This issue of XML Daily Newslink is sponsored by:
Oracle Corporation http://www.oracle.com
- Delivering XML Content to the Derivatives Markets
- Google Apps + OpenID = Identity Hub for SaaS
- More Holes Found in Web's SSL Security Protocol
- OpenSSO Express 8.0: Sun Updates Key Components of Identity Management Portfolio
- SAFE (Server-Side Asynchronous Framework Execution) Scripting Method
- Proposal to Edit Wikipedia Article on XML
- Integrate Creative Commons Licensing Into Your Content with ccREL
- Encryption Key Management: New Standards on the Horizon
- Interview on Wolfram-Alpha, a Computational Knowledge Engine
Delivering XML Content to the Derivatives Markets
Staff, KM-World Magazine
DocGenix, a provider of legal risk management solutions for international financial markets, announced that it has deployed MarkLogic Server from Mark Logic to deliver XML content generated by the DocGenix inSight service.
According to the announcement text: "The docGenix inSight service utilizes proprietary legal data sequencing technology to translate and represent as XML the complex legal, credit, and operational terms contained in the legal agreements that govern relationships between participants in global over-the-counter (OTC) derivatives markets. This documentation is based on the legal contract suite published by the International Swaps and Derivatives Association, Inc. (ISDA). docGenix delivers the XML generated via its legal data sequencing technology to its customers via Synopsys, a MarkLogic-based application. docGenix customers now have an enhanced level of operational, documentation, and risk management capabilities demanded by today's challenging business and regulatory environment. The explosive growth of the OTC derivatives markets has been fuelled in part by the existence of ISDA's suite of legal contracts. As these contracts have proliferated, docGenix and its customer base have found that traditional methods of documentation risk management have made it difficult for OTC participants to rapidly analyze legal documentation portfolios that can number in the tens of thousands. As a result, institutions are prevented from reacting swiftly to market events."
See also: the MarkLogic announcement
Google Apps + OpenID = Identity Hub for SaaS
Yariv Adan, Google Announcement
Google announced "that the Google OpenID Federated Login API has been extended to Google Apps accounts used by businesses, schools, and other organizations. Individuals in these organizations can now sign in to third party websites using their Google Apps account, without sharing their credentials with third parties. In addition, Google Apps can now become an identity hub for multiple SaaS providers, simplifying identity management for organizations. For example, when integrated with partner solutions such as PingConnect from Ping Identity, the Google Open ID Federated Login API enables a single Google Apps login to help provide secure access to services like Salesforce.com, SuccessFactors, and WebEX—as well as B2B partners, internal applications, and of course consumer web sites...
If you prefer an out-of-the-box solution, we have been working with JanRain, a provider of OpenID solutions that already supports the new API as part of their RPX product. Supporting the API for Google Apps accounts is exciting news for the OpenID community, as it adds numerous new Identity Provider (IDP) domains and increases the OpenID end user base by millions. In order to allow websites to easily become Relying Parties for these many new IDPs and users, we defined a new discovery protocol. The protocol is designed to allow Relying Parties to identify that a given domain is hosted on Google Apps and to help provide secure access to its OpenID Provider End Point. The current proposal is an interim solution, and we are participating in several standardization organizations, such as OASIS and the OpenID Foundation, to generate a next-generation standard..."
More Holes Found in Web's SSL Security Protocol
Robert McMillan, ComputerWorld
"Security researchers have found some serious flaws in software that uses the SSL (Secure Sockets Layer) encryption protocol used to secure communications on the Internet. At the Black Hat conference in Las Vegas, researchers unveiled a number of attacks that could be used to compromise secure traffic travelling between Web sites and browsers. This type of attack could let an attacker steal passwords, hijack an on-line banking session or even push out a Firefox browser update that contained malicious code... The problems lie in the way that many browsers have implemented SSL, and also in the X.509 public key infrastructure system that is used to manage the digital certificates used by SSL to determine whether or not a Web site is trustworthy...
Kaminsky and Sassaman say there are a raft of problems in the way SSL certificates are issued that make them insecure. All of the researchers agreed that the X.509 system that is used to manage certificates for SSL is out-of-date and needs to be fixed..."
