The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Last modified: April 07, 2008
XML Daily Newslink. Monday, 07 April 2008

A Cover Pages Publication
Provided by OASIS and Sponsor Members
Edited by Robin Cover

This issue of XML Daily Newslink is sponsored by:
IBM Corporation

Danish Agency Publishes Evaluation of SSO Open Standards Support
Announcement, Danish National IT and Telecom Agency

An April 03, 2008 press release from the Danish National IT and Telecom Agency (IT- og Telestyrelsen) announced the publication of a 92-page report titled "Evaluation of Ten Standard Setting Organizations with Regard to Open Standards." This special study by IDC was commissioned to evaluate the degree of "openness" of the leading standard setting organizations. The study was conducted in support of the Danish parliament's "Parliamentary Resolution B103", unanimously adopted on 02-June-2006, on the use of open standards for software in the public sector. The Resolution instructed the Danish Government to ensure that the public sector's use of information technology, including the use of software, should be based on open standards. Ten standard setting organizations were evaluated and all organizations had the opportunity to review and comment on the evaluation of their organization. The ten organizations are: CEN, Ecma, ETSI, IETF, ISO, ITU, NIST, OASIS, OMG, and W3C. Standards organizations are generally aware of the need for openness because they all aim at providing successful, widely accepted standards. However, the concepts of openness and consensus have been implemented using different models that relate to the type of organization, their formal foundation and their degrees of formalization. The definition of "open standards" was specified to consist of three criteria: (1) The standard is fully documented and accessible by the public [Open documentation]; (2) The standard should be free to implement without economical, political or legal restrictions -- now as well as in the future [Open IPR, Open access, Open interoperability]; (3) The standard is managed and maintained in an open forum through an open process [Open meeting; Consensus; Due process; Open change; Ongoing standards support].

Unicode Consortium Announces Release of Unicode Standard Version 5.1
Staff, Unicode Consortium Announcement

The Unicode Consortium has announced the release of Unicode Version 5.1, which contains over 100,000 characters and provides significant additions and improvements that extend text processing for software worldwide. Some of the key features are: increased security in data exchange, significant character additions for Indic and South East Asian scripts, expanded identifier specifications for Indic and Arabic scripts, improvements in the processing of Tamil and other Indic scripts, linebreaking conformance relaxation for HTML and other protocols, strengthened normalization stability, new case pair stability, plus others given below. The Version 5.1.0 data files and documentation are final and posted on the Unicode site. In addition to updated existing files, implementers will find new test data files (for example, for linebreaking) and new XML data files that encapsulate all of the Unicode character properties. A major feature of Unicode 5.1.0 is the enabling of ideographic variation sequences. These sequences allow standardized representation of glyphic variants needed for Japanese, Chinese, and Korean text. Unicode 5.1 contains significant changes to properties and behavioral specifications. Several important property definitions were extended, improving linebreaking for Polish and Portuguese hyphenation. The Unicode Text Segmentation Algorithms, covering sentences, words, and characters, were greatly enhanced to improve the processing of Tamil and other Indic languages. The Unicode Normalization Algorithm now defines stabilized strings and provides guidelines for buffering. Standardized named sequences are added for Lithuanian, and provisional named sequences for Tamil. Unicode 5.1.0 adds 1,624 newly encoded characters. These additions include characters required for Malayalam and Myanmar and important individual characters such as Latin capital sharp s for German. Version 5.1 extends support for languages in Africa, India, Indonesia, Myanmar, and Vietnam, with the addition of the Cham, Lepcha, Ol Chiki, Rejang, Saurashtra, Sundanese, and Vai scripts. The Unicode Collation Algorithm (UCA), the core standard for sorting all text, is also being updated at the same time. The major changes in UCA include coverage of all Unicode 5.1 characters, tightened conformance for canonical equivalence, clearer definitions of internationalized search and matching, specifications of parameters for customizing collation, and definitions of collation folding. The next version of the Unicode locale project (CLDR) is also being prepared on the basis of Unicode 5.1, and is now open for public data submission.

