Re: Cannot Create A Web Site

Re: Cannot Create A Web Site

on 30.03.2008 00:50:43 by Le Chaud Lapin

On Mar 29, 12:37 am, "Bernard Cheah [MVP]"
wrote:
> Ya the RTM setup engine apparently got some bug in it.
> I have to rebuild my machine twice before SP1 as no way to fix it even with
> WAS.
>
> so get SP1 if you can. then only start your repro steps.

I have so many threads on this issue outstanding, it's taking a while
to close them all up.

As of 5:00 P.M., yesterday, after 167 hours of fiddling, I finally got
it to work. In this case, "it" is having a Visual SourceSafe 2005
repository rest behind IIS 7.0+WebDAV running on Vista Ultimate,
accessible by Visual Studio 2005 clients all over the Internet.

If you ask me if I would be able to recreate this scenario for someone
else using virgin installations of everything, my answer would be
"perhaps".

If you ask me if I would be able to take someone's existing IIS 7.0
configuration and recreate this scenario without ruining their
website, my answer would be, "most likely not".

If you ask me if I would be able to explain to another software
engineer in sufficient detail the mechanics of IIS 7.0+WebDAV such
that he might have a reasonable chance of getting it to work himself,
my answer would be "absolutely not."

So while I am very happy to have recovered the state which I had 7
weeks ago: a working source control system over the Internet, I am
disappointed that all that time might have been spent learning
something that is reusable, like fixing my linear estimator for
optimizing TCP/IP retransmission problem, which contains reusable
knowledge [mathematics].

I definitely do _not_ attribute total fault to the authors of IIS 7.0.
Many of the problems arise from the Windows security model. IMO,
someone, somewhere, perhaps at Microsoft Research, needs to stop
coding, and start thinking more about the theoretical foundations of
security and access control. My gut feeling that the persistent model of
access control involves a true public-key infrastructure. These
username/passwords models and concoctions like Active Directory
Service are simply not something that the Gods of Good Design might
look upon favorably, IMO. They are simply too tedious.

Yes, yes, I know, there are IT personnel earning $125,000US/year who
would be more than happy to come into your office and show you how you
got it wrong, and after 30 minutes or an hour, have it so that it does
what it's supposed to do.

I would like to see the day when we can avoid such people and simply
do it...a bit like writing a text message using Notepad, where the
user with a baseline level of intelligence, and sufficient computer
experience, say 20 years as a software engineer, feels confident that
there is a correlation between action, expectation, and manifestation.

As far as the people who designed the Windows Security model go:

You know you have done a good job as an architect/designer/visionary/
thinker/engineer, when someone who is reasonably intelligent and
experienced, but foreign to your field of expertise, looks at what you
have done, and says...."Hmmm....whoever did this did it the way I
might have done it if I were an expert in their field. A bit of
learning is involved, but this really is easy to use."

I did not get that sentiment while wading through the mess of access-
control mechanisms in Windows. And as I mentioned before, what is
most ironic about the 167 hours spent, is that, had I not spent 8
hours/day trying to re-setup IIS 7.0, etc...I would have been doing
research in...guess what??!!!...access control models and distributed
file systems. :)

So I already know how much easier it could be, compared to how it is,
which is why I Microsoft (Research?) could do a lot better.

To be fair, Kerberos is not a walk in the park either. Ticket-
granting ticket? I remember back in 1988 when Kerberos was just taking
off. The manual was thick even then. Yes, it worked, but it was, and
still is, unnecessarily complicated, IMO.

But as one CEO of a top-five anti-virus software company said at an
internal company meeting....

"You know, innovation is just one option. There is also the option of
continue to do what we do now, leaving bugs in our software. By this,
I mean that we actually benefit when our software is a mess. We should
not underestimate the revenue we gain from upgrades from buggy
software. And yes, there is incredible redundancy in our products, but
our customers don't need to know that. Since when did having a
confused customer ever hurt our bottom line?"

Perhaps Microsoft executives might have shared this highly lucrative
sentiment while committing to Kerberos as a security platform.

Whether they are deliberately leaving their access control models in
such a mess is debatable however, but who knows..