See also: The Register
OpenSSO Express 8.0: Sun Updates Key Components of Identity Management Portfolio
Staff, Sun Microsystems Announcement
"Sun Microsystems, Inc. has announced new versions of OpenSSO Express and Sun OpenDS Standard Edition software, updating key components of its open source identity management portfolio. With OpenSSO Express 8.0, customers will benefit from simple, open, and Internet-scale security for .NET and Java-based applications, as well as software-as-a-service (SaaS) applications in a cloud environment. With Sun OpenDS Standard Edition 2.0 software, customers will benefit from better performance and scalability for large-scale deployments...
OpenSSO Express 8.0 is the first access management solution to provide mobile one-time password, which allows two-factor authentication out-of-the box without the need for a third party product. In addition, OpenSSO Express 8.0 also includes Fedlet support for .NET applications and rapid salesforce.com federation... Sun's award-winning Fedlet now supports .NET applications, allowing any SAML 2.0 identity provider to quickly federation-enable .NET service providers without compromising capabilities. A mere 1.5MB download, the Fedlet can be deployed in minutes, allowing companies, running a single Web application that are not interested in deploying and maintaining an entire federation infrastructure, to run a standalone service provider...
Additionally, Sun's OpenSSO Express 8.0 now offers rapid salesforce.com federation, allowing users to directly access Salesforce CRM and Force.com built applications using their enterprise login in just a few minutes. OpenSSO Express is the only access control solution that includes access management, federation, and secure Web services in a single product. OpenSSO Express is available in the world's largest open source, identity management project called OpenSSO."
See also: the Open Web SSO Project (OpenSSO)
SAFE (Server-Side Asynchronous Framework Execution) Scripting Method
Austin Cheney (ed), IETF Internet Draft
An updated IETF individual submission has been published for a "SAFE (Server-side Asynchronous Framework Execution) Scripting Method." The SAFE Scripting Method is a model for allowing application interactivity in email while simultaneously eliminating security vulnerabilities associated with client-side scripting.
SAFE Scripting Method has only two intended objectives: (1) The model provides a method to allow behavior, or event-oriented, execution of programmatic application code across email. Such code will be referred to as script. (2) This model seeks to provide an alternative to client-side scripting of world wide web (WWW) documents free of security vulnerabilities with cross-site scripting (XSS) and cross-site request forgery (CSRF).
"The first requirement is a standardized and well understood document structure definition, such as a markup language, that conforms to the conventions of the standardized Document Object Model (DOM) and accurately describes data intended for transmission across SMTP while simultaneously representing sufficient current common practices of representing or describing data intended for distribution as email or SMTP, which MUST NOT be (X)HTML... (2) The second requirement is a standardized and widely adopted transmission scheme that reflects the primitive model defined by RFC 5321... (3) The third requirement is a certificate authority granting organization that is entirely external to any organization providing Requirement 1 (Markup) or Requirement 2 (Protocol). This requirement shall be arbitrarily referred to as CA, short for certificate authority, for the remainder of this document. The third requirement is the standardization and adoption of a new programming language object, XMLSmtpPush object, which is intended to offer comparable functionality to the XMLHttpRequest object available on the WWW..."
Proposal to Edit Wikipedia Article on XML
Tim Bray, XML Developers List Posting
"I stumbled into Wikipedia's XML entry today and it's terrible. Sprawling, badly-organized, full of inessentials including some nonsense. I'm going to invest a few hours part-time in coming weeks in trying to make it smaller and cleaner. There are some related articles that need to be written, like maybe one on data formats for interchange purposes (sequester the whole boring XML vs JSON vs YAML vs S-exps over there). Based on early efforts, I smell the possibility of edit wars; there's one gentleman who's defending an assertion, in the 2nd paragraph of the intro, that s-expressions are isomorphic to XML but no other data formats are... If anyone wants to help, or to join a discussion on how the article should be structured, that'd be nice..."
