The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Last modified: October 09, 2008
XML Daily Newslink. Thursday, 09 October 2008

A Cover Pages Publication
Provided by OASIS and Sponsor Members
Edited by Robin Cover

This issue of XML Daily Newslink is sponsored by:
Sun Microsystems, Inc.

Parity Provides Free Online Identity Management
Robert Vamosi, CNET

Parity, an information management company, announced a new Web service called CardPress that makes issuing online information cards a little easier. Information cards are online equivalents of physical ID cards, such as a driver's license. Online customers would have an electronic wallet with various information cards, bypassing the need to type in user names and passwords. A student accessing a university network, for example, would simply present his or her electronic student information card. CardPress provides Web sites with a free (for low-volume usage) turn-key, hosted software-as-a-service (SaaS) solution. The information cards are designed for associations, organizations, and merchants, and can enable one-click log-ins, phishing protection, and single sign-on (SSO) across multiple partner sites, and can eliminate costs associated with restoring lost or forgotten passwords... Currently there are only two organizations offering or soon to offer CardPress cards. Boston Community Change, which rewards charitable donations to local schools, is only open to Boston-area residents. The Minuteman Library Network, a consortium of libraries in Massachusetts, also plans to offer the cards. The service would allow Minuteman Library members secure access to online resources. Both are available through an electronic wallet site called Azigo (currently in beta). In the coming days, Parity expects to add more associations. In June 2008, the Information Card Foundation (ICF) was created with the stated goal of increasing awareness of the use of electronic ID cards on the Internet, and encouraging interoperability in business around new standards. Member companies include Equifax, Google, Microsoft, Novell, Oracle, and PayPal, plus nine leaders in the technology community. Paul Trevithick, CEO of Parity, is the current chairman of the ICF. 
Unlike having a credit card number, which anyone on the Internet can use at any time, the ID card model proposed by the ICF requires that all three players (user, provider, reliant party) be synced in real time before the transaction can proceed...

See also: on the Information Card Foundation

JanRain Promotes OpenID Adoption Through the Long Tail
Mark Hendrickson, TechCrunch

JanRain, creator of some of the most popular OpenID software libraries and a forum-like communications tool called Pibb, has released a new SaaS offering for websites that want to become relying parties for OpenID. We're told that the service, simply called RPX, makes it possible to start accepting users with OpenID accounts within one day. This is actually the second SaaS solution provided by JanRain, the first being the similarly named OPX, which lets websites do the opposite: provide OpenID accounts to users, who can then sign into any other websites that accept them. JanRain also provides OpenID accounts to users directly through its myOpenID service. Helping websites become relying partners is more important (at least at this point in the game) than helping them become providing partners. That's because few popular sites accept OpenID and, consequently, consumers see little reason to set up OpenID accounts for themselves. This is an even bigger problem than the user experience issues that have plagued the movement over the last few years. RPX is being marketed toward medium sites that want to increase their registration conversion rates, import user information from elsewhere, and build out connections to other social services via OAuth. It's not meant as much for big internet sites like Blogger, Plaxo and AOL, who have become relying parties using their in-house technical resources. The question stands as to whether OpenID will gain momentum through the long tail or adoption by a critical mass of the big players. It will probably take a few very popular services, such as MySpace and Facebook (through their respective Data Availability and Connect services), to popularize the protocol. But once they do, services like RPX should help the long tail take advantage of it...

See also: the JanRain announcement

Beginner's Guide to OAuth, Part IV: Signing Requests
Eran Hammer-Lahav, OAuth Online Tutorial

This interactive tutorial puts into action concepts previously discussed about the OAuth Security Architecture. As an authorization delegation protocol, OAuth must be secure and allow the Service Provider to trust the Consumer and validate the credential provided to gain access. To accomplish that, OAuth defines a method for validating the authenticity of HTTP requests. This method is called Signing Requests. The explanation presented here is designed as an interactive walkthrough with customizable inputs. Next to each set of inputs you will find an expand "[+]" icon allowing you to change the example and see how such changes affect the intermediate and final results. To expand the forms, click on the "[+]" icons, which will open the form; click again to collapse. Making changes to the pre-filled values will immediately change the walkthrough content. You can also adjust the default values the example starts with by choosing from one of the pre-configured use cases. You may select: (1) Example used in the OAuth Specification; (2) Non URL-Safe Parameter; (3) Non-English Parameter; (4) Create Your Own. In this walkthrough, the Consumer would like to access a Protected Resource... The Consumer has previously registered with the Service Provider and obtained the Consumer Key... It has executed the OAuth workflow and obtained a Token... To sign the request, the Consumer is using [one of the signature methods]... The OAuth information such as Consumer Key and Token is included in the request using special OAuth Parameters starting with the 'oauth_' prefix, most of which are mandatory... The OAuth Parameters and request parameters are collected together in their raw, pre-encoded form. The parameters are collected from three locations: the URL query element (as defined by IETF RFC 3986, section 3), the OAuth 'Authorization' header (excluding the 'realm' parameter), and parameters included in a single-part 'application/x-www-form-urlencoded' POST body (as defined by HTML4). 
The parameter locations are more relevant to the Service Provider as it needs to extract them from the incoming Consumer request. The Consumer should have all the parameters in their separated and pre-encoded form as it builds the request... See other parts of the Beginner's Guide to OAuth.
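The signing procedure described above, carried through end to end, as an added example that is not part of the tutorial: parameters are gathered from the three locations the tutorial names, normalized into a signature base string, signed with HMAC-SHA1, and verified again on the Service Provider side. The credentials and request values are those of the OAuth Core 1.0 specification example (the tutorial's use case 1); the function names and the example header layout are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Added example, not the tutorial's code. Credentials and request values are
# those of the OAuth Core 1.0 specification example (the tutorial's use case 1).
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
EXAMPLE_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
EXAMPLE_HEADER = (
    'OAuth realm="http://photos.example.net/", oauth_consumer_key="dpf43f3p2l4k3l03", '
    'oauth_token="nnch734d00sl2jdk", oauth_signature_method="HMAC-SHA1", '
    'oauth_timestamp="1191242096", oauth_nonce="kllo9940pd9333jh", oauth_version="1.0"'
)

def oauth_encode(value):
    """RFC 3986 encoding: only A-Z a-z 0-9 - . _ ~ unescaped; non-ASCII as UTF-8."""
    return quote(str(value), safe="-._~")

def parse_auth_header(header):
    """(name, value) pairs from an 'OAuth ...' header; 'realm' is not signed."""
    scheme, _, body = header.partition(" ")
    if scheme.lower() != "oauth":
        return []
    pairs = []
    for part in body.split(","):
        name, _, value = part.strip().partition("=")
        if name.strip() != "realm":
            pairs.append((name.strip(), unquote(value.strip().strip('"'))))
    return pairs

def collect_parameters(url, auth_header=None, body=None, content_type=None):
    """Raw parameters from the three locations: URL query, OAuth Authorization
    header, and form-encoded POST body. oauth_signature cannot sign itself."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if auth_header:
        params += parse_auth_header(auth_header)
    if body and content_type == "application/x-www-form-urlencoded":
        params += parse_qsl(body, keep_blank_values=True)
    return [(k, v) for k, v in params if k != "oauth_signature"]

def base_string(method, url, params):
    """METHOD & encoded base URL (no query) & encoded sorted 'k=v&k=v' list."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])

def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with 'encoded consumer secret & encoded token secret'."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"
    return base64.b64encode(hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, auth_header, body=None, content_type=None):
    """Consumer side: the oauth_signature value to add to the header."""
    params = collect_parameters(url, auth_header, body, content_type)
    return hmac_sha1_signature(base_string(method, url, params), CONSUMER_SECRET, TOKEN_SECRET)

def verify_request(method, url, auth_header, body=None, content_type=None):
    """Service Provider side: recompute and compare in constant time."""
    received = dict(parse_auth_header(auth_header)).get("oauth_signature", "")
    expected = sign_request(method, url, auth_header, body, content_type)
    return hmac.compare_digest(expected.encode(), received.encode())
```

Any change to the method, base URL or any collected parameter after signing changes the base string and makes verification fail, which is the property the Service Provider relies on.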

See also: the OAuth web site

W3C First Public Working Draft for 'Widgets 1.0: Updates'
Marcos Caceres (ed), W3C Technical Report

Members of the W3C Web Applications Working Group have published the First Public Working Draft for the "Widgets 1.0: Updates" specification. The Web Applications WG is part of the Rich Web Clients Activity in the W3C Interaction Domain. It is expected that this document will progress along the W3C's Recommendation track. The 'Widgets 1.0: Updates' specification defines a model to allow a widget user agent to locate and replace a widget resource with a new or different version of a widget resource. The updates model is designed to work both over HTTP and from local storage. For updates performed via the Web, the model makes use of simple XML documents that authors place on a Web server to indicate, amongst other things, where the next most suitable version of a widget resource can be retrieved from. It also defines a mechanism that allows authors to be notified of installation errors or success. The specification also describes how to renegotiate security policies when widgets are updated.

See also: the W3C Rich Web Clients Activity

OASIS Launches Cross-Enterprise Security and Privacy Authorization TC
Staff, OASIS Announcement

OASIS has formed a new group to standardize the way healthcare providers, hospitals, pharmacies, and insurance companies exchange privacy policies, consent directives, and authorizations within and between healthcare organizations. The OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) Technical Committee will specify healthcare profiles of existing OASIS standards to support reliable, auditable methods of confirming personal identity, official authorization status, and role attributes. This work aligns with security specifications being developed within the U.S. Healthcare Information Technology Standards Panel (HITSP). A cooperative partnership between the public and private sectors, HITSP is a national, volunteer-driven, consensus-based organization that is working to ensure the interoperability of electronic health records in the United States. XSPA will be developed at OASIS alongside other core security standards, such as the Security Assertion Markup Language (SAML), Web Services Trust (WS-Trust), and the Extensible Access Control Markup Language (XACML). The XSPA work will draw on these standards and the expertise behind them, as part of its goal to identify and fill in the gaps. In accomplishing the work of the XSPA Committee, OASIS is focused on addressing the very sensitive issues related to the access of patient information. David Staggs, co-chair of the OASIS XSPA Technical Committee: "While the primary focus of our work will center on the HITSP interoperability specifications, we expect XSPA will have broad applicability to health communities beyond government regulated transactions. We intend to solicit use cases from other instances of cognate data exchanges—particularly in healthcare privacy contexts—to improve our work." The work of the OASIS XSPA Technical Committee may even extend beyond healthcare to general business models and other industry applications where support for privacy rights is needed, such as finance.

See also: the XSPA TC public page

Google Code Adds Gadgets: MarkMail Helps
Staff, Mark Logic Announcement

Google has announced new support for embeddable "gadgets" on Google Code project pages. They introduced MarkMail as the recommended gadget for viewing and searching Google Code project list archives... A Google Gadget is an embeddable web object that puts a bit of third-party dynamic content into the middle of a web page. Gadgets are the things you place on your iGoogle home page or your Google Desktop, but you can also add them to your own web page with one line of JavaScript, or anyone else's page if it supports the OpenSocial APIs. MarkMail coordinated with the Google Code team over the last several months to load about 500 GoogleGroups lists (3.8 million emails) and build a new MarkMail Gadget to let Google Code developers search and analyze their lists using MarkMail. The new MarkMail gadget lets you view messages, threads, attachments, and senders, and a traffic chart for any set of messages you want to follow. The messages you choose to track with the gadget can be those from a single list, a set of lists, a person, messages containing a term or phrase, or any combination. In fact, anything you can use in a search on MarkMail can be used as input to the gadget view. The new gadget offers two features not yet available on the MarkMail site itself: a daily traffic chart (the site only does monthly traffic charts) and a view that coalesces threads. If you're a project leader (either on Google Code or somewhere else), it's now easier than ever to embed a MarkMail traffic chart and recent message list inside any of your project pages. If you're just a lurker, you can personalize your view on MarkMail traffic and embed that view into iGoogle or Google Desktop, or any other page. MarkMail is a free service for searching mailing list archives, with huge advantages over traditional search engines. It is powered by MarkLogic Server: each email is stored internally as an XML document, and accessed using XQuery. 
All searches, faceted navigation, analytic calculations, and HTML page renderings are performed by a small MarkLogic Server cluster running against millions of messages. As of 2008-10-09, MarkMail was configured to search 5,773 lists and 32,073,826 messages. The first list started in October 1992. There were 3,582 active lists, recently accumulating 21,549 messages per day.

See also: the MarkMail Google gadget wizard

Connecting People to Resources: Federated Access Management
Masha Garibyan, JISC Briefing Paper

For UK readers and other interested parties: the Joint Information Systems Committee (JISC) is pleased to announce the development of a new Access Management Infrastructure for the UK educational sector. In November 2006, JISC launched its UK Access Management Federation. Educational institutions throughout the UK have been invited to join the UK federation and adopt the federated access management standards, based on SAML and Shibboleth. This will allow users to access a number of internal and external services while signing on only once. The briefing paper is aimed at UK higher (HE) and further (FE) education institutions that wish to adopt federated access management and join the UK Access Management Federation, either by using paid-for support or by subscribing to an 'outsourced Identity Provider'... These are some of the questions an institution may wish to ask the provider: (1) Will you commit to remaining compliant with the UK federation for the duration of my contract? (2) Does your solution work with other SAML-based federations internationally? (3) Can you provide user accountability? (4) Do you have a roadmap for future developments (i.e. Shibboleth 2.0, provision of embedded certificates, etc.)? [...] The UK federation uses the Security Assertion Markup Language (SAML) standards for the communication of authentication, entitlement and attribute information. The core of the federation is implemented using the Shibboleth software from Internet2. It is recognised, however, that any particular software implementation may not be suitable for all participants, and federation members may deploy any software that meets their specific service goals. It is likely that organisations which regularly update their implementations to use the latest version of the Shibboleth software from Internet2 will continue to benefit from the widest range of interoperability options with other federation members...

See also: the Technical Recommendations

ISO/IEC JTC 1/SC 34 Working Group 5 on Document Interoperability
SC 34 Secretariat, Public Announcement

From ISO/IEC JTC 1/SC 34 (Document Description and Processing Languages) Document N1106: "Call for Participation - SC 34/WG 5: Document Interoperability, distributed to P, O and L Members of ISO/IEC JTC 1/SC 34; ISO/IEC JTC 1 Secretariat; ISO/IEC ITTF. In accordance with Resolution 8 of the SC 34 Jeju plenary meeting, Working Group 5 has been established. SC 34 members are invited to nominate their experts to participate in this Working Group. Please send a list of participants showing names, affiliations and e-mail addresses to the SC 34 Secretariat by 2008-11-15. The information received will be forwarded to the WG 5 Convener for creation of a mailing list. Resolution 8: Establishment of Working Group 5. SC 34 establishes Working Group 5 as follows: Title: Document Interoperability. Terms of Reference: Develop principles of, and guidelines for, interoperability among documents represented using heterogeneous ISO/IEC document file formats. The initial work includes preparation of the Technical Report on ISO/IEC 26300—ISO/IEC 29500 translation. SC 34 instructs its Secretariat to issue a call for participation to the SC 34 members and to request ISO and IEC to publicise the existence of WG 5 to encourage participation from all who are eligible..." See also from the N1099 Resolutions (2008-10-03), "Resolution 11: Appointment of Project Editors for 29166: Open Document Format (ISO/IEC 26300) / Office Open XML (ISO/IEC 29500) Translation. SC 34 appoints Mr. Ning LI (China), and Mr. NAM, Dong Sun (Republic of Korea) as the co-editors of Project 29166 and notes that the National Body of Germany is expected to nominate a third co-editor." [Note: ISO/IEC 26300:2006 = Information technology — Open Document Format for Office Applications (OpenDocument) v1.0; ISO/IEC DIS 29500 = Information technology — Office Open XML File Formats. 
ISO/IEC JTC 1/SC 34 is the international standardization subcommittee for Document Description and Processing Languages standards and technical reports related to structured markup languages (specifically the Standard Generalized Markup Language (SGML) and the Extensible Markup Language (XML)) in the areas of information description, processing and association.]

See also: the JTC 1/SC 34 web site

When Do You Want That?
Toby Considine, Blog

"One of the most fundamental acts of negotiating services is when something should occur. One would guess that this has been already well established, well completed. I know I assumed so when I was talking about the fundamental information that we needed to add for scheduling... You know that thing you click on to put something on your calendar? It is an ICalendar format. Corporate scheduling systems already use it. People already use it... VCAL is the original. It was developed as part of the Vision personal information manager. VCAL spawned VCalendar, developed by the Internet Mail Consortium. VCalendar spawned ICalendar, with the stamp of approval from the Internet Engineering Task Force (IETF). This nice standard is complete, but predates XML. Because the first significant application using ICalendar was the iCal program on the Macintosh, many people call the standard iCal. Information containing scheduling information in the iCalendar has the designated file extension '.ICS'. ICalendar defines different payloads. The Event defines something that begins and ends. The TODO has a due date, and can specify periodic reminders before that due date... Within the IETF, there was a draft proposal for a data transformation of iCalendar to XML in 1999 as the iCalendar XML DTD; it expired uncompleted in 1999... Microformats developed the intriguing hCalendar format, but this has been rejected by many groups, for usability issues; it still may be the best format for moving things into web services. There are concerns and incompatibilities surrounding the use of HCalendar, though... There is a calendar XML format, but it seems designed to transmit a monthly calendar for printing, not formats for exchanging schedules. All this leaves me in a quandary. Schedules, and exchanging schedule proposals, will be absolutely essential to building services and to demand response and to energy technology. And yet we do not seem to be able to standardize on an XML format for web services. 
What would you do?"

See also: earlier calendar references

The Book Cipher Algorithm: A Simple But Safe Approach to Security
Dejan Ristanovic and Jelica Protic, DDJ

Unless you're a professional cryptanalyst, writing cryptography code means meddling with "powers" you cannot fully comprehend, and seemingly insignificant slips can be fatal. During World War II, for instance, Polish and British mathematicians broke Germany's Enigma code only because the same message-key was enciphered twice at the beginning of every message. The Germans did this to avoid mistakes caused by radio interference, but at the same time, it ruined their carefully planned cryptosystem. And how many slips are there in the code that multiplies big numbers, looks for 1000-digit primes, and encrypts the fixed header of your document? With the Book cipher algorithm, you're safe from these kinds of errors because it is simple enough that you can code it in a few lines of C that are completely understandable, but still extremely secure. The so-called Beale ciphers, which point to a location of buried treasure somewhere in Bedford County, were coded in 1885, but still have not been decoded. This secret (or maybe hoax) has occupied some of the best cryptanalytic minds. Likewise, when Simon Singh gave 10 problems in the appendix of The Code Book, problem #5 (Book cipher) was the most difficult one for the winners of the 10,000 pound prize. Still, the Book cipher has probably never been used in commercial software... Basically, the Book cipher algorithm uses letters of subsequent words in some text or book as a key to encode a message... Cryptanalysts mostly agree that the Book cipher, if used properly, is practically unbreakable; nearly as good as the one-time pad. Why isn't it used every day? Maybe because of that "if used properly" clause—the complete algorithm is somehow "private." 
The next time you bury a treasure, you can describe its location within an encrypted message and be reasonably sure that it will not be decoded for the next 150 years, but if you have to organize a secure correspondence for a web of spies all over the world, finding, deploying, and protecting adequate books might prove very difficult. By implementing the Book cipher in your applications, you don't meddle with powers you cannot comprehend—you leave the meddling to users of your software.

