A Cover Pages Publication http://xml.coverpages.org/
Provided by OASIS and Sponsor Members
Edited by Robin Cover
This issue of XML Daily Newslink is sponsored by:
IBM Corporation http://www.ibm.com
Headlines
- Kantara Initiative Announces Initial Focus Areas
- W3C Last Call Review for Delivery Context Ontology
- XSPA Profile of Security Assertion Markup Language (SAML) for Healthcare
- CMIS FileShare: Test Repository for CMIS Developers
- W3C Launches Open Web Education Alliance Incubator Group
- HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
- DISA Seeks Identity Management Technology
- Agile and UCD: Building the Right Thing, the Right Way
Kantara Initiative Announces Initial Focus Areas
Staff, Kantara Initiative Announcement
"Nearly forty-five (45) organizations from the global identity and Internet communities today announced the launch of Kantara Initiative, a new organization formed to solve the harmonization and interoperability challenges that currently exist among identity-enabled enterprise, Web 2.0 and Web-based applications and services. As of today's launch, nearly 20 initial work and discussion groups have been proposed by the growing Kantara Initiative community...
All output from Kantara Initiative will be based on open standards with the goal of ensuring end user convenience, security and privacy. A commitment to open standards means the Kantara Initiative community will collaborate on projects that make use of all of the identity frameworks, protocols and specifications in the marketplace today. This means solutions could be built based on one or a combination of several IAF, ID-WSF, IGF, Information Card, OAuth, OpenID, SAML 2.0, WS-*, XACML and XDI standards...
Proposed groups, which are being approved on an ongoing basis by the Leadership Council, include Concordia Use Cases, eGovernment, Federated Identity Model Agreement & Commentary (FIMAC), Health Identity and Assurance, Identity Assurance and Accreditation, Identity Provider Selection, Identity Theft Prevention, ID-WSF Evolution (OAuth Extensions), Japan, Multi-Protocol Identity Selector, Multi-Protocol Relying Party Deployment, Privacy and Public Policy, Telecommunications Identity, User Driven Information Technology and Volunteered Personal Information (VPI)..."
See also: the Kantara Initiative Dashboard
W3C Last Call Review for Delivery Context Ontology
José Manuel Cantera Fonseca and Rhys Lewis (eds), W3C Technical Report
Members of the W3C Ubiquitous Web Applications Working Group have published a Last Call Working Draft of the specification "Delivery Context Ontology." This W3C UWA Working Group focuses on extending the Web to enable distributed applications of many kinds of devices, including sensors and effectors. Application areas include home monitoring and control, home entertainment, office equipment, mobile and automotive.
The "Delivery Context Ontology" document defines a formal model of the characteristics of the environment in which devices interact with the Web or other services. The Delivery Context includes the characteristics of the Device, the software used to access the service and the Network providing the connection among others. The Delivery Context is an important source of information that can be exploited to create context-aware applications, thus providing a compelling user experience. The ontology is formally specified in the Web Ontology Language (OWL), and normative definition of the ontology terms is generated automatically from the OWL file.
See also: the W3C Ubiquitous Web Applications Activity
XSPA Profile of Security Assertion Markup Language (SAML) for Healthcare
Mike Davis, Duane DeCouteau, David Staggs (eds), OASIS Public Review Draft
Members of the OASIS Security Services (SAML) Technical Committee have published a public review draft of the specification "Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of Security Assertion Markup Language (SAML) for Healthcare Version 1.0," inviting comments through June 30, 2009. This profile describes a framework in which SAML is encompassed by cross-enterprise security and privacy authorization (XSPA) to satisfy requirements pertaining to information-centric security within the healthcare community.
The profile "describes a framework that provides access control interoperability useful in the healthcare environment. Interoperability is achieved using SAML assertions that carry common semantics and vocabularies in specified exchanges. It defines the minimum vocabulary necessary to provide access control over resources and functionality within and between healthcare information technology (IT) systems. Additional introductory information and examples can be found in the document "Cross-Enterprise Security and Privacy Authorization (XSPA) a Profile of Security Assertion Markup Language (SAML) Implementation Examples." Access Control Service (Service User): The XSPA profile of SAML supports sending all requests through an Access Control Service (ACS). The Access Control Service receives the Service User request and responds with a SAML assertion containing user authorizations and attributes. To perform its function, the ACS collects all the attributes (e.g. locality, structural role, functional role, purpose of use, requested resource, and actions) necessary to create the Service User requested assertion. In addition to creating the request, the requesting ACS is responsible for enforcing local security and privacy policy...
Access Control Service (Service Provider): The Service Provider ACS is responsible for the parsing of assertions, evaluating the assertions against the security and privacy policy, and making and enforcing a decision on behalf of the Service Provider. The profile utilizes the SAML 2.0 core specification to define the elements exchanged in a cross-enterprise service request that supports security and privacy policies. Requests MAY be exchanged using a SAML assertion containing elements such as 'saml:Issuer', 'saml:Subject', and 'saml:AttributeStatement'...
See also: the OASIS SAML TC public page
CMIS FileShare: Test Repository for CMIS Developers
Nico Rehmann, Blog
"A new test repository for CMIS developers is available in [CMIS FileShare] version 0.0.2... it uses the file system as its data store and therefore just provides limited functionality (no versioning, no relationships, no query, etc.). What is CMIS FileShare? CMIS FileShare is a lightweight server implementation of the 'Content Management Interoperability Services' (CMIS) interface... CMIS FileShare is supposed to be a tool for CMIS client and server developers and it shouldn't be used in productive environments. CMIS FileShare exposes folders in a file system as repositories. It doesn't require more than a Servlet container such as Tomcat to run... Although the CMIS specification is still a draft, several groups and individuals are already building implementations. CMIS client developers need a CMIS server and CMIS server developers sometimes require a second opinion on how the specification draft should be interpreted. CMIS FileShare should serve these needs. It's not meant to be a reference but a working view on the specification draft. Since it doesn't require real repository software it has a small footprint and it can be set up almost everywhere in minutes. CMIS FileShare is also designed to follow changes in the specification draft..."
See also: SourceForge CMIS FileShare Project
W3C Launches Open Web Education Alliance Incubator Group
Staff, W3C Announcement
"W3C is pleased to announce the creation of the Open Web Education Alliance Incubator Group, whose mission is to help enhance and standardize the architecture of the World Wide Web by facilitating the highest quality standards and best practice based education for future generations of Web professionals. The goal of this Incubator Group is to bring together interested individuals, companies, and organizations with a strong interest in the field of educating Web professionals, to explore the needs and issues around the topic of Web development education. The group will be chaired by John Allsopp.
The following W3C Members have sponsored the charter for this group: Adobe Systems Inc.; Mitsue-Links Co., Ltd; and Opera Software. This Incubator Group has been initiated by various independent projects and organizations such as the Opera Developer Community, Yahoo! Developer Network/Juku, Web Directions, Web Standards Project (WaSP) InterAct Curriculum, World Organization of Webmasters (WOW), and other groups, as a united forum within which to pursue their shared goals of improved Web development education.
Scope statement: "The current educational climate for Web development technologies and practices often does not meet the needs of industry. Because of significantly differing curricula and standards of quality between educational facilities, students are often not adequately prepared to immediately enter the Web development profession, and prospective employers do not have sufficient information to judge applicants' knowledge and skills. This is exacerbated by the rapidity of changes within the Web development industry, and by the varying implementations of technologies. Additionally, there is sometimes a disconnect between a theoretical approach, and the direct experience of professional developers who must adapt to the real-world capabilities of browsers. Finally, the wide scope of the profession, ranging from presentational design, to user interface design, to client-side and server-side programming, makes comprehensive education more difficult..."
See also: the W3C Incubator Activity
HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
Hugo Krawczyk and Pasi Eronen (eds), IETF Internet Draft
IETF has published an initial version -00 Internet Draft for the memo HMAC-based Extract-and-Expand Key Derivation Function (HKDF). From the Abstract: "This document specifies a simple HMAC-based key derivation function (HKDF) which can be used as a building block in various protocols and applications. The KDF is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions."
'Introduction' excerpt: "A key derivation function (KDF) is a basic and essential component of cryptographic systems. Its goal is to take some source of initial keying material, and derive from it one or more cryptographically strong secret keys. This document specifies a simple HMAC-based KDF, named HKDF, which can be used as a building block in various protocols and applications, and is already used in several IETF protocols, including "Internet Key Exchange (IKEv2) Protocol" (RFC 4306), "Protocol for Carrying Authentication for Network Access - PANA" (RFC 5191), and "Improved Extensible Authentication Protocol Method for Third Generation Authentication and Key Agreement - EAP-AKA'" (RFC 5448). HKDF follows the "extract-then-expand" paradigm where the KDF logically consists of two modules. The first stage takes the input keying material and "extracts" from it a fixed-length pseudorandom key K. The second stage "expands" the key K into several additional pseudorandom keys (the output of the KDF)...
In many applications, the input keying material is not necessarily distributed uniformly, and the attacker may have some partial knowledge about it (for example, a Diffie-Hellman value computed by a key exchange protocol) or even partial control of it (as in some entropy-gathering applications). Thus, the goal of the "extract" stage is to "concentrate" the possibly dispersed entropy of the input keying material into a short, but cryptographically strong, pseudorandom key. In some applications, the input may already be a good pseudorandom key; in these cases, the "extract" stage is not necessary, and the "expand" part can be used alone. The second stage "expands" the pseudorandom key to the desired length; the number and lengths of the output keys depend on the specific cryptographic algorithms for which the keys are needed.
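The two-stage construction described above, written out as an added example in Python (not code from the draft or the newsletter): `hkdf_extract` concentrates the input keying material into a fixed-length PRK, `hkdf_expand` stretches that PRK into as much output keying material as the caller's algorithms need, and, where the input is already a good pseudorandom key, `hkdf_expand` is used on its own. The expected values in the comments are test case 1 of RFC 5869, which later standardized this draft with the same algorithm; the "enc"/"mac" labels are constructed for illustration.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt, ikm):
    """Extract stage: PRK = HMAC-Hash(salt, IKM).
    A missing or empty salt is replaced by HashLen zero bytes, so the
    function is still usable when no salt is available."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """Expand stage: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), i = 1, 2, ...
    concatenated and truncated to `length` bytes. The single-byte counter
    caps the output at 255 * HashLen bytes; asking for more is an error."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm = b""
    t = b""          # T(0) is the empty string
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt, ikm, info, length):
    """Full extract-then-expand KDF."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


if __name__ == "__main__":
    # RFC 5869 test case 1 (SHA-256): constructed inputs from the RFC.
    ikm = b"\x0b" * 22
    salt = bytes(range(13))                  # 00 01 ... 0c
    info = bytes(range(0xF0, 0xFA))          # f0 f1 ... f9
    prk = hkdf_extract(salt, ikm)
    print(prk.hex())  # 077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5
    print(hkdf_expand(prk, info, 42).hex())
    # 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865
    # Expand-only use: one PRK, two independent keys distinguished by `info`.
    print(hkdf_expand(prk, b"enc", 16).hex(), hkdf_expand(prk, b"mac", 16).hex())
```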
DISA Seeks Identity Management Technology
Doug Beizer, Federal Computer Week
U.S. Defense Department officials want to learn more about emerging identity and access management technologies used to get access to the department's computers and networks, according to an information request from the Defense Information Systems Agency (DISA)... DISA officials plan to evaluate emerging identity management techniques such as role-based access control, attribute-based access control, and risk-adaptive access control. With role-based access control, workers are not assigned individual permissions because organizations create roles for various job functions and permissions to access certain systems are assigned to specific roles...
According to "Identity and Access Management (IdAM) Development and Sustainment Support" (Solicitation Number E200247): "The Defense Information Systems Agency (DISA), Program Executive Office - Information Assurance/NetOps (PEO-IAN), is conducting this Request for Information (RFI) as market research to determine sources with CORE competencies and demonstrated experience in conducting experiments, pilots, and participating in exercises to demonstrate Identity and Access Management (IdAM) technical capabilities and product performance with regards to management of user authorizations, e.g. Privilege Management. Areas of focus will include development of a Privilege Management strategy for the DoD and evaluation and integration of implementation techniques such as Role Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Risk Adaptive Access Control (RAdAC). The DoD's net-centric information sharing environment, and evolution towards increased interoperability with other federal agencies and coalition partners, requires applications and systems to evolve their current authentication, authorization, and access control paradigms to support both anticipated and unanticipated users..."
See also: Defense Information Systems Agency Solicitation Number E200247
Agile and UCD: Building the Right Thing, the Right Way
Jon Dickinson and Darius Kumana, DevX.com
Since the Agile Manifesto was published, various software development methodologies that follow the manifesto's values have steadily gained popularity. Many organizations are adopting these lightweight processes to get their software built... another emerging methodology, User-Centered Design (UCD), focuses entirely on designing to meet the goals of real users. If Agile software development is about building the thing right, then UCD is about building the right thing. Understanding the needs and goals of the users is incredibly important to the success of software projects. It is certainly as important as other issues that receive a lot more attention, such as delivering on time and the maintainability of a system. Who wants to build software that is not going to be used or makes it harder for users to do their jobs? And how long will users accept clunky, difficult-to-use software? Projects often need to be re-implemented due to an unmaintainable code base or a legacy technology. If you are building software in a competitive market, the issue of software usability can mean the difference between a profitable company and going bust. This article explains how to integrate Scrum with UCD, as Scrum recently has become the most popular Agile methodology.
Sponsors
XML Daily Newslink and Cover Pages sponsored by:
IBM Corporation: http://www.ibm.com
Microsoft Corporation: http://www.microsoft.com
Oracle Corporation: http://www.oracle.com
Primeton: http://www.primeton.com
Sun Microsystems, Inc.: http://sun.com
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/