-Le Chaud Lapin-

Re: Cannot Create A Web Site

on 02.04.2008 08:11:29 by Matt Davis

In article <6af5a620-d81e-4bb9-b510-752b2e828501@m3g2000hsc.googlegroups.com>, jaibuduvin@gmail.com says...
> I definitely do _not_ attribute total fault to the authors of IIS 7.0.
> Many of the problems arise from the Windows security model. IMO,
> someone, somewhere, perhaps at Microsoft Research, needs to stop
> coding, and start thinking more about the theoretical foundations of
> security and access control. My gut feeling that the persistent model of
> access control involves a true public-key infrastructure. These
> username/passwords models and concoctions like Active Directory
> Service are simply not something that the Gods of Good Design might
> look upon favorably, IMO. They are simply too tedious.

My gut feeling is that unless you are Bruce Schneier, your "gut
feeling" will not factor into any of Microsoft's decision making on
matters related to security. It takes more than some vague complaints to
steer Microsoft on something as big as Windows Security.

> Yes, yes, I know, there are IT personnel earning $125,000US/year who
> would be more than happy to come into your office and show you how you
> got it wrong, and after 30 minutes or an hour, have it so that it does
> what it's supposed to do.

That comes out to about $60/hr. If they can solve in one hour what took
you 167 hours of fiddling, then I think the $60 spent is well worth it.

> I would like to see the day when we can avoid such people and simply
> do it...a bit like writing a text message using Notepad, where the
> user with a baseline level of intelligence, and sufficient computer
> experience, say 20 years as a software engineer, feels confident that
> there is a correlation between action, expectation, and manifestation.

It would not matter if you had 2000 years of software engineering
experience if the problem you are trying to solve is not in that domain.

> You know you have done a good job as an architect/designer/visionary/
> thinker/engineer, when someone who is reasonably intelligent and
> experienced, but foreign to your field of expertise, looks at what you
> have done, and says...."Hmmm....whoever did this did it the way I
> might have done it if I were an expert in their field. A bit of
> learning is involved, but this really is easy to use."

I disagree. You know you have done a good job when the *experts* in your
field say that you have done a good job. If someone is foreign to your
field of expertise, they are by definition not experts in that field.
Why use the opinion of non-experts as a measure of a "good job"?

> So I already know how much easier it could be, compared to how it is,
> which is why I Microsoft (Research?) could do a lot better.

By "it" are you talking about IIS or Active Directory or Kerberos?
In any case, unless you work for Microsoft, it is unlikely that you will
be getting your wish from Microsoft.

-- Matthew Davis

Re: Cannot Create A Web Site

on 03.04.2008 04:29:29 by Ken Schaefer

"Le Chaud Lapin" wrote in message
news:6af5a620-d81e-4bb9-b510-752b2e828501@m3g2000hsc.googlegroups.com...

> Many of the problems arise from the Windows security model. IMO,
> someone, somewhere, perhaps at Microsoft Research, needs to stop
> coding, and start thinking more about the theoretical foundations of
> security and access control. My gut feeling that the persistent model of
> access control involves a true public-key infrastructure. These
> username/passwords models and concoctions like Active Directory
> Service are simply not something that the Gods of Good Design might
> look upon favorably, IMO. They are simply too tedious.

Authentication (not security) is achieved by proving your Identity
(sufficiently for the remote service). And that means something you know,
something you have or something you are (or some combination thereof). PKI
and Passwords are just implementations. They are both theoretically sound.

Active Directory is a directory service - not a security implementation.

So, I don't really understand what your point is here. You seem to be mixing
and matching different components and confusing that with an overall security
architecture.

> As far as the people who designed the Windows Security model go:
>
> To be fair, Kerberos is not a walk in the park either. Ticket-
> granting ticket? I remember back in 1988 when Kerberos was just taking
> off. The manual was thick even then. Yes, it worked, but it was, and
> still is, unnecessarily complicated, IMO.

Microsoft has an enormously simple Kerberos implementation. You just install
AD. You add your machines to the domain. And away you go. Everything is
taken care of for you. It works for hundreds of millions of machines with
most people not having any idea that it's even there. The total number of other
non-Windows Kerberos implementations are probably just a rounding error.

> Perhaps Microsoft executives might have shared this highly lucrative
> sentiment while committing to Kerberos as a security platform.
>

Yeah - whatever. Kerberos is a robust, proven platform. If it's too
complicated for you - too bad. PKI isn't any simpler.

> Whether they are deliberately leaving their access control models in
> such a mess is debatable however, but who knows..

Again - your lack of understanding does not constitute a mess.

Cheers
Ken