This issue of XML Daily Newslink is sponsored by:
SAP AG http://www.sap.com
- Go RBAC Now: Implement Role-Based Access Control for Stronger Security
- Introducing E4X (ECMAscript for XML)
- Defining the Grid: A Roadmap for OGSA Standards Version 1.1
- Is the Web Losing Its Edge?
- DMTF Celebrates Common Information Model (CIM) at 10 Years
- Serena Software Joins Mashup Mania
- SOAP Profile for XACML-SAML
- OASIS Extensible Resource Identifier (XRI) Resolution Version 2.0
- EFF Confirms Comcast's BitTorrent Degradation
Go RBAC Now: Implement Role-Based Access Control for Stronger Security
Roger A. Grimes, InfoWorld
Good computer security is driven by role-based, least-privilege access control. Each user should be given only the access necessary to perform their job; better still, only the access needed for the specific task they are performing at a specific point in time. Unfortunately, even though role-based access control (RBAC) was formally introduced in 1992, it is still in its infancy on most platforms. There are many role-based management tools that work on Windows, Linux, and other OSes, but the most popular products work with only a few large applications (SAP, PeopleSoft, and so on) or simply haven't been widely adopted. There are also many developing RBAC initiatives, such as the OASIS XML-based RBAC effort for Web-based content, the "Core and Hierarchical Role Based Access Control (RBAC) Profile of XACML v2.0". Why investigate RBAC solutions? They are a good way to implement stronger security in your environment, and often they are required. Many industry-wide regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), require role-based access control; if you must support PCI DSS in your environment, review section 7 of the standard. Hospital and health-care entities are already aware that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates the use of RBAC to protect patient information. The vision of RBAC security is this: no one knows better what permissions or rights a particular end user needs when performing a particular task than the developer of the application. Unfortunately, this assumption is largely untrue. In general, most developers don't have a clue about the security needed to run their application; they just know that it runs perfectly fine when given Administrator or root privileges. This attitude is changing, with Windows Vista's User Account Control (UAC), Linux's sudo, and better development tools that allow the security an application actually needs to be measured and defined.
See also: the OASIS specification
Introducing E4X (ECMAscript for XML)
Kurt Cagle, XML.com
Defining the Grid: A Roadmap for OGSA Standards Version 1.1
C. Jordan and H. Kishimoto (eds)
The Open Grid Forum (OGF) has embraced the Open Grid Services Architecture (OGSA) as the blueprint for standards-based grid computing. 'Open' refers to the process used to develop standards that achieve interoperability. 'Grid' is concerned with the integration, virtualization, and management of services and resources in a distributed, heterogeneous environment. It is 'service-oriented' because it delivers functionality as loosely coupled, interacting services aligned with industry-accepted Web service standards. The document provides information to the Grid community regarding the roadmap of OGSA. It does not define any standards or technical recommendations, but contains schedule information for work being carried out by multiple OGF working groups and external organizations. One of the most important changes to the overall distributed grid architecture model in recent years has been the adoption of Web services as a foundation for method invocation and data exchange over a network. These services are built upon well-known Web service specifications and provide access to grid resources using XML messages, typically communicated using SOAP. XML Schema provides a common type system which, combined with the Web Services Description Language (WSDL), provides the building blocks for exchanging information across disparate systems. The evolving Web service specifications cover many functional areas, including message content, transport, security, transactions, metadata, and workflow. The Web Services Interoperability Organization (WS-I) has published the WS-I Basic Profile (BP) and the Basic Security Profile (BSP). OASIS has published the WS-Resource Framework (WSRF), which adds to Web services the notion of state that can be remotely accessed and monitored.
OGSA builds on this modular, non-proprietary foundation to define specifications that enable grid systems to interoperate and to share resources across organizational boundaries, defining a standardized grid service infrastructure. OGSA publishes this combination of evolving Web service specifications as OGF-developed OGSA profiles, establishing the definition of standardized, interoperable grid systems. OGSA recognizes that it is important to track the evolution of Web service specifications and to evaluate periodically their impact on the OGSA architecture and on the grid community as a whole. This roadmap serves that purpose by maintaining an enumeration of Web service dependencies and depicting their status in tables and graphics.
Is the Web Losing Its Edge?
Joab Jackson, Government Computer News Tech Blog
See also: Keith Fahlgren's blog
DMTF Celebrates Common Information Model (CIM) at 10 Years
Staff, DMTF Announcement
The Distributed Management Task Force released an announcement to celebrate the tenth anniversary of the launch of its Common Information Model (CIM) standard: "The DMTF Common Information Model Achieves 10 Years as an Open Standard: CIM Matures as a Pervasive Standard and Continues to Expand into New Markets." CIM provides a common definition of management information for systems, networks, applications and services, and allows for vendor extensions. CIM's common definitions enable vendors to exchange semantically rich management information between systems throughout the network. CIM is composed of a Specification and a Schema. The Schema provides the actual model descriptions, while the Specification defines the details for integration with other management models. In 1997, the DMTF CIM Sub-Committee, composed of participants from CA, Compaq (now HP), HP, Intel, Microsoft, Novell, Sun Microsystems and Tivoli Systems (now IBM), made CIM Version 1.0 available. During the next decade, CIM gained broad industry adoption. The standard has been implemented in all major operating systems since Windows 98 and is used as the fabric for server and desktop management. CIM has even moved into the virtual world to serve as the basis for DMTF's virtualization management technology. The technology has also expanded to provide definitions for storage management, peripherals, network components and applications. CIM has been implemented in many products currently offered by major corporations.
See also: Common Information Model (CIM) Standards
Serena Software Joins Mashup Mania
Larry Barrett, InternetNews.com
Serena Software has announced the general availability of its Business Mashups software suite, giving companies of all sizes the ability to build mashup applications without the hassle or expense of going through their IT departments. Tim Zonca (Serena Director of Product Marketing): "For every project IT is doing, 10 projects get ignored. This backlog isn't growing because IT is incompetent or doesn't have the right skills. It's a simple supply and demand issue. A lot of IT budgets haven't grown since 2000, so there's this ever-growing application backlog." Serena Software thinks it may have a solution that doesn't tax already overwhelmed IT departments, yet still makes it possible for employees to build customized mashups without taking engineering classes at night. Business Mashups 2008 includes the Mashup Composer and Mashup Server applications. The Composer component is a point-and-click visual design tool that connects various applications (for example, from an ERP or CRM system) and automates business processes such as sales discount approvals or time-off requests. Without writing any new code, users pick and choose the functionality and applications they want to mash together, click the "publish" button, and send their mashups to the Mashup Server. According to the announcement, Serena's pre-built Business Mashups automate common business and IT processes including vacation requests, employee onboarding, sales discount approvals, agile project management, support case escalations, and IT change requests. Additionally, Business Mashups combine content and processes from many different systems using industry-standard SOA and Web services interfaces, making it possible to quickly extend the functionality of existing applications.
See also: the announcement
SOAP Profile for XACML-SAML
Chad La Joie, SWITCH Working Draft
The SAML 2.0 Profile of XACML defines extensions to SAML V2.0 assertion and request-response protocol messages. This "SOAP Profile for XACML-SAML" specification defines the use of those messages over the SAML 2.0 SOAP binding. The document is a working draft produced by SWITCH as a product of its work within the EGEE JRA 1 working group. It is based on the OASIS working draft of the SAML 2.0 Profile of XACML, Version 2.0, and corrects and clarifies a significant number of items incorrectly specified in previous versions. From the author's posting: "For part of some EGEE work that I'm involved in I came up with a profile, in draft form currently, for the XACML over SAML protocol defined within the OASIS XACML working group. The basic goal of the document is to restrict possible options into a baseline subset such that discrete implementations might interoperate. I think Valerio [Venturi]'s summary of the document, as follows, is good: (1) requirement for using the SAML SOAP binding as in SAMLBind; (2) requirement for having mutual authentication between the requester and the responder; (3) some requirements on the elements usage; (4) requirements on authN, integrity and confidentiality. Note this document is only about interoperability at the protocol level; it does not speak to the other necessary item here, which is a profile for the information (attributes) within the XACML request/response context." EGEE (Enabling Grids for E-sciencE) brings together scientists and engineers from more than 240 institutions in 45 countries world-wide to provide a seamless Grid infrastructure for e-Science that is available to scientists 24 hours a day.
SWITCH [Swiss TeleCommunication System for Higher Education and Research; Teleinformatikdienste fuer Lehre und Forschung], serving Swiss universities since 1987, represents the interests of Switzerland as a research centre in numerous bodies; its key role therefore makes an important contribution to the development and operation of the Internet in Switzerland.
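The exchange the profile constrains, as an added example that is not code from the SWITCH draft, the EGEE project or OASIS: a PEP wraps an XACML Request in an XACMLAuthzDecisionQuery inside a SOAP 1.1 Body (the SAML SOAP binding), a PDP answers with a SAML Response whose Assertion carries an XACMLAuthzDecisionStatement, and the PEP accepts the answer only if it is a Success response from the expected issuer that correlates to its own query. The namespace URIs are those of the OASIS SAML 2.0 Profile of XACML v2.0 as the author recalls them and should be checked against the draft being implemented; attribute ids, host names and the policy table are constructed. The mutual authentication, integrity and confidentiality the profile requires are assumed to come from TLS with client certificates and are not shown.

```python
"""XACML authorization decision over the SAML 2.0 SOAP binding: query and response.
Added example; not code from the SWITCH draft, EGEE or OASIS. Namespace URIs are the
OASIS SAML 2.0 Profile of XACML v2.0 ones as the author recalls them (check them
against the draft you implement); attribute ids, hosts and the policy table are
constructed. Mutual authentication, integrity and confidentiality are assumed to come
from TLS with client certificates and are outside this snippet.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",   # SAML SOAP binding uses SOAP 1.1
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xsp": "urn:oasis:xacml:2.0:saml:protocol:schema:os",   # XACMLAuthzDecisionQuery
      "xsa": "urn:oasis:xacml:2.0:saml:assertion:schema:os",  # XACMLAuthzDecisionStatement
      "ctx": "urn:oasis:names:tc:xacml:2.0:context:schema:os"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Constructed policy table: (resource, action) -> roles permitted.
POLICY = {("https://example.org/report.pdf", "read"): {"employee", "manager"},
          ("https://example.org/report.pdf", "delete"): {"manager"}}

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def _attr(parent, attr_id, value):
    a = ET.SubElement(parent, q("ctx", "Attribute"), AttributeId=attr_id,
                      DataType="http://www.w3.org/2001/XMLSchema#string")
    ET.SubElement(a, q("ctx", "AttributeValue")).text = value

def build_query(pep, role, resource, action):
    """PEP side: an XACML Request inside an XACMLAuthzDecisionQuery inside a SOAP Body."""
    env, qid = ET.Element(q("soap", "Envelope")), "_" + uuid.uuid4().hex
    query = ET.SubElement(ET.SubElement(env, q("soap", "Body")), q("xsp", "XACMLAuthzDecisionQuery"),
                          ID=qid, Version="2.0", IssueInstant=now(),
                          InputContextOnly="true", ReturnContext="false")
    ET.SubElement(query, q("saml", "Issuer")).text = pep   # the profile makes Issuer mandatory
    req = ET.SubElement(query, q("ctx", "Request"))
    _attr(ET.SubElement(req, q("ctx", "Subject")), ROLE, role)
    _attr(ET.SubElement(req, q("ctx", "Resource")), RESOURCE, resource)
    _attr(ET.SubElement(req, q("ctx", "Action")), ACTION, action)
    ET.SubElement(req, q("ctx", "Environment"))
    return qid, ET.tostring(env, encoding="unicode")

def pdp_respond(query_xml, pdp):
    """PDP side: evaluate against POLICY; answer with a SAML Response correlated by InResponseTo."""
    query = ET.fromstring(query_xml).find("soap:Body/xsp:XACMLAuthzDecisionQuery", NS)
    req = query.find("ctx:Request", NS)

    def value(category, attr_id):
        for a in req.findall("ctx:%s/ctx:Attribute" % category, NS):
            if a.get("AttributeId") == attr_id:
                return a.findtext("ctx:AttributeValue", namespaces=NS)
        return None

    role, res, act = value("Subject", ROLE), value("Resource", RESOURCE), value("Action", ACTION)
    allowed = POLICY.get((res, act))
    decision = "NotApplicable" if allowed is None else ("Permit" if role in allowed else "Deny")
    env = ET.Element(q("soap", "Envelope"))
    resp = ET.SubElement(ET.SubElement(env, q("soap", "Body")), q("samlp", "Response"),
                         ID="_" + uuid.uuid4().hex, Version="2.0", IssueInstant=now(),
                         InResponseTo=query.get("ID"))
    ET.SubElement(resp, q("saml", "Issuer")).text = pdp
    ET.SubElement(ET.SubElement(resp, q("samlp", "Status")), q("samlp", "StatusCode"), Value=SUCCESS)
    assertion = ET.SubElement(resp, q("saml", "Assertion"), ID="_" + uuid.uuid4().hex,
                              Version="2.0", IssueInstant=now())
    ET.SubElement(assertion, q("saml", "Issuer")).text = pdp
    stmt = ET.SubElement(assertion, q("xsa", "XACMLAuthzDecisionStatement"))
    result = ET.SubElement(ET.SubElement(stmt, q("ctx", "Response")), q("ctx", "Result"),
                           ResourceId=res or "")
    ET.SubElement(result, q("ctx", "Decision")).text = decision
    return ET.tostring(env, encoding="unicode")

def pep_decision(query_id, response_xml, expected_pdp):
    """PEP side, fail closed: only a Success response from the expected PDP answering this
    query with Permit grants access; anything else, including unparsable XML, is Deny."""
    try:
        resp = ET.fromstring(response_xml).find("soap:Body/samlp:Response", NS)
    except ET.ParseError:
        return "Deny"
    code = None if resp is None else resp.find("samlp:Status/samlp:StatusCode", NS)
    if (resp is None or resp.get("InResponseTo") != query_id
            or resp.findtext("saml:Issuer", namespaces=NS) != expected_pdp
            or code is None or code.get("Value") != SUCCESS):
        return "Deny"
    decision = resp.findtext("saml:Assertion/xsa:XACMLAuthzDecisionStatement/"
                             "ctx:Response/ctx:Result/ctx:Decision", namespaces=NS)
    return "Permit" if decision == "Permit" else "Deny"

def authorize(role, resource, action, pep="https://pep.example.org", pdp="https://pdp.example.org"):
    """Whole exchange in-process: PEP builds the query, PDP answers, PEP checks the answer."""
    qid, query_xml = build_query(pep, role, resource, action)
    return pep_decision(qid, pdp_respond(query_xml, pdp), pdp)
```

`authorize("employee", "https://example.org/report.pdf", "read")` yields Permit and the same role asking to delete yields Deny. The PEP treats NotApplicable, Indeterminate, a mismatched InResponseTo, an unexpected Issuer and malformed XML all as Deny; with the profile's transport-level mutual authentication in place, the Issuer check ties the answer to the authenticated PDP rather than to a string an attacker could choose.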
See also: the associated posting
OASIS Extensible Resource Identifier (XRI) Resolution Version 2.0
Gabe Wachob, Drummond Reed (et al., eds), OASIS Committee Draft
OASIS has announced the release of an approved Committee Draft of the "Extensible Resource Identifier (XRI) Resolution Version 2.0" specification for public review. The comment period ends 1-February-2008. The specification defines a simple generic format for resource description (XRDS documents), a protocol for obtaining XRDS documents from HTTP(S) URIs, and generic and trusted protocols for resolving Extensible Resource Identifiers (XRIs) using XRDS documents and HTTP(S) URIs. These protocols are intended for use both with HTTP(S) URIs as defined in RFC 2616 and with XRIs as defined by Extensible Resource Identifier (XRI) Syntax Version 2.0 or higher. XRI provides a uniform syntax for abstract structured identifiers. Because XRIs may be used across a wide variety of communities and applications (as Web addresses, database keys, filenames, object IDs, XML IDs, tags, etc.), no single resolution mechanism may prove appropriate for all XRIs. However, in the interest of promoting interoperability, this specification defines a simple generic resource description format called XRDS (Extensible Resource Descriptor Sequence), a standard protocol for requesting XRDS documents using HTTP(S) URIs, and a standard protocol for resolving XRIs using XRDS documents and HTTP(S) URIs. Both generic and trusted versions of the XRI resolution protocol are defined, the latter using HTTPS (RFC 2818) and/or signed SAML assertions. In addition, an HTTP(S) proxy resolution service is specified, both to provide network-based resolution services and for backwards compatibility with existing HTTP(S) infrastructure.
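The last step of resolution, picking a service endpoint out of an XRDS document, as an added example that is not code from the OASIS XRI TC: the resolver checks the XRD's Status, filters Service elements by Type, and orders services and their URIs by the `priority` attribute. The XRDS document is constructed; the namespace URIs are the XRI 2.0 ones. The priority rule is as the author understands it from the specification (lower numbers preferred, an absent priority least preferred, ties random in the spec but broken here by document order for reproducibility). The `require_https` flag stands in for the trusted-resolution case, where only HTTPS endpoints are acceptable; signed SAML assertions, the other trusted mode, are not shown.

```python
"""Service endpoint selection from an XRDS document, as an XRI resolver does it.

Added example; not code from the OASIS XRI TC. The XRDS document, host names and the
contact service type are constructed; namespace URIs are the XRI 2.0 ones.
"""
import xml.etree.ElementTree as ET

NS = {"xrds": "xri://$xrds", "xrd": "xri://$xrd*($v*2.0)"}
OPENID = "http://specs.openid.net/auth/2.0/signon"
CONTACT = "http://example.org/service/contact"        # constructed service type

SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Query>*example</Query>
    <Status code="100"/>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://backup.example.org/openid</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI priority="5">https://idp.example.org/openid</URI>
      <URI priority="1">http://idp.example.org/openid</URI>
    </Service>
    <Service>
      <Type>http://example.org/service/contact</Type>
      <URI>https://example.org/contact</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _priority(el):
    """priority="n": lower is better; no attribute means null priority, least preferred."""
    p = el.get("priority")
    return int(p) if p is not None else float("inf")


def select_service(xrds_xml, service_type, require_https=False):
    """Return the best URI offering service_type, or None if the XRD has none.
    Raises ValueError when the XRD does not report successful resolution (code 100)."""
    xrds = ET.fromstring(xrds_xml)
    xrd_list = xrds.findall("xrd:XRD", NS)
    if not xrd_list:
        raise ValueError("XRDS document contains no XRD")
    xrd = xrd_list[-1]                          # the final XRD describes the target
    status = xrd.find("xrd:Status", NS)
    if status is None or status.get("code") != "100":
        raise ValueError("XRI resolution did not succeed (Status code %r)"
                         % (None if status is None else status.get("code")))
    candidates = []
    for i, svc in enumerate(xrd.findall("xrd:Service", NS)):
        if service_type not in [t.text for t in svc.findall("xrd:Type", NS)]:
            continue
        # (priority, document index, uri): the index breaks ties deterministically
        uris = [(_priority(u), j, u.text) for j, u in enumerate(svc.findall("xrd:URI", NS))
                if u.text and (not require_https or u.text.lower().startswith("https://"))]
        if uris:
            candidates.append((_priority(svc), i, min(uris)[2]))
    return min(candidates)[2] if candidates else None


if __name__ == "__main__":
    print(select_service(SAMPLE_XRDS, OPENID))                      # http://idp.example.org/openid
    print(select_service(SAMPLE_XRDS, OPENID, require_https=True))  # https://idp.example.org/openid
    print(select_service(SAMPLE_XRDS, CONTACT))                     # https://example.org/contact
```

In generic resolution the plain-HTTP URI wins on priority, which is exactly why a relying party that cares about where it sends users should resolve in trusted mode: the same document then yields the HTTPS endpoint, and an attacker who can tamper with an unauthenticated XRDS response cannot redirect the service to a host of their choosing without also defeating TLS.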
See also: the announcement
EFF Confirms Comcast's BitTorrent Degradation
The Electronic Frontier Foundation (EFF) has confirmed the research done by the Associated Press into Comcast's traffic shaping. EFF released a report detailing its own investigation into allegations that Comcast is selectively degrading the performance of peer-to-peer systems on its network, and has concluded that the ISP is indeed targeting certain protocols for active interference with forged TCP reset packets. [Report: "Packet Forgery By ISPs: A Report on the Comcast Affair".] The EFF also detailed its research methods in a separate report and provided a guide to duplicating its tests. The tests use two computers simultaneously on two different Comcast subscriber connections. At both locations the computers are connected directly to the cable modems, with no firewalls in between. A packet sniffer on each end of the connection records outgoing and incoming packets; by comparing what one end transmitted with what the other end received, the EFF claims it can prove Comcast is targeting BitTorrent and Gnutella traffic for degradation.
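The comparison the EFF's method relies on, as an added example that is not the EFF's own test code or data: with a capture from each end of the connection, a RST that one peer receives, apparently from the other, but that the other peer's capture shows it never sent, cannot have come from that peer. The two capture lists are constructed to resemble what a sniffer at each subscriber's machine would record (real captures would be decoded from pcap files); the addresses are documentation addresses. The TTL check is the author's corroborating heuristic, not something the page attributes to the EFF.

```python
"""Detecting injected TCP resets by comparing sniffer captures at both ends.

Added example; not the EFF's test code or data. CAPTURE_A and CAPTURE_B are
constructed stand-ins for two pcap captures taken at the same time at peers A and B.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport seq flags ttl")

A, B = "203.0.113.10", "198.51.100.20"   # documentation addresses; constructed

# Capture taken on A (BitTorrent peer on port 6881). TTLs of B's genuine packets are
# what survives B's initial TTL of 64 after the path between the two subscribers.
CAPTURE_A = [
    Packet(A, B, 6881, 51413, 1000, "S", 64),
    Packet(B, A, 51413, 6881, 5000, "SA", 52),
    Packet(A, B, 6881, 51413, 1001, "A", 64),
    Packet(A, B, 6881, 51413, 1001, "PA", 64),    # BitTorrent handshake data
    Packet(B, A, 51413, 6881, 5001, "A", 52),
    Packet(B, A, 51413, 6881, 5002, "R", 30),     # RST "from B"; B's capture has no such packet
]
# Capture taken on B at the same time.
CAPTURE_B = [
    Packet(A, B, 6881, 51413, 1000, "S", 52),
    Packet(B, A, 51413, 6881, 5000, "SA", 64),
    Packet(A, B, 6881, 51413, 1001, "A", 52),
    Packet(A, B, 6881, 51413, 1001, "PA", 52),
    Packet(B, A, 51413, 6881, 5001, "A", 64),
    Packet(A, B, 6881, 51413, 1002, "R", 30),     # RST "from A"; A's capture has no such packet
]


def _key(p):
    """Identity of a packet as seen from either end (TTL excluded: it changes in transit)."""
    return (p.src, p.dst, p.sport, p.dport, p.seq, p.flags)


def forged_resets(capture_a, host_a, capture_b, host_b):
    """RSTs received at one host that the claimed sender's own capture does not contain."""
    forged = []
    for receiver_cap, sender_cap, sender in ((capture_a, capture_b, host_b),
                                             (capture_b, capture_a, host_a)):
        sent = {_key(p) for p in sender_cap if p.src == sender}
        forged += [p for p in receiver_cap
                   if p.src == sender and "R" in p.flags and _key(p) not in sent]
    return forged


def ttl_outliers(capture, peer):
    """Corroborating hint only: genuine packets from one peer arrive with a stable TTL;
    a packet with a different TTL was emitted a different number of hops away."""
    by_ttl = {}
    for p in capture:
        if p.src == peer:
            by_ttl.setdefault(p.ttl, []).append(p)
    if len(by_ttl) < 2:
        return []
    common = max(by_ttl, key=lambda t: len(by_ttl[t]))
    return [p for t, ps in by_ttl.items() if t != common for p in ps]


if __name__ == "__main__":
    for p in forged_resets(CAPTURE_A, A, CAPTURE_B, B):
        print("injected RST claiming to be from %s seq %d ttl %d" % (p.src, p.seq, p.ttl))
    print("TTL outliers at A:", [p.seq for p in ttl_outliers(CAPTURE_A, B)])
```

The two-ended comparison is the strong evidence: it does not depend on guessing what a "normal" TTL is, only on each peer's own record of what it sent. Run against captures taken behind NAT, the address fields in `_key` would have to be normalised first, since each end sees the other's public address.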
See also: the report
Selected from the Cover Pages, by Robin Cover
In November 2007, OASIS issued a proposed charter for a new "OASIS Testing and Monitoring Internet Exchanges Technical Committee." While the proposal is not associated with a supporting (pre-TC-formation) Technical Committee Discussion List, technical issues addressed in the TC Charter Proposal are similar to some being treated by the current OASIS Test Assertions Guidelines (TAG) TC and OASIS ebXML Implementation Interoperability and Conformance (IIC) TC, and by the closed OASIS Conformance Technical Committee. In particular, "Event-Driven Test Scripting Language (eTSL)" Version 0.85 under development within the OASIS ebXML Implementation Interoperability and Conformance (IIC) TC is proposed for contribution to the TaMIE TC. The proposed TaMIE TC will define an event-centric test case scripting markup and execution model for systems that use Internet-based messages or events in collaborations between partners, or between components, where collaboration is achieved by the means of choreographed exchanges of discrete units of data. The TaMIE TC would produce four key deliverables, including (1) a requirements document, which may include use cases for Internet exchanges, test assertions for related standards, references to existing test case dialects or existing logging formats or systems; (2) a specification defining a test case execution model and scripting that supports both the testing and monitoring of message and business data exchanges; (3) a set of examples and use cases; (4) an implementation of the specification used for proof of the proposed concept and principle.
XML Daily Newslink and Cover Pages are sponsored by:
BEA Systems, Inc. http://www.bea.com
Sun Microsystems, Inc. http://sun.com
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Newsletter subscribe: email@example.com
Newsletter unsubscribe: firstname.lastname@example.org
Newsletter help: email@example.com
Cover Pages: http://xml.coverpages.org/