For those of you who were at the Cinncinnati NFJS show, please continue on to the next blog entry in your reader--you've already heard this. For those of you who weren't, then allow me to make the announcement: Hi. My name's Ted Neward, and I am now a ThoughtWorker . After four months of discussions, interviews, more discussions and more interviews, I can finally say that ThoughtWorks and I have come to a meeting of the minds, and starting 3 September I will be a Principal Consultant at ThoughtWorks.

How do I force propagation of changes to information about a certificate revocation list after an update? A service is going to have several kinds of caching around the information that links the certificate to revocation information. The first kind of caching is based on the revocation mode of the certificate. A revocation mode of NoCheck disables checking on the certificate while a revocation mode of Offline directs checking to use a cached certificate revocation list. A revocation mode of Online

If you've been following along, I have mentioned the WCF security guide project being worked on in the patterns and practices team a few times now. After months of drafts and betas, the complete guide is now ready for official release. The WCF security guide is available as a free download.

We recently updated our website and some links have broken as a result. Here's the place you should go to get the latest version of Password Minder: http://mercury.pluralsight.com/tools.aspx Sorry for any inconvenience!

How do I find the address of a client connection to make a trust decision? Don't base security decisions on the perceived client address. Any address that we have comes from the underlying socket implementation and could be spoofed. The data that the socket has is sourced by the client. You should be using a source of information that has a verification process that the server trusts, such as a certificate, to distinguish clients. Next time: Reader Trends

Security programming today tends to contain large amount of plumbing code to handle the modeling, management, and evaluation of identities. An identity is the basis of many common security operations, such as authentication, personalization, authorization, and access control. There are a variety of different kinds of identities and ways of implementing security operations on top of those identities. Here are two libraries that help make dealing with identities easier. Zermatt is a claims-based identity

For a couple of years now, I've been giving talks about "claims-based identity", and "claims-aware applications". The most concrete example of a claims-based identity architecture that I've been able to show so far is Active Directory Federation Services v1 (ADFS) and Windows CardSpace. And the claims programming model I've been using is the one that shipped with WCF in the System.IdentityModel assembly. But today I'm happy to announce that there's a new path

Finally there's a home on the Internet for information cards . I've been waiting for this for a long time - a place to point consumers, executives, and developers to learn more about information cards. And it's not just a Microsoft thing. Founding members include Google, PayPal, Novell, and the Liberty Alliance. While the adoption of information cards has been happening at a snail's pace, this collaboration might just change that. And that would be very good for consumers.

Host headers in IIS are a way to associate multiple names with a single address. The typical use of host headers is to be able to host more than one web site at a single IP address by giving each of the web sites a distinct DNS name. Host headers also play a role in WCF beyond the definition of a web site. Metadata for a web service, such as that appearing WSDL, uses host headers as a way to pick a preferred name when talking about the service. The user interface for setting host headers is relatively

What does the InactivityTimeout on a secure channel do? The inactivity timeout on a message security channel controls how long the channel will allow pending security sessions to linger in its cache before giving up on them. This is completely different from the inactivity timeout on a reliable messaging channel, which controls how long the reliable session will live without an infrastructure message before being torn down, and the inactivity timeout in the application, which controls how long the