So here are some reasons, partly from people I talked with, partly some I just made up ;-)

• There are lots of players: Business has business requirements, Risk Management adds requirements on top, IT has to implement all that and the last part being security which sometimes are not really able to talk to the other parties involved because of a culture mismatch (security is mostly technical people). A wholistic approach would probably help but it is easy to imagine that this is far from happening.
• There are lots of legal regulations and frameworks you need to comply with, adding yet more requirements to the mix.
• My suspicion: Quite a lot of over-engineering. From my experience elsewhere you actually see this happening in nearly every area. It takes time and effort then to find out that many use cases are actually never happening or can be solved with simpler tools. Maybe compare Java and Python ;-)
• Lots of legacy system you cannot simply replace.

Moreover I would think that some companies also just want to sell their products quite a bit longer instead of reinventing all the time.

That being said there also seemed to be some wish to make things simpler. This has been coming up in some talks where it either was about quick wins or rethinking your infrastructure on new projects.

The web

Lets once again look at the web and what’s happening there. The main difference is probably (as Eve put it nicely) that on the web you have to convince people to use your protocols. E.g. for authorization you of course could use Kerberos but the internet community refused it and now there is the much simpler OAuth instead.

And not even that: OAuth in itself is becoming even simpler to implement. Or look at the Facebook Graph API and the Open Graph Protocol. Both are very simple in their use.

Of course you have far higher security requirements in the enterprise than on the web but this will change the more security sensitive things you do online (e.g. shopping, eGovernment services etc.). Then the big question is: How easy acually is it to do strong authentication?

But besides different requirements you also see different means in solving problems, just take these two:

• REST vs. SOAP
• JSON vs. XML

So the question might be: Can the enterprise learn from the web? And vice versa?

My answer would be yes:

• the web from the enterprise about necessary requirements
• the enterprise can learn from the web how to build the simplest possible protocol to do the job.

The question is how big the resistance will be. As an example let me mention Kim Cameron’s keynote on the new ADFS2.0. He was asked then why it sounded like a replacement for LDAP and he said while he has a strong love for LDAP, time simply moves on. Asked if he knew how many people in the audience relied on LDAP he added that Active Directory of course is still built on LDAP.

Which makes me wonder: Why is LDAP still around? Isn’t there some RESTful, JSONified alternative to it? (I actually directly started to implement one out of curiosity on how this might look). Or is everything soon replaced by security tokens and Attribute Bases Access Control (ABAC)?

One thing is clear: Things are in motion (UMA and the interest in it might be a sign of this) and it  won’t get boring anytime soon. Lets see where we are at EIC 2011 in regards of web/enterprise protocol fusion.

I stumbled into the European Identity Conference 2010 actually only by accident, more being a web developer than an enterprise IT guy (although having to do with it in terms of connecting e.g. Plone to an LDAP server in our bigger clients). But I don’t regret that I actually did!

What made me go there were actually two (related) things:

1. The opportunity to meet one of my co-podcaster at Data Without Borders finally in person, namely Eve Maler
2. The opportunity to attend the workshop on User Managed Access, a Kantara Initiative workgroup which I was involved with quite a bit at it’s start (and which is chaired by Eve).

I then ended up attending also the actual conference as I got free entry for being a blogger and podcaster from the open web standards field (thanks, kuppingercole!). It didn’t stop there, though, because soon I was also sitting on a panel on data portability with Eve and Drummond Reed (me for being a former board member of the Data Portability Project) and suddenly also on another one with Eve again and Andreas Reisen from the Ministry of the Interior of Germany. The topic of that wasn’t really clear until shortly before and it turned out to be Post Privacy (I guess I had some influence on this).

Especially this last panel turned out to start a very interesting discussion (also thanks to moderator John Hermanns), but more on that later.

What I learned

First of all I learned that the UMA specification compared to back then when I left is not really easy to understand. To prove that I did some rough implementation the following afternoon. It also means that I probably will be more active again in the workgroup.  What surprised me a little though was that UMA actually got quite some interest which I didn’t expect as I saw it more as a web standard. But enterprise and web seem to converge and this is a good thing!

I also met other UMA participants I only talked on the phone with yet, esp. Domenico Catalano, Iain Henderson, Maciej Machulak and Hasan Akram.

