Compsoft Flexible Specialists

Compsoft plc


Thursday, November 09, 2006

Tim Jeanes: Microsoft TechEd (Thursday)

The first session today was on asynchronous ASP.NET. This is something we haven't really needed to use in the past because it's quite a pain and it doesn't improve the individual user's experience at all: if you request a web page then you're going to have to wait for all the information to come back before you can do anything anyway. The downside (that we'd overlooked) is that if the page is slow to load due to waiting for a large database request or a response from an external web service, then that ties up a thread from the pool, potentially preventing other users accessing the site if there's a lot of heavy traffic. This session walked through how to use multi-threading to make applications far more scalable (sometimes over 1000 times more scalable).

I don't think this is something we'll be implementing on every page we build (although practically all our pages query the database), but there are some pages that I think are good candidates for using this kind of methodology: ones that contain images we're pulling from the database or contacting the bank to take customers' payments, especially when these pages are amongst the most frequently-accessed ones.

A Q&A session on squeezing better performance out of .NET code contained a disappointing lack of stuff that I can immediately use, though it did give a few interesting insights into what's going on behind the scenes.

I attended a seminar and subsequent whiteboard discussion that went into quite some depth on how to use Windows CardSpace to authorise users logging onto your website and to take credit card payments for your goods and services. CardSpace is just such a beautiful thing. If you're reading this blog, then the chances are that CardSpace isn't going to help much to protect your identity online. It's all about protecting the identity of people who are using the internet but have no idea what security is, and couldn't tell a phish from a fish. So many times, the speaker's or delegates' mothers were cited: what would my mum do if she visited such a site? How would my mum manage her cards? What would a phishing site be able to do with my mum's card?

The end user will never have to remember a username or password again; they can control exactly what personal information is sent to each site; even if two websites have access to each other's databases, they won't be able to tell that a user uses both those sites; and a user can (if they so wish) maintain a number of different identities for different purposes.

There was a demonstration of how to switch an existing site across to using CardSpace as well as the username/password system that's already in place. It's surprisingly simple: you'd have to add a few lines of HTML to the login page, one GUID column to the user table, and write a bit of easy code to handle the card data you receive. Public code libraries already exist to handle the decryption of the incoming key.
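An added example (not from the original post, and not CardSpace's actual algorithm): a simplified Python sketch of the unlinkability property described above, where each site receives a different identifier for the same card and stores it in the extra GUID column next to the existing username. The HMAC derivation, the `Site` class and the example URLs are assumptions made for illustration; a real token is also signed and encrypted for the receiving site, which this sketch leaves out.

```python
import hashlib
import hmac
import secrets
import uuid


def site_identifier(card_secret: bytes, site_id: str) -> uuid.UUID:
    """Derive a per-site identifier from a secret that never leaves the user's machine.

    Assumption: HMAC-SHA256 stands in for the real derivation, and the site's
    identity is represented by its URL.
    """
    digest = hmac.new(card_secret, site_id.encode("utf-8"), hashlib.sha256).digest()
    return uuid.UUID(bytes=digest[:16])  # truncated to fit a GUID column


class Site:
    """Hypothetical site that already has a username/password user table."""

    def __init__(self, site_id, usernames):
        self.site_id = site_id
        # username -> card GUID column (None until the user links a card)
        self.users = {name: None for name in usernames}

    def link_card(self, username, card_guid):
        if card_guid in self.users.values():
            raise ValueError("card already linked to another account")
        self.users[username] = card_guid

    def login_with_card(self, card_guid):
        for username, stored in self.users.items():
            if stored is not None and hmac.compare_digest(stored.bytes, card_guid.bytes):
                return username
        return None  # unknown card: fall back to username/password


def demo():
    card_secret = secrets.token_bytes(32)  # constructed sample secret
    shop = Site("https://shop.example", ["tim"])
    forum = Site("https://forum.example", ["tj1980"])
    shop_guid = site_identifier(card_secret, shop.site_id)
    forum_guid = site_identifier(card_secret, forum.site_id)
    shop.link_card("tim", shop_guid)
    forum.link_card("tj1980", forum_guid)
    # Joining the two user tables on the GUID column finds no common user,
    # and the shop's identifier is useless when replayed at the forum.
    shared = set(shop.users.values()) & set(forum.users.values())
    return shop.login_with_card(shop_guid), forum.login_with_card(shop_guid), shared
```

Because the identifier depends on the site's identity, a look-alike site at a different address is handed a different value from the one the genuine site has on record.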

There's additional security for sites that (at present) require rather more security for setting up a user account than just picking a username and password - such as your online bank account. In this case the bank would dish out the virtual card that you then use to sign on. The bank is the only person who holds your details, and they'll never need to know your mother's maiden name.

I think CardSpace really has the power to revolutionise identity on the internet - especially as non-Microsoft systems providers are actively supporting it, and a number of banks are on board for using this as a more reliable method of user authentication.


Monday, November 06, 2006

Tim Jeanes: Microsoft TechEd (Monday)

Microsoft Tech.Ed Developers 2006 is considered the conference for computer geeks worldwide. The day before I flew out here, my house mate expressed his jealousy and asked if I had any space for him to stow away in my suitcase. I told him he'd have to share with the two others who had already asked.

Billed as "four days to get you months ahead of the game", it's actually five days if you include the pre-conference sessions on the Monday. Enthusiastic as we are, we turned up on site first thing Monday morning - only to find that though our flights had been booked a day early, no one had remembered to book our places on the pre-conference itself. We weren't the only ones disappointed to be turned away by the surly security guard.

*Sigh*

Oh well - registering still got us the conference pack, including a rather impressive DVD stuffed full of demo videos, white papers and hands-on labs: everything the keen geek needs to get his hands dirty. So, after a whistle-stop tour of the local tourist attractions, it was back to the oldest hotel in Barcelona to review the newest developments in IT.

And it's impressive stuff! There's a lot to be covered in the coming week, and we can't wait. Microsoft is splitting into three main areas, though of course they overlap and there's plenty more on the sidelines.

1. Office 2007
2. AJAX
3. Windows Vista


We haven't seen much of Office 2007 yet (what kind of geeks care that much about PowerPoint?), but I'm sure we will through the rest of the week.

AJAX is the tool used to make web sites more intuitively interactive - basically allowing you to do much more within the web page without the whole screen refreshing. It's the useful third of the much-hyped but little-understood Web 2.0 (the other two being rounded corners and a penchant for remaining constantly in beta testing). We're pretty excited about getting to see what Microsoft has to say about this and what ready-made tools they're supplying to use out-of-the-box.

Windows Vista is going to be a major step forward. It includes:

  • WPF (Windows Presentation Foundation) - what makes Vista a (much, much) prettier face than XP
  • WCF (Windows Communication Foundation) - enabling communications using web services to make true SOAs (Service Oriented Applications) either over the internet or all on the same box
  • WF (Workflow Foundation) - a way of tracing objects through real-life business processes (with, naturally, a pretty front-end). Incidentally, it seems they had to avoid using the word Windows in that last acronym to avoid confusion both with the WWF and the WWF.

From a programmer's perspective, all the Vista stuff is handled by the .NET Framework 3.0: a misnomer in my mind as it's an addition to Framework 2.0 - it doesn't replace anything at all. It does, however, enable us to write applications that use WPF, WCF, WF and Windows CardSpace.

This last one's interesting: on the surface it just looks like Microsoft having another bash at their abortive .NET Passport idea, but under the hood it's a different kettle of fish altogether. This time it's using proper encryption - separately for the company hosting the site, the user and the provider of the user's identity. Crucially though, CardSpace is only Microsoft's implementation of the Identity Selector Mechanism: there's also an open source version that's backed by Apache and contributed to by Red Hat. Dishing out IDs in a compatible way is already in place from Sun, IBM and Novell.
