
Certificate Authority Trust Model

There are many different kinds of certificate authorities available.  A description from Windows 2000 Server documentation helps to clarify.  The different players are:

  • Root CA
  • Subordinate CA
    • Intermediate CA
    • Issuing CA

The CA hierarchies are very flexible based on simple rules.

The root CA is always at the top.  It has a public/private key pair with the public key living in the public certificate signed by itself.  It is perhaps a bit vain but it has no equal in the line of trust.  It is the CA that is actually trusted by the client and server resources.  The root CA needs to be protected as much as possible in the owner organisation.  It is okay to have multiple CAs in a single organisation but this implies that every trusting element needs to be updated with more root CAs.

A CA can also be a child of a root CA.  These are known as subordinate CAs.  The subordinate CA’s certificate is signed by the root CA.  There are two kinds of subordinate CAs.  Intermediate CAs are responsible for certifying (signing the certificates of) other subordinate CAs.  Issuing CAs are meant to provide certificates to end users.   An issuing CA would never sign a child CA (since it is not allowed to).  Likewise, an intermediate CA would never issue certificates to anything other than other CAs.

The trust for certificates is chained back to the root CA.  A certificate path can be constructed from the knowledge gained from the CA certificates.  It is much like a linked list in nature.  Given the end-user certificate, the CAs can be walked back to the root CA.

For Windows, trust is gained by having the root CA certificate in the “Trusted Root Certification Authorities” store.

Based on documentation, if Windows trusts an intermediate CA, it will add it to the Intermediate Certificate Store.

Windows (at least in Windows 2000) trusts certificates based on this flow:

Reasons for validation failing:

  • Dates are invalid or expired
  • Certificate not in correct format
  • Certificate fields might be invalid or missing
  • Thumbprint or signature does not match the certificate contents
  • Cert has been revoked
  • Root CA is not in the trust root certificate store

Interestingly, if a CA certificate in the path is expired, it can still be possible for the certificate at the bottom to be valid.  The key is that the CA certificate was valid when the bottom certificate was issued.  This is a strange twist but makes sense given the alignment of dates would be very complex otherwise.
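As an added example (not code from the Windows documentation or from this post), the following models the path walk and the validation reasons listed above, including the rule that a CA certificate only needs to have been valid at the time it issued the child.  Certificate names, dates and the store contents are constructed; signature verification and revocation are represented by flags rather than real cryptography, so the point is the path-building and checking logic, not X.509 parsing.

```python
from dataclasses import dataclass
from datetime import date

CA_ROLES = ("root", "intermediate", "issuing")


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (only the fields the rules need)."""
    subject: str
    issuer: str
    role: str            # "root", "intermediate", "issuing" or "end-entity"
    not_before: date
    not_after: date
    signature_ok: bool = True   # stands in for verifying the issuer's signature
    revoked: bool = False

    @property
    def is_ca(self):
        return self.role in CA_ROLES


# Constructed four-level hierarchy: root -> intermediate -> issuing -> server cert.
ROOT = Cert("Contoso Root CA", "Contoso Root CA", "root", date(2000, 1, 1), date(2020, 1, 1))
INTERMEDIATE = Cert("Contoso Intermediate CA", "Contoso Root CA", "intermediate",
                    date(2001, 1, 1), date(2011, 1, 1))
ISSUING = Cert("Contoso Issuing CA", "Contoso Intermediate CA", "issuing",
               date(2002, 1, 1), date(2007, 1, 1))
LEAF = Cert("server.contoso.example", "Contoso Issuing CA", "end-entity",
            date(2006, 6, 1), date(2008, 6, 1))

CERT_STORE = {c.subject: c for c in (ROOT, INTERMEDIATE, ISSUING, LEAF)}   # everything we can see
TRUSTED_ROOTS = {ROOT.subject: ROOT}                                       # "Trusted Root" store


def build_path(leaf, store):
    """Walk issuer links from the end-entity certificate up to a self-signed root."""
    path = [leaf]
    seen = {leaf.subject}
    while path[-1].issuer != path[-1].subject:          # a root is its own issuer
        parent = store.get(path[-1].issuer)
        if parent is None:
            raise LookupError(f"no certificate for issuer {path[-1].issuer!r}")
        if parent.subject in seen:
            raise LookupError("issuer loop detected while building path")
        seen.add(parent.subject)
        path.append(parent)
    return path


def validate(leaf, store, trusted_roots, today):
    """Return a list of validation failures; an empty list means the leaf is trusted."""
    path = build_path(leaf, store)
    errors = []
    for cert in path:
        if not cert.signature_ok:
            errors.append(f"{cert.subject}: signature does not verify")
        if cert.revoked:
            errors.append(f"{cert.subject}: revoked")
    # Only the end-entity certificate must be valid today ...
    if not (leaf.not_before <= today <= leaf.not_after):
        errors.append(f"{leaf.subject}: not valid on {today}")
    for child, parent in zip(path, path[1:]):
        if not parent.is_ca:
            errors.append(f"{parent.subject}: not a CA, cannot issue {child.subject}")
        if parent.role == "intermediate" and not child.is_ca:
            errors.append(f"{parent.subject}: intermediate CA may only issue to other CAs")
        if parent.role == "issuing" and child.is_ca:
            errors.append(f"{parent.subject}: issuing CA may only issue to end entities")
        # ... each CA only has to have been valid when it issued the certificate below it.
        if not (parent.not_before <= child.not_before <= parent.not_after):
            errors.append(f"{parent.subject}: was not valid when {child.subject} was issued")
    root = path[-1]
    if trusted_roots.get(root.subject) != root:
        errors.append(f"{root.subject}: not in the trusted root store")
    return errors


if __name__ == "__main__":
    # The issuing CA expired in 2007, but the server certificate it issued in 2006 still validates.
    print(validate(LEAF, CERT_STORE, TRUSTED_ROOTS, date(2007, 6, 1)))
```

With the constructed dates, the issuing CA has already expired on the check date, yet the server certificate still validates because the CA was valid when it signed it; removing the root from `TRUSTED_ROOTS` or moving the check date past the leaf's expiry produces the corresponding failure reasons.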

These ideas are coming from a Microsoft point of view and might not match the rest of the world.  Also, the main source used was from Windows 2000 which is not the latest version.  So far, this was the most straight forward reference.

One line XML files

XML can be hard to read without any formatting. The computer couldn't care less, but human eyes cannot easily see the patterns.

This recently became obvious with the FedUtil program that comes with Windows Identity Foundation. All the XML ends up on a single line.

There are two easy ways to solve this problem:

1. Use Visual Studio and press CTRL-K CTRL-D to automatically format
2. Open the file in Internet Explorer (make sure the file name ends with .xml)

It makes a huge difference. Human readable, imagine that.
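As an added example (not part of the original post), the same reformatting can be done from a script, which is handy when Visual Studio or a browser is not to hand.  The one-line fragment below is constructed to resemble the kind of configuration FedUtil writes; it is not real FedUtil output, and the thumbprint is a placeholder.  The second function checks that pretty-printing changed only whitespace, which is worth confirming before an edited configuration file is trusted.

```python
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed single-line fragment (abridged, placeholder values) of the style FedUtil emits.
ONE_LINE_XML = (
    '<configuration><microsoft.identityModel><service>'
    '<audienceUris><add value="https://app.example/" /></audienceUris>'
    '<issuerNameRegistry type="ExampleIssuerNameRegistry">'
    '<trustedIssuers><add thumbprint="0000000000000000000000000000000000000000" name="https://sts.example/" />'
    '</trustedIssuers></issuerNameRegistry>'
    '</service></microsoft.identityModel></configuration>'
)


def pretty_print(xml_text, indent="  "):
    """Re-indent one-line XML so every element starts on its own line."""
    doc = minidom.parseString(xml_text)
    return doc.toprettyxml(indent=indent).rstrip("\n")


def _strip_whitespace(elem):
    """Drop whitespace-only text so that layout differences do not count as content."""
    if elem.text and not elem.text.strip():
        elem.text = None
    if elem.tail and not elem.tail.strip():
        elem.tail = None
    for child in elem:
        _strip_whitespace(child)
    return elem


def same_content(xml_a, xml_b):
    """True when two documents carry the same elements, attributes and text."""
    a = _strip_whitespace(ET.fromstring(xml_a))
    b = _strip_whitespace(ET.fromstring(xml_b))
    return ET.tostring(a) == ET.tostring(b)


if __name__ == "__main__":
    formatted = pretty_print(ONE_LINE_XML)
    print(formatted)
    print("content unchanged:", same_content(ONE_LINE_XML, formatted))
```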

Update:

It is possible to apply this strategy to source as well in Visual Studio:

  1. Select the text you want to auto format (Ctrl-A for everything in the document)
  2. Ctrl-K, Ctrl-F (or Edit/Advanced/Format Selection)

This can be very handy for normalizing the code without spending time making sure everything aligns properly.


Git Over It


Git is a tool used extensively for open source projects.  It is a way of distributing source control instead of the typical central repository.  History has it that Linus Torvalds himself developed the original tool.

Every Git working directory is a full-fledged repository with complete history and full revision tracking capabilities, not dependent on network access or a central server.

Why is it called git?  The theory is that Linus named it after himself. :)  However, no one seems to know for sure.

Why git?  It all started as a dispute between the Linux developers and BitKeeper.  The BitKeeper tools had been free to the community until the company charged the developers with reverse engineering their product.   The result was that developers would need to pay to continue using BitKeeper.  Given the “free” nature of Linux development this obviously did not go down well.  Linus led the project to develop an alternative and the result is git.

The overall good news is that git has been widely adopted even though its development only started in 2005.  It has several good features compared to the traditional source control solutions.

  • Offline changes
  • Free (always helps)
  • Fairly simple commands
  • Distributed source management
  • Open source (for the hardcore)

To get a better introduction, visit the git homepage.  As a set of examples of this homepage:

There is also a section on quick start.  Git has two paths for creating a repository.  Either it is created from a clone from another server or it is created from scratch.

Anything in parentheses is meant to be replaced with specific actions (like a directory or file).  To keep it simple, it is best to experiment with a locally created depot.  It is worth doing an easy walk through of the creation.

  1. git init
  2. git add .
  3. git commit -m "My message"

“git init” creates the initial depot for this current project.  It creates a subdirectory (usually hidden) called .git which contains all the information that git needs to keep to manage the source.  Think of it as being where everything is kept to keep git happy.

“git add .” instructs git to find every single file under the current directory and add it to the staging area to be prepared for committing. It will only add files that are new or changed when used with the “.” which is a great trick.  If there are files that you do not want to automatically add, you can always change the “.gitignore” file to skip over them.  Typically the object and binaries need to be skipped if the tree is actually built.  Doing the add is really just a sign of intent.  It does not actually change anything in the git tree.  Also of note, if you change any files that have been added, you need to add them again if you want to capture the changes in the staging area.

There is nothing to fear with commitment.  Commit with “git commit” just means that you want to capture all the changes into one thing.  This is where it updates the local git tree and it is seen as a kind of “snapshot” of where the code is at.  Keep in mind that a commit means nothing to anyone else.  A commit is just a local thing.  This enables git to be used offline and without the need for a central server ever.
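The walk through above, as an added example that is not part of the original post: it drives real git commands from Python in a throw-away directory and records `git status --porcelain` after each step, which makes the staging-area behaviour visible (a file edited after `git add` shows as both staged and modified until it is added again, and an ignored build artifact never appears).  The helper, the file names and the commit identity are constructed; the script assumes a `git` executable on the PATH and returns `None` when there is none.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path


def git(repo, *args):
    """Constructed helper: run one git command inside repo and return its stdout."""
    cmd = ["git", "-c", "user.name=Example", "-c", "user.email=example@example.invalid", *args]
    return subprocess.run(cmd, cwd=repo, check=True, capture_output=True, text=True).stdout


def staging_walkthrough():
    """Return the porcelain status lines after add, edit, re-add and commit (None without git)."""
    if shutil.which("git") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        git(repo, "init", "-q")                                   # step 1: git init
        Path(repo, ".gitignore").write_text("*.obj\n")             # skip build output
        Path(repo, "hello.c").write_text("int main(void) { return 0; }\n")
        Path(repo, "hello.obj").write_bytes(b"\x00binary")         # ignored, never staged

        snapshots = []
        git(repo, "add", ".")                                     # step 2: git add .
        snapshots.append(git(repo, "status", "--porcelain"))

        # Editing a file that is already staged leaves the staged copy stale ("AM").
        Path(repo, "hello.c").write_text("int main(void) { return 1; }\n")
        snapshots.append(git(repo, "status", "--porcelain"))

        git(repo, "add", ".")                                     # add again to capture the edit
        snapshots.append(git(repo, "status", "--porcelain"))

        git(repo, "commit", "-q", "-m", "My message")             # step 3: git commit
        snapshots.append(git(repo, "status", "--porcelain"))      # clean tree: nothing listed

        return [s.splitlines() for s in snapshots]


if __name__ == "__main__":
    for step, lines in zip(("add", "edit", "re-add", "commit"), staging_walkthrough() or []):
        print(f"{step:7} {lines}")
```

The first column of each porcelain line is the staged state and the second the working-tree state, so `AM hello.c` is exactly the situation the text warns about: the change is on disk but not yet in the staging area.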

However, git can also be used in a distributed team.  In fact, that was the original intent.  That is the point of the other path for creating a depot on the local machine.

Working off of a remote depot is in this order:

  1. clone a remote depot (git clone)
  2. make changes to the local files (git add)
  3. commit the changes (git commit)
  4. send the patch to someone that cares (git format-patch)

This is not the only way to do it.  It is also possible to submit the changes back to the remote depot assuming you have been authorized.

Coming from a world of PVCS and Perforce, git can take some getting used to.  It seems uncommon for git to be used in commercial products in Citrix (except for Xen products).  XenApp and XenDesktop are based on Perforce.

There are so many different places you can go to find out more about git.  Here are some examples:

Linus Torvalds (git creator) speaks about git at Google Talks.

Thanks goes to Michael Wookey in Citrix Labs Sydney for being such a great git advocate.

Disposable Devices

We are entering a very different era from our parents.  Technology is shifting from a very individual experience into a worldwide exchange.  As each wave forms, the resulting push goes further and further inland.  The goal is to reach some kind of perfection that will satisfy all our possible wants.  The frontier continues to expand.

Devices (laptops and smart phones) which are currently the focus of a mobile and remote work force are becoming disposable.  This is due to a number of factors such as damage, theft, and becoming obsolete.  The point is that real devices are always going to have a limited lifespan. 

It has been interesting to watch the computer industry over the last thirty years.  The speed of which the changes have come has only made technology obsolete that much faster.  Using a computer from more than five years ago is often a questionable venture.  Laptops and phones are probably more around 2 or 3 years. 

Given the limited lifespan, what is the real value?  Much like human knowledge, the best things are passed down.  The information is the soul of the device.  It is this data that needs to be preserved and propagated to new devices.

Add the concepts of virtualization and the Internet, it is possible to build a model whereby the information will never die.  In fact, given enough focus, the environment will evolve and flourish.

The information can be safely saved on trusted servers.  If the device is lost, stolen, or dead, the environment can be brought forward to a new device.

It is similar to the idea of storing photos on the web for backup purposes.  In theory, your photos will never be discarded.  The same would be true of your standard computing environment.

This kind of strategy puts the focus on what is really valuable.  It certainly is not the disposable device.

Admit to yourself one thing.  Your laptop ages twenty times faster than a human (laptop years).  Your phone is closer to 30 years to one human year.  I would bet your phone or laptop is already older than you.

The information however, is priceless, ageless, and completely virtual. 

Doesn’t it seem we always focus on what we can see?  It’s the things that can’t be seen that really make the lasting impact.

Latest Citrix Receiver for iPhone video

Virtual Hard Disk Specification

The Virtual Hard Disk Image Format Specification (VHD Spec) has been available from Microsoft since October 2006.  You can bypass registration and download straight from here.

The document is only seventeen pages long but manages to capture how it is set up.

The specification was originally created by Connectix and was gained by Microsoft from the acquisition in 2003.  Since then VHD has become more and more successful.  It is used by all Microsoft virtualization products (VirtualPC, Virtual Server, Hyper-V) and is gaining support from Citrix products as well (PVS and XenServer).  VHD looks to be the rising star for Windows based virtual machines.

Strangely, I had the opportunity to meet the creator of the original VHD specification at a BriForum 2008 dinner.  Unfortunately I did not get his business card.  His career path took some strange turns based on working at Connectix, being acquired by Microsoft, working for Microsoft, leaving to work at Calista, and then being acquired yet again by Microsoft.  He was part of the Calista contingent at BriForum 2008 in Chicago along with Nelly Porter.

The VHD format has some tricks up its sleeve.  Two of these are related to disk types.  There are three basic disk types.  They are:

  • Fixed hard disk image
  • Dynamic hard disk image
  • Differencing hard disk image

Fixed disk is pre-allocated to the size specified at creation.  Dynamic disk allocates on the fly based on a certain chunk size (for example 2MB).  Differencing disk is where two or more images are combined to form one virtual disk image.  Differencing would allow for a primitive cloning to take place.  It is similar in concept to linked clones but without the protection of the base not changing.

Being a virtual disk, it has no concept of files.  File interpretation is based solely on the file system code in Windows (NTFS).  This is another way of saying it is a block-based model.
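As an added example (not code from the specification or from this post), the parser below reads the 512-byte footer that a VHD file ends with, where the disk type above is recorded, and refuses footers whose cookie or checksum is wrong before trusting any size field.  The footer layout (big-endian fields, "conectix" cookie, checksum as the one's complement of the byte sum with the checksum field zeroed, type codes 2, 3 and 4 for fixed, dynamic and differencing) follows the published specification; the sample footers are constructed by `build_footer` rather than taken from a real image, and the creator application tag and unique id in them are placeholders.

```python
import struct

# Footer layout from the VHD specification: all fields big-endian, 512 bytes in total.
FOOTER = struct.Struct(">8sIIQI4sI4sQQHBBII16sB427s")
assert FOOTER.size == 512
CHECKSUM_OFFSET = 64
COOKIE = b"conectix"
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
NO_DATA_OFFSET = 0xFFFFFFFFFFFFFFFF      # fixed disks have no dynamic disk header to point at


def footer_checksum(raw):
    """One's complement of the sum of all footer bytes, taken with the checksum field zeroed."""
    zeroed = raw[:CHECKSUM_OFFSET] + b"\0\0\0\0" + raw[CHECKSUM_OFFSET + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def build_footer(disk_type, size_bytes, data_offset, unique_id=b"\x11" * 16):
    """Constructed sample footer (placeholder creator tag and id; geometry left zero)."""
    fields = [COOKIE, 0x2, 0x00010000, data_offset, 0, b"smpl", 1, b"Wi2k",
              size_bytes, size_bytes, 0, 0, 0, disk_type, 0, unique_id, 0, b"\0" * 427]
    raw = bytearray(FOOTER.pack(*fields))
    struct.pack_into(">I", raw, CHECKSUM_OFFSET, footer_checksum(raw))
    return bytes(raw)


def parse_footer(raw):
    """Validate a footer and return its interesting fields; raise ValueError on anything suspect."""
    if len(raw) != FOOTER.size:
        raise ValueError("footer must be exactly 512 bytes")
    (cookie, _features, _version, data_offset, _timestamp, _creator_app, _creator_ver,
     creator_os, original_size, current_size, _cyl, _heads, _sectors, disk_type,
     checksum, unique_id, _saved_state, _reserved) = FOOTER.unpack(raw)
    if cookie != COOKIE:
        raise ValueError("bad cookie; not a VHD footer")
    if checksum != footer_checksum(raw):
        raise ValueError("checksum mismatch; footer is corrupt or tampered")
    if disk_type not in DISK_TYPES:
        raise ValueError(f"unsupported disk type {disk_type}")
    if disk_type == 2 and data_offset != NO_DATA_OFFSET:
        raise ValueError("fixed disk must not point at a dynamic disk header")
    if disk_type != 2 and data_offset == NO_DATA_OFFSET:
        raise ValueError("dynamic/differencing disk needs a dynamic disk header offset")
    if current_size == 0 or current_size % 512:
        raise ValueError("current size must be a non-zero multiple of the 512-byte sector")
    return {
        "disk_type": DISK_TYPES[disk_type],
        "original_size": original_size,
        "current_size": current_size,
        "data_offset": data_offset,
        "creator_os": creator_os.decode("ascii", "replace"),
        "unique_id": unique_id.hex(),
    }


if __name__ == "__main__":
    print(parse_footer(build_footer(2, 64 * 1024 * 1024, NO_DATA_OFFSET)))
    print(parse_footer(build_footer(3, 2 * 1024 ** 3, 512)))
```

Checking the checksum before using `current_size` matters because that field is what a tool would use to size buffers or allocate the backing file; a footer that fails the check should be rejected rather than partially honoured.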

Given the momentum of VHD within Citrix and Microsoft, there is a good chance that VHD will be used for more tasks.  Microsoft has acquired Kidaro, for example, which would imply that VHD will get a major push for transporting VMs around the extended enterprise (read mobile and home workers).  Given the nature of the Kidaro TrimTransfer technology, it should be possible to make this as painless as possible.

There is a competing model at Microsoft under the banner of Windows Imaging Format.  Instead of focusing on disks, it focuses on files.  It uses Single Instance Store (SIS) and is being used for Vista deployment.  It is an excellent model for deploying large sets of files especially with small variations between copies (instances).

Both of these formats allow for mounting (VHDMount and ImageX) into Windows.  VHDMount comes from Virtual Server 2005.

The hope is that VHD will become the standard over time.  There is another format called Open Virtualization Format (OVF) that is set to work across all platforms in the future.  This new format is intended to supersede all existing formats and make it easier to transport workloads between vendors.

Hype Cycle and Virtualization

In 1995, Gartner invented the concept of the Hype Cycle chart. It depicts the life of a new technology and how people perceive it over time. Below is the first chart displayed by Gartner in 1995.

Hype cycle from Gartner

The lesson to learn from such a diagram is that new technologies always go through a phase of intense expectations. There are five stages that have been identified. They are:

  1. Introduction
  2. Peak expectations
  3. Complete disillusionment
  4. Renewed interest
  5. Common use

You might have noticed that I changed the names from the original model. Why use fancy titles when they can be simple?

Most technologies (if not all) follow this curve. Initially a new idea is introduced. This idea generates much interest and products are made. Companies and people buy the products and the frenzy begins. Expectations of what the technology will achieve are greatly increased. That is, until, some day, someone starts revealing that the technology is not as good as first thought. Doubts enter the minds that once were excited about the technology. The swing goes down. Depending how severe the feedback is, the technology can dip pretty low.

Then something amazing happens. People start dusting off the technology and realize that it really was good for something. They start using it again, but without the hype factor. Slowly but surely the technology is adopted again and this time for good. Eventually the technology enters the mainstream and gets lost amongst all the other accepted technologies. It becomes second nature.

Of course some technologies really are obsoleted and die. It all depends on the strength of the newcomer.

Let’s bring this hype cycle to bear on the virtualization space. It is clear that virtualization is in a very favorable light. In fact, for modern computers, it looks to be ramping up the hype cycle rather nicely. It is fairly safe to assume that there will be a turning point but it is unclear how long that will take. It would probably be safe to assume that it will happen in the next three to five years.

The problem really isn’t with virtualization, but rather the fact that it is being oversold and applied to situations that might not always be better. The analogy for this is that when you have a hammer, the whole world is a nail. Virtualization is actually just one of many different technologies needed to move computer architectures ahead. It is a given that it is important but it certainly is not the only important player.

At some point there is going to be a lot of push back on virtualization. Perhaps it will come when the over-hyped solutions get people so angry that there is a big backlash. It is always hard to say when those kinds of things are going to happen.

The industry will get hit and something new will take its place. Eventually it will hit bottom and people will once again realize that it is good for something. Virtualization will recover and be stronger from the journey. Eventually it will become commonplace and transparent. People won’t even know it’s there, yet it will be incorporated into almost all of the computer systems around them. In a way, it will become like a boring commodity.

People love drama. People love to get rushed into the excitement of hype. Many a good tale has been told about the wonders of the new. It’s part of this path to understand that emotions drive change. The only downfall of too much anticipation is that the demands will never be met. Ask any consumer in our society and typically they will say that they still want more.

That’s the core of it right there. Hype exists to satisfy our desire for more. Hype shows us the golden way where we will want no more. The problem obviously is that hype can never fill our hunger. Promises never match delivered goods. The hunger grows stronger as the technology fails to satisfy.

We start looking for something else. The cycle continues.

It is only when the emotion is gone that the technology really has a chance to survive. The rush is gone but the true benefits remain. The idea was given birth by emotion but survives on its true merit.

It’s hard not to get caught up in the early excitement. It’s hard to ask the hard questions when everyone else just wants it to go forward. Realistically it is the most difficult to buck the trends and realize the value independent of the hype.

I just realized that this is the nature of “Good to Great” companies related to using technology. Perhaps everyone would be better off if the hype didn’t get so out of control.

Beyond Hardware Virtualization

Just when technology matures, a new technology rises to challenge it. In this case we are seeing the dawn of application and desktop virtualization against the well established rule of full hardware virtualization. Before getting too deep into the detail of the differences and features, it is worthwhile to try to define the relative classes of virtualization.

Wikipedia calls what I call hardware virtualization “Platform virtualization”. The goal, overall, is to provide a platform that can run any code (including the guest operating system) isolated from the rest of the native system. There are several subclasses, with the most relevant being “Full virtualization”, “Hardware-assisted virtualization” and paravirtualization. Technically, the techniques are different but the goal remains the same. It is possible to install a full guest operating system in a VM and run the software for that OS within it.

What kind of problems does hardware virtualization face? Informally, here’s a list:

  1. Emulation of hardware is a tricky business and always slower than native hardware
  2. Emulation of the opcode instructions is guaranteed to be slower
  3. The size of the virtual disk can limit flexibility in transfer
  4. The collective size of many virtual disks can clog up shared data storage
  5. Duplication of licensing costs (host and guest usually require a license each)
  6. Guest and host often do not work well together related to host and guest applications
  7. Virtual machine always needs a Virtual Machine Manager installed (requiring admin rights)
  8. Emulated devices usually have little correspondence to native hardware features

That’s probably enough for now. No one solution is going to address every concern but you can see how these kind of concerns add up to a desire for something else.

What if it was possible to virtualize the system at a higher level? What if you could virtualize right about the operating system layer? Wouldn’t that reduce the need to emulate and virtualize so much?

That is exactly what application and desktop virtualization is attempting to achieve.

Wikipedia has an early attempt to capture this field with “application virtualization”. The basic goal with application virtualization is to reduce the footprint of virtualization while still giving the benefits of running applications anywhere. An application thinks that it is running on a certain environment when really it is being managed by a thin layer below it. This layer is responsible for providing a smooth surface which can lay on top of similar host platforms.

It is perhaps more widely known as making it easy to install once and then run everywhere. Solutions typically do not require admin rights for the user. It also means that one file can encapsulate the entire application instead of the typical large set of files.

A simpler way of viewing it is that the application is fully encapsulated. Because of this, it can be easily moved around and executed by many different people. As a result of this, it is much smaller than a whole virtual machine and runs under the native operating system with full access to the features of the native hardware. It is more like the application is a sibling to host applications than a child. The guest operating system model can isolate the environment so much that applications may not be able to communicate beyond simple means. The plumbing in application virtualization is much more straight forward.

Application virtualization addresses several of the concerns mentioned above with hardware virtualization.

  1. There is no emulation of hardware with application virtualization
  2. There is no need to virtualize instructions
  3. There is no virtual disk and the application encapsulation is always smaller
  4. There is no wasted space (unlike the virtual disks)
  5. There is only one operating system (one license)
  6. There is no virtual operating system wall between the two sides
  7. There is no need for admin rights
  8. Since devices aren’t emulated, the application gets the full features

Application virtualization does not handle device driver additions or dependencies. However, some solutions can handle services. Application virtualization also does not handle running applications on non-similar operating systems (like running Linux on Windows).

The intent is to keep things simple and do what is needed but not more.

There have been quite a few companies involved with improving this field over the last few years and the evolution of ideas has progressed quickly. It seems that maturity is probably within reach in the next two or three years.

So, don’t get too comfortable with virtual machines just yet. There’s this thing called application virtualization which is on the horizon.

Oh, and I almost forgot to mention desktop virtualization. It is a step beyond application virtualization which virtualizes the content of an entire desktop. This gives more integration and security for what would normally be viewed as independent applications. It also opens up more possibilities with things like having the users install their own applications in a controlled fashion. It’s a bit harder to classify at this point so it is a good place to stop.

I’m not saying hardware virtualization is bad. I’m just saying that there’s something evolving which avoids some of the pitfalls of virtualizing everything.

Server Based Computing versus Virtual Desktop Infrastructure

One of the things I did not see coming was the pending battle between Server Based Computing (SBC) and Virtual Desktop Infrastructure (VDI). This first became obvious at BriForum 2008 with sessions titled such as “SBC vs VDI”. The resulting discussions were very lively and ran throughout all the different VDI discussions. This is also being shown through the variety of posts related to the relative benefits.

Having been around the block a few times, I see this discussion to be a bit religious in nature. In other words, every one has strong beliefs and it is unlikely that many people are going to change their minds about what they believe in. Secondly, it is pretty pointless to argue when it comes to doing what fits best. Either it works for you or it does not. Talk is cheap. :)

To me, the two are much more related than what people typically say. Surprisingly this can be true in life with many other topics as well. Some difference has been isolated and blown out of proportion to the point of excluding the other. Oh well, that’s just how people can be.

Truthfully, I would classify VDI as a new variant of SBC. Why? VDI runs on a virtual machine on a server. The truth is that by adding virtualization, it is possible to host multiple user desktops using the actual desktop operating system. The attraction is obvious if you understand the weaknesses of traditional SBC. With Terminal Services, there are limitations related to applications installing and the user not getting their normal desktop experience. There is also the risk of having one system being shared without virtualization. All it takes is one false step in kernel space and the system goes down.

On the other hand, virtualization has a cost. It should never be expected that virtualization will match native performance. Also, virtualizing at the hardware layer guarantees a great deal of duplication between virtual machines. This includes having a copy of the operating system per user. The disk model also means that each user is likely to own a virtual drive in the gigabytes. Collectively, this adds up to a massive amount even if most of the space in the drives is not being used.

These are just some quick surface differences. Is there really anything worth getting upset about? Well, no.

But, strangely I sense this tension between the two groups. The old SBC group almost seems a bit threatened. Maybe it is just my imagination. If it is there perhaps it is just the uncertainty.

Anyways, Brian Madden has already declared that he thinks VDI is going to win. To me this seemed a bit early to declare and besides that it will not really matter in the end since both are actually SBC.

Perhaps another way of saying it is that VDI is disruptive and is not being treated really seriously by the old SBC camp. Well, some care. But the point is that VDI is seen to be a bit like a toy compared to the mature existing SBC market.

The news is that VDI is not going away and new trends show that it is well on its way to supplanting the older SBC business. I can sense a few heads shaking. Well, maybe not tomorrow. But, it will eventually.

The reasons will become more obvious as time goes by. The first step was to remote the desktop environment in its natural state. This has been accomplished. The next step is to tackle things that SBC never did quite figure out. This includes the ability to remote high performance graphics/audio on the LAN. This too has already begun to happen. Further refinements are coming including the ability to remote USB devices and further integrate the experience between the two machines. The goal overall is to completely blur the distinction between the client and host machines. In a sense, you get two machines with one environment with the combined power and strength of each.

Ultimately you get the ability to have a universal desktop which works anywhere (well, almost). This universal desktop does not really care how it is run (local or remote) and always adjusts to the situation with the maximum performance. It is incredibly idealistic to believe this is possible but the writing is already on the wall that it is coming, and sooner than anyone is expecting.

Part of the reason I blog is to share what I see coming. It is hard to convince anyone in the beginning but given enough years it eventually comes true.

About five years ago I put forward an idea inside Citrix that we should investigate using virtualization to support different operating systems remotely. This was proposed to address the need to remote workstation operating systems (like Windows XP) which would be more compatible than the server (like Windows 2003). It was also hoped that we could remote things like Linux if needed. I saw this as the future of MetaFrame since it would give a much more mainframe-like approach to hosting different platforms. In other words, the only decent way to truly support applications is to give them what they expect and then find a way to remote it. The idea did not catch on at the time. It would not be until VDI came around that this idea finally came to light.

About 13 years ago I proposed that we create a single user version of WinFrame that would work on Windows (not NT). The idea was it would help to have a commercial product intended for consumers. At the time Citrix was not widely known and an easy way to address it was to target the lower end with a product that would be seen and appreciated. It was not until PortICA came around in 2006 that this began in earnest.

It is little known that around 2002 there was a project called Jardine that duplicated MetaFrame on Windows XP using Terminal Services. This was very clever and timely work done to target managing XP with ICA. The problem was that Microsoft said no. They didn’t like it. They refused to license Terminal Services for the non-server environment to Citrix. The project died soon after.

PortICA was built on the assumption that we could not use Terminal Services interfaces. This meant rewriting aspects of the TS stack since we simply didn’t have rights to them.

The realization that came from this is that Citrix once again had control of a stack and that past limitations would be removed if we saw an opportunity. There is a big play for potential improvement over the typical TS code base.

Balanced against this is the constant tightening of the TS platform with what Citrix is allowed to do. Microsoft wants things to be just so and Citrix really has little choice in the matter.

But perhaps the most obvious reason why VDI will come out ahead is the sheer number of competitors chasing after the business. Unlike old SBC/TS, there is pressure to evolve quickly with some very nimble and small companies. It will be true that companies like Citrix will validate the market much like IBM did the original personal computers, but this does not mean that anyone is guaranteed to win. This is not related to size but rather mind share. If Citrix does not move quickly to embrace VDI even more strongly, it risks losing this market to younger players.

However, all is not lost. SBC is still important and will be used to leverage into the VDI market. The most clever thing that Citrix could do right now is combine their offerings back into one. One of the most consistent messages I heard at BriForum is that one product is better than two in this space. This is largely viewed from a management angle. One of the companies is already providing a dual VDI/SBC product. There is no reason for Citrix not to do this as well.

So, why am I writing all this down?

Well, I’ve written it recently internally (based on the trip report to BriForum). My concern is that this information will not reach the right people easily. I also would deem that this kind of stuff is not secret and should be openly shared. Pretending that people don’t know is perhaps one of the most severe mistakes any organization can ever make.

Having come to the end you might be curious what I think of the title.

My answer is that it should really be “SBC and VDI”. The versus implies turmoil and in this case it should really be overlapping circles of coverage.

Hello world


I am a developer/researcher in Citrix Advanced Products group.  One of the things I would like to do is interact more with the community to learn what is currently going on. 

Nothing else to report just yet. 

I am interested in discussing what people think about DVI.