Standing on the shoulders of giants.
# Saturday, July 26, 2008

When you mark a class as obsolete, you should also mark your class with the EditorBrowsable attribute to prevent it from showing up in IntelliSense.

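using System;
using System.ComponentModel;

// Obsolete makes the compiler warn at every use of the class;
// EditorBrowsable(Never) hides it from IntelliSense.
[Obsolete("Old class no longer supported.")]
[EditorBrowsable(EditorBrowsableState.Never)]
public class OldClass
{
    //....
}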
Saturday, July 26, 2008 11:32:53 AM (W. Europe Daylight Time, UTC+02:00)
Codesnippet
# Thursday, July 17, 2008

This book (Understanding Windows CardSpace by Vittorio Bertocci, Garrett Serack and Caleb Baker) is not a guide on how to implement Windows CardSpace in your website or web service; instead it helps you understand the reasoning behind Windows CardSpace and how it fits into the Identity Metasystem. As such it is a much better book than one that just explains how to add a widget to your website to authenticate users could ever be.

The parts of the book follow a logical structure. Part 1 discusses the problems we face on the Internet (identity theft, phishing and others) and proposes a technology-independent solution. Part 2 then introduces CardSpace and discusses the implementation of CardSpace (both managed and self-issued) in websites and web services. Part 3 shows the practical and business considerations when working with the Identity Metasystem and Windows CardSpace.

Even if you're a regular reader of Vittorio's blog, and are familiar with the Seven Laws of Identity, this book still has value. If you're not familiar with one or the other, you really should read this book, since it's the first book which really made me understand the problems we face on the Internet today with respect to identity and why and how Windows CardSpace provides a solution.

With the release of Zermatt this book has really proven its value: Zermatt makes it much easier to implement a Security Token Service and a Relying Party, but it won't help you understand the concepts behind them or why you need to implement them (or not).

Thursday, July 17, 2008 9:29:21 PM (W. Europe Daylight Time, UTC+02:00)
Development | Reading | Security
# Friday, July 11, 2008

16 more sessions have been announced for PDC2008, including some sessions about (the future of) languages:

An Introduction to F#
Learn about Microsoft's new language, F#, a typed functional programming language for the .NET Framework. F# combines functional programming with the runtime support, libraries, tools, and object model of .Net. Understand how F# asynchronous workflows help tame the complexity of parallel and asynchronous I/O programming and how to use F# in conjunction with tools such as Parallel Extensions for .NET.

The Future of C#
In this talk Microsoft Technical fellow and C# Chief Architect Anders Hejlsberg outlines the future of C#. He will describe the many forces that influence and shape the future of programming languages and explain how they fit into C#.

Deep Dive: Dynamic Languages in .NET
The CLR has great support for dynamic languages like IronPython. Learn how the new Dynamic Language Runtime (DLR) adds a shared dynamic type system, a standard hosting model, and support for generating fast dynamic code. Hear how these features enable languages that use the DLR to share code with other dynamic and static languages like VB.NET and C#.

And a session about claims-based security:

Claims-Based Identity: A Security Model for Connected Applications
Claims based security is the underpinning of many applications, services, and servers. This model enables security features like: multiple authentication types, stronger authentication on-the-fly, and delegation of user identity between applications. Learn how to use this model in .NET, how it integrates with Active Directory, how it works across platforms, how it works with existing applications, and how we use it at Microsoft.

The complete list can be found on the Microsoft PDC 2008 site.

Friday, July 11, 2008 12:24:55 PM (W. Europe Daylight Time, UTC+02:00)
Conference | PDC2008
# Monday, June 23, 2008

One of my projects from last year was nominated for and won the IWS, Search Partner of the Year award. We received the award for a project we did for the Dutch consultancy company Twynstra Gudde.

We created a system which allows the user to search through many different subsystems using the simplest interface we could design:

Homepage

Under the surface the system combines the results from all of their back-end systems to give the user a complete view of all the information available relevant to their search query.

Systems

The search results are presented in a way that allows a user to filter the results and find detailed pages (all red text is a link):

Result page

I am very proud that I was part of the team to build this solution, which the client is very enthusiastic about and that Microsoft chose to honor with the Search Partner of the Year award!

Microsoft press release

Tam Tam press release

Monday, June 23, 2008 6:05:39 PM (W. Europe Daylight Time, UTC+02:00)
General | Sharepoint
# Wednesday, June 18, 2008

Eric Lippert is starting a series of articles about future changes in the C# method type inference specification and the implementation. He plans to write about the following points:

  • What did method type inference look like in C# 2.0? Why was it inadequate for LINQ?
  • How did we attempt to modify and ultimately rewrite the specification for C# 3.0?
  • Where did we go subtly wrong in the specification and the implementation?

The first 2 articles are posted on his blog:

  1. Method Type Inference Changes, Part Zero
  2. Method Type Inference Changes, Part One
Wednesday, June 18, 2008 2:42:25 PM (W. Europe Daylight Time, UTC+02:00)
C#
# Tuesday, June 17, 2008

One of my coworkers was struggling with an XML document with a default namespace; none of his attempts returned any nodes. The main reason for this was that his document contained a default namespace which he didn’t include in the query.

As a reminder, here is a sample of how to query an XML document with a default namespace.

Sample XML document:

<?xml version="1.0" encoding="utf-8" ?>
<root xmlns="urn:paulvanbrenk.com/2008/06">
  <book>
    <author>C. Sells</author>
    <title>Programming WPF</title>
  </book>
  <book>
    <author>C. Petzold</author>
    <title>Application = Code + Markup</title>
  </book>
  <book>
    <author>C. Anderson</author>
    <title>Essential WPF</title>
  </book>
</root> 

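This doesn’t work, because an unprefixed name in an XPath expression only matches elements that are in no namespace:

using System;
using System.Xml;

// load sample document
XmlDocument doc = new XmlDocument();
doc.Load("../../sample.xml");

// try query without namespace
var node1 = doc.SelectNodes("/root/book/title");

Console.WriteLine("node1.Count == 0 {0}", node1.Count == 0);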

If you add an XmlNamespaceManager, the call to SelectNodes is able to resolve the nodes:

// load sample document
XmlDocument doc = new XmlDocument();
doc.Load("../../sample.xml");

// add namespace manager
XmlNamespaceManager xnManager = new XmlNamespaceManager(doc.NameTable);
xnManager.AddNamespace(/* prefix */ "x", /* uri */ @"urn:paulvanbrenk.com/2008/06");

var node2 = doc.SelectNodes("/x:root/x:book/x:title", xnManager);

Console.WriteLine("node2.Count != 0 {0}", node2.Count != 0);

And using XLinq makes it a little more readable:

using System;
using System.Linq;
using System.Xml.Linq;

XDocument xDoc = XDocument.Load("../../sample.xml");
XNamespace x = "urn:paulvanbrenk.com/2008/06";

var node3 = from item
                in xDoc.Elements(x + "root").Elements(x + "book")
            select item.Element(x + "title");

Console.WriteLine("node3.Count() != 0 {0}", node3.Count() != 0);

Note how you query the nodes by combining the XNamespace and the node name.

sample: sample.zip (2.6 KB)

Tuesday, June 17, 2008 5:59:37 PM (W. Europe Daylight Time, UTC+02:00)
Codesnippet
# Tuesday, June 10, 2008

When hashing a password, you usually use a salt to make it harder for an attacker to attack the password (see [0]). Since the salt is needed to calculate the hash, the same salt is needed to verify a password.

The submitted Hash( Salt + Password ) must be equal to the stored Hash( Salt + Password ).

The common place to store the salt is in a separate field alongside the hash, but this may cause either one to get out-of-sync with the other. A better solution is to concatenate the salt and the hash and store both in one byte array.

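using System;
using System.Security.Cryptography;

class Program
{
    static void Main(string[] args)
    {
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

        // 16 random bytes of salt, generated fresh for every password
        byte[] salt = new byte[0x10];
        rng.GetBytes(salt);

        // PBKDF2 (HMAC-SHA1). A single-digit iteration count gives almost no
        // resistance to brute force; RFC 2898 recommends at least 1000.
        Rfc2898DeriveBytes deriveBytes = new Rfc2898DeriveBytes("the password", salt, /*iterations*/ 100000);

        byte[] passHash = deriveBytes.GetBytes(0x100);

        // stored value: the hash followed by the salt
        byte[] result = Merge(passHash, salt);
    }

    private static byte[] Merge(byte[] first, byte[] second)
    {
        byte[] result = new byte[first.Length + second.Length];
        Buffer.BlockCopy(first, 0, result, 0, first.Length);

        Buffer.BlockCopy(second, 0, result, first.Length, second.Length);

        return result;
    }
}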

Extracting the salt from the hash is relatively simple:

private static byte[] ExtractSalt(byte[] hash, int length)
{
    byte[] salt = new byte[length];

    Buffer.BlockCopy(hash, hash.Length - length, salt, 0, length);

    return salt;
}

To check a password, you use this salt to generate the hash for the submitted password and append the salt to the end; the resulting byte array must be equal to the stored one.
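The verification step described above, as an added example that is not part of the original post or its sample download: it extracts the salt from the end of the stored array, re-derives the hash, and compares the two arrays without an early exit. The names `SaltedHashExample`, `Create`, `Derive` and `Verify`, the 20-byte hash length and the iteration count are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;
static class SaltedHashExample
{
    const int SaltLength = 0x10;    // salt size used in the post
    const int HashLength = 20;      // assumption: one HMAC-SHA1 output block
    const int Iterations = 100000;  // assumption: tune to your login latency budget

    // Returns hash || salt, the layout the post describes.
    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            byte[] result = new byte[HashLength + SaltLength];
            Buffer.BlockCopy(kdf.GetBytes(HashLength), 0, result, 0, HashLength);
            Buffer.BlockCopy(salt, 0, result, HashLength, SaltLength);
            return result;
        }
    }

    public static byte[] Create(string password)
    {
        byte[] salt = new byte[SaltLength];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return Derive(password, salt);
    }

    public static bool Verify(string password, byte[] stored)
    {
        // Reject truncated or corrupted records before touching the salt.
        if (stored == null || stored.Length != HashLength + SaltLength)
            return false;
        byte[] salt = new byte[SaltLength];
        Buffer.BlockCopy(stored, HashLength, salt, 0, SaltLength);
        byte[] candidate = Derive(password, salt);
        // No early exit: timing must not reveal how many leading bytes matched.
        int diff = 0;
        for (int i = 0; i < stored.Length; i++)
            diff |= stored[i] ^ candidate[i];
        return diff == 0;
    }
    static void Main()
    {
        byte[] stored = Create("the password");   // constructed sample input
        Console.WriteLine("correct password: {0}", Verify("the password", stored));
        Console.WriteLine("wrong password:   {0}", Verify("wrong password", stored));
    }
}
```

The hash length is kept to one HMAC-SHA1 block because PBKDF2 repeats the full iteration count for every additional block requested, which slows the defender without slowing an attacker who only needs to check the first block.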

[0] See p. 350-352 in Practical Cryptography by Niels Ferguson and Bruce Schneier for why salting a password is a good idea.

Sample: HashSample.cs.txt (1.78 KB)

Tuesday, June 10, 2008 1:39:06 PM (W. Europe Daylight Time, UTC+02:00)
Codesnippet | Security
# Thursday, June 05, 2008

Yesterday I moved this blog to IIS 7 in integrated mode on Windows 2008 and the fact that you can still read this shows it worked without a problem. This is Scott Hanselman’s guide for the migration, but the only thing you’ll have to change is the httpmodule and httphandler mapping in the web.config, which is something the “appcmd.exe” tool can do for you (the error page when running your site with the old web.config shows you how).

Thursday, June 05, 2008 4:32:54 PM (W. Europe Daylight Time, UTC+02:00)
dasBlog
© Copyright 2008 Paul van Brenk