This issue of XML Daily Newslink is sponsored by:
Microsoft Corporation http://www.microsoft.com
- OGC Launches Empire Challenge Pilot Effort
- First Draft of Voice Extensible Markup Language (VoiceXML) 3.0 Published
- PAPE Approved as an OpenID Specification
- IBM's BPM Zero Project: RESTful Workflow Management
- Researchers Hack VeriSign's SSL Scheme for Securing Web Sites
- SOA World: BPEL Coming to People
- Last Call Review for 'Widgets 1.0: Packaging and Configuration'
- First Look: Linux Kernel 2.6.28 Officially Released
- Microsoft Specs Out 'Pay-as-you-go' PC Scheme
OGC Launches Empire Challenge Pilot Effort
Patrick Marshall, Government Computer News
The Open Geospatial Consortium is seeking researchers from government agencies, private industry, and academia to participate in a pilot program to examine the suitability and performance of OGC Sensor Web Enablement and OGC Web Services standards for providing open management of and access to sensors of various types. The Empire Challenge is an annual demonstration sponsored by the U.S. Joint Forces Command and the National Geospatial-Intelligence Agency. It seeks to improve the interoperability of joint and coalition intelligence, surveillance, and reconnaissance activities. In OGC's Sensor Web Enablement (SWE) initiative, members are "building a unique and revolutionary framework of open standards for exploiting Web-connected sensors and sensor systems of all types: flood gauges, air pollution monitors, stress gauges on bridges, mobile heart monitors, Webcams, satellite-borne earth imaging devices and countless other sensors and sensor systems. SWE presents many opportunities for adding a real-time sensor dimension to the Internet and the Web. This has extraordinary significance for science, environmental monitoring, transportation management, public safety, facility security, disaster management, utilities' Supervisory Control And Data Acquisition (SCADA) operations, industrial controls, facilities management and many other domains of activity." OGC Web Services Testbed activities advance OGC's open framework of standards based on priority geospatial and location based interoperability requirements. OWS-6 includes Sensor Web Enablement (SWE), Geo Processing Workflow (GPW), Aeronautical Information Management (AIM), Decision Support Services (DSS), and Compliance and Interoperability Test and Evaluation (CITE). 
Sam Bacharach, executive director for outreach at OGC, spoke about last year's demonstration of a common interface during the Empire Challenge that allowed analysts to detect and access sensors from different sources: "Let's say you're an analyst and you want to find out what's going on in Bellingham, Wash., and you don't know what sensors are available in Bellingham... Is there a Predator [unmanned aerial vehicle] with an electrical-optical camera flying overhead? Maybe there are Washington State Patrol cameras on the interstates... [sensor data] can be put in a catalog so the operator could then come in and type in 'Bellingham' and magically get a map of all the sensors and all the data that is available covering Bellingham, Wash. The standards that enable such a capability were demonstrated on unclassified networks during last year's Empire Challenge, and three NASA satellites already use the OGC interface. The project for this year's Empire Challenge is to bring those capabilities into the classified environment of the Distributed Common Ground System, the architecture that the armed forces use to share sensor information and other data within the intelligence community..."
See also: the OGC announcement
First Draft of Voice Extensible Markup Language (VoiceXML) 3.0 Published
Scott McGlashan, R. Auburn, Paolo Baggia (et al, eds), W3C Technical Report
W3C announced that members of the Voice Browser Working Group have published "Voice Extensible Markup Language (VoiceXML) 3.0" as a First Public Working Draft. VoiceXML 3.0 is a modular XML language for creating interactive media dialogs that feature synthesized speech, recognition of spoken and DTMF key input, telephony, mixed initiative conversations, and recording and presentation of a variety of media formats including digitized audio, and digitized video. The primary goal of this version is to bring the advantages of Web-based development and content delivery to interactive voice response applications. The VoiceXML 3.0 language is published as a collection of modules. Each module is described at two levels: (1) Syntax level: The syntax is a set of XML elements, attributes, and events used by VoiceXML 3.0 application developers to specify applications. The VoiceXML 3.0 elements and attributes are specified within each module and in the XML schema in appendix TBD. The events are DOM level 3 events. This document provides a textual description of each element, attribute, and event. (2) Semantics level: The semantics of each module is described in terms of resources, resource controllers, and semantic events that the resource controllers may generate and consume. Semantics is described by both UML state chart visual diagrams and textual SCXML representations. The resources, resource controllers, and the events they generate are intended only to describe the semantics of VoiceXML 3. Implementations are not required to use SCXML to implement VoiceXML 3, nor must they create objects corresponding to resources, resource controllers, and the SCXML events they raise. The logical components are useful for describing how different syntax use similar resources or for future extensions to the language that may use these resources or hook into specific places in the semantic framework, but only the behavior exposed is necessary for a conformant VoiceXML 3 interpreter.