From Iain I heard about another interesting topic actually, which is that both big parties in the UK had citizen control over their data in their programs. According to him they don’t really know what it means in practice but he and his company MyDex (and others) are there to help with Personal Datastores. I didn’t really gave a chance to interview him on how this would work in practice but I think he would make a great guest in Data Without Borders, so we probably will invite him soon. I should add that Iain also thinks about using UMA for this purpose.

Then there was the actual conference. Unfortunately I didn’t have the time to follow everything and so I wasn’t following  much on cloud computing (and I wish more people in the IT scene would actually do live blogging or at least twitter). So I learned a lot about which how claim based access is a done thing (at least according to Kim Cameron). I learned that OpenID has usability problems (not really new) and how they could be solved (new), I learned about the germen eID card and all the world wide non-interoperability of internet authentication. I learned that instead of PowerPoint you should start with Word (ugh? I would say: Use proper tools for online collaboration, not something for writing letters. Talk to me if you want some ideas ;-) ). I also learned that IT guys are sometimes having complexes, too (I remember a slide saying “IT guys are not dumb!” and people complaining how everybody beats on them).

What I missed: The Web

What I missed though was more talk about web standards. There was hardly any talk about e.g. OAuth (although it won an award last year), WebFinger, XRD, LRDD, Salmon, the connect mechanisms of Twitter and Facebook etc.

Along with that was social media was only used rarely. I can say that I was the most frequent twitterer there while only maybe 10 people twittered here and then. I am not sure if any blog posts except mine actually have been written. I even heard the phrase “I will be the last person to use Twitter”. So do enterprise IT guys live in some hole? Is it too different? Is their usual environment so controlled that they fear to do such things?

Some conversation I head during lunch seems to point into this direction as somebody explained to me how it feels strange if some client suddenly twitters about one of their meetings. Moreover companies have the problem of data leakage into Facebook, Twitter and LinkedIn (the latter seems to be the mostly used tool for social activities online).

I guess there are interesting times ahead when companies need to find a way to handle that. One way might be to forbid it but stemming against the internet revolution so far hasn’t worked, so good luck with that! Lets hope they think about more useful strategies which embrace the web and not fight it. There at least seems to be some interest in using social media also inside the company. A very interesting topic where I also have lots of ideas on.

What could be different?

The EIC 2010 was a well organized conference with interesting topics (and good food). Some things could be more experimental though in my opinion.

So here are some ideas:

First: Look at IIW and see how a barcamp style conference just works (I’ve never been there but I know that Barcamps work). So I would really like to see more flexible structure in place. Take the post privacy panel for instance. This mainly was setup spontaneous and I personally would have had lots more topics I would have loved to discuss with people in some sort of session. Yet there was no time or space for it. What we had were mostly one-to-many talks which are good for an introduction of a topic but not for a good discussion of it.

So make it more Barcamp-style! Maybe not the whole conference but maybe parts of it, e.g. one day.

Second: Then try to invite more web people. The web is different in that things need to be simple on the web while not being too simple (read: insecure). And something enterprise IT needs is simple. Moreover it would be great if there wouldn’t be two groups of people working on several very similar problems each on their own.

Third: Put up Twitter Walls. Explain what Twitter is, encourage people to use it and also to blog about it. Attracting more web people will actually help this.

Fourth: Record also the smaller rooms or let people (like myself) record it. So much information seems to be gone now if you haven’t been there, esp. the panel discussions.

Fifth: Put the materials on the web for free. My opinion: You go to a conference to share with the world. So share it with the world!

As Martin Kuppinger did a keynote on 5 trends in various topics I, too, will leave it at those 5 points. I learned a lot (and if it’s just how enterprise IT ticks) and might even come back next year :-)

Further Reading

Here are my blog posts about the conference so far:

• UMA Workshop at European Identity Conference
• Kim Cameron on Minimal Disclosure
• 5 Quick Wins to Leverage Your Existing Identity Infrastructure Through Convergence (Martin Kuppinger)
• National ID Card – Privacy by Design
• Improving the Security and Usability of OpenID
• On national electronic ID cards, Interoperability and Trust Frameworks
• User Managed Access – a workshop and a prototype

More posts might actually still come, I have lots to talk about! (but actually would need more time).

So lets see what we actually have.

Germany

Andreas Reisen of the Ministry of the Interior presented the new german national electronic ID card being issued starting the end of this year (my session notes). As he states it implements privacy by design and indeed it sounded quite well done. You can not only use it to identify against government agencies but also to use it for online shopping and more. All those service providers need isn Authorization Certficate which they can obtain from the government and which states which data is allowed for them to be received (has somebody a link with details on how to apply etc.?).