See also: XML and Unicode

XML Schema for Media Control
Orit Levin (et al., eds), IETF Informational RFC

IETF announced that a new Request for Comments "XML Schema for Media Control" is now available in online RFC libraries. The specification has been produced by members of the IETF Multiparty Multimedia Session Control (MMUSIC) Working Group. The RFC 5168 document defines an Extensible Markup Language (XML) Schema for video fast update in a tightly controlled environment, developed by Microsoft, Polycom, Radvision and used by multiple vendors. This document describes a method that has been deployed in Session Initiation Protocol (SIP) based systems over the last three years and is being used across real-time interactive applications from different vendors in an interoperable manner. New implementations are discouraged from using the method described except for backward compatibility purposes. New implementations are required to use the new Full Intra Request command in the RTP Control Protocol (RTCP) channel. The Multiparty MUltimedia SessIon Control (MMUSIC) Working Group was chartered to develop protocols to support Internet teleconferencing and multimedia communications. These protocols are now reasonably mature, and many have received widespread deployment. The group is now focussed on the revisions of these protocols in the light of implementation experience and additional demands that have arisen from other WGs (such as AVT, SIP, SIPPING, and MEGACO)... The MMUSIC work items are pursued in close coordination with other IETF WGs related to multimedia conferencing and IP telephony (AVT, SIP, SIPPING, SIMPLE, XCON, MEGACO and, where appropriate, MIDCOM and NSIS).

See also: the IETF Multiparty Multimedia Session Control Status Pages

Web Security Context: Experience, Indicators, and Trust
Thomas Roessler and Anil Saldhana (eds), W3C Technical Report

Members of the W3C Web Security Context Working Group have published a revised version of the Working Draft specification "Web Security Context: Experience, Indicators, and Trust." It defines guidelines and requirements for the presentation and communication of Web security context information to end-users; and good practices for Web Site authors. To facilitate access to relevant background, various sections of this document are annotated with references to input documents that are available from the Working Group's Wiki, and to pertinent issues that the group is tracking. The documents in the wiki include background, motivation, and usability concerns on the proposals that reference them. They provide important context for understanding the potential utility of the proposals. The W3C Web Security Context Working Group focuses on the challenges that arise when users encounter currently deployed security technology, such as TLS: While this technology achieves its goals on a technical level, attackers' strategies shift towards bypassing the security technology instead of breaking it. When users do not understand the security context in which they operate, then it becomes easy to deceive and defraud them.

See also: the W3C Web Security Context Working Group

XACML Interoperability Demo for Health Care Scenario
Staff, OASIS Announcement

At the RSA 2008 Conference, members of the OASIS open standards consortium, in cooperation with the Health Information Technologies Standards Panel (HITSP), demonstrated interoperability of the Extensible Access Control Markup Language (XACML) version 2.0. Simulating a real world scenario provided by the U.S. Department of Veterans Affairs, the demo showed how XACML ensures successful authorization decision requests and the exchange of authorization policies. The XACML Interop at the RSA 2008 conference utilizes requirements from Health Level Seven (HL7), ASTM International, and the American National Standards Institute (ANSI). The demo features role-based access control (RBAC), privacy protections, structured and functional roles, consent codes, emergency overrides and filtering of sensitive data. Vendors show how XACML obligations can provide capabilities in the policy decision making process. The use of XACML obligations and identity providers using the Security Assertion Markup Language (SAML) are also highlighted. According to the ANSI/HITSP announcement, the multi-vendor demonstrations "highlight the use of OASIS standards in HITSP-approved guidelines, known as 'constructs,' to meet healthcare security and privacy needs. The Panel's security and privacy specifications address common data protection issues in a broad range of subject areas, including electronic delivery of lab results to a clinician, medication workflow for providers and patients, quality, and consumer empowerment. HITSP is a multi-stakeholder coordinating body designed to provide the process within which affected parties can identify, select, and harmonize standards for communicating health care information throughout the health care spectrum. As mandated by the U.S. Department of Health and Human Services (HHS), the Panel's work supports Use Cases defined by the American Health Information Community (AHIC). 'This is the first time the RSA Conference will highlight in an Interop demo the healthcare scenario, the Electronic Health Records (EHR), and associated interoperable terminologies of clinical roles, patient consent directives, obligations, and business logic,' said John (Mike) Davis, standards architect with the VHA Office of Information in the Department of Veterans Affairs, and a member of the HITSP Security, Privacy and Infrastructure Technical Committee."