This document is very much a work in progress; to get early feedback, the group focused on defining enough functionality, modules, and profiles to demonstrate the general framework. To complete the specification, the group expects to introduce additional functionality (for example speaker identification and verification, external eventing) and describe the existing functionality at the level of detail given for the Prompt and Field modules. We explicitly request feedback on the framework, particularly any concerns about its implementability or suitability for expected applications. By the middle of 2009 the group expects to have all existing functionality defined in detail, the new functionality stubbed out, and the VoiceXML 2.1 profile largely defined. By late-2009 the group expects to have all functionality defined and both profiles defined in detail.
See also: the W3C Voice Browser Activity
PAPE Approved as an OpenID Specification
Mike Jones, OpenID Announcement
On behalf of the OpenID's PAPE Working Group, Mike Jones announced the approval of PAPE 1.0: "The OpenID Foundation membership has approved OpenID Provider Authentication Policy Extension 1.0 as an OpenID specification by a vote of forty-two to three, with seven abstentions. This is a significant development for the OpenID community for two reasons: First, this is the first new specification to be developed under the OpenID Foundation's IPR policies and procedures, which ensure that all are free to use it (like the existing approved specifications)—paving the way for additional specifications to come. Second, the PAPE specification provides an important security enhancement to OpenID Authentication, which can be used with both OpenID 1.1 and OpenID 2.0. Specifically, the PAPE Specification enables Relying Parties to request that OpenID Providers employ specified authentication policies when authenticating users and for OpenID Providers to inform the Relying Parties which policies were actually used. With PAPE, for instance, a Relying Party can request that the OpenID Provider employ a phishing-resistant authentication method for authenticating the user, and know whether such a method was used or not. The specification can also be used to request multi-factor authentication and to learn what NIST level (or other levels) the authentication conforms to. At the time of this writing, the working group is aware of at least four implementations of the specification: PHP, Ruby, and Python development versions from OpenID Enabled and a .NET version from the DotNetOpenID project. The PAPE working group looks forward to seeing use of the specification help make OpenID interactions more secure in the real world!"
See also: the PAPE specification text
IBM's BPM Zero Project: RESTful Workflow Management
Jean-Jacques Dubray, InfoQueue
Christina Lau, distinguished engineer at IBM, recently gave a presentation at the Devoxx Conference 'BPM 2.0: a REST based architecture for next generation workflow management'. The goal of her presentation is to help us better understand BPM-as-a-Service (BaaS) to better prepare for it. Lau defines BaaS with five key concepts, based on Rashid Khan's post on the topic: (a) model and execute processes in a hosted environment; (b) integrate with both inside the firewall data and internet services; (c) business users collaborate to create the business processes with a browser using RIA technologies; (d) monitor, administer, rate, discuss processes over the internet; (e) Web-based reporting and monitoring (BAM) capabilities... She has initiated the BPM Zero project (which is part of IBM's Project Zero and ultimately WebSphere sMash) following these principles. BPM Zero will offer a Web-based BPMN editor. Her presentation also features specialized BPMN activities dubbed 'HTTP activities': Receive, Reply, Invoke. BPM Zero integrates with ILOG JRules to offer a business-centric configuration of decision services. Christina and her team see a tight integration between BPM Zero and what she calls 'RESTful SOA': Feeds, Twitter, Chat, email, SaaS (Google Apps), IaaS (Storage). She explains that a lightweight workflow can act as a scripting engine to tie together RESTful services. The key characteristics of this scripting language are: (1) Compatible subset of BPEL execution semantics; (2) Up and running in seconds; (3) Built-in extension mechanism; (4) Built-in security support... Recommendations to get ready for taking advantage of BPM-as-a-Service (include): use BPMN to describe your processes, REST-enable your Assets [make content simple and human readable (XML, Atom, JSON); make them available via URL with HTTP actions (GET, POST, PUT, DELETE)], and leverage low cost deployment and third party applications hosted on the cloud...