It has some problems though like that you need to buy a certificate for all the addons separately. Adding the burden on also buying a card reader with it the real question is how adoption will look like. As Kim Cameron said on one panel: Belgium has an electronic ID card but there does not seem to be a rush to buy card readers.

And there is another problem with it: It’s proprietary, Germany only.

Europe

Now if we look at Europe, we see lots of national ID cards and some are even electronic. The only problem is that every country uses a different technology. Hence there is the need to implement an interoperability layer which the STORK project tries to accomplish. Marc Sel was given a talk on this. It seemed a bit disappointing though that not even the attempt on being interoperable in the first place is being made. Moreover it seems unclear  what the future of STORK is after the funding ends (at least according to some coffee break conversations).

The US

Now in Europe the idea of a national ID card is well established and while there is some protest against electronic versions there is no doubt that it will happen (or has already).

In the US things look a bit different in that there is no national ID card. Compared to Europe this makes things harder because there is no one central authority (e.g. government) which can issue those identities. Thus there is a somewhat more complicated solution in the US involving OpenID, Information Cards and something called the Open Identity Exchange. The latter builds so-called trust frameworks which make sure that Identity Providers and Relying Parties both adhere to certain standards (more specific Level of Assurance). The initial trust framework they developed was the one for the US Government.

Adoption?

Now all of this depends on adoption. And adoption again might be influenced by the following factors:

• How easy is it to use?
• How easy it is to understand?
• How well is my data protected?
• How much do I believe it?
• How many place where I can use my identity will exist?

and probably more.

The main problem with adoption might start directly in the beginning though: In order to use my eID card in Germany I need a certificate and a card reader. In the US I might have an OpenID but those can only get assurance level 1 with is not much. For more I’d need Information Cards and probably need to pass through some assurance process. Now which citizen does know InfoCards? Probably close to 0%.

Then what about the mobile use case? I won’t have my card reader with me all the time and probably it cannot connect to an iPhone. As we get more and more mobile this will be a problem, too. There was an interesting project by Deutsche Telekom though which used next generation SIM cards, Near Field Communication (NFC) and InfoCard selectors on mobile phone to make secure identification possible. This is far in the future though and might also not happen at all.

Then I need to trust this thing. If the government says that service providers can only access data I allow them to get, do I trust it? Isn’t this the same problems as with electronic voting where voters would have to trust TÜV or similar agencies in that the voting machine will work correcetly? There are systems where I can even check if my vote has been counted but these involve lots of crypto and thus mathematics and only experts understand it (and not even they do completely).

Keeping control is another problem: If the system involves too many settings, people won’t understand it. It needs to be seen how user interfaces will actually look like. Just look at Facebook and their ongoing refactoring of privacy settings and screens to see how difficult that is. And yet probably most people just click “ok”.

And then of course it depends on the places I can actually use it. This will be the chicken-egg problem. Here in Germany there are at least various companies testing the technology while I heard that in the US there is not yet one RP (is that correct?).

Conclusion

If we look at the landscape what we see looks like a very fragmented world of (centralized) online identity. If it will be a success will be seen. It would be great though if people would get together more and develop common standards being used at least EU wide. The complex system now available does not really sound as if it’s becoming successful anytime soon.

Add to that that people already have various identities on the net. The problem with these is though that they are not really strong identities and vulnerable to phishing or other attacks (unlike Information Cards but this actually needs to be seen should they ever be more widespread so that the bad guys have incentive to find ways to do it).

And there is of course the question on what’s better: A more decentralized structure like in the US or a government issued identity (which changes with each new card though, at least in Germany)? Or neither?

I guess we will find out.

User Managed Access

So what is User Managed Access and what do you need it for?

First if all it’s a workgroup at the Kantara Initiative led by Eve Maler and will at some point eventually be fed into the IETF for making it a standard.

The main goal of the UMA group is to make distributed authorization as easy and flexible as possible. Imagine having some resource you have hosted on “Host” and a “Requester” wants to access it (think client/server or something like that). The Requester might itself not act on behalf of the user owning the resource but on some “requesting party” (which also can be the same user).

Now the Host needs to make some decision if it grants access or not. In OAuth something like this is possible in that the user introduces the Requester to the Host first to transmit some access token. The limitation is though that the Requester needs to be known beforehand.