Michael Kay replies in the XML-DEV thread: "The closer you get to subjects that first-year undergraduates have heard about, the more likely you are to find very poor quality articles in Wikipedia: the main problem is editing by people who don't realise how superficial their knowledge is. Another problem is structural decay of articles due to accretion of facts that distract from the overall story line. And yes, there's also the challenge of dealing with edits by people who want to promote the benefits of some alternative language or technology. Often, what they say has an element of truth; the problem is that it isn't necessarily relevant to the purposes or intended readership of the article. But it can also serve as a useful reminder that there are alternative points of view: we spend a lot of time talking to friends in the same technical community, and often ignore what people outside that community are saying."
See also: the XML-DEV thread
Integrate Creative Commons Licensing Into Your Content with ccREL
Judith Myerson, IBM developerWorks
"With Web 2.0, Cloud, and SOA, it's more important than ever to have a clear understanding of who owns information and what you are permitted to do with it. The Creative Commons License contains a mechanism for providing more open usage rights without giving up ownership. The Creative Commons (CC) Rights Expression Language (ccREL) allows you to embed this information into Web content so that information owners and information users can clearly see the rights granted and choose accordingly, even through automation...
Creative Commons is an alternative to traditional copyright, which is often designated as "some rights reserved." The purpose of the CC license is to permit some level of sharing of a creative work while retaining rights of ownership and commercial usage... In a previous article I wrote about the problems with proprietary Digital Rights Management (DRM) technologies and suggested some solutions. I wrote about license and work properties you should consider when you select a license. I gave an example of a cross-browser menu of usage rights criteria, permissions, constraints, and requirements that the consumer can choose. In this article, I explain how you can describe a Creative Commons (CC) license with CC Rights Expression Language (ccREL). I show you the abstract model for ccREL, what license types are available, and I give you an application example to show how you can integrate ccREL into your content..."
See also: Creative Commons references
Encryption Key Management: New Standards on the Horizon
Alan Earls, SearchDataBackup.com
"Encryption is not only increasingly desirable, it is often mandatory. But while encryption is proliferating, the means for tracking and managing the keys that make encryption schemes workable has not kept up... Security vendors, currently tend to offer key management products tightly linked to some particular set of storage products. For instance, Hewlett-Packard Co. offers its HP StorageWorks Secure Key Manager and NetApp markets the NetApp Lifetime Key Management system...
The underlying issue has been getting agreement across the industry on how to manage keys and achieving buy-in on standards from enough vendors to make extensive automation of the process feasible... Jon Oltsik, an analyst at Enterprise Strategy Group, notes standards solutions are now under development, including IEEE P1619-3 and KMIP... An initiative of the OASIS open-standards consortium, the Key Management Interoperability Protocol is envisioned as a way to provide interoperability between key management services by standardizing communication between encryption systems that use keys. KMIP contributes to this by defining a low-level protocol that can form the basis of an enterprise-wide key management system.
Kevin Bocek, director of product marketing at Thales e-Security and a member of the KMIP technical committee, said the whole development process has been 'very user driven.' For instance, said Bocek, one of the areas of focus for the committee is ensuring that the standard will work well with 64-bit systems while also functioning with older, legacy systems..."
Interview on Wolfram-Alpha, a Computational Knowledge Engine
Han Xu, InfoQueue
Wolfram|Alpha, the Computational Knowledge Engine from Wolfram Research, was officially released on May 18, 2009. Renowned for their flagship product Mathematica, Wolfram Research has long been one of the most respected suppliers of scientific computation software. The news about the launch of Wolfram|Alpha, a new search engine from Wolfram Research, thus has drawn much attention and hype.
Xiang Wang, a Business Manager of Wolfram Research Inc. in China: "It's a 'computational knowledge engine' because it generates output by doing computations on its own internal knowledge base, instead of searching the web and returning links... Search engines give you links to pages that exist on the web. Wolfram|Alpha computes answers to specific questions using its built-in knowledge base and algorithms. Wolfram|Alpha has sidebar links for doing web searches. Its purpose/strength is not today's search queries. It enables a whole new set of questions to be asked. Based on past experience in search, we expect that people's queries will rapidly evolve to be Wolfram|Alpha queries once they see the capabilities. Usage pattern different from search: people will use it more systematically, asking the same question with different parameters..."
See also: the Wolfram-Alpha web site
XML Daily Newslink and Cover Pages sponsored by:
Sun Microsystems, Inc. http://sun.com
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/