This issue of XML Daily Newslink is sponsored by:
Sun Microsystems, Inc. http://sun.com
- Parity Provides Free Online Identity Management
- JanRain Promotes OpenID Adoption Through the Long Tail
- Beginner's Guide to OAuth, Part IV: Signing Requests
- W3C First Public Working Draft for 'Widgets 1.0: Updates'
- OASIS Launches Cross-Enterprise Security and Privacy Authorization TC
- Google Code Adds Gadgets: MarkMail Helps
- Connecting People to Resources: Federated Access Management
- ISO/IEC JTC 1/SC 34 Working Group 5 on Document Interoperability
- When Do You Want That?
- The Book Cipher Algorithm: A Simple But Safe Approach to Security
Parity Provides Free Online Identity Management
Robert Vamosi, CNET News.com
Parity, an information management company, announced a new Web service called CardPress that makes issuing online information cards a little easier. Information cards are online equivalents of physical ID cards, such as a driver's license. Online customers would have an electronic wallet with various information cards, bypassing the need to type in user names and passwords. A student accessing a university network, for example, would simply present his or her electronic student information card. CardPress provides Web sites with a free (for low-volume usage) turn-key, hosted software-as-a-service (SaaS) solution. The information cards are designed for associations, organizations, and merchants, and can enable one-click log-ins, phishing protection, and single sign-on (SSO) across multiple partner sites, and can eliminate costs associated with restoring lost or forgotten passwords... Currently there are only two organizations offering or soon to offer CardPress cards. Boston Community Change, which rewards charitable donations to local schools, is only open to Boston-area residents. The Minuteman Library Network, a consortium of libraries in Massachusetts, also plans to offer the cards. The service would allow Minuteman Library members secure access to online resources. Both are available through an electronic wallet site called Azigo (currently in beta). In the coming days, Parity expects to add more associations. In June 2008, the Information Card Foundation (ICF) was created with the stated goal of increasing awareness of the use of electronic ID cards on the Internet, and encouraging interoperability in business around new standards. Member companies include Equifax, Google, Microsoft, Novell, Oracle, and PayPal, plus nine leaders in the technology community. Paul Trevithick, CEO of Parity, is the current chairman of the ICF. 
Unlike having a credit card number, which anyone on the Internet can use at any time, the ID card model proposed by the ICF requires that all three players (user, identity provider, relying party) be synced in real time before the transaction can proceed...
See also: on the Information Card Foundation
JanRain Promotes OpenID Adoption Through the Long Tail
Mark Hendrickson, TechCrunch
JanRain, creator of some of the most popular OpenID software libraries and a forum-like communications tool called Pibb, has released a new SaaS offering for websites that want to become relying parties for OpenID. We're told that the service, simply called RPX, makes it possible to start accepting users with OpenID accounts within one day. This is actually the second SaaS solution provided by JanRain, the first being the similarly named OPX, which lets websites do the opposite: provide OpenID accounts to users, who can then sign into any other websites that accept them. JanRain also provides OpenID accounts to users directly through its myOpenID service. Helping websites become relying parties is more important (at least at this point in the game) than helping them become providers. That's because few popular sites accept OpenID and, consequently, consumers see little reason to set up OpenID accounts for themselves. This is an even bigger problem than the user experience issues that have plagued the movement over the last few years. RPX is being marketed toward medium-sized sites that want to increase their registration conversion rates, import user information from elsewhere, and build out connections to other social services via OAuth. It's not meant as much for big internet sites like Blogger, Plaxo and AOL, who have become relying parties using their in-house technical resources. The question stands as to whether OpenID will gain momentum through the long tail or adoption by a critical mass of the big players. It will probably take a few very popular services, such as MySpace and Facebook (through their respective Data Availability and Connect services), to popularize the protocol. But once they do, services like RPX should help the long tail take advantage of it...
See also: the JanRain announcement
Beginner's Guide to OAuth, Part IV: Signing Requests
Eran Hammer-Lahav, OAuth Online Tutorial
This interactive tutorial puts into action concepts previously discussed about the OAuth Security Architecture. As an authorization delegation protocol, OAuth must be secure and allow the Service Provider to trust the Consumer and validate the credential provided to gain access. To accomplish that, OAuth defines a method for validating the authenticity of HTTP requests. This method is called Signing Requests. The explanation presented here is designed as an interactive walkthrough with customizable inputs. Next to each set of inputs you will find an expand "[+]" icon allowing you to change the example and see how such changes affect the intermediate and final results. To expand the forms, click on the "[+]" icons which will open the form or click again to collapse. Making changes to the pre-filled values will immediately change the walkthrough content. You can also adjust the default values the example starts with by choosing from one of the pre-configured use cases. You may select: (1) Example used in the OAuth Specification; (2) Non URL-Safe Parameter; (3) Non-English Parameter; (4) Create Your Own. In this walkthrough, the Consumer would like to access a Protected Resource... The Consumer has previously registered with the Service Provider and obtained the Consumer Key... It has executed the OAuth workflow and obtained a Token... To sign the request, the Consumer is using [one of the signature methods]... The OAuth information such as Consumer Key and Token is included in the request using special OAuth Parameters starting with the 'oauth_' prefix, most of which are mandatory... The OAuth Parameters and request parameters are collected together in their raw, pre-encoded form. The parameters are collected from three locations: the URL query component (as defined by IETF RFC 3986, section 3), the OAuth 'Authorization' header (excluding the 'realm' parameter), and parameters included in a single-part 'application/x-www-form-urlencoded' POST body (as defined by HTML4). 
The parameter locations are more relevant to the Service Provider as it needs to extract them from the incoming Consumer request. The Consumer should have all the parameters in their separated and pre-encoded form as it builds the request..." See other parts of the Beginner's Guide to OAuth.
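The walkthrough above, carried through in code as an added example (this is not the tutorial's own code, nor JanRain's or any OAuth library): the Consumer collects its parameters, builds the signature base string, signs with HMAC-SHA1 and emits an Authorization header; the Service Provider extracts parameters from the three locations the tutorial names (query, Authorization header minus 'realm', form body), recomputes the signature and compares it in constant time. Function names are this example's own. The request values are the ones from the OAuth Core 1.0 specification example (consumer key dpf43f3p2l4k3l03, token nnch734d00sl2jdk); the non-English comment body is a constructed input covering the tutorial's "Non-English Parameter" case.

```python
"""OAuth 1.0 request signing (Consumer) and verification (Service Provider), HMAC-SHA1."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

FORM = "application/x-www-form-urlencoded"
_HEADER_PARAM = re.compile(r'([\w%.~-]+)="([^"]*)"')   # name="value" pairs in an OAuth header


def pct(s: str) -> str:
    """RFC 3986 percent-encoding of the UTF-8 bytes; only ALPHA, DIGIT, '-', '.', '_', '~' stay raw.
    This is what makes the 'non URL-safe' and 'non-English' parameter cases sign consistently."""
    return quote(s.encode("utf-8"), safe="-._~")


def form_encode(pairs):
    """Body encoding the Consumer uses for a form POST (same encoding rules as pct)."""
    return "&".join(f"{pct(k)}={pct(v)}" for k, v in pairs)


def base_string_uri(url: str) -> str:
    """Scheme and host lower-cased, default port dropped, query and fragment removed."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or "").lower(), p.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path or '/'}"


def collect_parameters(url, auth_header=None, content_type=None, body=None):
    """Service Provider side: (name, value) pairs in decoded form from the three locations.
    'realm' and 'oauth_signature' are never part of the signature base string."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))       # 1. URL query
    if auth_header and auth_header.startswith("OAuth "):                         # 2. Authorization header
        for name, value in _HEADER_PARAM.findall(auth_header[len("OAuth "):]):
            if name != "realm":
                params.append((unquote(name), unquote(value)))
    if body and content_type and content_type.split(";")[0].strip() == FORM:    # 3. form-encoded body
        params += parse_qsl(body, keep_blank_values=True)
    return [(k, v) for k, v in params if k != "oauth_signature"]


def signature_base_string(method, url, params):
    """Encode each name and value, sort by name then value, join as k=v&k=v, then
    concatenate METHOD, base URI and the normalized parameters, each percent-encoded."""
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret=""):
    """Key = encoded consumer secret '&' encoded token secret (token secret empty before a token exists)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    return base64.b64encode(hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()).decode("ascii")


def sign_request(method, url, oauth_params, consumer_secret, token_secret="",
                 content_type=None, body=None, realm=None):
    """Consumer side: returns (Authorization header value, signature base string)."""
    params = list(oauth_params.items()) + list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if body and content_type == FORM:
        params += parse_qsl(body, keep_blank_values=True)
    base = signature_base_string(method, url, params)
    header_params = ([("realm", realm)] if realm else []) + list(oauth_params.items())
    header_params.append(("oauth_signature", hmac_sha1(base, consumer_secret, token_secret)))
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in header_params), base


def verify_request(method, url, auth_header, consumer_secret, token_secret="",
                   content_type=None, body=None):
    """Service Provider side: recompute the signature from the request as received and compare it
    in constant time. A real server must also reject stale timestamps and replayed nonces."""
    m = re.search(r'oauth_signature="([^"]*)"', auth_header or "")
    if not m:
        return False
    presented = unquote(m.group(1)).encode("utf-8")
    params = collect_parameters(url, auth_header, content_type, body)
    expected = hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode("ascii"), presented)


# Values from the OAuth Core 1.0 specification example.
SPEC_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SPEC_OAUTH = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"

if __name__ == "__main__":
    header, base = sign_request("GET", SPEC_URL, SPEC_OAUTH, CONSUMER_SECRET, TOKEN_SECRET)
    print(base)
    print(header)
    print("verified:", verify_request("GET", SPEC_URL, header, CONSUMER_SECRET, TOKEN_SECRET))
```

Two things the code makes visible that the prose only states: the base string is built from decoded parameters and encoded exactly once, so a value like "café & thé" signs the same whether it travels in the body or the query; and the Service Provider never trusts the oauth_signature it received except as the comparand, so changing the method, the URL, a body field or a secret breaks verification. Timestamp freshness and nonce uniqueness are out of scope here but are part of the protocol's replay protection.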
See also: the OAuth web site
W3C First Public Working Draft for 'Widgets 1.0: Updates'
Marcos Caceres (ed), W3C Technical Report
Members of the W3C Web Applications Working Group have published the First Public Working Draft for the "Widgets 1.0: Updates" specification. The Web Applications WG is part of the Rich Web Clients Activity in the W3C Interaction Domain. It is expected that this document will progress along the W3C's Recommendation track. The 'Widgets 1.0: Updates' specification defines a model to allow a widget user agent to locate and replace a widget resource with a new or different version of a widget resource. The updates model is designed to work both over HTTP and from local storage. For updates performed via the Web, the model makes use of simple XML documents that authors place on a Web server to indicate, amongst other things, where the next most suitable version of a widget resource can be retrieved from. It also defines a mechanism that allows authors to be notified of installation errors or success. The specification also describes how to renegotiate security policies when widgets are updated.
See also: the W3C Rich Web Clients Activity
OASIS Launches Cross-Enterprise Security and Privacy Authorization TC
Staff, OASIS Announcement
OASIS has formed a new group to standardize the way healthcare providers, hospitals, pharmacies, and insurance companies exchange privacy policies, consent directives, and authorizations within and between healthcare organizations. The OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) Technical Committee will specify healthcare profiles of existing OASIS standards to support reliable, auditable methods of confirming personal identity, official authorization status, and role attributes. This work aligns with security specifications being developed within the U.S. Healthcare Information Technology Standards Panel (HITSP). A cooperative partnership between the public and private sectors, HITSP is a national, volunteer driven, consensus-based organization that is working to ensure the interoperability of electronic health records in the United States. XSPA will be developed at OASIS alongside other core security standards, such as the Security Assertion Markup Language (SAML), Web Services Trust (WS-Trust), and the Extensible Access Control Markup Language (XACML). The XSPA work will draw on these standards and the expertise behind them, as part of its goal to identify and fill in the gaps. In accomplishing the work of the XSPA Committee, OASIS is focused on addressing the very sensitive issues related to the access of patient information. David Staggs, co-chair of the OASIS XSPA Technical Committee: "While the primary focus of our work will center on the HITSP interoperability specifications, we expect XSPA will have broad applicability to health communities beyond government regulated transactions. We intend to solicit use cases from other instances of cognate data exchanges—particularly in healthcare privacy contexts—to improve our work." The work of the OASIS XSPA Technical Committee may even extend beyond healthcare to general business models and other industry applications where support for privacy rights is needed, such as finance.
See also: the XSPA TC public page
Google Code Adds Gadgets: MarkMail Helps
Staff, Mark Logic Announcement
See also: the MarkMail Google gadget wizard
Connecting People to Resources: Federated Access Management
Masha Garibyan, JISC Briefing Paper
For UK readers and other interested parties: Joint Information Systems Committee (JISC) is pleased to announce the development of a new Access Management Infrastructure for the UK educational sector. In November 2006, JISC launched its UK Access Management Federation. Educational institutions throughout the UK have been invited to join the UK federation and adopt the federated access management standards, based on SAML and Shibboleth. This will allow users to access a number of internal and external services while signing on only once. The briefing paper is aimed at UK higher (HE) and further (FE) education institutions that wish to adopt federated access management and join the UK Access Management Federation, either by using paid-for support or by subscribing to an 'outsourced Identity Provider'... These are some of the questions an institution may wish to ask the provider: (1) Will you commit to remaining compliant with the UK federation for the duration of my contract? (2) Does your solution work with other SAML-based federations internationally? (3) Can you provide user accountability? (4) Do you have a roadmap for future developments (i.e. Shibboleth 2.0, provision of embedded certificates etc)? [...] The UK federation uses the Security Assertion Markup Language (SAML) standards for the communication of authentication, entitlement and attribute information. The core of the federation is implemented using the Shibboleth software from Internet2. It is recognised, however, that any particular software implementation may not be suitable for all participants, and federation members may deploy any software that meets their specific service goals. It is likely that organisations which regularly update their implementations to use the latest version of the Shibboleth software from Internet2 will continue to benefit from the widest range of interoperability options with other federation members...
See also: the Technical Recommendations
ISO/IEC JTC 1/SC 34 Working Group 5 on Document Interoperability
SC 34 Secretariat, Public Announcement
From ISO/IEC JTC 1/SC 34 (Document Description and Processing Languages) Document N1106: "Call for Participation - SC 34/WG 5: Document Interoperability, distributed to P, O and L Members of ISO/IEC JTC 1/SC 34; ISO/IEC JTC 1 Secretariat; ISO/IEC ITTF. In accordance with Resolution 8 of the SC 34 Jeju plenary meeting, Working Group 5 has been established. SC 34 members are invited to nominate their experts to participate in this Working Group. Please send a list of participants showing names, affiliations and e-mail addresses to the SC 34 Secretariat by 2008-11-15. The information received will be forwarded to the WG 5 Convener for creation of a mailing list. Resolution 8: Establishment of Working Group 5 SC 34 establishes Working Group 5 as follows: Title: Document Interoperability. Terms of Reference: Develop principles of, and guidelines for, interoperability among documents represented using heterogeneous ISO/IEC document file formats. The initial work includes preparation of the Technical Report on ISO/IEC 26300—ISO/IEC 29500 translation. SC 34 instructs its Secretariat to issue a call for participation to the SC 34 members and to request ISO and IEC to publicise the existence of WG 5 to encourage participation from all who are eligible..." See also from the N1099 Resolutions (2008-10-03), "Resolution 11: Appointment of Project Editors for 29166: Open Document Format (ISO/IEC 26300) / Office Open XML (ISO/IEC 29500) Translation. SC 34 appoints Mr. Ning LI (China), and Mr. NAM, Dong Sun (Republic of Korea) as the co-editors of Project 29166 and notes that the National Body of Germany is expected to nominate a third co-editor." [Note: ISO/IEC 26300:2006 = Information technology — Open Document Format for Office Applications (OpenDocument) v1.0; ISO/IEC DIS 29500 = Information technology — Office Open XML File Formats. 
ISO/IEC JTC 1/SC 34 is the international standardization subcommittee for Document Description and Processing Languages standards and technical reports related to structured markup languages (specifically the Standard Generalized Markup Language (SGML) and the Extensible Markup Language (XML)) in the areas of information description, processing and association.]
See also: the JTC 1/SC 34 web site
When Do You Want That?
Toby Considine, Blog
"One of the most fundamental acts of negotiating services is when something should occur. One would guess that this has been already well established, well completed. I know I assumed so when I was talking about the fundamental information that we needed to add for scheduling... You know that thing you click on to put something on your calendar? It is an ICalendar format. Corporate scheduling systems already use it. People already use it... VCAL is the original. It was developed as part of the Vision personal information manager. VCAL spawned VCalendar, developed by the Internet Mail Consortium. VCalendar spawned ICalendar, with the stamp of approval from the Internet Engineering Task Force (IETF). This nice standard is complete, but predates XML. Because the first significant application using ICalendar was the iCal program on the Macintosh, many people call the standard iCal. Information containing scheduling information in the iCalendar has the designated file extension '.ICS'. ICalendar defines different payloads. The Event defines something that begins and ends. The TODO has a due date, and can specify periodic reminders before that due date... Within the IETF, there was a draft proposal for a data transformation of iCalendar to XML in 1999 as the iCalendar XML DTD; it expired uncompleted in 1999... Microformats developed the intriguing hCalendar format, but this has been rejected by many groups, for usability issues; it still may be the best format for moving things into web services. There are concerns and incompatibilities surrounding the use of HCalendar, though... There is a calendar XML format, but it seems designed to transmit a monthly calendar for printing, not formats for exchanging schedules. All this leaves me in a quandary. Schedules, and exchanging schedule proposals, will be absolutely essential to building services and to demand response and to energy technology. And yet we do not seem to be able to standardize on an XML format for web services. 
What would you do?"
See also: earlier calendar references
The Book Cipher Algorithm: A Simple But Safe Approach to Security
Dejan Ristanovic and Jelica Protic, DDJ
Unless you're a professional cryptanalyst, writing cryptography code means meddling with "powers" you cannot fully comprehend, and seemingly insignificant slips can be fatal. During World War II, for instance, Polish and British mathematicians broke Germany's Enigma code only because the same message-key was enciphered twice at the beginning of every message. The Germans did this to avoid mistakes caused by radio interference, but at the same time, it ruined their carefully planned cryptosystem. And how many slips are there in the code that multiplies big numbers, looks for 1000-digit primes, and encrypts the fixed header of your document? With the Book cipher algorithm, you're safe from these kinds of errors because it is simple enough that you can code it in a few lines of C that are completely understandable, but still extremely secure. The so-called Beale ciphers, which point to a location of buried treasure somewhere in Bedford County, were coded in 1885, but still have not been decoded. This secret (or maybe hoax) has occupied some of the best cryptanalytic minds. Likewise, when Simon Singh gave 10 problems in the appendix of The Code Book, problem #5 (Book cipher) was the most difficult one for the winners of the 10,000 pound prize. Still, the Book cipher has probably never been used in commercial software... Basically, the Book cipher algorithm uses letters of subsequent words in some text or book as a key to encode a message... Cryptanalysts mostly agree that the Book cipher, if used properly, is practically unbreakable; nearly as good as the one-time pad. Why isn't it used every day? Maybe because of that "if used properly" clause—the complete algorithm is somehow "private." 
The next time you bury a treasure, you can describe its location within an encrypted message and be reasonably sure that it will not be decoded for the next 150 years, but if you have to organize a secure correspondence for a web of spies all over the world, finding, deploying, and protecting adequate books might prove very difficult. By implementing the Book cipher in your applications, you don't meddle with powers you cannot comprehend—you leave the meddling to users of your software.
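The scheme as the summary describes it ("letters of subsequent words in some text or book as a key"), as an added example that is not the article's own C code nor a reconstruction of it: each plaintext letter becomes the number of a word, further along in the key text, that begins with that letter; words are consumed left to right and never reused, so the numbers strictly increase and the key text behaves like a tape that is read once. Assumed details (this example's own choices): only alphabetic words of the key text count, matched case-insensitively; spaces and punctuation in the plaintext are dropped; with randomize=True the encoder picks among the nearest few matching words so a repeated letter does not map to a predictable pattern. The key text is a constructed sentence, not from the article.

```python
"""Book cipher: letters encoded as 1-based word numbers in a shared key text."""
import re
import secrets

_WORD = re.compile(r"[A-Za-z]+")

# Constructed key text for the example (any agreed book or passage would do).
KEY_TEXT = ("Down along the wide road, all the night creatures kept watch. Deep in the dark, "
            "a thin wind nosed at the door; nobody answered, though a dog turned and whined. "
            "Kind travellers know: wait at the crossing until dawn.")


def key_words(key_text):
    """Alphabetic words of the key text, lower-cased; digits and punctuation are ignored."""
    return [w.lower() for w in _WORD.findall(key_text)]


def book_encrypt(plaintext, key_text, randomize=False, window=3):
    """Encode each letter as the number of a later key word starting with that letter.
    Words are never reused. randomize=True chooses among the nearest `window` candidates,
    which hides repetition but consumes the key text faster."""
    words = key_words(key_text)
    numbers, cursor = [], 0
    for ch in plaintext.lower():
        if not ch.isalpha():
            continue  # assumption: spaces and punctuation are not encoded
        candidates = []
        for i in range(cursor, len(words)):
            if words[i][0] == ch:
                candidates.append(i)
                if len(candidates) == (window if randomize else 1):
                    break
        if not candidates:
            # The failure mode of a short or already-used key: no fresh word is left for this letter.
            raise ValueError(f"key text exhausted while encoding {ch!r}; use a longer or fresh passage")
        i = secrets.choice(candidates) if randomize else candidates[0]
        numbers.append(i + 1)   # 1-based, Beale-style word numbers
        cursor = i + 1          # never look back: each word is used at most once
    return numbers


def book_decrypt(numbers, key_text):
    """Recover the letters; rejects numbers that are out of range or do not strictly increase."""
    words = key_words(key_text)
    letters, last = [], 0
    for n in numbers:
        if n <= last or n > len(words):
            raise ValueError(f"invalid word number {n}: numbers must increase and lie within the key text")
        letters.append(words[n - 1][0])
        last = n
    return "".join(letters)


if __name__ == "__main__":
    ct = book_encrypt("dawn", KEY_TEXT)
    print(ct, "->", book_decrypt(ct, KEY_TEXT))
```

The exhaustion error is where the article's "if used properly" clause bites in practice: a passage that is too short for the message, or one reused for a second message, either fails outright or hands an observer repeated word numbers to correlate, which is exactly the kind of key reuse that undid the Enigma message-key procedure mentioned above.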
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/