Moreover the answer to the access question should not be simply based on a yes/no answer given beforehand. Instead we might also want to base it on certain claims. E.g. the Requester might need to prove that the Requesting Party is >18 years or maybe that this party has a certain role in a company.

For this to work UMA (and now OAuth 2.0, too) introduces a Authorization Manager (AM) which does the permission handling.

Basically there are three steps:

1. The user decides which AM he wants to use for a certain Host where he has some protected resource(s). The host is introduced to that AM, retrieves some metadata about the AM and then performs an OAuth request to obtain an AM access token which can be used later. This step is only done once in front.
2. At some point a Requester wants access to that resource and tries to access it. It will receive a 401 Unauthorized and with it the location of the AM (a URL). The Requester will then contact that AM, receive a list of claims (or the user will be asked in-bound as in OAuth) and needs to fulfill them. Note that this can also take place asynchronously, e.g. the AM can send an email or SMS to the User to ask what to do. Then the Requester will eventually receive a normal OAuth access token. Lets call this the Host Access Token.
3. The Requester now tries the request to the protected resource again, sending the Host Access Token with it. The Host then needs to verify this token with the Authorization Manager by using the AM Access Token. If everything is ok, access is granted.

(one remark: I am not sure how limited access is done with this, e.g. you might want to decide whether somebody can e.g. get your full calendar details or just free/busy)

You can read more about all this including a lot of use cases in my transcript of the UMA Workshop led by Eve Maler. The draft specification (which is work in progress) can be found here, the claims format here.

The prototype

Back in the day when UMA started, I was an active participant in the group but at some time had to drop because of time constraints and because the specification back then felt kinda complicated to implement. But luckily this has changed now. Thanks to the developments in OAuth and OAuth 2.0 the specification is now based on OAuth 2.0 which makes it much simpler than the original one.

But as a specification is only any good if you can implement it in a day I wanted to try it out right after the workshop on tuesday afternoon. The result can be found here and it’s a merged implementation of a UMA Host, Requester and Authorization Manager. I cheated a bit on step 1 and preintroduced them in code and I also did not implement the specification in all details (which makes it kinda insecure). The main process is in there though and for half a day work I am quite happy about the outcome.

The implementation hopefully also helps to identify misleading or missing parts in the specification which can then be fixed accordingly. I already made some comments via Diigo on the specification page.

So here is a screenshot of the Authorization Manager:

The code is open source and licensed under an MIT license.

The future goals for it are:

• Make it compliant to the specification while also working on the specification itself
• Split it into Host, Requester and Authorization Manager modules and try to make things into a library where possible
• Do a full fledged Authorization Manager implementation with audit, claims and so on.

All this depending on my spare time of course. There are also other implementations ongoing as you can see on the implementation page. This hopefully helps to also do proper interop testing.

All in all I am happy with the progress UMA did and here at the conference there also seems to be quite some interest in that work which also is motivating of course. So in case you are interested as well you might want to join the UMA workgroup at Kantara (which only involves agreeing to the IPR regulations).

It is build upon JanRain’s RPX service which makes it easy to use any of those login methods without implementing all of them. You only need to implement one method and this is the RPX method.

plonesocial.auth.rpx does just that.

Here is a little screencast I did showing you how it looks to the user:

(Link to YouTube video)

There is also an installation documentation, the source code is on bitbucket and here is the Plone product page.

The development of this product was sponsored by COM.lounge.

On March 15-19 the Plone Cathedral Sprint happened at the GFU Cyrus AG in Cologne, Germany. Focus was on fixing outstanding bugs in Plone 4.0 (soon to be released) and to start work on Plone 4.1.

About 25 sprinters have been on site working on it for 5 days. I took the opportunity to talk to Eric Steele, the release manager of Plone 4.0 for COM.lounge TV:

(Download MP3)

Eric was also asking people to perform screencasts on what they have been working on and as videos show more than 1000 words, here are those demos:

ReferenceBrowserWidget Overlays by Tom Gross

(Link to video)

New Search Results by Denys Mishunov

(link to video)

A new UI for Collections by Geir Baekholt

(link to video)

A new discussion component by Timo Stollenwerk

(link to video)

Updates on Plone Events by Vincent Fretin

(link to video)

A Finder for Plone by Robert Niederreiter

(link to video)

There of course has been lots more going on such as:

• German and dutch translations for Plone 4 (Martijn Schenk and Jan Ulrich Hasecke)
• Performance Improvements including the storage and handling of image data (Andreas Zeidler and Simon Pamies)

Here are more photos from the sprint and the tour of the bewery by Armon Stross-Radschinski:

A big thanks to the organizers for doing a great job on organizing such a productive sprint!

