Google Wave: Important for Messaging

Google Wave, recently announced by Google and available later this year, is important for messaging. The launch presentation is worth viewing by anyone interested in messaging.

Google Wave has an abstraction that seeks to replace both email and IM, and perhaps shared document editing too. Google argues that email was designed a long while ago, and that with modern technologies we can do much better. A converse argument is that email is a natural and basic electronic communication that evolved without design (much as soccer evolved without the need for formal rules or design). Things that really impress me about Google Wave are:

• The amount that can be done in the browser, in a way that is clearly browser independent. This is a long, long way from static HTML.
• The way that messages are shared as you type. (Scary, but really neat technology.)
• The use of XMPP (Internet Standard eXtensible Messaging and Presence Protocol) for federation. The need for getting XMPP (as well as HTTP) into the browser seems an increasing priority.

This is a technology to watch.

Desirability of a Multi-Vector UI

I watched my son using his iPhone the other day to exchange SMS with his girlfriend. The UI was modeled on iChat (Apple’s IM client), and it seemed a natural way to use SMS. My Nokia phone has an integrated messaging interface, and gives a uniform UI for SMS and email. I can see my SMSs with a listing pretty much like my email. The key observation is that UI can be remarkably independent of the underlying technology.

Under the hood, Wave is essentially “bboards on steroids.” It is a shared data structure to which multiple users can contribute. Having this will add to the list of things that I need to interact with.

What I would like is a single UI that deals with all of the underlying abstractions (email, IM, SMS, Wave) — a communicator that can present information in an appropriate manner and use whichever channel is appropriate. It would be good to decouple the UI from the transport more strongly.

Email Won’t Go Away

I often end up in interminable email discussions with multiple nested quotes of previous messages. Engineers seem particularly fond of this style. Google Wave seems to offer a much superior interface for this type of dialogue.

However, it does not seem a replacement for all email. Email can often be a highly transactional mechanism. When dealing with emails to external organizations and individuals, there will often be shared internal review of the message and a carefully worded response before it is sent. The sharing and dynamic nature of Wave does not seem appropriate for the external communication. Email as it stands seems to have uses for which it will not get replaced. It seems to remain a basic and essential communications building block.

Google Wave Won’t Be the New Desktop Client

For those with almost permanent access to fast networks, shifting to a Web-based communications option seems quite plausible. For those who travel on trains and planes, carrying your email world on your laptop remains highly desirable. The ability to use Google Gears to replace this seems pretty much a fantasy for now.

It also feels right to me that having an optimized tool (both in UI and protocol terms) for tasks that are done a lot (and I do email a LOT) seems sensible. If you have special communications protocols such as IMAP (Internet Message Access Protocol) and XMPP, why try to layer things over HTTP?

The lack of competition in desktop email clients is a problem. I use Outlook, which I think is the best option available, but it could do so much better. The lack of serious competition to Outlook is a real problem (and yes, I know about Thunderbird). Competition in the browser market has really improved things for everyone. We need a good desktop client. It is crazy that there is not a client that does efficient IMAP and XMPP with an integrated UI.

Google Wave does not provide an answer to this, but it certainly challenges all who are concerned with communications UI.

This was originally posted on the Ferris Research Blog.

Steve Kille speaking at e-Identity conference

Isode CEO Steve Kille will be speaking at the European e-Identity Management Conference in London taking place on the 25/26 June 2009.

Steve's talk on "ICAO Master Lists and Passport Verification using PKI" will take place on day two of the conference at 11:00am. The full conference program can be found here in PDF format.

We'll publish a sumary of Steve's talk, including slides, the week following the event.

Full conference details can  be found at http://www.revolutionevents.plus.com/eema/

M-Switch Advanced Guide

It would be fair to say that here at Isode, writing documentation does not rank high on our list of fun things to do. Yet we realise that it's essential and, for R14.4, our engineers made a special effort to ensure that at release our documentation (all of which is available from this page) was up to date with the many new features we introduced.

One of the harder manuals to maintain has always been the M-switch Advanced Administration Guide so for this release and going forward we've decided to publish this guide as a Wiki, available here.

If any of our Customers or Partners wish to contribute their knowledge to this wiki, then please let us know and we'll make editing passwords available.

Updated Eval Guide: Directory Services Interface

Following on from the release of R14.4 last week we're re-writing our evaluaton guides to take into account the new features shipped with this release.

The first of these re-written guides (Directory Services Interface & Password Policy) is now on the website. Those who have run through this guide previously will note that it's now considerably quicker to setup due to our bundling of Tomcat and the automatic setup of web applications.

R14.4 now available for download

After a long run of 28 blog posts about 'forthcoming' R14.4 features, we've now shipped the software. R14.4v0 is now available for download by customers and existing/new evaluators.

