This issue of XML Daily Newslink is sponsored by:
Sun Microsystems, Inc. http://sun.com
- Oracle and Cisco Submit XACML Authorization API and AMF Specification
- Extensible Markup Language Evidence Record Syntax
- OGC Hosts Authentication Interoperability Experiment
- AICPA Publishes XBRL History: The Story of Our New Language
- A Maven Based CMIS Tck to Contribute in Apache Chemistry
- NIST Final Report: Recommended Security Controls for Federal Information Systems and Organizations
- Extended MKCOL for WebDAV: Call for Consideration as Proposed Standard
Oracle and Cisco Submit XACML Authorization API and AMF Specification
Hal Lockhart, Rich Levinson, Anil Tappetla; OASIS XACML TC Contribution
Oracle and Cisco have contributed technical materials to the OASIS Extensible Access Control Markup Language (XACML) Technical Committee covering an XACML Authorization API and an Attribute Manifest File (AMF) format definition. The contribution has four parts: (1) An Overview Presentation introduces the Authorization API and Finding Input Attributes. (2) Java API Materials are packaged in a ZIP archive containing the 378 files that constitute the Authorization API code.
(3) The 'API Examples Document: Supplement to Authorization API' "includes supplementary materials for the proposed Java Az API. The Az API is primarily intended to allow Authorization decisions to be made by an XACML-compliant PDP, but could also be used to access other types of PDPs that are capable of making use of the inputs provided. It is intended primarily for use by infrastructure components which have been configured to populate the request context with Attributes and/or invoke Authorization decisions, prior to the execution of specified Methods, however it also may be used by applications which have specialized requirements or need to provide inputs not available to the infrastructure."
(4) The 'AMF Format Document: Attribute Manifest File' "defines a format, called an Attribute Manifest File (AMF), for communicating metadata about information, in the form of attributes which may be used in making access control policy decisions. It specifies an XML format for exchanging this data. It describes several use cases in which this data might be consumed. It also suggests how the data might be generated. However, it does not specify any specific processing algorithms or system architectures for its generation or consumption... This specification defines a data format which should allow callers of a PDP to provide information more closely tailored to policy needs, while not breaking the encapsulation of the PDP."
See also: Felix Gaehtgens' blog
Extensible Markup Language Evidence Record Syntax
Aleksej J. Blazic, Svetlana Saljic, Tobias Gondrom (eds), IETF Internet Draft
Members of the IETF Long-Term Archive and Notary Services (ltans) Working Group have published an updated specification for "Extensible Markup Language Evidence Record Syntax."
This Working Group was chartered to "define requirements, data structures and protocols for the secure usage of the necessary archive and notary services... In many scenarios, users need to be able to ensure and prove the existence and validity of data, especially digitally signed data, in a common and reproducible way over a long and possibly undetermined period of time... Long-term non-repudiation of digitally signed data is an important aspect of PKI-related standards. Standard mechanisms are needed to handle routine events, such as expiry of signer's public key certificate and expiry of trusted time stamp authority certificate. A single timestamp is not sufficient for this purpose. Additionally, the reliable preservation of content across change of formats, application of electronic notarizations, and subsequent notary services require standard solutions..."
The "Extensible Markup Language Evidence Record Syntax" memo "specifies an XML syntax and processing rules for creating evidence for long-term non-repudiation of existence of data. ERS-XML incorporates alternative syntax and processing rules to ASN.1 ERS syntax by using XML language. Evidence Record Syntax in XML format is based on long term archive service requirements as defined in RFC 4810 ("Long-Term Archive Service Requirements"). XMLERS syntax delivers the same (level of) non-repudiable proof of data existence as ASN.1 ERS. The XML syntax supports archive data grouping (and de-grouping) together with simple or complex time-stamp renewal process. Evidence records can be embedded in the data itself or stored separately as a standalone XML file... Evidence Record maintains a close relationship to time stamping techniques. However, time-stamps as defined in RFC 3161, can cover only a single unit of data and do not provide processing rules for maintaining a long term stability of time-stamps applied over a data object. Evidence for an archive object is created by acquiring a time-stamp from a trustworthy authority for a specific value that is unambiguously related to a single or more data objects. The Evidence Record syntax enables processing of several archive objects within a single processing pass using a hash-treeing technique and acquiring only one time-stamp to protect all archive objects..."
OGC Hosts Authentication Interoperability Experiment
Staff, Open Geospatial Consortium Announcement
The Open Geospatial Consortium (OGC) announced the launch of an Authentication Interoperability Experiment on 2-October-2009. "The initiators of the experiment seek participation by other organizations interested in developing standard ways of implementing authentication and related security capabilities in applications involving OGC Web Services standards.
The Authentication Interoperability Experiment will test standard ways of transferring authentication information between OGC clients and OGC services using existing mechanisms such as HTTP Authentication, HTTP Cookies, SSL/X509, SAML, Shibboleth, OpenID, and WS-Security.
The purpose of this experiment is to develop a candidate OGC Best Practices document that documents standard ways of performing authentication in applications that implement OGC Web Services standards. The goal is to provide guidance about authentication to implementers of solutions and to organizations that seek to deploy such solutions. It is the belief of the initiators that if such a document is made available more OGC compliant commercial products that natively support authentication will be offered by vendors. The OGC members that are acting as initiators of the Interoperability Experiment are CubeWerx, Sierra Systems Group, Inc. and others..."