See also: the presentation
Researchers Hack VeriSign's SSL Scheme for Securing Web Sites
Robert McMillan, ComputerWorld
With the help of about 200 Sony Playstations, an international team of security researchers has devised a way to undermine one of the algorithms used to protect secure Web sites—a capability that the researchers said could be used to launch nearly undetectable phishing attacks. To accomplish that, the researchers said today that they had exploited a bug in the MD5 hashing algorithm used to create some of the digital certificates used by Web sites to prove they are what they claim to be. The researchers said that by taking advantage of known flaws in the algorithm, they were able to hack VeriSign Inc.'s RapidSSL.com certificate authority site and create fake digital certificates for any Web site on the Internet. Exploiting the MD5 bug to carry out an attack would be hard, because cybercrooks would first have to trick a victim into visiting the malicious Web site that hosts a fake digital certificate. That could be done, however, by using what's called a man-in-the-middle attack. Last August, for example, security researcher Dan Kaminsky showed how a major flaw in the Internet's Domain Name System could be used to launch such attacks. And with this latest research, it's now potentially easier to attack Web sites that are secured using Secure Sockets Layer (SSL) encryption, which relies on trustworthy digital certificates... Cryptographers have been gradually chipping away at the security of MD5 since 2004, when a team led by Shandong University's Wang Xiaoyun demonstrated flaws in the algorithm. Given the state of research into MD5, certificate authorities should have upgraded to more secure algorithms such as SHA-1 "years ago," said Bruce Schneier, a noted cryptography expert and chief security technology officer at BT PLC. RapidSSL.com will stop issuing MD5-based digital certificates by the end of January and is looking for ways to encourage its customers to move to new certificates after that, said Tim Callan, VeriSign's vice president of product marketing.
But first, Callan added, VeriSign wants to get a good look at the new research. Molnar and his team have communicated their findings to VeriSign indirectly, via Microsoft, but they have yet to speak directly to VeriSign, out of fear that it might take legal action to quash their talk...
See also: the complete MD5 details
SOA World: BPEL Coming to People
Manoj Das and Bhagat Nainani, SYS-CON Virtualization
Business systems and IT architectures have evolved to include process orchestration as a fundamental layer, due in no small part to the emergence and widespread adoption of the Web Services Business Process Execution Language (WS-BPEL) standard. Most real-world processes involve some human interaction, for example, for approvals or exception handling. While WS-BPEL addresses the industry's need for rich and standard service orchestration semantics, it does not cover human interaction with processes. Efforts are underway to address this gap in WS-BPEL with a set of specifications commonly referred to as BPEL4People. In this article, we provide an overview of the BPEL4People standards and explore how this standards area will emerge over the next few years... People often ask whether the BPEL4People specifications will cause changes to the BPEL specification itself. We do not anticipate such an impact. BPEL was designed with extensibility in mind, and the BPEL4People specifications comply with BPEL's extensibility mechanisms. It's reasonable to expect that the standard will not only become more rigorous but also include more functionality. Two enhancements that we hope will make it to the final standard are patterns and policies. We'd like to see support for common routing patterns (such as management chain approvals and group votes) in a simple, intuitive, and declarative fashion. Likewise, support for policies such as automatic skip and exception handling would be a welcome addition. While it's reasonable to expect that meaningful implementations of BPEL4People will be available only when the specification approaches the finish line, there are vendors, including Oracle, that essentially implement very similar concepts in a very similar architecture. In fact, the BPEL4People specifications were created by leveraging customer scenarios and requirements learned from support of such implementations. 
Also, within the broader umbrella of related standards in the business process management (BPM) area, the next frontier is standardization of notation and its alignment with BPEL and BPEL4People. Significant efforts are underway at the Object Management Group to define a Business Process Modeling Notation (BPMN) 2.0 specification. ... The field of Business Process Management (BPM) is experiencing renewed effort, propelled by the success of BPEL as a standard and its adoption by mainstream vendors and enterprises. BPEL skills, training, and resources are now widely available and the move away from proprietary skills and technologies is driving a lower total cost of ownership (TCO). The BPEL4People specifications address BPEL's lack of explicit support for human interactions and remove one of the very few objections to BPEL. The BPEL4People architecture, which separates the task engine from the process engine, also significantly reduces customer risk, because many customers can have multiple process engines but prefer to have a unified task list application. BPEL4People, along with BPMN, will complete the BPEL story for process management. We believe it will significantly increase the market adoption of BPM by mainstream enterprises...
