jun 2013 08:01:36 +0000</pubDate>
  81. <dc:creator>iay</dc:creator>
  82. <guid isPermaLink="false">398 at http://iay.org.uk</guid>
  83.  </item>
  84.  <item>
  85.    <title>RFC 6919</title>
  86.    <link>http://iay.org.uk/blog/2013/04/rfc-6919</link>
  87.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;I&#039;m in the middle of several fairly large spec-writing projects at the moment, so this year&#039;s April Fool&#039;s &lt;a href=&quot;http://www.rfc-editor.org/rfc/rfc6919.txt&quot; title=&quot;RFC 6919 on Further Key Words for Use in RFCs to Indicate Requirement Levels&quot;&gt;RFC 6919&lt;/a&gt; seemed particularly apt:&lt;/p&gt;
  88.  
  89. &lt;blockquote&gt;
  90.  &lt;p&gt;The key words &quot;MUST (BUT WE KNOW YOU WON&#039;T)&quot;, &quot;SHOULD CONSIDER&quot;,
  91.  &quot;REALLY SHOULD NOT&quot;, &quot;OUGHT TO&quot;, &quot;WOULD PROBABLY&quot;, &quot;MAY WISH TO&quot;,
  92.  &quot;COULD&quot;, &quot;POSSIBLE&quot;, and &quot;MIGHT&quot; in this document are to be
  93.  interpreted as described in RFC 6919.&lt;/p&gt;
  94. &lt;/blockquote&gt;
  95.  
  96. &lt;p&gt;I briefly considered making use of this and waiting to see if anyone noticed.  So far, I have resisted the temptation, and am sticking with &lt;a href=&quot;http://www.rfc-editor.org/rfc/rfc2119.txt&quot; title=&quot;RFC 2119 on Key words for use in RFCs to Indicate Requirement Levels&quot;&gt;RFC 2119&lt;/a&gt;.&lt;/p&gt;
  97.  
  98. &lt;!--break--&gt;
  99. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/humour&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Humour&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  100.     <pubDate>Sun, 07 Apr 2013 15:06:35 +0000</pubDate>
  101. <dc:creator>iay</dc:creator>
  102. <guid isPermaLink="false">397 at http://iay.org.uk</guid>
  103.  </item>
  104.  <item>
  105.    <title>Balloon Animal</title>
  106.    <link>http://iay.org.uk/blog/2013/04/balloon-animal</link>
  107.    <description>&lt;div class=&quot;field field-name-field-image field-type-image field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; rel=&quot;og:image rdfs:seeAlso&quot; resource=&quot;http://iay.org.uk/files/styles/medium/public/blog/image/pisces.jpg?itok=ZNGdb72L&quot;&gt;&lt;a href=&quot;http://iay.org.uk/files/blog/image/pisces.jpg&quot;&gt;&lt;img typeof=&quot;foaf:Image&quot; src=&quot;http://iay.org.uk/files/styles/medium/public/blog/image/pisces.jpg?itok=ZNGdb72L&quot; width=&quot;165&quot; height=&quot;220&quot; alt=&quot;giant balloon sculpture shaped like a spiral sea-shell&quot; title=&quot;Pisces, by Jason Hackenwerth&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;No, not &lt;a href=&quot;http://www.flickr.com/photos/iay/245514118/&quot; title=&quot;Balloon Dog Sculpture, Venice, 2006&quot;&gt;that one&lt;/a&gt;.  This one is a sculpture by &lt;a href=&quot;http://www.jasonhackenwerth.com/&quot;&gt;Jason Hackenwerth&lt;/a&gt; called &lt;em&gt;Pisces.&lt;/em&gt; It&#039;s made out of 10,000 balloons; apparently, the artist and his assistants had to wear earplugs during construction to protect themselves against the squeaky noises.&lt;/p&gt;
  108.  
  109. &lt;p&gt;The sculpture is in the &lt;a href=&quot;http://www.nms.ac.uk/our_museums/national_museum/whats_on/everyone/science_festival/pisces.aspx&quot; title=&quot;Pisces at the NMS&quot;&gt;Grand Gallery, National Museum of Scotland&lt;/a&gt; until April 14th; it&#039;s well worth a visit if you&#039;re in town.
  110. &lt;!--break--&gt;&lt;/p&gt;
  111. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/photography&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Photography&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  112.     <pubDate>Sat, 06 Apr 2013 17:15:25 +0000</pubDate>
  113. <dc:creator>iay</dc:creator>
  114. <guid isPermaLink="false">396 at http://iay.org.uk</guid>
  115.  </item>
  116.  <item>
  117.    <title>Many Twelves</title>
  118.    <link>http://iay.org.uk/blog/2012/12/many-twelves</link>
  119.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;Well, you don&#039;t see &lt;a href=&quot;http://rt.com/news/features/december-12-marriage-doomsday-844/&quot; title=&quot;last one this century&quot;&gt;that&lt;/a&gt; every day.&lt;/p&gt;
  120. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/miscellanea&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Miscellanea&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  121.     <pubDate>Wed, 12 Dec 2012 12:12:12 +0000</pubDate>
  122. <dc:creator>iay</dc:creator>
  123. <guid isPermaLink="false">395 at http://iay.org.uk</guid>
  124.  </item>
  125.  <item>
  126.    <title>Pretty Fly</title>
  127.    <link>http://iay.org.uk/blog/2012/10/pretty-fly</link>
  128.    <description>&lt;div class=&quot;field field-name-field-image field-type-image field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; rel=&quot;og:image rdfs:seeAlso&quot; resource=&quot;http://iay.org.uk/files/styles/medium/public/blog/image/pretty-fly.png?itok=77GVsae1&quot;&gt;&lt;a href=&quot;http://iay.org.uk/files/blog/image/pretty-fly.png&quot;&gt;&lt;img typeof=&quot;foaf:Image&quot; src=&quot;http://iay.org.uk/files/styles/medium/public/blog/image/pretty-fly.png?itok=77GVsae1&quot; width=&quot;220&quot; height=&quot;148&quot; alt=&quot;Network selection dialog with &amp;quot;Pretty Fly For a WiFi&amp;quot; as an option.&quot; title=&quot;Pretty Fly For a WiFi&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;Seen on my phone while in a hotel in Philadelphia last week.  If you&#039;re wondering why I think this is funny, you probably need to view this &lt;a href=&quot;http://www.youtube.com/watch?v=nzY2Qcu5i2A&quot; title=&quot;YouTube: The Offspring - Pretty Fly (For A White Guy)&quot;&gt;reference video&lt;/a&gt;.&lt;/p&gt;
  129. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/humour&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Humour&lt;/a&gt;&lt;/li&gt;&lt;li class=&quot;taxonomy-term-reference-1&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/travel&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Travel&lt;/a&gt;&lt;/li&gt;&lt;li class=&quot;taxonomy-term-reference-2&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/photography&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Photography&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  130.     <pubDate>Mon, 08 Oct 2012 17:56:28 +0000</pubDate>
  131. <dc:creator>iay</dc:creator>
  132. <guid isPermaLink="false">394 at http://iay.org.uk</guid>
  133.  </item>
  134.  <item>
  135.    <title>Future of Federations</title>
  136.    <link>http://iay.org.uk/blog/2012/10/future-federations</link>
  137.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;I&#039;m speaking later today as part of a session on the &lt;a href=&quot;http://events.internet2.edu/2012/fall-mm/agenda.cfm?go=session&amp;amp;id=10002570&amp;amp;event=1149&quot;&gt;Future of Federations&lt;/a&gt; at the &lt;a href=&quot;http://events.internet2.edu/2012/fall-mm/index.html&quot;&gt;Internet2 Fall Member Meeting&lt;/a&gt; in Philadelphia.&lt;/p&gt;
  138.  
  139. &lt;p&gt;Here is a &lt;a href=&quot;http://iay.org.uk/files/blog/20121002-young-futuretech.pdf&quot;&gt;PDF version of my slides&lt;/a&gt;.  They are really just a list of the emerging technologies I think may affect identity federations in the short to medium term future; I think things are changing quickly enough that looking further forward than a couple of years is just too difficult.&lt;/p&gt;
  140.  
  141. &lt;!--break--&gt;
  142. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/identity&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Identity&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  143.     <pubDate>Tue, 02 Oct 2012 02:12:13 +0000</pubDate>
  144. <dc:creator>iay</dc:creator>
  145. <guid isPermaLink="false">393 at http://iay.org.uk</guid>
  146.  </item>
  147.  <item>
  148.    <title>UK federation Metadata Aggregation</title>
  149.    <link>http://iay.org.uk/blog/2012/08/uk-federation-metadata-aggregation</link>
  150.    <description>&lt;div class=&quot;field field-name-field-image field-type-image field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; rel=&quot;og:image rdfs:seeAlso&quot; resource=&quot;http://iay.org.uk/files/styles/medium/public/blog/image/UKf-Flows-2012-08-12_0.png?itok=LzVVyyfb&quot;&gt;&lt;a href=&quot;http://iay.org.uk/files/blog/image/UKf-Flows-2012-08-12_0.png&quot;&gt;&lt;img typeof=&quot;foaf:Image&quot; src=&quot;http://iay.org.uk/files/styles/medium/public/blog/image/UKf-Flows-2012-08-12_0.png?itok=LzVVyyfb&quot; width=&quot;220&quot; height=&quot;154&quot; alt=&quot;diagram full of boxes and arrows&quot; title=&quot;UK federation metadata aggregation flows in schematic form&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;One of the systems I work on is the back end of the &lt;a href=&quot;http://ukfederation.org.uk&quot; title=&quot;UK Access Management Federation for Education and Research&quot;&gt;UK federation&lt;/a&gt;&#039;s metadata system.  Although I&#039;ve talked about this in several presentations, the bare structural diagram isn&#039;t very informative on its own.  Here, I present a snapshot of the architecture, and go into a lot more depth on the what, how and why than you&#039;d get from just the slide on its own (click on the image to get a larger version).&lt;/p&gt;
  151.  
  152. &lt;p&gt;I hope that this article can perform double duty as a case study for the &lt;a href=&quot;http://shibboleth.net/products/metadata-aggregator.html&quot; title=&quot;Shibboleth Metadata Aggregator&quot;&gt;Shibboleth metadata aggregator&lt;/a&gt; tool, which acts as the engine behind the metadata system and to which I also contribute as a developer.&lt;/p&gt;
  153.  
  154. &lt;!--break--&gt;
  155.  
  156. &lt;h3&gt;Metadata Repository&lt;/h3&gt;
  157.  
  158. &lt;p&gt;The main source of metadata processed and published by the UK federation is the federation&#039;s own metadata repository, shown at the top left as a &quot;database&quot; labelled &lt;code&gt;uk*.xml&lt;/code&gt;.  This is literally a collection of XML files, one for each &lt;code&gt;&amp;lt;md:EntityDescriptor&amp;gt;&lt;/code&gt; registered by the federation&#039;s members.&lt;sup id=&quot;fnref:fn-spaces&quot;&gt;&lt;a href=&quot;#fn:fn-spaces&quot; class=&quot;footnote-ref&quot;&gt;1&lt;/a&gt;&lt;/sup&gt;  These files are held in a &lt;a href=&quot;http://subversion.apache.org&quot; title=&quot;Apache Subversion version control system&quot;&gt;Subversion&lt;/a&gt; repository and exposed to the back end as a directory of &quot;fragment&quot; files.&lt;/p&gt;
  159.  
  160. &lt;p&gt;This is in some ways a fairly primitive approach (many federations have chosen to build their tools around a relational database) but we have stuck with it because we have found that it has a number of advantages.  One big advantage is that it separates the concerns of acquisition and maintenance of metadata on behalf of members from the back-end processes very cleanly.  At the same time, using something like Subversion means that we have an automatic audit trail of every change to registered metadata, including the details of the change, when the change happened, who made it and why.  We even have the option of rolling individual entities back to any earlier state if required.  These all seem like good things to have at the heart of a trust brokerage system, but as far as I know the only other system which has so far taken the same approach of using a source control repository as the central data store has been the &lt;a href=&quot;https://github.com/Yaco-Sistemas/peer/&quot; title=&quot;PEER software repository at github&quot;&gt;PEER&lt;/a&gt; software.&lt;/p&gt;
  161.  
  162. &lt;h3&gt;Metadata Exchange Inputs&lt;/h3&gt;
  163.  
  164. &lt;p&gt;Metadata that doesn&#039;t come from UK federation members must by definition come from elsewhere, and I&#039;ve drawn the diagram to show four such metadata exchange (MDX) relationships with four hypothetical partner federations: FedA and FedB have a &quot;production&quot; relationship with the UK federation, while FedC and FedD have yet to reach that state and are in &quot;pre-production&quot;.&lt;sup id=&quot;fnref:fn-actual&quot;&gt;&lt;a href=&quot;#fn:fn-actual&quot; class=&quot;footnote-ref&quot;&gt;2&lt;/a&gt;&lt;/sup&gt;&lt;/p&gt;
  165.  
  166. &lt;p&gt;I&#039;ve drawn the four partner federations as little clouds because I want to be nebulous about exactly how this system interacts with them.  In practice, of course, most such interactions will at least start by fetching metadata (usually in the form of a &lt;code&gt;&amp;lt;md:EntitiesDescriptor&amp;gt;&lt;/code&gt; document) from an agreed location.&lt;/p&gt;
  167.  
  168. &lt;h3&gt;Generating the Output Aggregates&lt;/h3&gt;
  169.  
  170. &lt;p&gt;The UK federation generates and publishes quite a few metadata aggregates (SAML &lt;code&gt;&amp;lt;md:EntitiesDescriptor&amp;gt;&lt;/code&gt; documents residing at well-known locations).  You can see them listed down the right hand side of the diagram, as outputs from the system, along with one non-metadata document which provides a statistical summary in HTML format. If you want the full details, you can find them in the &lt;a href=&quot;http://www.ukfederation.org.uk/library/uploads/Documents/federation-technical-specifications.pdf&quot; title=&quot;UK federation: Federation Technical Specifications&quot;&gt;Federation Technical Specifications&lt;/a&gt;; for these purposes, though, all you need to know is that:&lt;/p&gt;
  171.  
  172. &lt;ul&gt;&lt;li&gt;Most federation members consume the &quot;Production&quot; aggregate.&lt;/li&gt;
  173. &lt;li&gt;The &quot;Production&quot;, &quot;Fallback&quot; and &quot;WAYF/DS&quot; aggregates are very similar, with only minor formatting and entity selection differences.&lt;/li&gt;
  174. &lt;li&gt;The &quot;Test&quot; aggregate is where we try out new things; it is consumed only by knowing guinea-pigs.&lt;/li&gt;
  175. &lt;li&gt;The &quot;Export&quot; aggregate is what metadata exchange partners are expected to consume, as a complement to our consumption of their &quot;FedX&quot; aggregate on the left hand side of the diagram.&lt;/li&gt;
  176. &lt;/ul&gt;&lt;p&gt;The process of generating all of these documents is an off-line &quot;daily signing run&quot; performed by an authorised member of the federation team, who wields a cryptographic token containing the federation&#039;s signing key.  Again, there are negative and positive features of such a relatively unsophisticated approach: in this case, &quot;there&#039;s a human in the loop&quot; falls strongly into both categories.&lt;/p&gt;
  177.  
  178. &lt;h3&gt;The Shibboleth Metadata Aggregator&lt;/h3&gt;
  179.  
  180. &lt;p&gt;The majority of the actual work is performed by the &lt;a href=&quot;http://shibboleth.net/products/metadata-aggregator.html&quot; title=&quot;Shibboleth Metadata Aggregator&quot;&gt;Shibboleth Metadata Aggregator&lt;/a&gt; command-line tool.  This takes all of the inputs on the left and produces all of the outputs on the right, in a single invocation.&lt;sup id=&quot;fnref:fn-except&quot;&gt;&lt;a href=&quot;#fn:fn-except&quot; class=&quot;footnote-ref&quot;&gt;3&lt;/a&gt;&lt;/sup&gt;&lt;/p&gt;
  181.  
  182. &lt;p&gt;The Shibboleth metadata aggregator (MDA from now on) is a Java framework which processes &lt;em&gt;collections&lt;/em&gt; of &lt;em&gt;items&lt;/em&gt; by applying a sequence of configured &lt;em&gt;stages&lt;/em&gt;.&lt;/p&gt;
  183.  
  184. &lt;p&gt;In the case of the UK federation metadata system, all of the items are of type &lt;code&gt;DOMElementItem&lt;/code&gt;, and &quot;wrap&quot; a DOM document.  This allows any XML-based document to be processed as an item, but it&#039;s worth noting that the MDA framework is completely generic.  This means that you could use the same framework to process any kind of information (&lt;a href=&quot;http://en.wikipedia.org/wiki/JSON&quot; title=&quot;JSON (JavaScript Object Notation) at Wikipedia&quot;&gt;JSON&lt;/a&gt;, for example) just by writing some additional classes.&lt;/p&gt;
  185.  
  186. &lt;p&gt;Stages are implemented as Java beans, which is to say they are instances of Java classes with some properties set at configuration time.  That&#039;s not as limiting as it might sound, as Java has mechanisms to allow calling a number of other languages: it&#039;s fairly easy to write stage implementations that allow those languages to be used.  For example, the MDA distribution includes a number of stage definitions to allow the use of the XPath and XSLT languages in various ways, and these are heavily used in the UK federation metadata system.&lt;/p&gt;
  187.  
  188. &lt;p&gt;Each stage implementation can do as much, or as little, as makes sense.  Typically, though, each performs a simple task and relies on being combined with other stages to build up functionality.  This kind of approach will be familiar to some readers from the Unix command line, where small utilities are often connected together in sequence to achieve more sophisticated effects.  It is no coincidence that the MDA uses the same term, &quot;pipeline&quot;, for its major grouping construct.&lt;/p&gt;
  189.  
  190. &lt;h3&gt;Plumbing: Pipelines, Branching and Merging&lt;/h3&gt;
  191.  
  192. &lt;p&gt;When you invoke the MDA from the command-line, you provide the name of a Spring configuration file, and the name of a &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/pipeline/Pipeline.html&quot; title=&quot;MDA API: Pipeline&quot;&gt;&lt;code&gt;Pipeline&lt;/code&gt;&lt;/a&gt; bean to execute.  In the simplest case, that pipeline will contain stages to retrieve, transform and then serialise the data you&#039;re processing.  You can also perform simple aggregation with just one pipeline: if the pipeline includes multiple &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/DOMFilesystemSourceStage.html&quot; title=&quot;MDA API: DOMFilesystemSourceStage&quot;&gt;&lt;code&gt;DOMFilesystemSourceStage&lt;/code&gt;&lt;/a&gt;s, for example, the items fetched by each will be added to the collection as it passes along the pipeline.&lt;/p&gt;
  193.  
  194. &lt;p&gt;The UK federation metadata system is a bit more complex, and requires multiple pipelines to be used to achieve the effects required.  The main &lt;code&gt;generate&lt;/code&gt; pipeline invoked from the command line is shown in the diagram as the sequence of blocks connected by doubled arrows, running from the files representing UK-registered entities, through &quot;collect, check and process&quot;, two &quot;merge&quot; blocks and the &quot;testPipeline&quot;.&lt;sup id=&quot;fnref:fn-structure&quot;&gt;&lt;a href=&quot;#fn:fn-structure&quot; class=&quot;footnote-ref&quot;&gt;4&lt;/a&gt;&lt;/sup&gt;&lt;/p&gt;
  195.  
  196. &lt;p&gt;The &quot;production merge&quot; and &quot;pre-production merge&quot; blocks are instances of &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/pipeline/PipelineMergeStage.html&quot; title=&quot;MDA API: PipelineMergeStage&quot;&gt;&lt;code&gt;PipelineMergeStage&lt;/code&gt;&lt;/a&gt;, which cause additional pipelines to be executed and their results merged into the calling pipeline&#039;s collection according to some defined strategy.  In our case, we use &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/pipeline/DeduplicatingItemIdMergeStrategy.html&quot; title=&quot;MDA API: DeduplicatingItemIdMergeStrategy&quot;&gt;&lt;code&gt;DeduplicatingItemIdMergeStrategy&lt;/code&gt;&lt;/a&gt; to resolve conflicts so that any entity registered with the UK federation takes precedence over an entity with the same &lt;code&gt;entityID&lt;/code&gt; offered by FedA, which in turn would take precedence over an entity with the same &lt;code&gt;entityID&lt;/code&gt; offered by FedB.  In particular, no exchange partner can displace the metadata, and with it the keys, of an entity we registered ourselves.  This is not the only merge strategy one could come up with,&lt;sup id=&quot;fnref:fn-merge&quot;&gt;&lt;a href=&quot;#fn:fn-merge&quot; class=&quot;footnote-ref&quot;&gt;5&lt;/a&gt;&lt;/sup&gt; but it&#039;s simple and gives predictable, unsurprising results.&lt;/p&gt;
  197.  
  198. &lt;p&gt;The opposite of merging in results from other pipelines is to branch off from the &lt;code&gt;generate&lt;/code&gt; pipeline in order to create multiple output streams.  This happens twice in the &lt;code&gt;generate&lt;/code&gt; pipeline, at the two places where normal arrows branch off from the double-lined path.&lt;sup id=&quot;fnref:fn-meaculpa&quot;&gt;&lt;a href=&quot;#fn:fn-meaculpa&quot; class=&quot;footnote-ref&quot;&gt;6&lt;/a&gt;&lt;/sup&gt;  The &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/pipeline/PipelineDemultiplexerStage.html&quot; title=&quot;MDA API: PipelineDemultiplexerStage&quot;&gt;&lt;code&gt;PipelineDemultiplexerStage&lt;/code&gt;&lt;/a&gt; is used in both cases; this stage takes a list of predicate/pipeline pairs and can create any number of child pipelines.  For each, the collection is filtered according to the provided predicate and then the nominated pipeline is invoked on the filtered collection.  Often, the predicate is simply &quot;everything&quot; and the pipeline starts with a copy of the collection.  Another simple option, used in the &lt;code&gt;exportPipeline&lt;/code&gt; and &lt;code&gt;wayfPipeline&lt;/code&gt; branches, is to use &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/XPathItemSelectionStrategy.html&quot; title=&quot;MDA API: XPathItemSelectionStrategy&quot;&gt;&lt;code&gt;XPathItemSelectionStrategy&lt;/code&gt;&lt;/a&gt; to select only the items matching an arbitrary XPath expression, such as &quot;not labelled as hidden from the main WAYF&quot;:&lt;/p&gt;
  199.  
  200. &lt;pre&gt;&lt;code&gt;/md:EntityDescriptor[not(md:Extensions/wayf:HideFromWAYF)]
  201. &lt;/code&gt;&lt;/pre&gt;
  202.  
  203. &lt;p&gt;Although at the moment I only use it in one rather obscure corner of the system, I can&#039;t really  close the &quot;Plumbing&quot; section without at least mentioning the &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/pipeline/SplitMergeStage.html&quot; title=&quot;MDA API: SplitMergeStage&quot;&gt;&lt;code&gt;SplitMergeStage&lt;/code&gt;&lt;/a&gt;.  This splits the collection according to a predicate you supply, runs different pipelines on those two sub-collections, then merges the results using your chosen strategy.  Handy.&lt;/p&gt;
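
The following is an added illustration, not code from the original post or from the MDA distribution: a small Python model of the two pieces of plumbing described above, a precedence-based merge keyed on the item's ItemId and a demultiplexer that hands each branch its own copy of the items a predicate selects. The md: namespace URI is the real SAML 2.0 metadata namespace; the wayf: namespace URI, the entity IDs and the three source collections are constructed for the example. Refusing to merge an item that has no ItemId is this example's own rule, adopted because such an item could never be deduplicated and so the precedence ordering would not protect against it.

```python
import copy
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

MD = "urn:oasis:names:tc:SAML:2.0:metadata"      # real SAML 2.0 metadata namespace
WAYF = "http://sdss.ac.uk/2006/06/WAYF"          # assumed URI for the wayf: prefix


@dataclass
class Item:
    """Stand-in for DOMElementItem: a wrapped element plus item metadata."""
    element: ET.Element
    metadata: dict = field(default_factory=dict)


def entity(entity_id, source, hidden=False):
    """Build a constructed EntityDescriptor item; 'source' records who supplied it."""
    ed = ET.Element("{%s}EntityDescriptor" % MD, entityID=entity_id)
    if hidden:
        ext = ET.SubElement(ed, "{%s}Extensions" % MD)
        ET.SubElement(ext, "{%s}HideFromWAYF" % WAYF)
    return Item(ed, {"source": source})


def populate_item_id(collection):
    """Stand-in for EntityDescriptorItemIdPopulationStage."""
    for item in collection:
        item.metadata["ItemId"] = item.element.get("entityID")
    return collection


def deduplicating_merge(target, *sources):
    """Stand-in for PipelineMergeStage with DeduplicatingItemIdMergeStrategy:
    items already in the target win, then each merged pipeline in the order given."""
    seen = {item.metadata["ItemId"] for item in target}
    for source in sources:
        for item in source:
            item_id = item.metadata.get("ItemId")
            if item_id is None:
                # This example's own rule: an item with no ItemId can never be
                # deduplicated, so precedence could not protect against it.
                raise ValueError("item without ItemId cannot be merged safely")
            if item_id not in seen:
                target.append(item)
                seen.add(item_id)
    return target


def demultiplex(collection, branches):
    """Stand-in for PipelineDemultiplexerStage: each (name, predicate, pipeline)
    branch runs on its own deep copy of the items the predicate selects."""
    results = {}
    for name, predicate, pipeline in branches:
        selected = [copy.deepcopy(item) for item in collection if predicate(item)]
        results[name] = pipeline(selected)
    return results


def not_hidden_from_wayf(item):
    """Same selection as /md:EntityDescriptor[not(md:Extensions/wayf:HideFromWAYF)]."""
    path = "{%s}Extensions/{%s}HideFromWAYF" % (MD, WAYF)
    return item.element.find(path) is None


def everything(item):
    return True


def entity_ids(collection):
    """A trivial output pipeline: list the entityIDs in collection order."""
    return [item.metadata["ItemId"] for item in collection]


def generate():
    """Mimic the generate pipeline: UK items first, then merge FedA, then FedB."""
    uk = populate_item_id([entity("https://sp1.example.ac.uk", "UK"),
                           entity("https://sp2.example.ac.uk", "UK", hidden=True)])
    fed_a = populate_item_id([entity("https://sp2.example.ac.uk", "FedA"),
                              entity("https://sp3.example.org", "FedA")])
    fed_b = populate_item_id([entity("https://sp3.example.org", "FedB"),
                              entity("https://sp4.example.net", "FedB")])
    merged = deduplicating_merge(uk, fed_a, fed_b)
    outputs = demultiplex(merged, [("production", everything, entity_ids),
                                   ("wayf", not_hidden_from_wayf, entity_ids)])
    return outputs, [item.metadata["source"] for item in merged]
```

Running generate() shows sp2 surviving from the UK collection rather than FedA, sp3 from FedA rather than FedB, and the wayf branch omitting sp2 because of its HideFromWAYF extension while the production branch keeps it.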
  204.  
  205. &lt;h3&gt;Metadata Validation&lt;/h3&gt;
  206.  
  207. &lt;p&gt;Metadata aggregation would be easy if it was just a question of gluing smaller XML documents together to make a bigger one.  However, any real-world metadata &lt;em&gt;service&lt;/em&gt; needs to apply policy in various ways to be useful.  Sometimes that&#039;s a question of transforming or selecting metadata (for example, using &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/pipeline/DeduplicatingItemIdMergeStrategy.html&quot; title=&quot;MDA API: DeduplicatingItemIdMergeStrategy&quot;&gt;&lt;code&gt;DeduplicatingItemIdMergeStrategy&lt;/code&gt;&lt;/a&gt; to resolve merge conflicts) but sometimes we want to say &quot;condition X is not permitted to occur; if it does, handle it by doing Y&quot;.  The MDA framework has a generic approach to this kind of requirement, and we use it heavily in the UK system.&lt;/p&gt;
  208.  
  209. &lt;p&gt;As well as the &quot;wrapped&quot; DOM document itself, each item carries around a collection of &lt;em&gt;item metadata&lt;/em&gt; which can be used for any purpose by the stages processing the item.  For example, a stage might check for a prohibited condition and add an &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/ErrorStatus.html&quot; title=&quot;MDA API: ErrorStatus&quot;&gt;&lt;code&gt;ErrorStatus&lt;/code&gt;&lt;/a&gt; to the item metadata if the condition was detected.  It would be left to a later stage to take appropriate action (issuing a warning, deleting the item, or even halting the system).  One advantage of this separation between detection and handling is that all of an item&#039;s status messages can be displayed at the specified point in the pipeline; another is of course that the stages that handle detection of conditions don&#039;t have to understand all the possible ways in which they might be handled.&lt;/p&gt;
  210.  
  211. &lt;p&gt;The MDA distribution includes a &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/XMLSchemaValidationStage.html&quot; title=&quot;MDA API: XMLSchemaValidationStage&quot;&gt;&lt;code&gt;XMLSchemaValidationStage&lt;/code&gt;&lt;/a&gt; to check that an item is schema-valid against any of a provided collection of schema documents.  The UK federation system checks against schema documents for 22 namespaces, and has a separate check to report any elements in &quot;rogue&quot; namespaces we don&#039;t have a schema for.&lt;/p&gt;
  212.  
  213. &lt;p&gt;Many of the other checks we run are instances of &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/XSLValidationStage.html&quot; title=&quot;MDA API: XSLValidationStage&quot;&gt;&lt;code&gt;XSLValidationStage&lt;/code&gt;&lt;/a&gt;, which implements a validation framework I had previously developed independently.  This uses XSLT transforms to do XML pattern matching.  Here&#039;s a simple example:&lt;/p&gt;
  214.  
  215. &lt;pre&gt;&lt;code&gt;&amp;lt;xsl:template
  216.        match=&quot;ds:KeyInfo/*[namespace-uri() != &#039;http://www.w3.org/2000/09/xmldsig#&#039;]&quot;&amp;gt;
  217.    &amp;lt;xsl:call-template name=&quot;error&quot;&amp;gt;
  218.        &amp;lt;xsl:with-param name=&quot;m&quot;&amp;gt;
  219.            ds:KeyInfo child element not in ds namespace
  220.        &amp;lt;/xsl:with-param&amp;gt;
  221.    &amp;lt;/xsl:call-template&amp;gt;
  222. &amp;lt;/xsl:template&amp;gt;
  223. &lt;/code&gt;&lt;/pre&gt;
  224.  
  225. &lt;p&gt;Metadata accidentally violating this rule causes some Shibboleth 1.3 SPs to dump core, so obviously we&#039;d rather fix that mistake than have production services fall over.&lt;/p&gt;
  226.  
  227. &lt;p&gt;XSLT and XPath work well for simple XML pattern matching, but aren&#039;t much good outside that realm.  If things get more complicated, it&#039;s fairly easy to write a Java class to detect the condition you&#039;re looking for and add an appropriate &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/ErrorStatus.html&quot; title=&quot;MDA API: ErrorStatus&quot;&gt;&lt;code&gt;ErrorStatus&lt;/code&gt;&lt;/a&gt; to the item:&lt;/p&gt;
  228.  
  229. &lt;pre&gt;&lt;code&gt;item.getItemMetadata().put(new ErrorStatus(...));
  230. &lt;/code&gt;&lt;/pre&gt;
  231.  
  232. &lt;p&gt;For example, I&#039;ve written a stage to check that valid CIDR notation is used in &lt;code&gt;&amp;lt;mdui:IPHint&amp;gt;&lt;/code&gt; elements.  This would be impractical in pure XPath/XSLT; in Java, the hard work is all done by a single call to an OpenSAML utility class.&lt;/p&gt;
  233.  
  234. &lt;p&gt;It&#039;s sensible to write many small tests rather than a few large ones, so we&#039;ve ended up with a large number of individual checking stages.  The easiest way to keep this manageable (particularly if you apply the same tests in multiple places in the system, as we do) is to group the tests together at various levels by combining stages into a &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/pipeline/CompositeStage.html&quot; title=&quot;MDA API: CompositeStage&quot;&gt;&lt;code&gt;CompositeStage&lt;/code&gt;&lt;/a&gt;.  At the highest level, including a single &lt;code&gt;CHECK_std&lt;/code&gt; stage at any point in the system applies the full battery of checks; what is done with any detected problems depends on context.&lt;/p&gt;
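
As an added illustration (not code from the original post or from the MDA distribution), here is the detect-then-handle pattern of this section in Python: two checking stages that only attach an ErrorStatus, a composite stage that groups them into a single CHECK_std, a reporting step that shows every status message at one point, and a termination stage that abandons the run if anything was flagged. The first check is the ds:KeyInfo rule from the XSLT above; the second is the CIDR check on mdui:IPHint, with the standard library's ipaddress module standing in for the OpenSAML utility the post mentions. The namespace URIs for md:, ds: and mdui: are the real ones; the "rogue" namespace and the entity IDs are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
ROGUE = "http://example.org/not-xmldsig"   # constructed namespace for a bad KeyInfo child


@dataclass
class ErrorStatus:
    component: str
    message: str


@dataclass
class Item:
    element: ET.Element
    errors: list = field(default_factory=list)   # the ErrorStatus part of item metadata


class SigningRunAbandoned(Exception):
    """Raised by the termination stage when any item carries an ErrorStatus."""


def check_keyinfo_children(item):
    """Same rule as the XSLT above: every child of ds:KeyInfo must be in the ds namespace."""
    for key_info in item.element.iter("{%s}KeyInfo" % DS):
        for child in key_info:
            if not child.tag.startswith("{%s}" % DS):
                item.errors.append(ErrorStatus("check_keyinfo_children",
                                               "ds:KeyInfo child element not in ds namespace"))


def check_iphint_cidr(item):
    """Every mdui:IPHint must be valid CIDR notation; strict=True rejects host bits."""
    for hint in item.element.iter("{%s}IPHint" % MDUI):
        text = (hint.text or "").strip()
        try:
            ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            item.errors.append(ErrorStatus("check_iphint_cidr",
                                           "invalid IPHint %r: %s" % (text, exc)))


def composite_stage(*stages):
    """Stand-in for CompositeStage: one stage that applies each check to each item."""
    def run(collection):
        for item in collection:
            for stage in stages:
                stage(item)
        return collection
    return run


CHECK_std = composite_stage(check_keyinfo_children, check_iphint_cidr)


def status_report(collection):
    """All status messages per entityID: the 'show everything at one point' step."""
    return {item.element.get("entityID"): [e.message for e in item.errors]
            for item in collection if item.errors}


def terminate_on_error(collection):
    """Stand-in for ItemMetadataTerminationStage: any ErrorStatus abandons the run."""
    problems = status_report(collection)
    if problems:
        raise SigningRunAbandoned(problems)
    return collection


def signing_run_succeeds(collection):
    """Apply CHECK_std and then the termination stage; True only if nothing was flagged."""
    try:
        terminate_on_error(CHECK_std(collection))
        return True
    except SigningRunAbandoned:
        return False


def sample_idp(entity_id, rogue_keyinfo_child=False, ip_hint=None):
    """Constructed IdP-shaped test data, not real federation metadata."""
    ed = ET.Element("{%s}EntityDescriptor" % MD, entityID=entity_id)
    role = ET.SubElement(ed, "{%s}IDPSSODescriptor" % MD)
    if ip_hint is not None:
        ext = ET.SubElement(role, "{%s}Extensions" % MD)
        hints = ET.SubElement(ext, "{%s}DiscoHints" % MDUI)
        ET.SubElement(hints, "{%s}IPHint" % MDUI).text = ip_hint
    key_info = ET.SubElement(ET.SubElement(role, "{%s}KeyDescriptor" % MD), "{%s}KeyInfo" % DS)
    ET.SubElement(key_info, "{%s}X509Data" % (ROGUE if rogue_keyinfo_child else DS))
    return Item(ed)
```

Because the checks never decide what happens to a flagged item, the same CHECK_std can sit in front of terminate_on_error for UK-registered metadata and in front of a stage that merely drops the item for metadata received from a partner.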
  235.  
  236. &lt;h3&gt;Collect, Check &amp;amp; Process&lt;/h3&gt;
  237.  
  238. &lt;p&gt;The UK federation metadata system&#039;s &lt;code&gt;generate&lt;/code&gt; pipeline begins by fetching the metadata for all entities registered with the federation using the &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/DOMFilesystemSourceStage.html&quot; title=&quot;MDA API: DOMFilesystemSourceStage&quot;&gt;&lt;code&gt;DOMFilesystemSourceStage&lt;/code&gt;&lt;/a&gt;.  We then transform the metadata for each item in various ways to bring it into a consistent state: remember that this metadata has been collected from members over a span of years dating back well before the UK federation&#039;s official launch in 2006, and things have changed a lot in that time.  For example, one stage synthesises &lt;code&gt;&amp;lt;mdrpi:RegistrationInfo&amp;gt;&lt;/code&gt; elements for entities registered before that standard even existed.&lt;/p&gt;
  239.  
  240. &lt;p&gt;Most of these transforms are stages based on &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/XSLTransformationStage.html&quot; title=&quot;MDA API: XSLTransformationStage&quot;&gt;&lt;code&gt;XSLTransformationStage&lt;/code&gt;&lt;/a&gt;, which as you might guess allows you to apply an arbitrary XSLT transform to each item.  XSLT really shines here: it&#039;s very easy to write a transform that targets some pattern in XML and replace instances of it with something else.&lt;/p&gt;
  241.  
  242. &lt;p&gt;One &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/XSLTransformationStage.html&quot; title=&quot;MDA API: XSLTransformationStage&quot;&gt;&lt;code&gt;XSLTransformationStage&lt;/code&gt;&lt;/a&gt; stage handles the injection of the thousands of scopes representing UK schools into the metadata for the schools sector&#039;s shared identity provider entities.  The XSLT in this stage is very complex, and takes around four seconds of CPU time to run; replacing it with a Java-based stage would reduce both complexity and runtime.&lt;/p&gt;
  243.  
  244. &lt;p&gt;&lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/saml/EntityDescriptorItemIdPopulationStage.html&quot; title=&quot;MDA API: EntityDescriptorItemIdPopulationStage&quot;&gt;&lt;code&gt;EntityDescriptorItemIdPopulationStage&lt;/code&gt;&lt;/a&gt; is used to extract each entity&#039;s &lt;code&gt;entityID&lt;/code&gt; and place it into the item&#039;s metadata as an &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/ItemId.html&quot; title=&quot;MDA API: ItemId&quot;&gt;&lt;code&gt;ItemId&lt;/code&gt;&lt;/a&gt; object.  This is used to identify the entity when reporting errors, and it is used in other circumstances as a canonical name for the item.  For example, &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/pipeline/DeduplicatingItemIdMergeStrategy.html&quot; title=&quot;MDA API: DeduplicatingItemIdMergeStrategy&quot;&gt;&lt;code&gt;DeduplicatingItemIdMergeStrategy&lt;/code&gt;&lt;/a&gt; uses &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/ItemId.html&quot; title=&quot;MDA API: ItemId&quot;&gt;&lt;code&gt;ItemId&lt;/code&gt;&lt;/a&gt; as the name of the item to compare so that the strategy implementation can be used on any kind of item, rather than just on SAML metadata.&lt;/p&gt;
  245.  
  246. &lt;p&gt;After performing these transformations, the resulting items are subjected to our full battery of checks, including schema checks and some checks specific to entities registered with the UK federation, such as the rule that each such entity must possess an &lt;code&gt;&amp;lt;md:OrganizationName&amp;gt;&lt;/code&gt; element matching the canonical name of one of our members.  Obviously, we don&#039;t impose that particular check on metadata we acquire from metadata exchange partners.&lt;/p&gt;
  247.  
  248. &lt;p&gt;Any errors at all detected at this point (and represented by &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/ErrorStatus.html&quot; title=&quot;MDA API: ErrorStatus&quot;&gt;&lt;code&gt;ErrorStatus&lt;/code&gt;&lt;/a&gt; objects attached to the items) represent mistakes in our metadata repository.  A sequence of stages culminating in an &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/pipeline/ItemMetadataTerminationStage.html&quot; title=&quot;MDA API: ItemMetadataTerminationStage&quot;&gt;&lt;code&gt;ItemMetadataTerminationStage&lt;/code&gt;&lt;/a&gt; ensures that any such errors are reported and result in the signing process being immediately abandoned so that the error can be corrected.  To reduce the chance of an error being detected during the daily signing run, we operate an instance of the &lt;a href=&quot;http://jenkins-ci.org&quot; title=&quot;Jenkins continuous integration server&quot;&gt;Jenkins&lt;/a&gt; continuous integration server; this runs an abbreviated pipeline whenever the repository is changed, and e-mails the team if an error is encountered.&lt;/p&gt;
  249.  
  250. &lt;h3&gt;Metadata Exchange Input Channels&lt;/h3&gt;
  251.  
  252. &lt;p&gt;The pipelines which run to fetch metadata from our metadata exchange partners follow the same general approach as we use for UK-registered metadata, but there are some significant differences.&lt;/p&gt;
  253.  
  254. &lt;p&gt;These pipelines normally begin by using &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/DOMResourceSourceStage.html&quot; title=&quot;MDA API: DOMResourceSourceStage&quot;&gt;&lt;code&gt;DOMResourceSourceStage&lt;/code&gt;&lt;/a&gt; to fetch a single item representing a metadata &lt;em&gt;aggregate&lt;/em&gt; from a well-known URL rather than fetching many individual items from the local file system.  Because this step involves the Internet, we now have to account for the possibility that an attacker has substituted evil metadata for the metadata our partner intended us to have:&lt;/p&gt;
  255.  
  256. &lt;ul&gt;&lt;li&gt;&lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/XMLSignatureValidationStage.html&quot; title=&quot;MDA API: XMLSignatureValidationStage&quot;&gt;&lt;code&gt;XMLSignatureValidationStage&lt;/code&gt;&lt;/a&gt; verifies the XML signature on the aggregate against the partner&#039;s signing key, so that only a document the partner actually signed is accepted.  This protects against substitution attacks, whether the substitute is served by a compromised web server or injected on the network.&lt;/li&gt;
  257. &lt;li&gt;&lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/saml/ValidateValidUntilStage.html&quot; title=&quot;MDA API: ValidateValidUntilStage&quot;&gt;&lt;code&gt;ValidateValidUntilStage&lt;/code&gt;&lt;/a&gt; checks both that the aggregate carries a &lt;code&gt;validUntil&lt;/code&gt; attribute at all, and that the instant it names is not yet in the past.  Together, these protect against replay attacks: a signature alone proves only that the partner signed the document at some time, so without an expiry an attacker could keep serving an old but genuinely signed copy (one still listing entities the partner has since removed) for as long as they liked.&lt;/li&gt;
  258. &lt;/ul&gt;&lt;p&gt;If either of these checks fails, the signing process is abandoned in the same way as if a critical error had been detected in our own registered metadata.  For the present, this seems like the best way to handle a situation which should only arise during an active attack.&lt;/p&gt;
  259.  
  260. &lt;p&gt;Assuming that the aggregate has proven valid, the single item representing the aggregate is broken down into one item for each component SAML &lt;code&gt;EntityDescriptor&lt;/code&gt; using &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/saml/EntitiesDescriptorDisassemblerStage.html&quot; title=&quot;MDA API: EntitiesDescriptorDisassemblerStage&quot;&gt;&lt;code&gt;EntitiesDescriptorDisassemblerStage&lt;/code&gt;&lt;/a&gt;.  Each resulting item is then transformed in minor ways to bring it closer to UK federation conventions:&lt;/p&gt;
  261.  
  262. &lt;ul&gt;&lt;li&gt;&lt;code&gt;&amp;lt;md:EmailAddress&amp;gt;&lt;/code&gt; values are made standards-compliant by adding a &lt;code&gt;mailto:&lt;/code&gt; scheme where necessary.&lt;/li&gt;
  263. &lt;li&gt;An appropriate &lt;code&gt;&amp;lt;mdrpi:RegistrationInfo&amp;gt;&lt;/code&gt; element will be added for any entity which does not already possess one.&lt;/li&gt;
  264. &lt;/ul&gt;&lt;p&gt;As with the UK-registered metadata, &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/saml/EntityDescriptorItemIdPopulationStage.html&quot; title=&quot;MDA API: EntityDescriptorItemIdPopulationStage&quot;&gt;&lt;code&gt;EntityDescriptorItemIdPopulationStage&lt;/code&gt;&lt;/a&gt; is used to extract each entity&#039;s &lt;code&gt;entityID&lt;/code&gt; and place it into the item&#039;s metadata as an &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/ItemId.html&quot; title=&quot;MDA API: ItemId&quot;&gt;&lt;code&gt;ItemId&lt;/code&gt;&lt;/a&gt; object.&lt;/p&gt;
  265.  
  266. &lt;p&gt;Before letting any metadata pass through to our members, of course we need to check its validity.  In this case, we run the usual battery of tests plus some that are specific to metadata received in this way (such as checking that &lt;code&gt;&amp;lt;mdrpi:RegistrationInfo&amp;gt;&lt;/code&gt; elements have a &lt;code&gt;registrationAuthority&lt;/code&gt; value that is appropriate for this particular channel).&lt;/p&gt;
  267.  
  268. &lt;p&gt;There is, however, a significant difference in the handling of error conditions.  You will recall that if an error is detected on UK-registered metadata, the whole signing run is abandoned until the problem can be repaired.  Errors in imported metadata are reported, but result in the discarding of the metadata for that particular entity rather than having an effect on all metadata from that partner, or on the signing run as a whole.  In other words, when the error is one which we can&#039;t repair ourselves, the approach is to isolate it as far as possible and continue without it.&lt;/p&gt;
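
As an added illustration (not code from the original post or from the MDA distribution), the following Python sketch models the input channel just described, from the validUntil checks through disassembly, the RegistrationInfo fix-up and the channel-specific registrationAuthority check, to the per-entity discard policy. Signature verification is left out because it needs an XML-DSig implementation that the standard library does not provide. The md: and mdrpi: namespace URIs are the real ones; the fixed clock, the partner's registrationAuthority URI, the entity IDs and the 14-day upper bound on validity are this example's own assumptions, the last being added so that neither a partner mistake nor an attacker can hand us a document that stays replayable for years.

```python
import datetime as dt
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDRPI = "urn:oasis:names:tc:SAML:metadata:rpi"

# Fixed clock and an assumed registrationAuthority URI for the sample channel.
NOW = dt.datetime(2012, 8, 10, 12, 0, tzinfo=dt.timezone.utc)
FEDA_AUTHORITY = "https://feda.example/registrar"


@dataclass
class Item:
    element: ET.Element
    errors: list = field(default_factory=list)


class ChannelRejected(Exception):
    """The whole aggregate is refused and the signing run abandoned."""


def parse_valid_until(value):
    """SAML dateTime values here are UTC with a trailing Z, with or without fractions."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise ChannelRejected("unparseable validUntil %r" % value)


def validate_valid_until(aggregate, now, max_validity=dt.timedelta(days=14)):
    """Stand-in for ValidateValidUntilStage, plus this example's upper bound."""
    value = aggregate.element.get("validUntil")
    if value is None:
        raise ChannelRejected("aggregate has no validUntil, so a captured copy could be replayed indefinitely")
    valid_until = parse_valid_until(value)
    if valid_until <= now:
        raise ChannelRejected("aggregate expired at %s" % value)
    if valid_until - now > max_validity:
        raise ChannelRejected("validUntil %s is more than %s ahead" % (value, max_validity))
    return aggregate


def disassemble(aggregate):
    """Stand-in for EntitiesDescriptorDisassemblerStage."""
    return [Item(ed) for ed in aggregate.element.iter("{%s}EntityDescriptor" % MD)]


def ensure_registration_info(item, authority):
    """Add mdrpi:RegistrationInfo for the channel's authority if the entity has none."""
    ext = item.element.find("{%s}Extensions" % MD)
    if ext is None:
        ext = ET.Element("{%s}Extensions" % MD)
        item.element.insert(0, ext)   # md:Extensions must come first
    if ext.find("{%s}RegistrationInfo" % MDRPI) is None:
        ET.SubElement(ext, "{%s}RegistrationInfo" % MDRPI, registrationAuthority=authority)


def check_registration_authority(item, expected):
    """Channel-specific check: a partner may only assert its own registrationAuthority."""
    ri = item.element.find("{%s}Extensions/{%s}RegistrationInfo" % (MD, MDRPI))
    authority = None if ri is None else ri.get("registrationAuthority")
    if authority != expected:
        item.errors.append("registrationAuthority %r is not %r" % (authority, expected))


def discard_items_with_errors(collection):
    """Imported-channel policy: report and drop only the offending entity."""
    kept, dropped = [], {}
    for item in collection:
        if item.errors:
            dropped[item.element.get("entityID")] = list(item.errors)
        else:
            kept.append(item)
    return kept, dropped


def import_channel(aggregate, authority, now=NOW):
    """The channel pipeline, minus signature verification."""
    validate_valid_until(aggregate, now)
    items = disassemble(aggregate)
    for item in items:
        ensure_registration_info(item, authority)
        check_registration_authority(item, authority)
    return discard_items_with_errors(items)


def sample_aggregate(valid_until, entities):
    """Constructed aggregate from (entityID, registrationAuthority or None) pairs."""
    root = ET.Element("{%s}EntitiesDescriptor" % MD)
    if valid_until is not None:
        root.set("validUntil", valid_until)
    for entity_id, authority in entities:
        ed = ET.SubElement(root, "{%s}EntityDescriptor" % MD, entityID=entity_id)
        if authority is not None:
            ext = ET.SubElement(ed, "{%s}Extensions" % MD)
            ET.SubElement(ext, "{%s}RegistrationInfo" % MDRPI, registrationAuthority=authority)
    return Item(root)


SAMPLE_ENTITIES = [
    ("https://sp.feda.example", FEDA_AUTHORITY),                        # correctly labelled
    ("https://rogue.feda.example", "https://other.example/registrar"),  # claims another registrar
    ("https://legacy.feda.example", None),                              # no RegistrationInfo at all
]


def run_sample(valid_until, entities=SAMPLE_ENTITIES, now=NOW):
    """Returns (kept entityIDs, dropped report), or the rejection reason as a string."""
    try:
        kept, dropped = import_channel(sample_aggregate(valid_until, entities), FEDA_AUTHORITY, now)
    except ChannelRejected as exc:
        return str(exc)
    return [item.element.get("entityID") for item in kept], dropped
```

The two failure modes get the two different treatments the post describes: a missing, expired or implausibly distant validUntil rejects the whole channel and ends the run, while an entity asserting somebody else's registrationAuthority is reported and dropped on its own, leaving the partner's other entities untouched.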
  269.  
  270. &lt;h3&gt;Output Aggregate Pipelines&lt;/h3&gt;
  271.  
  272. &lt;p&gt;By comparison with the rest of the system, the pipelines used to generate the output aggregates are relatively straightforward.  Most use &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/saml/EntitiesDescriptorAssemblerStage.html&quot; title=&quot;MDA API: EntitiesDescriptorAssemblerStage&quot;&gt;&lt;code&gt;EntitiesDescriptorAssemblerStage&lt;/code&gt;&lt;/a&gt; to combine the many individual items into one aggregate.&lt;sup id=&quot;fnref:fn-hagg&quot;&gt;&lt;a href=&quot;#fn:fn-hagg&quot; class=&quot;footnote-ref&quot;&gt;7&lt;/a&gt;&lt;/sup&gt;  In all but the export aggregate, XSLT is used to inject the federation&#039;s &quot;trust root&quot; metadata.&lt;/p&gt;
  273.  
  274. &lt;p&gt;Before using &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/DOMElementSerializer.html&quot; title=&quot;MDA API: DOMElementSerializer&quot;&gt;&lt;code&gt;DOMElementSerializer&lt;/code&gt;&lt;/a&gt; to write the aggregate into an output file, a final set of checks is run to make sure that no critical errors have crept in somehow.  If these fail, the signing run is of course abandoned until the system can be repaired.&lt;/p&gt;
  275.  
  276. &lt;h3&gt;Statistics Pipeline&lt;/h3&gt;
  277.  
  278. &lt;p&gt;The statistics pipeline doesn&#039;t generate a SAML aggregate; instead, the output is a file containing statistics on UK-registered entities.  For example, today it tells me that 51 service provider entities (7.3% of the registered SPs) still lack embedded key material.  This is simply a matter of using &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/saml/EntitiesDescriptorAssemblerStage.html&quot; title=&quot;MDA API: EntitiesDescriptorAssemblerStage&quot;&gt;&lt;code&gt;EntitiesDescriptorAssemblerStage&lt;/code&gt;&lt;/a&gt; to join everything together and running an &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/XSLTransformationStage.html&quot; title=&quot;MDA API: XSLTransformationStage&quot;&gt;&lt;code&gt;XSLTransformationStage&lt;/code&gt;&lt;/a&gt; on that single item.  Additional beans representing information such as the federation membership list are fed in through the &lt;code&gt;transformationParameters&lt;/code&gt; property.  The result of that transform is still a DOM item to be serialised into an output file, but it&#039;s HTML rather than SAML metadata.&lt;/p&gt;
  279.  
  280. &lt;p&gt;This is one of those things that sounds pretty neat when it&#039;s a 20-line quick hack and ends up looking a lot less attractive when it&#039;s a 1752-line XSLT document full of &lt;a href=&quot;http://exslt.org/set/functions/distinct/index.html&quot; title=&quot;EXSLT: set:distinct&quot;&gt;&lt;code&gt;set:distinct&lt;/code&gt;&lt;/a&gt; and &lt;a href=&quot;http://exslt.org/dyn/functions/closure/index.html&quot; title=&quot;EXSLT: dyn:closure&quot;&gt;&lt;code&gt;dyn:closure&lt;/code&gt;&lt;/a&gt; calls.  The obvious alternative would be to write a stage using Java and something like the Velocity templating engine.&lt;/p&gt;
  281.  
  282. &lt;h3&gt;Final Thoughts&lt;/h3&gt;
  283.  
  284. &lt;p&gt;There&#039;s a lot to the UK federation metadata system; on the other hand, it&#039;s doing quite a lot.  For example, we almost certainly do more validity checking of UK federation metadata than our peers do, if only because we have an extensible framework we can do that within.&lt;/p&gt;
  285.  
  286. &lt;p&gt;The use of the Shibboleth MDA allowed me to put this system together bit by bit as I migrated functionality away from its predecessor, refactoring multiple times along the way.  At the level of individual stages, there&#039;s very little complexity at all.&lt;/p&gt;
  287.  
  288. &lt;p&gt;In the unlikely event that you&#039;d like more detail on any of the above, or in the more likely event that I&#039;ve not made something as clear as it could be, please contact me either through &lt;a href=&quot;http://iay.org.uk/contact&quot; title=&quot;iay.org.uk contact page&quot;&gt;the site&lt;/a&gt; or directly at &lt;a href=&quot;mailto:[email protected]&quot;&gt;[email protected]&lt;/a&gt;.&lt;/p&gt;
  289.  
  290. &lt;p&gt;&lt;strong&gt;[2017-06-08: updated links to MDA documentation.]&lt;/strong&gt;&lt;/p&gt;
  291.  
  292. &lt;div class=&quot;footnotes&quot;&gt;
  293. &lt;hr /&gt;&lt;ol&gt;&lt;li id=&quot;fn:fn-spaces&quot;&gt;
  294. &lt;p&gt;The single exception to this rule is &lt;a href=&quot;https://spaces.internet2.edu&quot; title=&quot;Internet2 &amp;quot;Spaces&amp;quot; wiki&quot;&gt;Internet2&#039;s &quot;Spaces&quot; wiki&lt;/a&gt;: Internet2 is not a member of the UK federation, but we have registered this entity on their behalf in order to benefit our own members.  Formally, this is under an old memorandum of understanding; in practice, this is the kind of odd edge case I expect to be able to eliminate in the future with more metadata exchange relationships. &lt;a href=&quot;#fnref:fn-spaces&quot; class=&quot;footnote-backref&quot;&gt;↩︎&lt;/a&gt;&lt;/p&gt;
  295. &lt;/li&gt;
  296.  
  297. &lt;li id=&quot;fn:fn-actual&quot;&gt;
  298. &lt;p&gt;At the time of writing (2012-08-10), the live back end is operating with no &quot;production&quot; level relationships and with only one pre-production relationship (which is due to transition to production relatively soon).  That wouldn&#039;t really show the architecture very effectively (and would quickly become outdated), so I&#039;ve generalised here.  &quot;In the lab&quot; I have MDX &quot;channels&quot; coded for about 30 of the national research and education federations; plugging those channels in is obviously more than just a technical problem. &lt;a href=&quot;#fnref:fn-actual&quot; class=&quot;footnote-backref&quot;&gt;↩︎&lt;/a&gt;&lt;/p&gt;
  299. &lt;/li&gt;
  300.  
  301. &lt;li id=&quot;fn:fn-except&quot;&gt;
  302. &lt;p&gt;In practice, there are still a couple of operations which we use other tools for.  A small C program I wrote long ago normalises white space in the output to minimise file size, and then actual signing of the aggregates is performed by &lt;a href=&quot;https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home&quot;&gt;XMLSecTool&lt;/a&gt;.  Once the whitespace normaliser has been rewritten as an aggregator stage, both of these operations can at least in principle be included in the aggregator invocation. &lt;a href=&quot;#fnref:fn-except&quot; class=&quot;footnote-backref&quot;&gt;↩︎&lt;/a&gt;&lt;/p&gt;
  303. &lt;/li&gt;
  304.  
  305. &lt;li id=&quot;fn:fn-structure&quot;&gt;
  306. &lt;p&gt;This might seem rather an odd arrangement: after all, isn&#039;t the main point of the process to generate the production metadata, not some testing artifact?  One answer is that you can decompose your overall problem in any number of ways and get the same effect: the current system takes advantage of the progressive intermediate collections that exist between the &quot;merge&quot; blocks.  Other ways of doing the same thing could make sense, and refactoring the structure of the system can be done very easily within the MDA framework without needing any of the logic to be rewritten. &lt;a href=&quot;#fnref:fn-structure&quot; class=&quot;footnote-backref&quot;&gt;↩︎&lt;/a&gt;&lt;/p&gt;
  307. &lt;/li&gt;
  308.  
  309. &lt;li id=&quot;fn:fn-merge&quot;&gt;
310. &lt;p&gt;One situation where such a precedence-based merge strategy would not apply would be in an aggregator which isn&#039;t also a registrar, such as &lt;a href=&quot;http://www.geant.net/service/edugain/pages/home.aspx&quot; title=&quot;eduGAIN&quot;&gt;eduGAIN&lt;/a&gt;.  While in the UK federation, metadata registered with us must be regarded as authoritative beyond any that could be offered by someone else (including cases in which &quot;our&quot; metadata is accidentally reflected back to us), eduGAIN has no ordering among its members.  Instead, eduGAIN&#039;s aggregator gives &lt;em&gt;precedence&lt;/em&gt; to the first member federation to present metadata for a particular &lt;code&gt;entityID&lt;/code&gt;; as long as that member continues to do so, that member&#039;s metadata for the entity will be preferred even if another member presents metadata for the same &lt;code&gt;entityID&lt;/code&gt;.  This provides stability while still allowing an entity to &quot;move&quot; from one member federation to another in the long term.  None of the merge strategies provided with the MDA framework has persistent state in this way, but as merge strategies are just beans, it&#039;s pretty simple to write custom variants to do anything you need. &lt;a href=&quot;#fnref:fn-merge&quot; class=&quot;footnote-backref&quot;&gt;↩︎&lt;/a&gt;&lt;/p&gt;
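&lt;p&gt;The following is an added illustration, not code from the MDA framework or from the UK federation&#039;s own pipeline: a plain-Python model of the two policies described above, a fixed-precedence merge and a first-registrant merge that carries state between runs. The MDA strategy interface is not reproduced; the &lt;code&gt;entityID&lt;/code&gt;s and version labels are constructed sample data, and the persisted state is just a dictionary handed from one run to the next (a real deployment would write it to disk).&lt;/p&gt;

```python
'''Two metadata merge policies, modelled in plain Python.

This is an added illustration, not MDA code.  Each source is a
(name, items) pair; each item is a dict with at least an 'entityID' key.
'''


def merge_by_precedence(sources):
    '''Registrar-aggregator style (UK federation): sources are listed in
    precedence order and the first source to present an entityID wins.
    Stateless: the result depends only on the inputs and their ordering.'''
    merged = {}
    for name, items in sources:
        for item in items:
            eid = item['entityID']
            if eid not in merged:
                merged[eid] = dict(item, source=name)
    return merged


def merge_first_registrant(sources, state):
    '''eduGAIN style: the member that first presented an entityID keeps
    precedence for as long as it continues to present it.  `state` maps
    entityID to the member currently holding precedence and is carried
    between runs.  Returns (merged, new_state).'''
    presented = {}   # entityID to the list of (member, item) seen this run
    for name, items in sources:
        for item in items:
            presented.setdefault(item['entityID'], []).append((name, item))
    merged = {}
    new_state = {}
    for eid, candidates in presented.items():
        holders = [name for name, _ in candidates]
        owner = state.get(eid)
        if owner not in holders:
            # Previous holder stopped presenting the entity (or never did),
            # so the entity is free to move: take the first presenter this run.
            owner = holders[0]
        new_state[eid] = owner
        chosen = next(item for name, item in candidates if name == owner)
        merged[eid] = dict(chosen, source=owner)
    return merged, new_state


# Constructed sample inputs: hypothetical entityIDs, not real federation data.
IDP = 'https://idp.example.ac.uk/idp'
SP = 'https://sp.example.org/shibboleth'
UKF = ('ukf', [
    {'entityID': IDP, 'registrar': 'ukf', 'ver': 'ukf-v3'},
])
FED_A = ('fed-a', [
    # our own entity, accidentally reflected back to us by another federation
    {'entityID': IDP, 'registrar': 'ukf', 'ver': 'stale-copy'},
    {'entityID': SP, 'registrar': 'fed-a', 'ver': 'a-v1'},
])
FED_B = ('fed-b', [
    {'entityID': SP, 'registrar': 'fed-b', 'ver': 'b-v1'},
])


def run_scenario():
    '''Three runs contrasting the two policies; returns the chosen versions.'''
    state = {}
    out = {}
    # Run 1: both policies agree when the registrar-aggregator lists itself first.
    m1 = merge_by_precedence([UKF, FED_A, FED_B])
    f1, state = merge_first_registrant([UKF, FED_A, FED_B], state)
    out['run1'] = (m1[SP]['ver'], f1[SP]['ver'], f1[IDP]['ver'])
    # Run 2: same inputs, different order.  Precedence flips the SP and even
    # prefers the stale reflected IdP; first-registrant is order-independent.
    m2 = merge_by_precedence([FED_B, FED_A, UKF])
    f2, state = merge_first_registrant([FED_B, FED_A, UKF], state)
    out['run2'] = (m2[SP]['ver'], f2[SP]['ver'], m2[IDP]['ver'])
    # Run 3: fed-a withdraws the SP, so precedence for it moves to fed-b.
    f3, state = merge_first_registrant([FED_B, UKF], state)
    out['run3'] = (f3[SP]['ver'], state[SP])
    return out


if __name__ == '__main__':
    for run, result in run_scenario().items():
        print(run, result)
```

&lt;p&gt;Run 2 feeds the same sources in a different order: the precedence merge changes which copy of the SP wins and lets a stale reflected copy of the UK-registered IdP win, which is why a registrar-aggregator must keep its own metadata first; the first-registrant merge gives the same answer whatever the order, and only changes hands in run 3, once the previous holder stops presenting the entity.&lt;/p&gt;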
  311. &lt;/li&gt;
  312.  
  313. &lt;li id=&quot;fn:fn-meaculpa&quot;&gt;
  314. &lt;p&gt;If anyone has a good idea as to how to show the demultiplexer stages in the diagram more explicitly without making the diagram even harder to follow, please let me know. &lt;a href=&quot;#fnref:fn-meaculpa&quot; class=&quot;footnote-backref&quot;&gt;↩︎&lt;/a&gt;&lt;/p&gt;
  315. &lt;/li&gt;
  316.  
  317. &lt;li id=&quot;fn:fn-hagg&quot;&gt;
  318. &lt;p&gt;The exception is the test aggregate, which has a more complex hierarchical structure with multiple &lt;code&gt;md:EntitiesDescriptor&lt;/code&gt; elements; this addresses some specific policy concerns and is likely to be a long-term direction for the UK federation.  This construction is implemented by combining &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/pipeline/SplitMergeStage.html&quot; title=&quot;MDA API: SplitMergeStage&quot;&gt;&lt;code&gt;SplitMergeStage&lt;/code&gt;&lt;/a&gt; and two &lt;a href=&quot;https://build.shibboleth.net/nexus/service/local/repositories/site/content/java-metadata-aggregator/0.9.2/apidocs/net/shibboleth/metadata/dom/saml/EntitiesDescriptorAssemblerStage.html&quot; title=&quot;MDA API: EntitiesDescriptorAssemblerStage&quot;&gt;&lt;code&gt;EntitiesDescriptorAssemblerStage&lt;/code&gt;&lt;/a&gt;s. &lt;a href=&quot;#fnref:fn-hagg&quot; class=&quot;footnote-backref&quot;&gt;↩︎&lt;/a&gt;&lt;/p&gt;
  319. &lt;/li&gt;
  320.  
  321. &lt;/ol&gt;&lt;/div&gt;
  322. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/identity&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Identity&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  323.     <pubDate>Sun, 12 Aug 2012 20:25:10 +0000</pubDate>
  324. <dc:creator>iay</dc:creator>
  325. <guid isPermaLink="false">390 at http://iay.org.uk</guid>
  326.  </item>
  327.  <item>
  328.    <title>Use Maturity Fruits</title>
  329.    <link>http://iay.org.uk/blog/2012/06/use-maturity-fruits</link>
  330.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;blockquote&gt;
  331.  &lt;p&gt;Use Maturity Fruits.&lt;/p&gt;
  332.  
  333.  &lt;p&gt;Cut the top of the lemon, introduce the part of the tool with the teeths and tur it down.&lt;/p&gt;
  334.  
  335.  &lt;p&gt;Your left hand hold the cup, while the right hand twist the lemon and press her softly at variable points.&lt;/p&gt;
  336.  
  337.  &lt;p&gt;Serve her directly at the table, squeeze the lemon softly and enjoy the juice wherever you want.&lt;/p&gt;
  338.  
  339.  &lt;p&gt;At least put the lemon down in her ceramics vessel.&lt;/p&gt;
  340. &lt;/blockquote&gt;
  341. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/humour&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Humour&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  342.     <pubDate>Mon, 25 Jun 2012 17:11:28 +0000</pubDate>
  343. <dc:creator>iay</dc:creator>
  344. <guid isPermaLink="false">389 at http://iay.org.uk</guid>
  345.  </item>
  346.  <item>
  347.    <title>Silver &amp; Light</title>
  348.    <link>http://iay.org.uk/blog/2012/06/silver-light</link>
  349.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;&lt;a href=&quot;http://ianruhter.tumblr.com/&quot;&gt;Ian Ruhter&lt;/a&gt; makes photographs with a large camera.  A very large camera.  His camera is so large that it is essentially the rear end of a big blue cargo van, which at least means transportation is built in.&lt;/p&gt;
  350.  
  351. &lt;p&gt;He&#039;s using the &lt;a href=&quot;http://en.wikipedia.org/wiki/Collodion_process&quot; title=&quot;Wikipedia: Collodion process&quot;&gt;wet collodion process&lt;/a&gt; which amongst other things means pouring noxious chemicals over the plates in the field.  The introduction to his &lt;a href=&quot;http://vimeo.com/39578584&quot; title=&quot;Vimeo: Silver &amp;amp; Light&quot;&gt;short documentary&lt;/a&gt; shows some of this process in a deliciously misleading way, and has a fair bit of footage of the plate preparation and shooting processes.&lt;/p&gt;
  352.  
  353. &lt;p&gt;The plates themselves, which in this process also carry the final image, are large sheets of metal.  I thought I was stretching things a bit when I worked with 5x4 inch negatives: one of Ruhter&#039;s standard plate sizes seems to be 5x4 &lt;em&gt;feet&lt;/em&gt;.&lt;/p&gt;
  354.  
  355. &lt;p&gt;If you&#039;ve never seen large images from a direct imaging process like this, it&#039;s tempting to regard this as a bit of a gimmick, or at best just a way of making a really large photographic print.  That&#039;s not what you experience when you stand in front of something like a &lt;a href=&quot;http://www.20x24studio.com/&quot;&gt;20&quot;x24&quot; Polaroid&lt;/a&gt;.  Photographs like this have a physical presence; it&#039;s immediately clear that they are, to paraphrase what Ruhter says in the film, not enlargements and not copies, but original and unique objects.&lt;/p&gt;
  356.  
  357. &lt;p&gt;I&#039;m really glad there are still people in the world crazy enough to do this kind of thing.&lt;/p&gt;
  358.  
  359. &lt;!--break--&gt;
  360. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/photography&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Photography&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  361.     <pubDate>Mon, 18 Jun 2012 14:10:40 +0000</pubDate>
  362. <dc:creator>iay</dc:creator>
  363. <guid isPermaLink="false">388 at http://iay.org.uk</guid>
  364.  </item>
  365.  <item>
  366.    <title>EPS International 2012 Entry Closes Soon</title>
  367.    <link>http://iay.org.uk/blog/2012/06/eps-international-2012-entry-closes-soon</link>
  368.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;The &lt;a href=&quot;http://www.edinburghphotographicsociety.co.uk/&quot;&gt;Edinburgh Photographic Society&lt;/a&gt; has been running an annual open exhibition since its founding in 1861; this is believed to be the oldest continuously running photographic exhibition in the world.  That&#039;s one and a half &lt;em&gt;centuries&lt;/em&gt;, which makes my paltry two-decade-or-so stint as the exhibition&#039;s Database Wrangler look rather paltry.&lt;/p&gt;
  369.  
  370. &lt;p&gt;This year, the 150th &lt;a href=&quot;http://exhibition.edinburghphotographicsociety.co.uk/&quot;&gt;Annual Exhibition of Photography&lt;/a&gt; will be held in Edinburgh from the 7th of August to 4th September.  Entries for the exhibition close on the 22nd of June, which means that you still have time to participate if you&#039;re quick.&lt;/p&gt;
  371.  
  372. &lt;p&gt;This year, the awards available have been extended to commemorate the 150th Exhibition, so if you have ever considered entering this would be a great time to do so.&lt;/p&gt;
  373.  
  374. &lt;p&gt;Entry forms and copies of the rules can be found at:&lt;/p&gt;
  375.  
  376. &lt;blockquote&gt;
  377.  &lt;p&gt;&lt;a href=&quot;http://exhibition.edinburghphotographicsociety.co.uk/entry&quot;&gt;http://exhibition.edinburghphotographicsociety.co.uk/entry&lt;/a&gt;&lt;/p&gt;
  378. &lt;/blockquote&gt;
  379.  
  380. &lt;p&gt;Good luck!&lt;/p&gt;
  381.  
  382. &lt;!--break--&gt;
  383. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/photography&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Photography&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  384.     <pubDate>Sun, 03 Jun 2012 11:14:32 +0000</pubDate>
  385. <dc:creator>iay</dc:creator>
  386. <guid isPermaLink="false">387 at http://iay.org.uk</guid>
  387.  </item>
  388.  <item>
  389.    <title>Drupaled</title>
  390.    <link>http://iay.org.uk/blog/2012/05/drupaled</link>
  391.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;The site update work I talked about in the &lt;a href=&quot;http://iay.org.uk/blog/2012/05/site_changes.html&quot; title=&quot;Technology Stir Fry: Site Changes&quot;&gt;last post&lt;/a&gt; has been completed:&lt;/p&gt;
  392.  
  393. &lt;ul&gt;&lt;li&gt;Everything has now moved from the &lt;code&gt;www.iay.org.uk&lt;/code&gt; domain to &lt;code&gt;iay.org.uk&lt;/code&gt;.&lt;/li&gt;
  394. &lt;li&gt;Both of the old &lt;a href=&quot;http://www.movabletype.com/&quot; title=&quot;Movable Type&quot;&gt;Movable Type&lt;/a&gt; blogs (this one, &lt;em&gt;Technology Stir Fry,&lt;/em&gt; and the long retired &lt;a href=&quot;http://iay.org.uk/there/blog&quot; title=&quot;[email protected] blog&quot;&gt;&lt;code&gt;[email protected]&lt;/code&gt;&lt;/a&gt;) have been imported into &lt;a href=&quot;http://drupal.org&quot; title=&quot;Drupal&quot;&gt;Drupal&lt;/a&gt;.&lt;/li&gt;
  395. &lt;li&gt;Many URLs have changed as part of this, but I think I have entered redirects for all of them (Drupal&#039;s aliasing and redirect systems are really nice).&lt;/li&gt;
  396. &lt;li&gt;In particular, the two blogs have new RSS feed locations, but the redirects &lt;em&gt;seem&lt;/em&gt; to work for at least some RSS aggregators, such as Google Reader.&lt;/li&gt;
397. &lt;/ul&gt;&lt;p&gt;I&#039;m pretty happy with the conversion, although I&#039;ll probably change the theme once I have thought a bit about how I&#039;d like the site to look long term.  Being able to theme everything at once will be nice; I&#039;ve never been happy with the blogs looking so different to the rest of the site.&lt;/p&gt;
  398.  
  399. &lt;p&gt;&lt;a href=&quot;http://iay.org.uk/contact&quot; title=&quot;Contact form&quot;&gt;Let me know&lt;/a&gt; if you spot any rough edges.&lt;/p&gt;
  400.  
  401. &lt;p&gt;[2012-06-01: Updated the site &lt;a href=&quot;http://iay.org.uk/colophon&quot;&gt;colophon&lt;/a&gt; with some description of the Drupal modules I&#039;m using.]
  402. &lt;!--break--&gt;&lt;/p&gt;
  403. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/site-updates&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Site Updates&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  404.     <pubDate>Thu, 31 May 2012 16:17:12 +0000</pubDate>
  405. <dc:creator>iay</dc:creator>
  406. <guid isPermaLink="false">386 at http://iay.org.uk</guid>
  407.  </item>
  408.  <item>
  409.    <title>Site Changes</title>
  410.    <link>http://iay.org.uk/blog/2012/05/site_changes.html</link>
  411.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;I&#039;m planning to make some fairly large changes to the site over the next couple of months.  These will undoubtedly break things, and if you do run into oddities I&#039;d appreciate &lt;a href=&quot;http://iay.org.uk/contact&quot; title=&quot;site contact page&quot;&gt;a quick note&lt;/a&gt; so that I can unbreak them.&lt;/p&gt;
  412. &lt;p&gt;Today, the site will be moving from having a canonical name of &lt;code&gt;www.iay.org.uk&lt;/code&gt; to the simpler &lt;code&gt;iay.org.uk&lt;/code&gt;.  Everything &lt;i&gt;should&lt;/i&gt; be redirected safely from the old location, but I can&#039;t rule out the possibility of some redirection loops to start with.&lt;/p&gt;
  413. &lt;p&gt;Later, the two blogs (including this one) will be migrated from Movable Type into the same &lt;a href=&quot;http://drupal.org&quot; title=&quot;Drupal&quot;&gt;Drupal&lt;/a&gt; content management system as most of the rest of the site uses these days.  Again, I&#039;m hoping that everything interesting will be redirected safely but I do plan to change the organisation of things like archive index pages so some links may well break.&lt;/p&gt;
  414. &lt;p&gt;Wish me luck.
  415. &lt;/p&gt;
  416. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/site-updates&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Site Updates&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  417.     <pubDate>Thu, 10 May 2012 10:17:48 +0000</pubDate>
  418. <dc:creator>iay</dc:creator>
  419. <guid isPermaLink="false">384 at http://iay.org.uk</guid>
  420.  </item>
  421.  <item>
  422.    <title>Just My Type</title>
  423.    <link>http://iay.org.uk/blog/2012/01/just_my_type.html</link>
  424.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;Santa was good to me this year, and brought me a copy of &lt;a href=&quot;http://www.amazon.co.uk/Just-My-Type-About-Fonts/dp/1846683017&quot;&gt;&lt;i&gt;Just My Type: A Book About Fonts,&lt;/i&gt;&lt;/a&gt; by Simon Garfield.&lt;/p&gt;
  425. &lt;p&gt;If you&#039;ve ever had a copy of the &lt;a href=&quot;http://www.amazon.co.uk/Letraset-Catalogue-Lettering-Typefaces-Products/dp/B001EB0JNW&quot;&gt;&lt;i&gt;Letraset Catalogue&lt;/i&gt;&lt;/a&gt; on your shelf, or know what (rather than who) &lt;a href=&quot;http://en.wikipedia.org/wiki/Arnold_Böcklin_(typeface)&quot;&gt;Arnold Böcklin&lt;/a&gt; is and can recognise it in the street, you&#039;d enjoy reading this.  If you can instantly tell &lt;a href=&quot;http://en.wikipedia.org/wiki/Helvetica&quot;&gt;Helvetica&lt;/a&gt; and &lt;a href=&quot;http://en.wikipedia.org/wiki/Arial&quot;&gt;Arial&lt;/a&gt; based only on their respective lower-case &#039;a&#039;s, it might be a bit simplistic for you.&lt;/p&gt;
  426. &lt;p&gt;A word to the wise: skip the chapter on Eric Gill&#039;s personal habits.  No Wikipedia link for that one.
  427. &lt;/p&gt;
  428. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/books&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Books&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  429.     <pubDate>Thu, 12 Jan 2012 16:43:49 +0000</pubDate>
  430. <dc:creator>iay</dc:creator>
  431. <guid isPermaLink="false">383 at http://iay.org.uk</guid>
  432.  </item>
  433.  <item>
  434.    <title>Google+</title>
  435.    <link>http://iay.org.uk/blog/2011/10/google.html</link>
  436.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;I&#039;ve been pretty disappointed by social networking &quot;products&quot; up to this point.  I do use &lt;a href=&quot;https://twitter.com/iay&quot; title=&quot;@iay&quot;&gt;Twitter&lt;/a&gt; once in a while, but it&#039;s pretty ephemeral stuff.  I think that&#039;s fine, it means I don&#039;t have to worry about missing anything.&lt;/p&gt;
  437. &lt;p&gt;When I was very young and naïve, I thought Facebook looked pretty interesting.  In practice, the level of sheer malevolence displayed by the company and its founder have stopped me from using it for anything other than keeping up with the family.&lt;/p&gt;
  438. &lt;p&gt;Ever hopeful, I now have a &lt;a href=&quot;https://plus.google.com/u/0/108766996122105192149&quot; title=&quot;+Ian Young&quot;&gt;presence on Google+&lt;/a&gt;.  It&#039;s possible that this new service will end up as malign as Facebook, but for now at least I feel much less like I am being packaged up and sold as product.  It seems, really, like a social network done right.&lt;/p&gt;
  439. &lt;p&gt;All that seems to be missing is the &lt;em&gt;people.&lt;/em&gt;&lt;/p&gt;
  440. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/identity&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Identity&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  441.     <pubDate>Tue, 11 Oct 2011 09:19:52 +0000</pubDate>
  442. <dc:creator>iay</dc:creator>
  443. <guid isPermaLink="false">382 at http://iay.org.uk</guid>
  444.  </item>
  445.  <item>
  446.    <title>The Avant Cellist</title>
  447.    <link>http://iay.org.uk/blog/2011/03/the_avant_celli.html</link>
  448.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;I stumbled upon the music of &lt;a href=&quot;http://www.zoekeating.com/&quot; title=&quot;zoë keating: avant cello&quot;&gt;Zoë Keating&lt;/a&gt; (specifically, &lt;a href=&quot;http://www.amazon.co.uk/Tetrishead/dp/B002IU7PEY/&quot; title=&quot;Tertrishead at amazon.co.uk&quot;&gt;Tetrishead&lt;/a&gt;) some years ago in, of all places, an early &lt;a href=&quot;http://www.dawnanddrew.com/&quot; title=&quot;&#039;Dawn and Drew: always profane, rarely profound&#039;&quot;&gt;Dawn and Drew&lt;/a&gt; podcast.  The latter fell victim to my &quot;unsubscribe from one thing every week&quot; rule four or five years ago, but I come back to this hypnotic music again and again.&lt;/p&gt;
  449. &lt;p&gt;You should, of course, run out and buy all of her music &lt;a href=&quot;http://www.zoekeating.com/projects.html&quot; title=&quot;zoë keating: music and projects&quot;&gt;directly from her web site&lt;/a&gt; in order to increase the likelihood that we&#039;ll all have more to enjoy in the future.  The thing that prompts this post, though, is a short &lt;a href=&quot;http://www.youtube.com/watch?v=63wanWqzav8&quot; title=&quot;YouTube - Avant Cellist&quot;&gt;documentary film&lt;/a&gt;.  It was made by Intel as some kind of advertising ploy for a semiconductor product that they happen to manufacture, but thankfully that&#039;s not too blatant and the film is well worth its six minutes.  The soundtrack is superb, as you might expect.&lt;/p&gt;
  450. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/miscellanea&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Miscellanea&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  451.     <pubDate>Sun, 27 Mar 2011 12:07:25 +0000</pubDate>
  452. <dc:creator>iay</dc:creator>
  453. <guid isPermaLink="false">381 at http://iay.org.uk</guid>
  454.  </item>
  455.  <item>
  456.    <title>New Roots</title>
  457.    <link>http://iay.org.uk/blog/2011/01/new_roots.html</link>
  458.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;I run a simple X.509 Certification Authority for internal systems, and certain external systems used by clients (the majority of external systems use commercial certificates).  From 2011-01-02, this CA will use a new root certificate:&lt;/p&gt;
  459. &lt;ul&gt;&lt;li&gt;PEM: &lt;a href=&quot;http://iay.org.uk/static/ca/iay-ca-g1-2011.crt&quot; title=&quot;PEM format root certificate from 2011-01-02&quot;&gt;iay-ca-g1-2011.crt&lt;/a&gt;&lt;/li&gt;
  460. &lt;li&gt;DER: &lt;a href=&quot;http://iay.org.uk/static/ca/iay-ca-g1-2011.cer&quot; title=&quot;DER format root certificate from 2011-01-02&quot;&gt;iay-ca-g1-2011.cer&lt;/a&gt;&lt;/li&gt;
461. &lt;/ul&gt;&lt;p&gt;The SHA-1 fingerprint for this certificate is:&lt;/p&gt;
  462. &lt;ul&gt;&lt;li&gt;&lt;tt&gt;34:6E:CB:19:25:15:E7:94:ED:AF:A4:F1:C4:79:BF:92:C5:8B:3C:D5&lt;/tt&gt;&lt;/li&gt;
  463. &lt;/ul&gt;&lt;p&gt;For reference, the previous root certificate is here:&lt;/p&gt;
  464. &lt;ul&gt;&lt;li&gt;PEM: &lt;a href=&quot;http://iay.org.uk/static/ca/iay-ca-g1-2006.crt&quot; title=&quot;PEM format root certificate to 2011-01-23&quot;&gt;iay-ca-g1-2006.crt&lt;/a&gt;&lt;/li&gt;
  465. &lt;li&gt;DER: &lt;a href=&quot;http://iay.org.uk/static/ca/iay-ca-g1-2006.cer&quot; title=&quot;DER format root certificate to 2011-01-23&quot;&gt;iay-ca-g1-2006.cer&lt;/a&gt;&lt;/li&gt;
  466. &lt;/ul&gt;&lt;p&gt;The last certificate issued under the old root certificate expires on 2011-01-23.&lt;/p&gt;
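&lt;p&gt;Added illustration, not part of the original post: the check a relying party should make before trusting a newly published root, using only the Python standard library. A fingerprint is a digest over the DER encoding, so the PEM and DER downloads above must give the same value. The sample certificate text below is a constructed placeholder whose base64 body decodes to the bytes &lt;code&gt;abc&lt;/code&gt;, not the real iay.org.uk root, so the expected values are simply the well-known digests of those three bytes. The helper also emits a SHA-256 fingerprint, since the post publishes only SHA-1 and a SHA-256 value is what most tools compare today.&lt;/p&gt;

```python
'''Verify a certificate fingerprint before installing a new root.

Added illustration using only the standard library; the sample PEM below is
a constructed placeholder, not the iay.org.uk root certificate.
'''
import base64
import hashlib
import re

PEM_RE = re.compile(
    r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', re.S)


def pem_to_der(pem_text):
    '''Return the DER bytes of the first CERTIFICATE block in PEM text.
    Fingerprints are always computed over DER, so a PEM (.crt) and a DER
    (.cer) copy of the same certificate give the same fingerprint.'''
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError('no CERTIFICATE block found')
    return base64.b64decode(''.join(m.group(1).split()))


def fingerprint(der_bytes, algo='sha1'):
    '''Colon-separated upper-case hex digest, the format used in the post.'''
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ':'.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(der_bytes, expected, algo='sha1'):
    '''Compare ignoring case and separators; do this rather than eyeballing.'''
    def norm(s):
        return s.replace(':', '').replace(' ', '').upper()
    return norm(fingerprint(der_bytes, algo)) == norm(expected)


# Constructed placeholder: the base64 text 'YWJj' decodes to b'abc', so the
# expected fingerprint is the well-known SHA-1 digest of those bytes.
SAMPLE_PEM = '''-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
'''
SAMPLE_SHA1 = 'A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D'


def check_sample():
    '''Return (sha1, sha256, ok) for the constructed sample certificate.'''
    der = pem_to_der(SAMPLE_PEM)
    return fingerprint(der), fingerprint(der, 'sha256'), matches(der, SAMPLE_SHA1)


if __name__ == '__main__':
    sha1, sha256, ok = check_sample()
    print('SHA-1  ', sha1)
    print('SHA-256', sha256)
    print('matches published value:', ok)
```

&lt;p&gt;To check a real download, read the file and pass its contents to &lt;code&gt;pem_to_der&lt;/code&gt; (or, for the DER &lt;code&gt;.cer&lt;/code&gt; file, hash the raw bytes directly) and compare against the published fingerprint with &lt;code&gt;matches&lt;/code&gt;; the point of the check is that the fingerprint was obtained over a channel you already trust, so a swapped certificate on the download path is detected.&lt;/p&gt;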
  467. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/security&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Security&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  468.     <pubDate>Mon, 03 Jan 2011 13:15:27 +0000</pubDate>
  469. <dc:creator>iay</dc:creator>
  470. <guid isPermaLink="false">380 at http://iay.org.uk</guid>
  471.  </item>
  472.  <item>
  473.    <title>Surviving Interfederation</title>
  474.    <link>http://iay.org.uk/blog/2010/12/surviving_inter.html</link>
  475.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;&lt;a href=&quot;http://iay.org.uk/blog/2010/12/Zombies.pdf&quot; title=&quot;Zombie Horde&quot;&gt;&lt;img src=&quot;http://iay.org.uk/blog/2010/12/Zombies.013.png&quot; alt=&quot;Please do not take photos with hats on&quot; border=&quot;0&quot; width=&quot;240&quot; height=&quot;159&quot; align=&quot;right&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
  476. &lt;p&gt;I gave a presentation to &lt;a href=&quot;https://sites.google.com/site/jiscfam10/&quot; title=&quot;FAM10 conference&quot;&gt;FAM10&lt;/a&gt; back in October in Cardiff, in the &quot;Not for the faint hearted&quot; session.  You can download the slides as a PDF file from the illustration on the right.&lt;/p&gt;
  477. &lt;p&gt;My working title was &quot;How to Survive the Coming Zombie Apocalypse&quot;, but the presentation was really about how to survive the transition from cozy local federations to federated operation in the global internet.  Whether that looks like a scary prospect depends, of course, on how conservative you&#039;ve been to date: UK federation recommendations have always emphasised the difference between technical trust and behavioural trust, and the talk goes into some detail on this topic.&lt;/p&gt;
  478. &lt;p&gt;Understanding trust allows you to protect yourself against the zombie hordes (sorry, I mean &quot;entities not bound by your local federation&#039;s behavioural norms&quot;).  The other topic covered in detail is how to benefit from interfederation by making sure that you&#039;re running software capable of interoperating widely.
  479. &lt;/p&gt;
  480. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/identity&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Identity&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  481.     <pubDate>Thu, 02 Dec 2010 11:58:45 +0000</pubDate>
  482. <dc:creator>iay</dc:creator>
  483. <guid isPermaLink="false">379 at http://iay.org.uk</guid>
  484.  </item>
  485.  <item>
  486.    <title>BEER</title>
  487.    <link>http://iay.org.uk/blog/2010/09/beer.html</link>
  488.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;BEER is the current attempt at a decent acronym for a new service in the federated identity space.  BEER stands for [Bunch|Bucket|Bag] of End Entities Registry, and you should be profoundly glad we didn&#039;t go with any of the earlier names.&lt;/p&gt;
  489. &lt;p&gt;You can find out more about it &lt;a href=&quot;https://spaces.internet2.edu/display/BEER/Home&quot; title=&quot;BEER project wiki&quot;&gt;at the project&#039;s wiki&lt;/a&gt;; Nicole Harris has a &lt;a href=&quot;http://access.jiscinvolve.org/wp/consuming-beer/&quot; title=&quot;Consuming Beer at JISC Access Management Focus&quot;&gt;pretty good summary&lt;/a&gt; of the idea and what it might mean.&lt;/p&gt;
  490. &lt;p&gt;One thing that seems to be confusing people about BEER is that it&#039;s easy to make the assumption that it&#039;s trying to be a federation along the lines that we have at present, just with less strict membership rules.  I&#039;m not saying that such a thing wouldn&#039;t have a use (&lt;a href=&quot;https://www.testshib.org/testshib-two/index.jsp&quot; title=&quot;TestShib Two&quot;&gt;TestShib&lt;/a&gt; has been very useful for many people, although it leans so far towards openness that some would argue that it &lt;a href=&quot;https://www.testshib.org/testshib-two/index.jsp&quot; title=&quot;The first rule of TestShib is: never trust TestShib.&quot;&gt;falls over&lt;/a&gt;), but this is not what BEER is about.&lt;/p&gt;
  491. &lt;p&gt;It&#039;s probably more helpful to look at BEER as a new kind of thing, an independent &lt;em&gt;registrar&lt;/em&gt; of metadata.  Its job is to assure the &lt;em&gt;authenticity&lt;/em&gt; of the metadata it publishes (in terms of establishing that the metadata for an entity has a connection to the owner of the associated domain) without attempting to make guarantees about any of the things you might later layer on top of that &quot;technical trust&quot;.  As such, it&#039;s aiming to be a component in an overall trust framework rather than a complete solution in the way that many of the existing federations see their role.&lt;/p&gt;
  492. &lt;p&gt;Whether such a service has a long term role to play depends on whether the various existing federations start to converge in terms of their view of their own roles, and of course whether that convergence is in the direction of monolithic trust or in the direction of separation of the different trust components.  Both approaches have supporters, of course, and we&#039;ll just have to see how things work out.  It will be obvious from &lt;a href=&quot;http://iay.org.uk/blog/2009/05/concepts_and_me.html&quot; title=&quot;Technology Stir Fry: Concepts and Methods V1.10&quot;&gt;previous&lt;/a&gt; &lt;a href=&quot;http://iay.org.uk/blog/2009/11/fam09_metadata.html&quot; title=&quot;Technology Stir Fry: FAM09: Metadata Aggregation&quot;&gt;posts&lt;/a&gt; that I&#039;m in the &quot;separate the concerns, behavioural trust is end-to-end&quot; camp, which I&#039;d broadly characterise as the design we chose for the &lt;a href=&quot;http://ukfederation.org.uk/&quot; title=&quot;UK Access Management Federation for Education and Research&quot;&gt;UK federation&lt;/a&gt;, and which I think has worked out pretty well in that community.&lt;/p&gt;
  493. &lt;p&gt;By coincidence, I&#039;ll be talking at &lt;a href=&quot;http://fam10.eventbrite.com/&quot; title=&quot;Federated Access Management 2010&quot;&gt;FAM10&lt;/a&gt; next week about how to survive a scary post-apocalyptic future in which not all UK federation metadata originates from the federation&#039;s own members, and BEER will certainly be on the agenda.  As will &lt;a href=&quot;http://en.wikipedia.org/wiki/Guinness&quot; title=&quot;Wikipedia: Guinness&quot;&gt;beer&lt;/a&gt;, of course, although probably not during the talk.&lt;/p&gt;
  494. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/identity&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Identity&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  495.     <pubDate>Wed, 29 Sep 2010 12:22:24 +0000</pubDate>
  496. <dc:creator>iay</dc:creator>
  497. <guid isPermaLink="false">378 at http://iay.org.uk</guid>
  498.  </item>
  499.  <item>
  500.    <title>Bureaucracies and Thermodynamics</title>
  501.    <link>http://iay.org.uk/blog/2010/06/bureaucracies_a.html</link>
  502.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;Another eternal principle, well put:&lt;/p&gt;
  503. &lt;blockquote&gt;&lt;p&gt;Bureaucracies temporarily suspend the Second Law of Thermodynamics. In a bureaucracy, it’s easier to make a process more complex than to make it simpler, and easier to create a new burden than kill an old one.&lt;/p&gt;&lt;/blockquote&gt;
  504. &lt;p&gt;[from &lt;a href=&quot;http://www.shirky.com/weblog/2010/04/the-collapse-of-complex-business-models/&quot; title=&quot;The Collapse of Complex Business Models&quot;&gt;The Collapse of Complex Business Models&lt;/a&gt; by &lt;a href=&quot;http://www.shirky.com/&quot; title=&quot;Clay Shirky&#039;s Internet Writings&quot;&gt;Clay Shirky&lt;/a&gt;]&lt;/p&gt;
  505. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/humour&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Humour&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  506.     <pubDate>Fri, 25 Jun 2010 10:50:49 +0000</pubDate>
  507. <dc:creator>iay</dc:creator>
  508. <guid isPermaLink="false">377 at http://iay.org.uk</guid>
  509.  </item>
  510.  <item>
  511.    <title>How Many Elephants?</title>
  512.    <link>http://iay.org.uk/blog/2010/05/how_many_elepha.html</link>
  513.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;I&#039;ve been thinking a fair bit these last few months about the notion of &lt;a href=&quot;http://www.google.com/search?q=misaligned+incentives&quot; title=&quot;Google search for &#039;misaligned incentives&#039;&quot;&gt;misaligned incentives&lt;/a&gt;.  Both professionally and in the public policy sphere, people optimise for what&#039;s best for them individually; if you want a particular outcome, you need to make sure that everyone involved has an incentive towards making that outcome a reality.&lt;/p&gt;
  514. &lt;p&gt;I recently came across this perfect expression of the idea, which I pass along here without further comment:&lt;/p&gt;
  515. &lt;blockquote&gt;&lt;p&gt;
  516. It&#039;s true: never let the guy with the broom decide how many elephants can be in the parade.
  517. &lt;/p&gt;&lt;/blockquote&gt;
  518. &lt;p&gt;[&lt;a href=&quot;http://twitter.com/hotdogsladies&quot; title=&quot;Merlin Mann on the Twitter&quot;&gt;Merlin Mann&lt;/a&gt; &lt;a href=&quot;http://twitter.com/hotdogsladies/status/12546802419&quot;&gt;said that&lt;/a&gt;.]&lt;/p&gt;
  519. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/humour&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Humour&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  520.     <pubDate>Wed, 19 May 2010 16:28:34 +0000</pubDate>
  521. <dc:creator>iay</dc:creator>
  522. <guid isPermaLink="false">376 at http://iay.org.uk</guid>
  523.  </item>
  524.  <item>
  525.    <title>Free Cake: Not a Lie</title>
  526.    <link>http://iay.org.uk/blog/2010/05/free_cake_not_a.html</link>
  527.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;&lt;a href=&quot;http://en.wikipedia.org/wiki/Portal_(video_game)&quot; title=&quot;Wikipedia: Portal (video game)&quot;&gt;This was a triumph.&lt;/a&gt;&lt;/p&gt;
  528. &lt;p&gt;I&#039;m making a note here: &quot;&lt;a href=&quot;http://en.wikipedia.org/wiki/Portal_(video_game)#Awards&quot; title=&quot;70 Game of the Year awards&quot;&gt;Huge Success&lt;/a&gt;&quot;.&lt;/p&gt;
  529. &lt;p&gt;Portal is &lt;a href=&quot;http://store.steampowered.com/freeportal/&quot;&gt;free for the next few days&lt;/a&gt;, on both PC and Mac.&lt;/p&gt;
  530. &lt;p&gt;If you&#039;ve never played it, Portal is pretty hard to describe.  Instead, I&#039;ll just &lt;a href=&quot;http://store.steampowered.com/video/400/922&quot;&gt;direct you to the trailer&lt;/a&gt;.&lt;/p&gt;
  531. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/humour&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Humour&lt;/a&gt;&lt;/li&gt;&lt;li class=&quot;taxonomy-term-reference-1&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/gaming&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Gaming&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  532.     <pubDate>Mon, 17 May 2010 11:22:44 +0000</pubDate>
  533. <dc:creator>iay</dc:creator>
  534. <guid isPermaLink="false">375 at http://iay.org.uk</guid>
  535.  </item>
  536.  <item>
  537.    <title>E-mail Certificates</title>
  538.    <link>http://iay.org.uk/blog/2010/01/email_certifica.html</link>
  539.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;The Thawte &lt;a href=&quot;http://www.thawte.com/resources/personal-email-certificates/index.html&quot; title=&quot;Thawte Web of Trust&quot;&gt;Web of Trust&lt;/a&gt;, for which I was a fairly junior &lt;a href=&quot;http://iay.org.uk/blog/2007/12/thawte_wot_nota.html&quot; title=&quot;Technology Stir Fry: Thawte WoT Notary&quot;&gt;notary&lt;/a&gt;, was shut down recently.  This included revoking all existing certificates back in November, at least according to Thawte&#039;s &lt;a href=&quot;https://search.thawte.com/support/ssl-digital-certificates/index?page=content&amp;amp;id=SO12658&quot; title=&quot;Frequently Asked Questions for the EOL of WOT / Class One&quot;&gt;FAQ&lt;/a&gt; on the closure.  Amusingly — but perhaps not surprisingly to anyone familiar with the area — I&#039;ve had to date precisely &lt;em&gt;no&lt;/em&gt; queries relating to my continued use of the supposedly revoked personal e-mail certificate.&lt;/p&gt;
  540. &lt;p&gt;The only other S/MIME certificate authority I&#039;m aware of that does Web of Trust type identity validation is &lt;a href=&quot;http://www.cacert.org/&quot;&gt;CAcert&lt;/a&gt;; unfortunately their root certificate isn&#039;t trusted by most browsers and e-mail clients and until that happens (if it ever does) I can&#039;t recommend them as a replacement.  Similarly, the lack of built-in PGP/GPG support in current mail clients rules that system out for most people.&lt;/p&gt;
  541. &lt;p&gt;If you had a Thawte S/MIME e-mail certificate, you may have been able to trade it in for a 1-year &lt;a href=&quot;http://www.verisign.com/authentication/individual-authentication/digital-id/index.html&quot; title=&quot;VeriSign: Digital IDs for Secure Email&quot;&gt;equivalent from VeriSign&lt;/a&gt; free of charge.  Unfortunately, after the first year it looks like VeriSign charge $19.95 per annum even for a &quot;persona not validated&quot; certificate, which doesn&#039;t sound to me like a lot of bang for your buck.&lt;/p&gt;
  542. &lt;p&gt;One alternative for the cost-conscious is Comodo&#039;s &lt;a href=&quot;http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html&quot; title=&quot;Instant SSL by Comodo: Free Secure Email Certificate&quot;&gt;Free Secure Email Certificate&lt;/a&gt; product.  Again, this is &quot;persona not validated&quot; but should be sufficient for most uses and you can&#039;t beat the price.&lt;/p&gt;
  543. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/identity&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Identity&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  544.     <pubDate>Mon, 18 Jan 2010 12:21:18 +0000</pubDate>
  545. <dc:creator>iay</dc:creator>
  546. <guid isPermaLink="false">374 at http://iay.org.uk</guid>
  547.  </item>
  548.  <item>
  549.    <title>FAM09: Metadata Aggregation</title>
  550.    <link>http://iay.org.uk/blog/2009/11/fam09_metadata.html</link>
  551.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;Metadata aggregation as a route to cross-federation inter-operation continues to be my main focus for the year, and yesterday I &lt;a href=&quot;http://www.jisc.ac.uk/whatwedo/themes/accessmanagement/federation/events/federatingthenextgeneration/MetadataAggregation&quot; title=&quot;FAM09: Metadata Aggregation&quot;&gt;delivered a presentation&lt;/a&gt; on the subject at JISC&#039;s &lt;a href=&quot;http://www.jisc.ac.uk/whatwedo/themes/accessmanagement/federation/events/federatingthenextgeneration.aspx&quot; title=&quot;FAM09: Federating the next generation&quot;&gt;Federating the next generation&lt;/a&gt; event.&lt;/p&gt;
  552. &lt;p&gt;I think the talk went reasonably well; a couple of people remarked that they liked having the key concepts separated out and clarified.  People even chuckled in the right places a couple of times.&lt;/p&gt;
  553. &lt;p&gt;Checking Twitter for the &lt;a href=&quot;http://twitter.com/#search?q=%23fam09&quot; title=&quot;Twitter: #FAM09&quot;&gt;#FAM09&lt;/a&gt; tag I find that the main thing a couple of people took away from the talk was a &lt;a href=&quot;http://twitter.com/fooflington/statuses/5979053141&quot;&gt;snarky remark&lt;/a&gt; I made about &lt;a href=&quot;http://www.w3.org/TR/xslt&quot; title=&quot;W3C: XSL Transformations (XSLT)&quot;&gt;XSLT&lt;/a&gt;.  Curiously, I find that I&#039;m fine with that.&lt;/p&gt;
  554. &lt;p&gt;As usual, here&#039;s a PDF version of my slides from the presentation:&lt;/p&gt;
  555. &lt;blockquote&gt;&lt;p&gt;&lt;a href=&quot;http://iay.org.uk/blog/2009/11/20091123-Metadata-Aggregation.pdf&quot; title=&quot;20091123-Metadata-Aggregation.pdf&quot;&gt;20091123-Metadata-Aggregation.pdf&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt;
  556. &lt;p&gt;There are a fair number of animated diagrams in this talk, and not as many words as usual.  That might mean that some parts are hard to follow without hearing me talk.  I&#039;m going to try and get hold of the audio recording made at the time and will upload a slide-synchronised version of the talk later if possible.&lt;/p&gt;
  557. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/identity&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Identity&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  558.     <pubDate>Tue, 24 Nov 2009 08:14:42 +0000</pubDate>
  559. <dc:creator>iay</dc:creator>
  560. <guid isPermaLink="false">373 at http://iay.org.uk</guid>
  561.  </item>
  562.  <item>
  563.    <title>No Hats</title>
  564.    <link>http://iay.org.uk/blog/2009/11/no_hats.html</link>
  565.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;&lt;a href=&quot;http://www.flickr.com/photos/[email protected]/4063497413&quot; title=&quot;View &#039;Please do not take photos with hats on&#039; on Flickr.com&quot;&gt;&lt;img src=&quot;http://farm3.static.flickr.com/2438/4063497413_5ef329dd3e_m.jpg&quot; alt=&quot;Please do not take photos with hats on&quot; border=&quot;0&quot; width=&quot;240&quot; height=&quot;207&quot; align=&quot;right&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
  566. &lt;p&gt;Seen on a recent trip to San Antonio, Texas, which is probably the last place you&#039;d expect to see any attempt to constrain the use of any kind of headwear.&lt;/p&gt;
  567. &lt;p&gt;Obviously they don&#039;t mean you can&#039;t wear your own hat while taking photos; what they want to prevent is people wearing the display hats for the purposes of having their photographs taken.  Or at least I think so; there were no hats in the vicinity of this particular notice.&lt;/p&gt;
  568. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/photography&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Photography&lt;/a&gt;&lt;/li&gt;&lt;li class=&quot;taxonomy-term-reference-1&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/travel&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Travel&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  569.     <pubDate>Sun, 01 Nov 2009 14:01:38 +0000</pubDate>
  570. <dc:creator>iay</dc:creator>
  571. <guid isPermaLink="false">372 at http://iay.org.uk</guid>
  572.  </item>
  573.  <item>
  574.    <title>Imperfect</title>
  575.    <link>http://iay.org.uk/blog/2009/11/imperfect.html</link>
  576.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;Many of us, particularly if we have been programmers, have got into the habit of regarding computers as flawless execution engines.  People with more of an electronics background tend to be a bit more sceptical, I think.&lt;/p&gt;
  577. &lt;p&gt;I&#039;ve been trying to figure out why I couldn&#039;t burn a Fedora 11 DVD to upgrade one of my oldest machines for several months now.  I had checked the SHA-256 hash of the download then copied the file from the server where I run BitTorrent across to a desktop machine&#039;s external hard drive.  The burned disk verified against the image on the machine that created it but the installation self-test always failed, claiming the disk was corrupt.  I tried burning from the same image on another machine; I tried burning at different speeds; I tried different blank DVDs.  No change.&lt;/p&gt;
  578. &lt;p&gt;Finally, today, I thought to try verifying the hash on the copied image rather than the original one.  It was different.  Comparing the original download with the copy, I discovered two locations in the copy where byte 0x12 of a block had dropped the 0x08 bit.&lt;/p&gt;
  579. &lt;p&gt;It&#039;s probably not a coincidence that the machine on which I made the corrupted copy has recently come back from a couple of extended &quot;warranty repair&quot; holidays during which first the main system logic board and then (at my strong and repeated insistence) the actual DRAM were replaced.  The machine had been having some intermittent problems involving applications shutting down unexpectedly; these looked like memory issues to me but the manufacturer&#039;s diagnostics had always given it a clean bill of health.  As an old-school computer guy, of course, I know that the manufacturer&#039;s diagnostics &lt;em&gt;never&lt;/em&gt; detect real memory issues.&lt;/p&gt;
  580. &lt;p&gt;The moral of the story?  I&#039;m not sure there is one: &quot;faulty hardware sometimes gives the wrong answer&quot; seems rather an obvious thing to say.  On the other hand, if you are aware of the concept of &lt;a href=&quot;http://en.wikipedia.org/wiki/Metastability_in_electronics&quot; title=&quot;Wikipedia: Metastability in electronics&quot;&gt;metastability in electronics&lt;/a&gt;, you know that there&#039;s no such thing as perfect hardware as long as the logic needs to talk to the outside world.  So we can reduce the frequency of odd weirdness to the point where we never expect to encounter it, but we can never make it go away altogether.&lt;/p&gt;
  581. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/hardware&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Hardware&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  582.     <pubDate>Sun, 01 Nov 2009 13:16:03 +0000</pubDate>
  583. <dc:creator>iay</dc:creator>
  584. <guid isPermaLink="false">371 at http://iay.org.uk</guid>
  585.  </item>
  586.  <item>
  587.    <title>Concepts and Methods V1.10</title>
  588.    <link>http://iay.org.uk/blog/2009/05/concepts_and_me.html</link>
  589.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;I&#039;ve talked about a metadata exchange approach to inter-federation working here before.  Since &lt;a href=&quot;http://iay.org.uk/blog/2008/10/metadata_interc.html&quot; title=&quot;Technology Stir Fry: Metadata Interchange V3&quot;&gt;my last update&lt;/a&gt;, I think we&#039;ve seen some level of acceptance in both the technical and policy communities that this is — at least in principle — a valid approach, and there is work going on in a variety of places on that basis.&lt;/p&gt;
  590. &lt;p&gt;One thing that has become apparent as that work has developed is that we need to look at some of our basic assumptions with a fresh eye: complex problems can often be simplified by looking at them from a different direction.  To that end, &lt;a href=&quot;http://expatchad.info/&quot; title=&quot;expatchad.info&quot;&gt;Chad La Joie&lt;/a&gt; (of &lt;a href=&quot;http://www.switch.ch/&quot; title=&quot;SWITCH: Serving Swiss Universities&quot;&gt;SWITCH&lt;/a&gt; and &lt;a href=&quot;http://shibboleth.internet2.edu/&quot; title=&quot;Internet2: Shibboleth project&quot;&gt;Shibboleth&lt;/a&gt;) and I have put together &lt;em&gt;Interfederation and Metadata Exchange: Concepts and Methods,&lt;/em&gt; the current version of which you can download here:&lt;/p&gt;
  591. &lt;blockquote&gt;&lt;p&gt;&lt;a href=&quot;http://iay.org.uk/blog/2009/05/concepts-v1.10.pdf&quot; title=&quot;Interfederation and Metadata Exchange: Concepts and Methods&quot;&gt;concepts-v1.10.pdf&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt;
  592. &lt;p&gt;The main aim of &lt;em&gt;Concepts&lt;/em&gt; is to provide a framework in which it is possible to think clearly about identity federations in a multi-federation world.  This involves first separating concerns and then recombining them in new ways, leading to what we think is probably best thought of as a global &lt;em&gt;metadata layer.&lt;/em&gt; There is also coverage of some of the technical implications of such an approach, but we&#039;ve tried to keep that part as light-weight as possible here.&lt;/p&gt;
  593. &lt;p&gt;During the recent &lt;a href=&quot;http://events.internet2.edu/2009/spring-mm/&quot; title=&quot;Spring 2009 Internet2 Member Meeting&quot;&gt;Internet2 Member Meeting&lt;/a&gt; in Arlington, this document was also reviewed by Scott Cantor, Steven Carmody, Josh Howlett, Leif Johansson, Thomas Lenggenhager and Valter Nordh.  We are grateful to our colleagues for their many constructive comments, which we have tried to incorporate faithfully in the current version.  I will leave it to those individuals to state whether, and to what degree, they endorse our conclusions.&lt;/p&gt;
  594. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/identity&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Identity&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  595.     <pubDate>Fri, 22 May 2009 10:38:47 +0000</pubDate>
  596. <dc:creator>iay</dc:creator>
  597. <guid isPermaLink="false">370 at http://iay.org.uk</guid>
  598.  </item>
  599.  <item>
  600.    <title>Details, Details</title>
  601.    <link>http://iay.org.uk/blog/2009/05/details_details.html</link>
  602.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;I&#039;ve been using Apple&#039;s &lt;a href=&quot;http://www.apple.com/mightymouse/&quot; title=&quot;Mighty Mouse&quot;&gt;Mighty Mouse&lt;/a&gt; on my desktop machines for a couple of years now.  I quite like them, although the mouse&#039;s inability to represent both mouse buttons being held down at the same time makes it necessary to keep a conventional mouse around for things like gaming.&lt;/p&gt;
  603. &lt;p&gt;This is a nice mouse to use, though.  For example, it makes a nice solid mechanical click when you use the left or right buttons (even though there is really only one mechanical button — the whole mouse — touch sensors inside give you two &quot;logical&quot; buttons).&lt;/p&gt;
  604. &lt;p&gt;There&#039;s even a tiny clicking sound when you squeeze the side buttons or roll the little trackball around.  You can hardly hear these sounds in a normal office, but they make all the difference to the &quot;feel&quot; of the device.  And, until today, I would have meant that literally: I&#039;d have sworn that I could feel the little clicks through my fingertips.&lt;/p&gt;
  605. &lt;p&gt;Today, quite by accident, I discovered that the mouse &lt;i&gt;does not make these tinier sounds if it isn&#039;t plugged in…&lt;/i&gt; or, in the case of the wireless version, if you take the battery out.&lt;/p&gt;
  606. &lt;p&gt;Yes, there&#039;s a &lt;a href=&quot;http://arstechnica.com/old/content/2005/08/dissect.ars&quot; title=&quot;Ars Technica: Dissecting Mighty Mouse&quot;&gt;tiny speaker&lt;/a&gt; inside, whose only purpose is to make sounds that are almost — but not quite — too quiet to hear.&lt;/p&gt;
  607. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/hardware&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Hardware&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  608.     <pubDate>Thu, 14 May 2009 15:27:21 +0000</pubDate>
  609. <dc:creator>iay</dc:creator>
  610. <guid isPermaLink="false">369 at http://iay.org.uk</guid>
  611.  </item>
  612.  <item>
  613.    <title>Lessons</title>
  614.    <link>http://iay.org.uk/blog/2009/04/lessons.html</link>
  615.    <description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot; property=&quot;content:encoded&quot;&gt;&lt;p&gt;I&#039;m in Arlington, Virginia this week for the &lt;a href=&quot;http://events.internet2.edu/2009/spring-mm/&quot; title=&quot;Spring 2009 Internet2 Member Meeting&quot;&gt;Internet2 Member Meeting&lt;/a&gt;.  As usual, lots of good hallway conversations and meetings.  I had to work my passage this time by contributing a presentation to a joint session on &lt;a href=&quot;http://events.internet2.edu/2009/spring-mm/agenda.cfm?go=session&amp;amp;id=10000483&amp;amp;event=909&quot; title=&quot;Building on Success: from Identity Federation to Interfederation&quot;&gt;Building on Success: from Identity Federation to Interfederation&lt;/a&gt;.&lt;/p&gt;
  616. &lt;p&gt;As well as the traditional statistics about how large the &lt;a href=&quot;http://www.ukfederation.org.uk/&quot; title=&quot;UK Access Management Federation for Education and Research&quot;&gt;UK federation&lt;/a&gt; has become, I talked a bit about some of the things I think contributed to its success.  This was more in terms of broad concepts than details, the idea being to give people thinking of setting up new federations a guide to some of the tradeoffs involved.&lt;/p&gt;
  617. &lt;p&gt;As usual, here&#039;s a PDF version of my slides from the presentation:&lt;/p&gt;
  618. &lt;blockquote&gt;&lt;p&gt;&lt;a href=&quot;http://iay.org.uk/blog/2009/04/20090428-Lessons-iay.pdf&quot; title=&quot;20090428-Lessons-iay.pdf&quot;&gt;20090428-Lessons-iay.pdf&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt;
  619. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links inline&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;/blog/tag/identity&quot; typeof=&quot;skos:Concept&quot; property=&quot;rdfs:label skos:prefLabel&quot; datatype=&quot;&quot;&gt;Identity&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
  620.     <pubDate>Wed, 29 Apr 2009 14:43:56 +0000</pubDate>
  621. <dc:creator>iay</dc:creator>
  622. <guid isPermaLink="false">368 at http://iay.org.uk</guid>
  623.  </item>
  624.  </channel>
  625. </rss>
  626.  