See also: the HITSP announcement

Concordia Project Demonstrates Multi-Protocol Interoperability
Staff, Concordia Project Announcement

The Concordia Project, a global cross-industry initiative formed by members of the identity community to drive harmonization and interoperability among identity initiatives and protocols, announced its first interoperability event taking place at RSA Conference 2008 in San Francisco on Monday, April 7 from 9:00am - 12:30pm. The event will include FuGen Solutions, Internet2, Microsoft, Oracle, Ping Identity, Sun Microsystems and Symlabs demonstrating varying interoperability scenarios using Information Card, Liberty Alliance, and WS-* identity protocols. Over 500 RSA Conference participants have registered to attend the Concordia Project interoperability event to date. The April 7 demonstrations have been developed to meet use case scenarios presented to the Concordia Project by enterprise, education and government organizations deploying digital identity management systems and requiring multi-protocol interoperability of identity specifications. Since the formal launch of the Concordia Project in June of 2007, deployer use case scenarios involving Information Card, Liberty Alliance and WS-* identity protocols have been presented by AOL, the Government of British Columbia, Boeing, Chevron, General Motors, Internet2, the New Zealand State Services Commission, the US GSA and the University of Washington. Concordia members decided collectively on what interoperability demonstrations should be developed first based on identity management commonalities and priorities identified by the majority of deploying organizations. During the RSA Conference event, Concordia members will demonstrate multi-protocol interoperability based on two of the fourteen use case scenarios submitted to the project to date. The first includes Oracle, Internet2, FuGen Solutions, Microsoft, Ping Identity, Sun Microsystems and Symlabs and is characterized by a user authenticating to an identity provider (IdP) using an InfoCard and communicating that authentication to a relying party through either SAML 2.0 or WS-Federation protocols. The second includes Internet2, Oracle, Sun Microsystems and Symlabs demonstrating SSO flow between chained SAML and WS-Federation protocols.

RSA Conference 2008: Concordia Done, OSIS To Go
Pat Patterson, Identity Management Blog

The author blogs on the Project Concordia workshop held at RSA 2008 on 2008-04-07, showing SAML 2.0/WS-Federation single sign-on from a service provider to an identity provider, the identity provider authenticating the user via a managed information card and sending claims from the card to the service provider as SAML 2.0 attributes. Note that not every combination of SAML 2.0/WS-Federation SP, IdP and Information Card STS completely works, but enough do that the approach was proven. Slides from the "Concordia/RSA Interop Demo" describe the products involved. OpenSSO primarily attracts enterprises interested in deploying a web access management or federation solution using open source tools. An Information Card RP Extension has been contributed by Patrick Petit. The OSIS (Open Source Identity Systems) demonstration of user-centric identity network interoperability between identity providers, card selectors, browsers and websites shows how users can 'click-in' to sites via self-issued and managed information cards, or i-cards. OpenID, Higgins Identity Framework, Microsoft CardSpace, SAML, WS-Trust, Kerberos and X.509 components interoperate within an identity layer from open-source parts...

See also: the slides

SaaS Single Sign-On: It's Time for a Lighter Approach
Kjell Backlund, SYS-CON SEO/SEM Journal