See also: BPEL4People references
Last Call Review for 'Widgets 1.0: Packaging and Configuration'
Marcos Caceres (ed), W3C Technical Report
W3C's Web Applications Working Group has published the Last Call Working Draft for "Widgets 1.0: Packaging and Configuration." The Last Call period ends on January 31, 2009. This version reflects over two years of work addressing requirements 1 to 23 of the Widgets 1.0: Requirements document. The requirements were addressed and specified through extensive research, and via consultation with W3C members and the public via the Working Group's mailing lists. The purpose of this Last Call is to give external interested parties a final opportunity to publicly comment on how widgets should be packaged and configured before the Working Group makes a call for implementations. This specification standardizes a Zip-based packaging format, an XML-based configuration document format and a series of steps that user agents follow when processing and verifying various aspects of widgets. The packaging format acts as a container for files used by a widget. 'Widgets' are full-fledged client-side applications that are authored using Web standards. They are typically downloaded and installed on a client machine or device where they typically run as stand-alone applications outside of a Web browser. Examples range from simple clocks, stock tickers, news casters, games and weather forecasters, to complex applications that pull data from multiple sources to be "mashed-up" and presented to a user in some interesting and useful way. The XML-based configuration document is an XML vocabulary that authors can use to declare metadata and configuration parameters for a widget. The steps for processing a widget resource describe the expected behavior and means of error handling for widget user agents while processing the packaging format, configuration document, and other relevant files.
This document also defines conformance criteria and expected behavior for conformance checkers, which are tools that aid authors in verifying that Zip archives and configuration documents conform to the specification.
First Look: Linux Kernel 2.6.28 Officially Released
Ryan Paul, ars technica
Lead kernel developer Linus Torvalds has announced the official release of Linux 2.6.28. The new version introduces some noteworthy changes that will put the kernel in a strong position for growth and advancement in the coming year. This latest release follows a few months after version 2.6.27, which was released in October 2008... One of the most significant additions in 2.6.28 is the Graphics Execution Manager (GEM), a new GPU memory manager that was developed primarily by Keith Packard and Eric Anholt of Intel. In some early benchmarks that Intel conducted back in May, GEM was said to boost framerates by between 50 and 60 percent for Intel 915 graphics hardware. GEM represents a significant and much-needed step towards modernization for the Linux graphics stack... Another significant milestone in version 2.6.28 is that the ext4 filesystem has been declared stable and no longer designated as "experimental". As the successor to ext3, the most widely-used Linux filesystem, ext4 boosts performance and reliability and provides a clean migration path for existing ext3 users so that it can be adopted without necessitating a reformat. In ext4, the theoretical maximum filesystem size has been increased to 1 exabyte and the 32,000 limit on the number of subdirectories that can be contained in any given directory has been eliminated. The filesystem check (fsck) process is also significantly faster in ext4 thanks to the new uninitialized block group feature... Prominent Linux developer Greg Kroah-Hartman has left a particularly special present for kernel hackers under the source tree in 2.6.28. The -staging branch, which contains incomplete or unstable drivers, has been merged into the mainline kernel and placed in a new "staging" directory. It is hoped that this move will increase the visibility of work-in-progress drivers and encourage other developers to help contribute to the effort of readying them for full adoption...
See also: the summary from KernelNewbies
Microsoft Specs Out 'Pay-as-you-go' PC Scheme
Gregg Keizer, InfoWorld
Microsoft applied last week for a patent that spells out a "pay-as-you-go" concept where users would be charged for both the software they run and the computing horsepower they use. According to the patent application filed last week with the U.S. Patent and Trademark Office, the "Metered Pay-As-You-Go Computing Experience" scheme would meter software use and access to specific computer hardware. Fees would be charged against a pre-paid or billed account. "The current business model for computer hardware and software relies on a user purchasing a computer with hardware and software that is suited to the most demanding applications that the user expects to encounter," said Microsoft in the application. "Therefore, a user may buy a multi-core processor with a significant amount of memory and advanced video support for gaming applications that are only used on the weekend, while the user's day-in, day-out activities may involve little more than word processing or web-browsing." Microsoft's plan would instead monitor the machine to track things such as disk storage space, processor cores, and memory used, then bill the user for what was consumed during a set period. "A different business model may allow a more granular approach to hardware and software sales," Microsoft argued. "A computer may have individually metered hardware and software components that a user can select and activate based on current need. When the need is browsing, a low level of performance may be used and when network-based interactive gaming is the need of the moment, the highest available performance may be made available to the user." [...] The security module would also lock the PC to a specific supplier, perhaps an ISP, much as a subsidized cell phone is locked to a specific mobile carrier for the life of a contract. "The metering agents and ... 
the security module allow an underwriter in the supply chain to confidently supply a computer at little or no upfront cost to a user or business, aware that their investment is protected and that the scalable performance capabilities generate revenue commensurate with actual performance level settings and usage," said Microsoft...
See also: the ChannelWeb commentary
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/