The blog posts that related to R14.4 can be seen by clicking on this link. Alternatively there's a run-down of the new features on the R14.4 product page on our website.

R14.4 is a significant update to our complete product set with new features for our XMPP Server M-Link, LDAP/X.500 Directory Server M-Vault, POP/IMAP Message Store & Gateway M-Box , both the SMTP and X.400 versions of our M-Switch message switch and our X.400/Internet mail conversion server, M-Switch MIXER.

We've also made considerable improvements and additions to our management tools.

Over the next few weeks we'll be publishing and blogging about the changes we're making to our evaluation guides to take these new features into account.

Isode R14.4: XUXA (Test & Demo X.400 User Agent) Features

This is the final message describing new features in Isode R14.4, scheduled to ship this week. You can see all of the messages on this blog relating to R14.4 by clicking on this link.

Isode provides XUXA as a test and demonstration X.400 client. This gives access via X.400 P3 or P7 to the capabilities of Isode's servers and APIs.  R14.4 contains a number of improvements including:

1. Demonstration of the new X.400 features, in particular message sequence integrity (needed for AMHS Security).

2. Ability to send and receive X.411 security labels.  A specific goal of this is to help test out M-Switch MIXER security label handling.
3. Probe improvements, to set message length and content type.
4. New logging tab to give easy access to log and error information.
5. Improved handling of messages with multiple body parts. Body parts can now be saved directly from the Body parts list.

We've also made a general improvement in support of Directory Names. X.400 OR Names comprise an OR Address and a Directory Name.   Older X.400 deployments primarily work on the basis of OR Address, and XUXA has used OR Addresses only. Use of OR Addresses is pragmatic, but has the disadvantage of containing the rather awkward ADMD and PRMD components.  Directory lookup is supported, but addresses are primarily handled as OR Addresses.   R14.4 adds a mode so that Directory Names can be used (or both, which looks rather ugly). This will help test out Directory Name based deployments.  Use of Directory Names allows a more natural naming structure and hiding the OR Addresses (as IP addresses are hidden by Internet email addresses), and also means that information on users, including capabilities can always be looked up.

In addition P772/STANAG 4406 Military Header "Message Type" is now correctly set and Displayed (previously this was GUI only), so there is now a working P772 header in addition to STANAG 4406 Priority (MTS). We may add UI support for other P772 capabilities (now fully supported in the underlying C and Java client APIs) in a future release and would welcome feedback on this.

Isode R14.4: STANAG 5066 Console Improvements

This is the penultimate message describing new features in Isode R14.4, scheduled to ship this week. You can see all of the messages on this blog relating to R14.4 by clicking on this link.

STANAG 5066 Console is a GUI tool provided by Isode to help set up and test STANAG 5066 Networks over HF, VHF and UHF Radio. It also provides service discovery and operator chat.

We've made a number of improvements to the STANAG 5066 Console in R14.4, which make it easier to use and more flexible:

• Better information on STANAG 5066 activity

• Improved performance analysis
• More configuration options (e.g., enabling use of multiple SAPs)
• Support for operation where STANAG 5066 servers only support ARQ (or to perform ARQ only tests)

The screenshot below shows reporting of traffic between multiple nodes and the throughput summary.

Isode R14.4: Audit Database - switch to full JDBC operation

This one of a series of a messages describing new features in Isode R14.4, scheduled to ship in April 2009. You can see all of the messages on this blog relating to R14.4 by clicking on this link

Isode's audit database is used to hold message audit information, derived from M-Switch audit logs on one or more servers.

The audit database supports Isode management tools that provide statistics, message tracking, and quarantine management. Although some tools use JDBC, others are specific to the Postgres database.

R14.4 contains a significant upgrade to our audit database integration and tools, so that all of our tools and components access the audit database using JDBC. We continue to support Postgres, but the Isode products are now essentially independent of Postgres.

In a future release, we plan to support an additional simple SQL database that we will bundle with the Isode release. This will be ideal for demonstrations and evaluations.

We may support additional SQL databases. Because of minor variations of JDBC between database implementations, careful testing with any databases that we choose to support is vital, and we will need to run copies at Isode for effective support. Because of this, we will need to consider carefully which of the many available databases we support. Our choice of databases will primarily be driven by the requirements of Isode customers.  

Isode R14.4: Sodium, Sodium Sync, LDAPS and Strong Authentication

This one of a series of a messages describing new features in Isode R14.4, scheduled to ship in April 2009. You can see all of the messages on this blog relating to R14.4 by clicking on this link

R14.4 adds considerable flexibility in strong authentication configuration for Sodium and Sodium Sync. This is of particular importance for Sodium Sync, which may need to connect with strong authentication (e.g., using LDAPS) to a server with a strong authentication configuration that is quite different to the local one.

