This issue of XML Daily Newslink is sponsored by:
SAP AG http://www.sap.com
- W3C Call for Implementations: XML Binding Language (XBL) 2.0
- Mandatory Open Standards in Denmark
- Lightbulb is Dead: Long Live OpenSSO Extensions!
- A Phased Approach for Converting SQL-centric Applications to LINQ
- SAP Architecture: Enterprise SOA Basics
- Web Services Profile of XACML (WS-XACML)
- Entitlement Management: The Next Security Wave
- MSXML4 is Going to Be Kill Bit-ed
- Real-world IT Security Challenges: Doing Away with Passwords
- Red Hat Strikes Back With Next Generation Linux
W3C Call for Implementations: XML Binding Language (XBL) 2.0
Ian Hickson (ed), W3C Technical Report
W3C has announced the advancement of the "XML Binding Language (XBL) 2.0" specification to the status of Candidate Recommendation. The Working Group now encourages implementations. This specification will remain at the Candidate Recommendation stage until two complete and interoperable implementations exist, and will not conclude before 1-September-2007. An implementation will only be considered if it is publicly downloadable or available through some other public point of sale mechanism, and is intended for a wide audience and could be used on a daily basis. To be "complete and interoperable", an implementation must pass every test in a comprehensive test suite of every normative requirement of this specification. Written feedback is also welcome: the editor guarantees that all feedback sent to the above lists will receive responses before this specification advances to the next stage of the W3C process. While feedback is welcomed on all aspects of this specification, especially from implementors and authors using XBL on the Web, feedback is especially requested on two contentious issues: (1) possible use of the global 'xml:id' attribute instead of 'id'; (2) a possible new feature to allow a script running outside the element's bindings to get access to the shadow tree or its bound element in the absence of an explicit binding. The XML Binding Language (XBL) describes the ability to associate elements in a document with script, event handlers, CSS, and more complex content models, which can be stored in another document. This can be used to re-order and wrap content so that, for instance, simple HTML or XHTML markup can have complex CSS styles applied without requiring that the markup be polluted with multiple semantically neutral 'div' markup elements. The element that the binding is attached to, called the bound element, acquires the new behavior and presentation specified by the binding.
Bindings can contain event handlers that watch for events on the bound element, an implementation of new methods and properties that become accessible from the bound element, shadow content that is inserted underneath the bound element, and associated resources such as scoped style sheets and precached images, sounds, or videos. XBL can also be used to implement new DOM interfaces, and, in conjunction with other specifications, enables arbitrary tag sets to be implemented as widgets. For example, XBL could be used to implement the form controls in XForms or HTML. A companion document "Behavioral Extensions to CSS" describes a way to link to binding technologies, such as XBL, from CSS style sheets. This allows bindings to be selected using the CSS cascade, and thus enables bindings to transparently benefit from the user style sheet mechanism, media selection, and alternate style sheets.
See also: Behavioral Extensions to CSS
Mandatory Open Standards in Denmark
John Goetze, Blog
The Danish Minister of Science, Technology and Innovation, Helge Sander, recently made a press announcement about his plan for following up on the Parliament Resolution 8 months ago. The implementation plan is presented in a report which suggests that "open standards should be implemented gradually by making it mandatory for the public sector to use a number of open standards when this becomes technically feasible". The report identifies an initial set of open standards as candidates for mandatory use from 1 January 2008 "if an economic impact assessment shows that this will not involve additional costs to the public sector". The implementation plan's elements are as follows [excerpted]: (1) "From 1 January 2008, all new public IT solutions should make use of the mandatory open standards relevant to the IT solution in question unless there are significant reasons for not complying with these standards."; (2) "If there are significant reasons for not complying with the relevant mandatory open standards, this must be reported on signing the contract, stating the reasons for applying the exceptional provisions." [...] The proposed mandatory standards from 1-January-2008 fall within the following areas: standards for data interchange between public authorities; standards for electronic file and document handling; standards for exchanging documents between public authorities (Open Document Format and Office OpenXML); standards for electronic procurement in the public sector; standards for digital signatures; standards for public websites / homepages; standards for IT security -- only within the public sector. Around a dozen standards: compliant XHTML or HTML, compliant CSS, WAI Level 2, OCES (digital signature), XML 1.0, XML Schema 1.0, NDR 3.0, FESD (document management), OIOUBL, UNSPSC, and DS484 (ISO 17799).
With regard to standards for exchanging documents between public authorities, the report proposes that "it should be mandatory to use at least one of the document standards Open Document Format or Office OpenXML", and that it is up to the individual agency to decide what they want. The report explains that a study will be conducted this year with the purpose of obtaining the necessary experience with these standards before 1-January-2008...
See also: the report summary
Lightbulb is Dead: Long Live OpenSSO Extensions!
Pat Patterson, Blog
In October 2006, OpenSSO developers released the first SAML 2.0 implementation in PHP, codenamed 'Project Lightbulb' (because Lightbulb fits into LAMP). Lightbulb was initiated as an Open Web Single Sign-On (OpenSSO) subproject, designed to achieve federated identity for LAMP (Linux, Apache, MySQL, PHP, Python, and Perl) and MARS (MySQL, Apache, Ruby, and the Solaris Operating System). Lightbulb offered a service provider (SP) written in PHP with Security Assertion Markup Language (SAML) 2.0. In the few months since then, other folks have proposed similar extensions to OpenSSO, and the 'Lightbulb' name has looked increasingly anachronistic, particularly since the core OpenSSO project has always fully supported LAMP with its Apache HTTP Server and Tomcat policy agents. "Today, we launch OpenSSO Extensions, OpenSSO's code incubator, with three initial modules: (1) The SAML 2.0/PHP relying party formerly known as Project Lightbulb; (2) An OpenID Identity Provider for OpenSSO, contributed by long-time OpenSSO committer, Paul Bryan; (3) A PHP Client SDK for OpenSSO, contributed by Francesco Chicchiricco. To come: SAML 2.0 Ruby Relying Party. So: what is an OpenSSO Extension? Well, it's any piece of code that either extends OpenSSO to provide new functionality, for example, the OpenID identity provider, or interfaces with OpenSSO, extending other systems, such as the PHP Client SDK and SAML 2.0 relying party. OpenSSO Extensions is an incubator for modules that build on the access control, single sign-on and federation technology in OpenSSO, but are not part of the core project..."
See also: the OpenSSO Extensions web site
A Phased Approach for Converting SQL-centric Applications to LINQ
Thiru Thangarathinam, DevX.com
Almost all applications need to integrate some sort of data, often from multiple data sources such as SQL Server or Oracle database tables. In .NET languages, you would traditionally perform these operations using SQL or an SQL variant in conjunction with a data access technology such as ADO.NET. But when applications need to perform similar data operations against XML files, you would need to write code using the XML classes provided by the .NET Framework. While the intent -- retrieving and updating data from a store -- is the same in both cases, the knowledge and the code implementations required differ significantly for each data store. Until now, data access in the .NET framework has lacked a unified and consistent approach to accessing data from disparate data sources. To solve these data access inconsistencies, Microsoft introduced LINQ, the Language INtegrated Query Framework, which adds general-purpose query facilities for querying all types of information, including (but not limited to) relational and XML data. This article discusses a phased approach to migrating an existing SQL-centered ASP.NET Web site to leverage LINQ. [Note, from the LINQ Overview: "After two decades, the industry has reached a stable point in the evolution of object-oriented (OO) programming technologies. It has become apparent that the next big challenge in programming technology is to reduce the complexity of accessing and integrating information that is not natively defined using OO technology. The two most common sources of non-OO information are relational databases and XML. Rather than add relational or XML-specific features to our programming languages and runtime, with the LINQ project we have taken a more general approach and are adding general purpose query facilities to the .NET Framework that apply to all sources of information, not just relational or XML data. This facility is called .NET Language Integrated Query (LINQ).
The extensibility of the query architecture is used in the LINQ project itself to provide implementations that work over both XML and SQL data. The query operators over XML (XLinq) use an efficient, easy-to-use in-memory XML facility to provide XPath/XQuery functionality in the host programming language. The query operators over relational data (DLinq) build on the integration of SQL-based schema definitions into the CLR type system. This integration provides strong typing over relational data while retaining the expressive power of the relational model and the performance of query evaluation directly in the underlying store."]
See also: the LINQ Overview
SAP Architecture: Enterprise SOA Basics
Kareemullah Shah Quadri, Blog
"So what is it all about these buzz words like SOA, ESA? The following article briefly touches upon the Service oriented Architecture and how it relates to SAP's vision of transforming the Enterprise business logic into a set of service oriented components. The intended audience is basically the beginners who want to know about SOA and ESA, developers who want to scale up their skills to 'possibly' the new, or may I say, the next architectural and programming paradigm for SAP. The article covers: Basic Terminology of Software Architectures; SOA definition -- why, what, when and how; ESA and its relation to SOA; Evolution of SAP architecture; What does this change mean for developers? SOA is a design for linking computational resources (principally, applications and data) on demand to achieve the desired results for service consumers, which can be end users or other services. Services communicate with their clients by exchanging messages which are platform independent. Thus the services are defined by the messages they can accept and the responses they can give, which is why XML as a standard platform independent way of exchanging messages becomes all the more important. Enterprise Service oriented Architecture is the adoption of SOA at an enterprise level. It breaks the traditional Client server application oriented architecture. What Enterprise oriented architecture has done is to break down each of the core business functionality into services. This paves the way for building reusable components (services) using the existing service repository and hence promoting a common interoperable platform for service reuse across disparate systems not only within but also across the systems spanning organisations and its partners... Although service based architecture in Enterprise systems seem to satisfy a more flexible model of computing, does it or can it come with more set of problems vis-a-vis performance, user response time, confusion between similar set of services?
Can an agent based Architecture with a set of mobile agents performing the services help overcome the drawbacks? An Agent can be an independent entity performing a set of tasks, for example an agent for handling purchase orders which can replicate and travel across the network. Do you think the agent based architecture in its true sense (mobile agents across the network) will be the next Architectural paradigm for the Enterprise?
See also: Standards and Enterprise SOA
Web Services Profile of XACML (WS-XACML)
Anne Anderson, OASIS Presentation
This PDF document summarizes a presentation made at the OASIS XACML TC Face-to-Face meeting on 13-March-2007. Outline: Web Services Policy Background; XACML Web Services Policy Assertions; XACML Assertion Format; XACML Assertion Matching; Defined XACML Assertions [XACMLAuthzAssertion, XACMLPrivacyAssertion]; New XACML Functions and Attribute Identifiers; Open Issues. Abstract from "Web Services Profile of XACML (WS-XACML) Version 1.0": "This document specifies ways to use XACML in the context of Web Services for authorization, access control, and privacy policies. It specifies four types of information. (1) An authorization token or credential based on XACML to be used in a Web Services context for conveying an authorization decision from a trusted third party to a Web Service. (2) A policy Assertion type based on XACML elements for use with WS-Policy or other schemas and protocols; this Assertion may be used to convey both requirements and capabilities related to authorization, access control, and privacy for Web Service clients and for the services themselves. This Profile specifies standard formats, matching semantics, and usage guidelines for two Assertions derived from this type: one for authorization policies and the other for privacy policies. (3) Some ways in which Attributes for a client MAY be passed to a Web Service as part of a SOAP message in such a way that they can be authenticated as having been issued by a trusted authority. These Attributes may be used by the Web Service in evaluating the internal XACML policies of a service or enterprise that are relevant to a given Web Services access. (4) How to express P3P policy preferences and match them using the new Assertion based on XACML."
See also: WD 08
Entitlement Management: The Next Security Wave
Linda Musthaler, Network World
Burton Group analyst Gerry Gebel calls "entitlement management" an important new development in the security arena -- one that you'll want to bring into your organization soon. Traditionally, entitlements have been built into each application your enterprise has. The new strategy is to remove access management from the applications and run it as a shared service in front of the applications. Entitlement management can be used to strengthen the security of Web services, Web applications, legacy applications, documents and files, and physical security systems. This approach has several benefits. First and foremost, it gives you the ability to implement a data-driven policy that is consistent across all applications. This is becoming more important in the face of regulatory pressures from Sarbanes-Oxley, HIPAA, PCI, and the like. With an entitlement management service, you can simplify your audit and compliance burden. There are several vendors with products on the market today. Many have chosen a three-module architecture consisting of the Policy Administration Point (PAP) to provide centralized administration management; the Policy Decision Point (PDP) to evaluate resource-specific authorization policies; and the Policy Enforcement Point (PEP) to enforce the entitlement policies. Rajiv Gupta, founder and CEO of Securent, says that entitlement management is a strategic layer in the enterprise, and that it will take years for most companies to deploy one across their entire company. Many have deployed it across key applications and lines of business in only a few months' time, though. He doesn't expect many organizations are willing to rewrite custom applications to remove the entitlement layer today. However, as more companies adopt the notion of a service-oriented architecture (SOA), entitlement management will certainly be a critical service to centralize.
See also: the earlier Securent announcement
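The PAP/PDP/PEP split described above, as an added example that is not any vendor's code: the PAP is the one place policies are stored, the PDP evaluates a request against every applicable policy with deny-overrides, and the PEP in front of the application lets only an explicit Permit through and records every decision for audit. The purchase-order policy, the separation-of-duties rule and all names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    """Attributes the PEP collects for one access attempt (constructed sample)."""
    subject: dict      # e.g. {"user": "alice", "roles": {"approver"}}
    resource: dict     # e.g. {"type": "purchase-order", "owner": "bob"}
    action: str        # e.g. "approve"


@dataclass
class Rule:
    effect: str                            # "Permit" or "Deny"
    condition: Callable[[Request], bool]   # the rule fires when this is True


@dataclass
class Policy:
    name: str
    target: Callable[[Request], bool]      # does this policy apply at all?
    rules: list


class PolicyAdministrationPoint:
    """PAP: the single place where policies are authored and stored."""
    def __init__(self):
        self.policies: list = []

    def add(self, policy: Policy) -> None:
        self.policies.append(policy)


class PolicyDecisionPoint:
    """PDP: evaluates a request against all applicable policies, deny-overrides."""
    def __init__(self, pap: PolicyAdministrationPoint):
        self.pap = pap

    def decide(self, req: Request) -> str:
        effects = [r.effect for p in self.pap.policies if p.target(req)
                   for r in p.rules if r.condition(req)]
        if "Deny" in effects:          # any Deny wins over any Permit
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"         # nothing matched; the PEP treats it as deny


class PolicyEnforcementPoint:
    """PEP: sits in front of the application; only an explicit Permit passes."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit: list = []          # one record per decision, for audit/compliance

    def enforce(self, req: Request) -> bool:
        decision = self.pdp.decide(req)
        self.audit.append((req.subject["user"], req.action,
                           req.resource["type"], decision))
        return decision == "Permit"


def build_pap() -> PolicyAdministrationPoint:
    """Constructed sample: role-based Permit plus a separation-of-duties Deny."""
    pap = PolicyAdministrationPoint()
    pap.add(Policy("po-approval", lambda r: r.resource["type"] == "purchase-order", [
        Rule("Permit", lambda r: r.action == "approve" and "approver" in r.subject["roles"]),
        # Separation of duties: nobody approves an order they created themselves.
        Rule("Deny", lambda r: r.action == "approve"
             and r.resource["owner"] == r.subject["user"]),
    ]))
    return pap


def decide_for(user: str, roles: set, owner: str, action: str) -> str:
    """PDP decision only, for a purchase-order request (demo helper)."""
    req = Request({"user": user, "roles": set(roles)},
                  {"type": "purchase-order", "owner": owner}, action)
    return PolicyDecisionPoint(build_pap()).decide(req)


def check(user: str, roles: set, owner: str, action: str) -> bool:
    """Full path through the PEP: True only on an explicit Permit."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(build_pap()))
    req = Request({"user": user, "roles": set(roles)},
                  {"type": "purchase-order", "owner": owner}, action)
    return pep.enforce(req)
```

Because the application only ever sees the PEP's boolean, moving the rules in `build_pap` changes authorization everywhere at once, which is the consistency benefit the article describes.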
MSXML4 is Going to Be Kill Bit-ed
Staff, Microsoft XML Team's MSXML WebLog
"As a part of our MSXML4 End of Life plan, we are going to kill bit MSXML4 in the October - December 2007 timeframe of this year. Kill Bit applies to Internet Explorer only. After the kill bit, applications will not be able to create MSXML4 objects in the browser. Applications outside IE like C++ apps will continue to work with MSXML4. We are announcing this in advance so that our customers get sufficient time to try their applications with MSXML6 and give us feedback on their experience. We are going to kill-bit MSXML4 to ensure a secure browsing experience for our customers. We are planning to also remove MSXML4 from the Download Center page within the next twelve months. Support for MSXML4 going forward will be restricted to high impact security issues only. MSXML6 is the latest version available to MSXML customers today. This is where all the functionality, performance and security improvements are going in. In addition, MSXML6 provides improved W3C compliance and increased compatibility with System.XML in .Net. The recommendation for MSXML customers is to program using MSXML6 and upgrade applications using older versions to MSXML6. We believe this is the best plan for MSXML customers going forward: it avoids confusion regarding multiple versions, ensures a safe browsing experience when using MSXML, and provides a path to use future functional improvements. We strongly encourage everyone to start using MSXML6 SP1. MSXML6 SP1 is now available for all supported downlevel platforms. The summary is: MSXML6 should be your first choice. This is the MSXML version that will be carried forward. MSXML6 shipped with Vista and we are working on getting this in downlevel OS Service Packs. MSXML3 has the advantage of having shipped with every supported OS; we are committed to keeping MSXML3 robust and stable but won't be adding any functional improvements. MSXML4 is in maintenance mode with a very high bar for fixes approaching End of Life.
MSXML 5 is exclusively meant for Office. Do not take any dependencies on it." The download is available for Microsoft Core XML Services (MSXML) 6.0 Service Pack 1: "MSXML 6.0 Service Pack 1 (MSXML6.1) has improved reliability, security, conformance with the XML 1.0 and XML Schema 1.0 W3C Recommendations, and compatibility with System.Xml 2.0." Supported Operating Systems: Windows 2000 Service Pack 4; Windows Server 2003; Windows Server 2003 Service Pack 1; Windows XP Service Pack 2.
See also: the download
Real-world IT Security Challenges: Doing Away with Passwords
Roger A. Grimes, InfoWorld
This article reports on a particular company that's doing away with passwords altogether because it considers passwords one of the weakest links in its security armor. It has moved to RSA tokens for two-factor VPNs and fingerprint readers for local logons. The company did a multiyear test into the best fingerprint readers. The company is trying to remove any instance where an employee would have to put in a password so that it can increase the password length to a far greater than normal maximum. In this particular case, it wanted the minimum password size to be 128 characters or greater. Yes, it understands that Windows logon passwords only go to 127 characters, but it is willing to patch the appropriate DLLs. The thought is to make passwords so uncrackable and unguessable that they essentially become a crypto private key (although that would be a misnomer). With passwords at 128 characters, a password cracker obtaining one of the password hashes would be far more likely to have a hash collision -- which is just as good as the real password in a Windows environment -- than to crack the actual password... Under this plan, employees would face a logon screen where they would enter their PIN and RSA token information and get authenticated. Behind the scenes, RSA and Citrix would accept the two-factor token authentication information and pass an extremely long Windows password to authenticate to the needed Windows resources. It was an interesting proposal, so I called RSA and Citrix. Both companies replied back immediately that, yes, this was possible... Both RSA and Citrix had quality products, were responsive, and had great integration documentation. I can say this: If you are thinking of getting away from passwords, RSA and Citrix have a great integration solution for you.
Red Hat Strikes Back With Next Generation Linux
Sean Michael Kerner, InternetNews.com
Red Hat released the latest version of its Red Hat Enterprise Linux 5 (RHEL) flagship product today with a flurry of new features, upgrades and improvements. The RHEL 5 release comes as Red Hat faces a multi-front battle in the operating systems space against rivals Microsoft, Novell and Oracle. In this release, Red Hat is touting new virtualization, security, storage and application options that it hopes will keep it ahead of competitors making a run for Red Hat's market share. Paul Cormier, executive vice president of engineering at Red Hat, called it not just the next release of the operating system, but the next generation for Red Hat. Virtualization is a key new aspect of RHEL 5, which has been under development for the past eighteen months. It includes a fully integrated server virtualization capability that extends throughout the operating system and is fully manageable. New capabilities added to Red Hat's Network management solutions extend it to enable the detection, management and creation of new virtualized RHEL guests. The SELinux implementation got a big security overhaul in this release, too. SELinux implements mandatory access controls in the kernel, which allows programs to run with only the permissions they need. The general idea is that by improving access control overall, security is improved. By contrast, the SELinux implementation in the prior version of RHEL was considered by many to be difficult to implement because it lacked an exhaustive list of targeted policies for application deployments. The Red Hat Database Availability Solution is all about making databases such as Oracle, Sybase, MySQL, EnterpriseDB, IBM's DB2 and others more reliable in a clustered database system.
XML Daily Newslink and Cover Pages are sponsored by:
BEA Systems, Inc. http://www.bea.com
Sun Microsystems, Inc. http://sun.com
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/