This issue of XML Daily Newslink is sponsored by:
Sun Microsystems, Inc. http://sun.com
- W3C Launches New MashSSL Incubator Group Supporting Internet Security
- Transforming E-government and E-participation Through IT
- ECRIT Direct Emergency Calling
- Definitions for Expressing Standards Requirements in IANA Registries
- Sun Updates GlassFish Communications Server for Telecom
- BPMN 2.0 Adds Notation to Handle BPM Choreography
W3C Launches New MashSSL Incubator Group Supporting Internet Security
Staff, W3C Announcement
W3C has announced the creation of a new MashSSL Incubator Group. Part of the Incubator Activity, the MashSSL Incubator Group has been chartered to "create an open security protocol to solve a fundamental Internet security problem. Specifically, when two web applications communicate through a potentially untrusted user they do not have any standard way of mutually authenticating each other and establishing a trusted channel. This problem has existed for a long time (e.g. an eCommerce site creating a link to Paypal), and is usually solved using proprietary cryptography and special purpose credentials. The problem is becoming much more widespread with the advent of various mashup technologies, for instance cross domain XHR. Initiating W3C Members include DigiCert, Venafi, and VeriSign. Siddharth Bajaj of VeriSign serves as the initial MashSSL Incubator Group Chair.
The W3C Cross-Origin Resource Sharing (CORS) Working Draft does address the issue of protecting an honest user visiting a malicious or compromised site, from malware that unobtrusively accesses other legitimate sites the user might be logged onto. However, that specification was not intended to, nor does it in any way, protect legitimate sites from a malicious user. Other examples where the problem manifests are in federation protocols like SAML and OpenID where Identity Providers and Relying Parties have to authenticate each other. The recent 'session fixation' vulnerability discovered in the OAuth delegated authorization protocol is another example of exactly the same problem. In each case the problem tends to be 'solved' with untested cryptography and requires a new credentialing trust infrastructure and still more credentials for an organization to manage.
The MashSSL Incubator Group aims to produce a recommendation for a common building-block standard that can be used in multiple use cases where this problem occurs. Further, it is our intent to develop a recommendation for a standard that leverages the proven SSL protocol, and allows organizations to use SSL certificates with which they are familiar, to solve the problem. Currently SSL is a two-party protocol operating at the transport level. MashSSL will be a multi-party version that inherits all of SSL's security attributes but runs within HTTP..."
See also: the MashSSL Incubator Group Charter
Transforming E-government and E-participation Through IT
Peristeras, Mentzas, Tarabanis, Abecker; IEEE Intelligent Systems
"Public administrations are considered the heaviest service industry worldwide. During the last decades, governments all over the world have undertaken huge investments in information and communication technologies (ICT), but they are still far from satisfying their constituents, as they usually operate inefficiently and ineffectively. E-government and e-participation research aims to refocus government on its customers—citizens and businesses—and provide the models, technologies, and tools for more effective and efficient public administration systems as well as more participatory decision processes. To this end, there is currently a growing interest in how this challenging domain can benefit from emerging "intelligent" technologies, tools, and applications—such as the Semantic Web, service-oriented architectures (SOAs), Web 2.0, and social computing. Initiatives and projects both in Europe and the US reflect this interest...
In this special issue of 'IEEE Intelligent Systems' we identify and discuss four major areas that could benefit from intelligent technologies. The first two—linked data and knowledge creation—are relevant to both e-government and e-participation. They relate to the challenge of using, reusing, and combining information kept isolated in separate islands and stovepipe systems, to distill, create, and distribute knowledge within governments. The other two areas—mass collaborative public networks and complex, dynamic, cross-organizational processes -- relate to e-participation and e-government respectively. These four research areas are indicative of the present and future research topics for e-government and e-participation in the emerging Web 3.0 era, which fuses social software (also known as Web 2.0) and the Semantic Web...
Semantic SOAs with formal service ontologies, event-driven architectures, model-driven architectures, social SOA, and Web-based lightweight SOA architectures are only some of the approaches to enabling a new level of service provision in an area where tremendous governmental financial investments (in national e-government portals, for instance) have so far not offered the expected returns..." [Note: this article serves as a Guest Editors' Introduction to the September/October 2009 issue of 'IEEE Intelligent Systems'.]
ECRIT Direct Emergency Calling
James Winterbottom, Martin Thomson (et al, eds), IETF Internet Draft
Members of the IETF Emergency Context Resolution with Internet Technologies (ECRIT) Working Group have released a level -00 Internet Draft for "ECRIT Direct Emergency Calling." The current IETF ECRIT architecture "focuses on devices where emergency calls are routed primarily through the subscriber's home VSP and the direct signaling communication between the end host and the PSAP that contains the IP-based PSAP is only an exception. This is a convenient assumption if one considers the regular communication patterns of the device and the potential proprietary protocol implementations used between the end host and the VSP and the ability to move the interoperability challenges away from the end device and closer to VSPs. There are, however, challenges for regulators to enforce emergency services functionality when the VSP is located in a different jurisdiction with the current model. Inclusion of a VSP introduces unnecessary elements into the emergency call path making the overall solution more cumbersome...