Another IETF meeting is over and the OAuth crowd has met again! Lots of talk has been going on in the OAuth realm partly under the name of WRAP. Now what has WRAP to do with OAuth and what will happen in OAuth2.0 on which work has begun now?

In order to give us a glimpse of what is going on we have been interviewing David Recordon, co-inventor of OpenId and OAuth and now working at Facebook on Open Source and Open Standards. You can find this interview in our podcast “Data without Borders” or simply click here to get to the episode and the shownotes.

(photo by Joi Ito)

Today Cecilia Malmström, European Commissioner for Home Affairs, revealed her plans on fighting child abuse on the internet which means blocking such sites in the EU. From the proposal (which is not yet public but based on this proposal):

Each Member State shall, in accordance with the basic principles of its legal system, take the necessary measures to obtain the blocking of access by Internet users to Internet pages containing or disseminating child pornography, inter alia, by facilitating the competent judicial or police authorities to order such blocking or by supporting and stimulating Internet Service Providers on a voluntary basis to block such Internet pages. The blocking shall be subject to adequate safeguards, in particular to ensure that the blocking is limited to what is necessary, that users are informed of the reason for the blocking and that content providers, as far as possible, are informed of the possibility of challenging it.

(underlined are compromise proposals)

We had this discussion in germany last year and by now most of the parties see such a measures as not useful to help fighting child pornography. Thus it’s sad to see how this topic comes back through the backdoor of the EU.

The proposed method in germany was to ask ISPs to manipulate their DNS servers and redirect traffic to sites on a blacklist to a STOP sign with some explanation.

Here are 10 reasons why it does not really help but instead is a threat to the freedom of information on the internet:

1. Blocking these sites does not make these sites go away. They are still on the internet and can be accessed by anybody capable of circumventing the filters.
2. You can never make sure that no overblocking is happening. Due to the nature of some mechanisms such as DNS blocking you can only block whole domains not individual URLs. Moreover it’s not that easy to judge whether something should be blocked or not. Moreover it is not made mandatory that a judge has to be involved.
3. The blacklist needs to be classified. This means the public cannot check its contents and thus there is a threat of possible censorship. This might eventually just happen by accident to sites which criticize this law. Again a threat to freedom of communication.
4. If those lists leak (and they have in the past) it’s a shopping list for people searching for such sites. This is defeats the whole purpose.
5. Sites usually can be taken down (read: Content will be deleted) worldwide which an experiment of Alvar Freude of AK Zensur (Taskforce Censorship) in Germany showed. He managed to get 61 sites from a leaked list deleted within 12 hours. Moreover these sites are not really outside the jurisdiction of Europe or the USA as this graphic shows:
   (Chart by Florian Walther based on the leaked blacklists, red=many sites, another one here).

   This is also confirmed by a letter from the german federal police, which says that the number 3 countries which host child porn are USA, Germany and the Netherlands.

6. Blocking a website can be detected by the criminal operating of the website if looking for it (and thus expecting it). Thus it also means a warning for that criminal.
7. Only blocking a website also means that the criminal operating it will go uncharged.
8. The blacklists will usually not be re-checked if the content is still there and deleted if it isn’t.
9. Site operators which get on the blacklist are not informed about it and thus cannot protest against an eventual wrong decision.
10. Those filters can usually be circumvented quite easily. There is a video on YouTube showing on how to do that in a few seconds for the proposed german filters.
11. Abusive content is not only exchanged by means of the Word Wide Web but many other channels like IRC, NNTP, freenet etc., too. These channels will not be caught by access blocking.

It should be clear that such measures can not only be used against sites containing child porn but also potentially against any other content. In Germany it did not take long before all sorts of lobbies wanted to extend the list with general porn sites, foreign gambling sites, file sharing sites  and more.

The main problem though is the absence of the division of powers because usually the police departments control the lists.

What should be done?

If investigators would go after sites in Europa and USA much would be won already. This basically means:

1. Deleting sites instead of just blocking them
2. Strengthen international cooperation
3. Providing more personal to the police to be able to investigate more in these areas

There are surely useful things mentioned in that proposal but access blocking is not one of them.

Child porn as freedom of expression?