Strong Authentication can be used with X.500 DAP, LDAPS (the deprecated, but widely used direct mapping of LDAP onto TLS), and with LDAP. Strong authentication with LDAP (not using LDAPS) requires use of TLS, using the START-TLS option. LDAP Bind profiles can be configured to use TLS, with either strong authentication or other methods. The signing part of strong authentication simply makes use of a configured Secure Identity to sign the message, which will include client's Directory name as the X.509 certificate's subject name.

Server verification requires checking of the X.509 Certificate associated with the server, which will be supplied by the server in the bind. A trust anchor (Certificate) will be provided as part of the Secure Identity of the client, and for a local server this will usually be appropriate for server verification. Additional verification parameters, such as use of CRL checking can be configured as part of the bind profile.  

Where the configured trust anchor is not appropriate, the certificate provided by the server will be presented to the user. Sodium checks that the server certificate contains information that correctly identifies the server, using the certificate's SubjectName and (for LDAP), DNS Name and IP address

SubjectAltName values. Any inconsistencies are flagged to the user. The user may accept the certificate for one connection only or configure the certificate as "trusted" in the bind profile. This provides a secure and convenient mechanism to configure trust with remote servers.

The following screenshots show:

• What happens if you ask Sodium to do a "Strong" bind to an LDAP URL.  In this case, Sodium uses SASL EXTERNAL, which implies "startTLS" (so the box is checked and can't be turned off), and allows you to choose an identity to use:

• What happens if you ask Sodium to do a "Simple" bind to an LDAP URL.  In this case, the user has requested startTLS.  I.e. it'll connect, startTLS, then do a simple bind.  In this case no identity is used, but any server certificate will be checked against the user's trusted certificates.

• The "trusted certificates" associated with a bind profile.

• The dialog that is displayed if you do a bind over LDAP with TLS (either LDAPS or LDAP+startTLS) and the server sends back  a certificate which isn't trusted and (in this case) has failed the server id check.

Isode R14.4: New Features in Sodium & Sodium Sync

This one of a series of a messages describing new features in Isode R14.4, scheduled to ship in April 2009. You can see all of the messages on this blog relating to R14.4 by clicking on this link

We've made a number of improvements to Sodium and Sodium Sync for R14.4, which are described here. New features common to both Sodium and Sodium Sync:

1. Allow locking of the entry view and current tab, to make it more convenient to navigate around a group of entries whilst maintainingthe same information view.
2. Various new templates and template improvements.
3. Enumerations in templates can be set case-insensitive.
4. A manager mode is introduced, giving additional control over availability of advanced features and display.
5. Subentries may be viewed (in manager mode), and subtree specifications may be edited to control administrative areas.
6. Collective attributes may be added and edited within the collective attribute subentry. Collective attributes allow values to be set for entries that are common over an administrative area. 
7. Arbitrary attributes may be added to any entry, both user attributes and operational attributes.  This supports extensible objects.
8. Access control may be viewed and edited in the ACI tab (when enabled). This has been described in more detail in an earlier blog post.
9. Search results may now be refreshed.

New Features in Sodium Sync include:

1. Options to easily integrate with the File Transfer by Email channel in M-Switch for incremental synchronization over email.
2. Synchronization to Microsoft Active Directory (AD).  AD's LDAP access has some interesting special characteristics. A functional goal of the initial Sodium Sync release was synchronization from AD.  R14.4 adds synchronization to AD. Caveats:
   • X.400 Addresses are not synced to the AD format (this could be added). They can be pulled from AD.
   • Passwords are not synced (this could be added).  Note that it is possible to push passwords into AD using a special mechanism but they cannot be pulled out.
   • AD requires that attributes of Directory Name syntax point to local AD entries. Data synced must comply with this, and must not contain loops or forward references.
3. Paged results are supported in the sync, which removes restrictions on DIT fan-out when syncing with AD.
4. Entry filtering may now be done with a true LDAP filter in additional to the hierarchical filter previously supported.
5. Attribute filtering now supports filtering of individual object class values.
6. Dereferencing alias entries is supported as an option.
7. Applying a complete update from a change-LDIF is now optimised to make the minimum possible changes (similar to a sync-from-LDIF).
8. Merge syncs are better supported through a safety check that forbids addition and deletion of entries.
9. GUI changes make it easier to enable/disable scheduled syncs, and to force a complete update on a cached sync.
10. Scheduled sync from a queue now flushes the queue.
11. Now checks for existing entries in the target subtree, to reduce risk of destroying data by configuring a sync in the "wrong place".

We welcome feedback on all of these improvements as well as suggestions for future development.