SaaS brings a lot of advantages to businesses - no need to invest in purchasing and maintaining licenses and infrastructure, and no need to worry about upgrades and bug fixes. Larger companies, however, face a major challenge related to user authentication and management. Larger companies have invested a lot of time and effort in improving user productivity, compliance and security, and in cutting user management costs. They have done so using technologies like single sign-on and centralized user management. SaaS applications are now challenging those efforts and threatening to bring them back to the situation where every user has several different usernames and passwords and the customers have several different user directories to maintain. Currently there are a few common ways for SaaS providers to give users single sign-on and/or to let customers use their internal user management solutions to manage access to the SaaS application: (1) Identity federation; (2) Delegated authentication; (3) Encrypted links; (4) User directory synchronization. Identity federation, as a concept, is exactly what is needed—SaaS providers can offer customers single sign-on and automated user management based on current information in their internal user directory. Identity federation based on SAML, WS-Federation or ADFS, however, requires each customer to invest in and roll out software compliant with those technologies... Delegated authentication provides users single sign-on by using an existing logon, for instance on a corporate intranet, to generate tokens that can be used to grant access to a SaaS application. However, delegated authentication does not bring any help to maintenance of user profiles and access rights, which still have to be maintained manually in the application. It also requires time and technical resources by the customer... Google Analytics, the SaaS application for monitoring web site usage, offers a different and interesting view to the problem. Each Analytics customer needs to integrate Analytics with its web site in order to be able to collect and monitor usage statistics. By choosing a scripting integration model requiring only a few lines of JavaScript on the web pages, Google managed to lower the requirements on the customers' web sites and the technical skills required to do the integration. As a result, they managed to get hundreds of thousands of customers in 18 months...

Web Oriented Architecture (WOA) May Soon Eclipse SOA
Dana Gardner, ZDNet Blog

A recent blog post questions whether services oriented architecture (SOA) was driving substantive transformation inside of enterprise IT. My conclusion is that something is not quite right in SOA-ville. The uptake of general-purpose service enablement is by no means a hockey stick trend line. The adoption patterns some five years into the SOA evolutionary path do not show a slam dunk demand effect. The role, impact and importance of SOA is, in fact, ambiguous—still. Many see it as merely an offshoot of EAI, rather than a full-blown paradigm shift. Meanwhile, some other trends that do demonstrate more of a hockey stick adoption pattern—social media, Ruby/Python, RESTful interactions, and RIAs—are worth a fresh look in the context of SOA. The new kids on the innovation block are experimenting at break-neck speed with social media, social networking, Ruby on Rails, SaaS, Python, REST and the vital mix of rich Internet application (RIA) approaches. Something is going on here that shows the compelling attraction of better collaboration and sharing methods, of self-defining social and work teams, of faster and easier applications development, of not moving old systems to the Web but just moving to the Web directly, and the recognition that off-the-wire applications with fine UIs are the future... I'm wondering now whether the window for holistic SOA deployment and value, as it has been classically defined, is being eclipsed. Is it possible that Web interfaces and data disintermediation for legacy applications will be enough? Is it possible that exposing the old applications, and reducing costs of IT support via consolidation and modernization is enough? In short, is the path of least resistance to business transformation one that necessarily requires a fording of the SOA stream? Or is there a shorter, dry path that goes directly to Web oriented architecture? Is SOA therefore the impediment or empowerment to transformation on the right scale and at Internet time?

XML and Government Schizophrenia
Michael C. Daconta, O'Reilly Opinion

The U.S. Government is very leery of technology fads and that is why it often has a love/hate relationship with XML. For every technology that exists, the government has a huge legacy investment. So, while the corporate world may turn on a dime and quickly adopt the latest and greatest thing—the government must contend with huge legacy issues, a two-year (minimum) budget planning cycle, and a horde of technologists actively engaged and personally invested in that legacy technology that you want to throw away! [...] Let me briefly discuss a program that I initiated when working for the Department of Homeland Security (DHS). The National Information Exchange Model (NIEM) started as a joint-venture between DHS and the Department of Justice (DOJ) to harmonize and speed up the process of information sharing between the federal government and state and local governments—actually State, Local and Tribal governments. The basic idea is that it combines a registry of standard data objects (modeled via XML Schema), a process for quickly producing an exchange message, a governance process for the model, and robust tool support. The model leveraged and extended an existing model called the Global Justice XML Data Model (GJXDM). It is widely used by law enforcement at all levels of government and now is also being widely used at DHS. It has multiple success stories behind it including the Amber Alert and the national sex offender registry. I highly encourage everyone to look at it and help make it better. So, what does this mean for Government Schizophrenia? For information sharing, XML is a favorite but is attacked continuously in relation to weak data modeling support, weak encoding of binary objects, performance issues, and many more...

See also: the NIEM web site