AICPA Publishes XBRL History: The Story of Our New Language
Karen Kernan, AICPA Paper
The American Institute of Certified Public Accountants (AICPA) has published a history of XBRL (Extensible Business Reporting Language), an XML-based "open standard which supports information modeling and the expression of semantic meaning commonly required in business reporting." Title: "XBRL: The Story of Our New Language. Personalities, Cultures, and Politics Combine to Create a Common, Global Language for Business," edited by Karen Kernan, based on a chronicle of Charles Hoffman and Louis Matherne. To produce this 39-page report, the AICPA interviewed many of the XBRL contributors, in order to encapsulate the journey from its original development to the creation of a consortium of over 550 organizations who work together to continue to build a common language for business reporting and support its adoption.
From the Introduction: "XBRL has been a journey of highs and lows that met with great successes in 2008... The first critical decision was deciding to make XBRL intellectual property available in the public domain. The belief of shared development and use made this decision easy, but it doesn't take away from the significant impact it had on ensuring that XBRL wouldn't become just a tool for financial reporting by CPAs for CPAs... The fundamental decision to develop applications outside of financial reporting -- the broader footprint previously mentioned -- ensured that XBRL could be leveraged in the U.S. jurisdiction for the reporting of all types of business information. Then Securities and Exchange Commission (SEC) Chairman Chris Cox deserves credit for seeing the broader business reporting vision that led to his support of the U.S. generally accepted accounting principles (GAAP) project through XBRL-US, Inc., the U.S. jurisdiction of XBRL International. As XBRL moves forward, the broader footprint will result in projects focused on tax information, business regulatory metrics, corporate actions, tracking of asset-backed securities, and even state-to-state based regulatory models. All of these tasks can fully utilize the power of XBRL and its ability to create and analyze common data..."
See also: Charles Hoffman's XBRL blog
A Maven Based CMIS Tck to Contribute in Apache Chemistry
Gabriele Columbro, Blog
"Lately I've been involved in refactoring the Alfresco CMIS Test Harness into an external TCK (Test Compatibility Kit) module to contribute to the Apache Chemistry. At the moment it's mostly focused on the AtomPub part (including an Apache Abdera extension), but being based on Apache Maven standards should be fairly easy to scale out to WebServices binding testing. This would be the first real contribution from Alfresco to the Chemistry project, where David Caruana and I have the luck of being involved as committers. At the moment the code for the will-be-called chemistry-atompub-tck is still hosted under the Alfresco contrib SVN space as still to be completed, but already offering quite some nice functionality to test the compatibility of your server to the CMIS 0.6.2 standard. The code (which was already in Alfresco and kept up to date to the CMIS standard directly by David) is now almost ready for contribution as it's completely decoupled from Alfresco and uses a standard Maven build process (Junit + Surefire) to run compatibility tests against an existing (and running) CMIS server... The idea at the base of this contribution is that this TCK can be used to test virtually any CMIS implementation and Maven profiles provide us a nice way to aggregate the full test fixture and publish the result in a nicely aggregated fashion. [We] would like all the other open source vendors involved in Chemistry to maintain their own profile which will serve as community reference for the CMIS readiness of a specific platform..."
See also: CMIS specification references
NIST Final Report: Recommended Security Controls for Federal Information Systems and Organizations
William Jackson, Government Computer News
The U.S. National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems. The controls are included in the final version of Special Publication 800-53, Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations," just released. NIST called the document historic: "For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national security systems... the updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community and Civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems..."
From NIST Special Publication 800-53 Chapter 1: "The purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government to meet the requirements of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information."
NIST also has released a draft of SP 800-126, The Technical Specification for the Security Content Automation Protocol (SCAP), for public comment. SCAP is a suite of specifications that use the Extensible Markup Language (XML) to standardize how software products exchange information about software flaws and security configurations. It includes software flaw and security configuration standard reference data, provided by the National Vulnerability Database (NVD), which is managed by NIST and sponsored by the Homeland Security Department. SCAP supports automated vulnerability checking, technical control compliance activities and security measurement.
See also: NIST Special Publication 800-53
Extended MKCOL for WebDAV: Call for Consideration as Proposed Standard
Cyrus Daboo (ed), IETF Internet Draft
The Internet Engineering Steering Group has received a request from members of the vCard and CardDAV (VCARDDAV) Working Group to consider "Extended MKCOL for WebDAV" -05 as an IETF Proposed Standard, and solicits final public comment on this action.
The "Extended MKCOL for WebDAV" specification "extends the Web Distributed Authoring and Versioning (WebDAV) MKCOL method to allow collections of arbitrary resourcetype to be created and to allow properties to be set at the same time. One or more 'DAV:set' XML elements may be included in the 'DAV:mkcol' XML element to allow setting properties on the collection as it is created. In particular, to create a collection of a particular type, the 'DAV:resourcetype' XML element must be included in a 'DAV:set' XML element and MUST specify the expected resource type elements for the new resource, that MUST include the 'DAV:collection' element that needs to be present for any WebDAV collection..."
The VCARDDAV Working Group was chartered to revise the vCard specification (RFC 2426) at proposed standard status and produce an address book access protocol leveraging the vCard data format. "A personal address book (PAB) contains a read/write copy of attributes describing a user's interpersonal contacts. This is distinct from a directory which contains a primarily read-only copy of users within an organization. While these two data objects share a large number of common attributes, their use and access patterns are fundamentally different. The IETF has a standards-track data format (vCard) which has been successfully used to interchange both personal-address-book and user directory entry data objects..."
See also: the vCard Format Specification
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/