Standards Body Investigates C4I Security Tagging
Joab Jackson, Government Computer News
The Object Management Group's (OMG) working group for Command, Control, Communications, Computers and Intelligence (C4I) has begun investigating the possibility of either developing or adopting a set of standardized security tags that different service commands could use to share information among themselves, as well as with intelligence agencies and foreign military services. Meeting this week at an OMG conference held in Washington, the group is investigating whether any existing Extensible Markup Language-based (XML) standards will work for this task, or if it should develop a new set of tags entirely. The tags will be used by the middleware that bridges different C4I systems. When military data is passed from one system to another, the classification, or sensitivity level, of the data is frequently needed to determine how that data is processed. Without a previously agreed-upon definition of sensitivity level, the data must be channeled through point-to-point exchanges, which can be cumbersome to set up, or even conveyed by hand. A set of tags, if used by all the parties in a transaction, would provide a universal way of understanding the sensitivity of information being transmitted. Ideally, the tags would be used by the combat systems of multiple countries, so that allied forces could share information... Among the existing security standards that the group is considering adopting are those from the [U.S.] National Information Exchange Model (NIEM). The Defense Department has already adopted the NIEM data model for security elements. Originally named the Global Justice XML Data Model (JXDM), this XML-based data model was first used to share information across state, local and federal criminal justice agencies, explained Jim Pringle, a NIEM spokesperson who gave a presentation at the workgroup meeting. NIEM has since been expanded to incorporate other elements of homeland defense-related data sharing...
NIEM is a collection of data models from different domains of expertise, such as law enforcement or court proceedings, organized under a single namespace. By using NIEM, an agency can reduce the number of different exchange protocols it maintains with outside systems. For the security tagging, NIEM adopted the Intelligence Community Information Security Marking (IC-ISM), released in 2008 by the Director of National Intelligence. It is based on the current U.S. classification system...
See also: the C4I Task Force Work Plan
Location-to-Service Translation Protocol (LoST) Extensions
Andrea G. Forte and Henning Schulzrinne (eds), IETF Internet Draft
Members of the IETF Emergency Context Resolution with Internet Technologies (ECRIT) Working Group have published a revised specification for "Location-to-Service Translation Protocol (LoST) Extensions." Section 10 provides a RELAX NG Schema in XML Syntax. Overview: An important class of location-based services answers the question "What instances of this service are closest to me?" Examples include finding restaurants, gas stations, stores, automated teller machines, wireless access points (hot spots) or parking spaces. The Location-to-Service Translation (LoST) protocol (IETF RFC 5222) maps service identifiers (URNs) and civic or geospatial information to service URIs, based on service regions. While motivated by mapping locations to the public safety answering point (PSAP) serving that location, the protocol has been designed to generalize to other location mapping services. However, the current LoST query model assumes that each service URI has a service region and that service regions do not overlap. This fits the emergency services model, where the service region of a PSAP is given by jurisdictional boundaries, but does not work as well for other services that do not have clearly defined boundaries. For example, any given location is likely served by a number of different restaurants, depending on how far the prospective customer is willing to walk or drive. In emergency services, as soon as the service region changes, the client queries the LoST server in order to discover the new PSAP. This is important since clients need to know their PSAP before an emergency occurs, so that no time is wasted in discovering the correct PSAP during the emergency. Other location-based services are not as critical as emergency services, and points of interest can be discovered on demand, at the time they are needed and not before. Because of this, for location-based services other than emergency services, in many cases service regions will be of little or no use.
This specification describes an extension that allows queries "N nearest" and "within distance X". The former returns the N points of interest closest to the client's physical location, the latter discovers all those points of interest residing within a given distance from the client's physical location.
See also: the IETF ECRIT Working Group
Eclipse Shines a Light on the IDE's Future: Eclipse 4 and Swordfish
Sean Michael Kerner, InternetNews.com
The open source Eclipse Foundation has its eye on making its integrated development environment (IDE) ready for the future, with new projects designed to better adapt to cloud-based architectures and to stake a claim in runtime frameworks. The projects, unveiled during the foundation's annual EclipseCon developer conference, include the debut of the Swordfish Enterprise Service Bus, or ESB, which is intended to enable more modular service-oriented architecture deployment. Swordfish is a next-generation enterprise service bus (ESB) that provides the flexibility and extensibility required by enterprises to successfully deploy a service-oriented architecture (SOA) strategy. Swordfish is based on the OSGi standard and builds upon successful open source projects, including Eclipse Equinox and Apache ServiceMix... While Eclipse is well known for its developer tools like its namesake Eclipse IDE, Swordfish signals that it's aiming to make a name for itself in runtime frameworks as well. Both come as applications of all sizes continue to migrate to the Web, to cloud-based delivery platforms and service-oriented enterprise architectures. As a result, developers and their tools are evolving to meet the modern reality. That's especially critical for the powers behind the Eclipse framework, which has emerged as an important infrastructure element for modern application development and the basis for tools from IBM, Oracle, SAP, Red Hat and others. Since its inception, however, the core Eclipse IDE has been a desktop application, a fact that's now poised to change. Swordfish, for instance, is taking Eclipse in a new direction. The SOA runtime is an ESB based on OSGi, the plug-in architecture used for everything at Eclipse. Its key features include a dynamic services registry, so services can be more loosely coupled and deployed. Scalability is also a key theme, with support for a distributed ESB.
Milinkovich also said Swordfish includes remote configuration agents and an extensible monitoring framework to monitor events and allow for detailed tracking...
See also: the announcement
OAuth Request Body Hash 1.0
Brian Eaton, Community Draft
This specification extends the OAuth signature to include integrity checks on HTTP request bodies with content types other than 'application/x-www-form-urlencoded'... The OAuth Core specification (OAuth Core Workgroup, 'OAuth Core 1.0') provides body integrity checking only for 'application/x-www-form-urlencoded' request bodies. Other types of request bodies are left unsigned. An eavesdropper or man-in-the-middle who captures a signed request URL may be able to forward or replay that URL with a different HTTP request body. Nonce checking and the use of https can mitigate this risk, but may not be available or effective in some environments. This specification describes a method to provide an integrity check on the request body without requiring signatures of arbitrary byte streams. An unkeyed hash of the request body is taken, the resulting hash value is added to the list of OAuth parameters, and the normal OAuth signature base string is signed. This extension is forward compatible: Service Providers that have not implemented this extension can verify requests sent by Consumers that have implemented this extension. If the Service Provider implements this specification the integrity of the body is guaranteed. If the Service Provider does not check body signatures, the remainder of the request will still validate using the OAuth Core signature algorithm. This specification is only useful when cryptographic signatures are used. The OAuth PLAINTEXT signature algorithm does not provide integrity checks for any portion of the request... Hash Algorithm: The body hash algorithm is determined by the OAuth signature method used. (1) If the OAuth signature method is HMAC-SHA1 or RSA-SHA1, SHA1 MUST be used as the body hash algorithm. (2) If the OAuth signature method is PLAINTEXT, use of this specification provides no security benefit and is NOT RECOMMENDED. New OAuth signature methods SHOULD specify the hash algorithm used to generate the body hash. 
From Appendix B: "This specification deliberately uses an unkeyed hash algorithm (SHA-1) to provide an integrity check on the body instead of a keyed hash algorithm such as HMAC-SHA1. This decision was made because signing arbitrary octet streams is poor cryptographic hygiene. It can lead to unexpected problems with cryptographic protocols. For example, consider a proxy that uses OAuth to add authentication information to requests sent by an untrusted third-party. If the proxy signs arbitrary octet streams, the third-party can use the proxy as an oracle to forge authentication messages. Including the result of an unkeyed hash in the normal signature base string allows the proxy to add an integrity check on the original message without creating a signing oracle..."
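The mechanism described above, worked through as an added example (this is not code from the draft or from any OAuth library): the Consumer hashes the non-form body with unkeyed SHA-1, carries the base64 digest in the `oauth_body_hash` parameter, and signs the ordinary OAuth base string with HMAC-SHA1. The `verify_request` switch `implements_body_hash=False` models the forward-compatibility case of a Service Provider that does not know the extension; the keys, secrets and JSON body are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(s: str) -> str:
    # OAuth Core 1.0 parameter encoding: only RFC 3986 unreserved characters are left bare
    return quote(s, safe="-._~")


def body_hash(body: bytes) -> str:
    # For HMAC-SHA1 / RSA-SHA1 the extension mandates SHA-1 (unkeyed), base64-encoded
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # OAuth Core 1.0 base string: METHOD & enc(URL) & enc(sorted "k=v" pairs joined by '&').
    # The body is not application/x-www-form-urlencoded, so only oauth_* parameters appear;
    # the body reaches the signature solely through the oauth_body_hash parameter.
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1(base: str, consumer_secret: str, token_secret: str = "") -> str:
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    return base64.b64encode(hmac.new(key, base.encode("utf-8"), hashlib.sha1).digest()).decode("ascii")


def sign_request(method, url, oauth_params, body, consumer_secret, token_secret=""):
    # Consumer side: add oauth_body_hash to the parameter set, then sign exactly as in OAuth Core
    params = dict(oauth_params)
    params["oauth_body_hash"] = body_hash(body)
    params["oauth_signature"] = hmac_sha1(signature_base_string(method, url, params),
                                          consumer_secret, token_secret)
    return params


def verify_request(method, url, received, body, consumer_secret, token_secret="",
                   implements_body_hash=True):
    # Service Provider side. implements_body_hash=False models a legacy provider that treats
    # oauth_body_hash as an opaque extra parameter: the signature still validates, but a
    # swapped body goes unnoticed. Constant-time comparisons avoid timing leaks on either check.
    params = dict(received)
    presented = params.pop("oauth_signature", None)
    if presented is None:
        return False
    expected = hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)
    if not hmac.compare_digest(presented, expected):
        return False
    if implements_body_hash and "oauth_body_hash" in params:
        return hmac.compare_digest(params["oauth_body_hash"], body_hash(body))
    return True


# Constructed sample request: a JSON body, which OAuth Core alone would leave unsigned
URL = "https://api.example.com/v1/orders"
CONSUMER_SECRET, TOKEN_SECRET = "example-consumer-secret", "example-token-secret"
OAUTH_PARAMS = {"oauth_consumer_key": "example-key", "oauth_token": "example-token",
                "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1237500000",
                "oauth_nonce": "a1b2c3d4", "oauth_version": "1.0"}
BODY = b'{"item": "widget", "quantity": 1}'
TAMPERED_BODY = b'{"item": "widget", "quantity": 9000}'
```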
Internet Explorer 8 Final Available Now
Dean Hachamovitch, Microsoft IEBlog
IE8 makes what real people do on the web every day faster, easier, and safer. Anyone running Windows Vista, Windows XP, and Windows Server can get 32- and 64-bit versions now... We've blogged a lot here about what's in IE8. Stepping back from individual features, Internet Explorer is focused on how real people use the Web. We designed the product experience based on real-world data from tens of millions of user sessions. We worked closely with developers and standards groups to deliver a far better platform for the people who build the web. We cooperated closely with the security community to address the real threats that users face on the web, and keep users in control of their browsing and information. The resulting product takes a 'batteries included,' just works out of the box approach to delivering the next browser for how hundreds of millions of people really use the web. We think it will surprise people who haven't looked closely at IE in a while. Perhaps it's time to re-think conventional wisdom about IE. Today at the MIX conference, we showed IE8's technology and design in the context of what real people do all the time on the web... (1) You get where you want to go faster with real world performance. The core activity in the browser is navigating to a website. IE8 makes that faster and easier with its new address bar, new tab experience, favorites bar, and history in search box. IE8 is faster than IE7, and favorable to today's other browsers on today's common sites. Script benchmarks measure script; overall browser performance involves many different factors. Looking at a slow motion video of today's common web sites in the latest browsers, IE is often the fastest at real world sites. Unlike some other browsers, IE isolates misbehaving sites so that only that tab, not the entire browser, crashes. (2) Use more of the web, easier: With IE8, people can get what they want out of web pages, often with just one-click, in the flow of their regular browsing. 
Webslices make it easy to stay up to date on the latest information from a web page (like weather, traffic, or status updates). Accelerators make it easy to act on the current page (mapping, sending, sharing, etc.) using another web service without the tedious work of 'copy, new tab, navigate, paste'... (3) Stay safer from real world threats: IE8 has built-in protections to keep users safe from real threats. These defenses are easy to understand and use, from highlighting the current site's domain in the address bar to the clear indicator when IE is browsing 'InPrivate.' IE provides protection from today's dangers, like malicious software downloads, as well as tomorrow's, like cross-site scripting attacks. (4) Build on real world interoperability, standards, and compatibility. IE8 shows Microsoft's commitment to an open and interoperable web. IE8 by default shows web pages in its most standards compliant mode. With IE8, we're delivering the most complete and correct implementation of CSS 2.1 available in any browser...
See also: the MSIE 8 download site
Collection Synchronization for WebDAV
Cyrus Daboo (ed), IETF Internet Draft
WebDAV (IETF RFC 4918) defines the concept of 'collections' which are hierarchical groupings of WebDAV resources on an HTTP (RFC 2616) server. Collections can be of arbitrary size and depth (i.e., collections within collections). WebDAV clients that cache resource content need a way to synchronize that data with the server (i.e., detect what has changed and update their cache). This can currently be done using a WebDAV PROPFIND request on a collection to list all members of a collection along with their HTTP ETag values, which allows the client to determine which resources were changed, added or deleted. However, this does not scale well to large collections, as the XML response to the PROPFIND request will grow with the collection size. One way to synchronize data between two entities is to use some form of synchronization token. This defines the state of the data being synchronized at a particular point in time. That token can then be used to determine what has changed between one point in time and another. HTTP already defines a synchronization token in the form of an entity tag which is attached to a resource. However, the entity tag is not always required to be 'strong' and thus cannot be relied on absolutely as a valid synchronization indicator. In addition, there is no concept of an entity tag for a collection's contents. This specification defines a new WebDAV REPORT that results in the server returning to the client only information about those resources which have changed, are new or were deleted since a previous execution of the REPORT on the collection. In order to synchronize the contents of a collection between a server and client, the server provides the client with a synchronization token each time the synchronization REPORT is executed. That token represents the state of the data being synchronized at that point in time.
The client can then present that same token back to the server at some later time and the server will return only those items that are new, have changed or were deleted since that token was generated. The server also returns a new token representing the new state at the time the REPORT was run. Additionally, a new property is added to collection resources that is used to convey a "synchronization token" that is guaranteed to change when the contents of the collection have changed... This document uses XML DTD fragments (XML 1.0, Section 3.2) as a purely notational convention. WebDAV request and response bodies cannot be validated by a DTD due to the specific extensibility rules defined in Section 17 of RFC 4918 and due to the fact that all XML elements defined by this specification use the XML namespace name "DAV:".
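The server side of the REPORT just described, as an added example (not code from the draft or from any WebDAV server): a collection keeps a monotonically increasing change sequence, records deletions as tombstones, mints a token from the sequence, and answers a REPORT by returning only members changed, added or deleted after the sequence the presented token encodes. The token URN scheme, the hrefs and ETags are constructed; the `DAV:sync-token` element name and the `DAV:multistatus` response layout are taken from the published sync specification, not from the digest above.

```python
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

DAV = "DAV:"
TOKEN_PREFIX = "urn:example:sync:"   # constructed token scheme; opaque to clients


@dataclass
class Collection:
    seq: int = 0                                   # increments on every change
    live: dict = field(default_factory=dict)       # href -> (etag, seq of last change)
    tombstones: dict = field(default_factory=dict) # href -> seq at which it was deleted

    def put(self, href: str, etag: str) -> None:
        self.seq += 1
        self.live[href] = (etag, self.seq)
        self.tombstones.pop(href, None)            # re-created resource is no longer deleted

    def delete(self, href: str) -> None:
        self.seq += 1
        self.live.pop(href, None)
        self.tombstones[href] = self.seq           # keep a tombstone so clients learn of it

    def token(self) -> str:
        return f"{TOKEN_PREFIX}{self.seq}"


def parse_token(token):
    # An absent/empty token means "initial sync": report everything that exists
    if not token:
        return 0
    if not token.startswith(TOKEN_PREFIX) or not token[len(TOKEN_PREFIX):].isdigit():
        raise ValueError("invalid sync token")    # a real server would answer 403/400 here
    return int(token[len(TOKEN_PREFIX):])


def sync_report(coll: Collection, token=None):
    """Return (changed {href: etag}, deleted [href], new token) relative to `token`."""
    since = parse_token(token)
    changed = {h: e for h, (e, s) in coll.live.items() if s > since}
    deleted = sorted(h for h, s in coll.tombstones.items() if s > since)
    return changed, deleted, coll.token()


def render_multistatus(changed: dict, deleted: list, new_token: str) -> str:
    # Serialize the REPORT response; every element lives in the DAV: namespace
    ET.register_namespace("D", DAV)
    ms = ET.Element(f"{{{DAV}}}multistatus")
    for href, etag in sorted(changed.items()):
        r = ET.SubElement(ms, f"{{{DAV}}}response")
        ET.SubElement(r, f"{{{DAV}}}href").text = href
        ps = ET.SubElement(r, f"{{{DAV}}}propstat")
        ET.SubElement(ET.SubElement(ps, f"{{{DAV}}}prop"), f"{{{DAV}}}getetag").text = etag
        ET.SubElement(ps, f"{{{DAV}}}status").text = "HTTP/1.1 200 OK"
    for href in deleted:
        r = ET.SubElement(ms, f"{{{DAV}}}response")
        ET.SubElement(r, f"{{{DAV}}}href").text = href
        ET.SubElement(r, f"{{{DAV}}}status").text = "HTTP/1.1 404 Not Found"
    ET.SubElement(ms, f"{{{DAV}}}sync-token").text = new_token
    return ET.tostring(ms, encoding="unicode")
```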
Selected from the Cover Pages, by Robin Cover
The Distributed Management Task Force (DMTF) has announced publication of Open Virtualization Format Specification Version 1.0.0 as a DMTF Standard. The Open Virtualization Format (OVF) Specification describes an open, secure, portable, efficient and extensible format for the packaging and distribution of software to be run in virtual machines. The OVF Specification was produced by members of the DMTF System Virtualization, Partitioning, and Clustering Working Group as part of VMAN. DMTF's Virtualization Management Initiative (VMAN) "includes a set of specifications that address the management lifecycle of a virtual environment. VMAN's OVF (Open Virtualization Format) specification provides a standard format for packaging and describing virtual machines and applications for deployment across heterogeneous virtualization platforms." As described in the OVF Technical Note, OVF "is a common packaging format for ISVs to package and securely distribute virtual appliances. A virtual appliance is a pre-built software solution, comprised of one or more VMs that are packaged, maintained, updated and managed as a unit. By creating virtual appliances, software developers can ship preinstalled, pre-configured solutions that enable end-users to literally plug applications into their environments with minimal effort. This enables portability of virtual appliances across multiple virtualization platforms and products... OVF uses XML for capturing metadata about a virtual appliance. By packaging virtual appliances in OVF, independent software vendors can create a single pre-packaged appliance that can run on customers' virtualization platforms of choice. OVF provides metadata that can be used to simplify the installation and deployment process for customers. Customers also get greater flexibility by facilitating the mobility of virtual appliances across diverse virtualization platforms. The OVF XML file contains metadata about VMs and includes multiple sections.
These sections contain metadata such as virtual disk, network, resource requirements (e.g., CPU and memory limits), licensing, product, VM startup sequence as well as configuration information about one or more virtual machines. OVF is extensible and enables the OVF package author/creator to include additional metadata..." Key benefits of the OVF standard include: Portable virtual machine (VM) packaging; Optimization for secure distribution; Simplified installation and deployment; Support for both single VM and multi-VM configurations; Vendor and platform independent; Extensible; Localizable.
XML Daily Newslink and Cover Pages sponsored by:
Sun Microsystems, Inc.: http://sun.com
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/