This document describes the regulatory challenge and illustrates a model for direct communication between the end host and the PSAP that is supported by the basic SIP communication patterns. With the help of the Location-to-Service Translation protocol a PSAP URI is discovered that allows the end device to directly send SIP communication requests towards the PSAP...
This memo attempts to address the issues raised above and describe the requirements, procedures and operations necessary for a generic IP emergency calling client. The intent of this client is that it will be able to use the available ECRIT building blocks to allow any IP enabled device with access to the Internet to make an emergency call without requiring a voice service subscription. Furthermore, a means for call-back in the event of a dropped call is also described..."
Definitions for Expressing Standards Requirements in IANA Registries
Olafur Gudmundsson and Scott Rose (eds), IETF Internet Draft
An initial version of the Internet Draft Definitions for Expressing Standards Requirements in IANA Registries has been published in the IETF General Area.
From the document Abstract: "RFC 2119 ('Key Words for Use in RFCs to Indicate Requirement Levels') defines words that are used in IETF standards documents to indicate standards compliance. These words are fine for defining new protocols, but there are certain deficiencies in using them when it comes to protocol maintainability. Protocols are maintained by either updating the core specifications or via changes in protocol registries. For example, protocols often use external algorithms to provide security functionality such as cryptography. Cryptographic algorithms frequently have limited lifecycles as new algorithms are phased in to replace older algorithms.
This document is motivated by the experiences of the editors in trying to maintain registries for DNS and DNSSEC. For example, DNS defines a registry for hash algorithms used for a message authentication scheme called TSIG, the first entry in that registry was for HMAC-MD5. The DNSEXT working group decided to try to decrease the number of algorithms listed in the registry and add a column to the registry listing the requirements level for each one. Upon reading that HMAC-MD5 was tagged as "OBSOLETE" a firestorm started. It was interpreted as the DNS community making a statement on the status of HMAC-MD5 for all uses. While the document was definitely overreaching in its specification, the point remained there was no standard way to tag different requirements levels in protocol registries...
This document proposes standard terms to use in protocol registries and possibly in standards track documents to indicate the life cycle support of protocol features and operations... As to 'Implementation vs. Operations requirements': It is common that before a new technology is considered "useful" it has to gain widespread deployment. Thus it makes sense to have different levels of RFC 2119 words requirement on implementations than on operations. In a world of protocol maintenance when something is being 'retired' it is nice if operations can easily migrate to a newer functionality. This document includes certain extra requirements on implementations during the phase-out of a functionality...
Proposed requirement words for IANA protocol registries include: MANDATORY, OPTIONAL, OBSOLETE, ENCOURAGED, DISCOURAGED, RESERVED, and AVAILABLE..."
Sun Updates GlassFish Communications Server for Telecom
Vance McCarthy, Integration Developer News
Sun Microsystems Inc. is shipping an upgrade to GlassFish Communications Server, an open source, high performance SOA-based service delivery platform for telecom. Sun's GCS 2.0 also: (1) Integrates SIP servlet technologies with the Java EE platform; (2) Harnesses the power, ease of use, and support from a large community of users and developers of the GlassFish Enterprise Application Server; (3) Provides an integrated development experience with popular IDEs like NetBeans and Eclipse; (4) Delivers a cost-effective, carrier-grade platform.
According to the announcement text: "A robust Java EE and Session Initiation Protocol (SIP) convergence platform, the new GlassFish Communications Server has key new features, including SIP session replication, rolling upgrade and Diameter support. Based on the latest version of the Sun GlassFish Enterprise Server 2.1.1, the GlassFish Communications Server 2.0 helps service providers and network operators accelerate the adoption of an IP multimedia subsystem (IMS) architecture, by offering a highly scalable, standards-based platform that simplifies development of value-added applications and services that drive new revenue models, such as: VoIP, IPTV, virtual PBX, and fixed mobile convergence... Developed in open source as part of Project Sailfin, the open-source version of the GlassFish Communications Server software has been downloaded more than 50,000 times in the past 12 months with a growing community of more than 250 developers. Customers and developers looking to create new SIP services can also participate in Project SailFin CAFE, a sub-project of Sailfin, which was created to help simplify the development of converged applications. Leading media and communications companies, such as Cedar Point Communications and Malden Labs, have adopted the GlassFish Communications Server..."
See also: the Sun announcement
BPMN 2.0 Adds Notation to Handle BPM Choreography
Jack Vaughan, SearchSOA.com
"BPMN has been around since the early 2000s, but it seems to be reaching a new plateau as, one: business users call on IT to create more business process-oriented applications and, two: an all-important Version 2.0 of BPMN begins to appear in tools offerings. A choreography model is an important addition.
Many organizations and more than a few individuals wait for a 'Version 2.0' before they try out anything. So BPMN 2.0 will get special attention in many quarters. More important, perhaps, BPMN 2.0 adds XML schema support that enables BPMN 2.0 output to be transformed for use by BPEL-empowered rules engines for BPM. BPMN 2.0 is still on its way to formal standards ratification, but it has reached a point where vendors are able to field some BPMN 2.0 capabilities...
The new version of BPMN includes enhancements to some of the original BPM notation, which comprised Activities, Events, Gateways, Connections, Artifacts and Swimlanes. The new version includes extensibility mechanisms..."
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/