Another thing I want to make clear: Cecilia Malmström stated again today that it cannot be that child porn should be protected as a form of freedom of expression.

Nobody says something like that though. All that critics of this and similar proposals say is that it can limit the freedom of expression because it installs a censorship infrastructure which can easily be misused.

We had a big change of mind during the discussion about a similar law in Germany and except the conservatives now everybody agrees that it’s useless.

Let’s hope for a quick change of mind in Europe, too!

And for this to happen please make the problem public, call and write your MEPs and explain it to them!

More on the matter:

Follow the #censilia hashtag (after #zensursula, the hashtag for minister Ursula von der Leyen who has similar plans)

Here is a list of those talks:

CLTV41: Scaling with NoSQL
CLTV42: NoSQL in the Cloud
CLTV43: Lightning Talks
CLTV44: Schema Design with Document-Oriented Databases
CLTV45: The Evolution of the Graph Data Structure from Research to Production
CLTV46: Toward Web Standards for NoSQL
CLTV47: Lab Session on Apache CouchDB
CLTV48: What’s new in MongoDB 1.4

You can subscribe to COM.lounge TV via iTunes here:

You can find the event description here.

The biggest impact of course had Google Wave thanks to the buzz Google created around it. And indeed the technology behind it is impressive as it allows collaboration on a keystroke by keystroke basis even across several servers. Google Wave still has a long way to go though before becoming a really useful tool. It needs a better (or one at all) client-server protocol unifying robots and web clients, it needs an open source web client or preferably many of them and of course it also needs more experiments with usability including definitions of workflows and ACLs.

But Google Wave is not the only thing happening these days. There also is Mozilla Bespin, an online text editor for programmers, which also sports collaboration features although they also need some work. And there is EtherPad which allows for online collaboration with a simple RichText editor and is really easy to use.

So maybe it is no wonder that Google acquired AppJet, the company behind EtherPad, in order to integrate it with Google Wave, one hears. This raised the question though what it actually is they want to integrate because their own Wave client already has all the features of EtherPad, if not more (like gadgets, file uploads etc.).

Moreover users of EtherPad haven’t been impressed by the decision of Google to basically shutdown EtherPad or at least the public creation of new pads (as documents are called there). Luckily Google and AppJet listened to them and reopened the creation of public pads.

Open Source FTW

But the big news in that news transition plan is not the reopening but instead the announcement that EtherPad and the server infrastructure behind it will be open sourced. This is really great news as I see more and more people’s need to be able to collaborate online in an easy way. Here EtherPad really shines of course mainly because it’s simplicity and because there is no need to register to use it (unlike Google Wave).

What’s missing?

The good news about Google Wave is that it also is open source, at least partly. There is the Google Wave Federation Prototype Server which you can install yourself on your server but this only federates with the Google Wave Sandbox which is a different server than the Google Wave Preview. Moreover it does not allow you to use accounts you might create on your own Federation Prototype Server.
This basically means that for using the Google Wave Web client you always need to have a Google account which is not what the promise of Google Wave has been (which was that you can run your own Wave infrastructure behind your firewall). What’s missing is really a viable open source alternative to the Google Wave client.

Now EtherPad is doing something very similar although it is limited to be run on a single server. This is sufficient though for most cases esp. if it’s really just about text editing. Nevertheless it would be great if the future of EtherPad would be to be an open source client for Google Wave and then capable of connecting to a wave server hosted by yourself. Unfortunately that blog post was quiet about whether this is the plan or not. And if not is also needs to be seen if the code base actually allows for easy integration.

We also shouldn’t forget that there is another Google Wave client called pygowave which is an attempt to start not with federation (meaning the synchronisation between servers as the Prototype server does) but with the online collaboration aspect. Unfortunately it’s broken for me right now but eventually this might morph itself into a Google Wave client which can connect to a server hosted by yourself. As it does not have the manpower of Google behind it if still lacks many features of the official Google Wave client but to be honest I think some more experimenation on how Wave could be used and presented is also needed.

But while there are only bits and pieces around right now the outlook is promising because:

• with the Federation Prototype server there is a good basis for an easy to use server
• with EtherPad there is the possibility of an easy to use and open source Wave client or at least a different system for online collaboration
• with pygowave there is the possibility of an open source Wave client and server.

And most importantly of course if that many of these developments are happening in the open source space which avoids the demise of some great products to end up in some drawer to never see the light of the day again.