This issue of XML Daily Newslink is sponsored by:
Sun Microsystems, Inc. http://sun.com
- Technical Specification for Security Content Automation Protocol (SCAP)
- OASIS Approves SAML and XACML Healthcare XSPA Profiles as Standards
- State Chart XML (SCXML): State Machine Notation for Control Abstraction
- Scramble on to Fix Flaw in SSL Security Protocol
- Telecom Providers Announce LTE Standard
- U.S. Senate Committee Passes Data Breach Laws
- U.S. National Security Agency to Get New High-Speed Encryption
Technical Specification for Security Content Automation Protocol (SCAP)
Stephen Quinn (et al, eds), NIST Recommendation
The U.S. National Institute of Standards and Technology (NIST) has announced publication of "The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.0" as a Recommendation. NIST Special Publication 800-126 (63 pages) was edited by Stephen Quinn, David Waltermire, Christopher Johnson, Karen Scarfone, and John Banghart of NIST's Computer Security Division.
SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. SP 800-126 defines and explains SCAP version 1.0, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications.
SCAP 1.0 is comprised of six specifications: XCCDF (Extensible Configuration Checklist Description Format), OVAL (Open Vulnerability and Assessment Language), CPE (Common Platform Enumeration), CCE (Common Configuration Enumeration), CVE (Common Vulnerabilities and Exposures), and CVSS (Common Vulnerability Scoring System). These specifications are grouped into the following three categories: (1) Languages - SCAP languages provide a standardized means for identifying what is to be evaluated and for expressing how to check system state. (2) Enumerations - SCAP enumerations provide a standardized nomenclature (naming format) and an associated dictionary of items expressed using that nomenclature. For example, CVE provides a dictionary of publicly known information security vulnerabilities and exposures. (3) Vulnerability measurement and scoring systems - SCAP vulnerability measurement and scoring systems provide the ability within SCAP to measure and evaluate specific vulnerability characteristics to derive a vulnerability severity score.
An SCAP XCCDF document is a machine-readable XML document that defines the policies and test conditions to be evaluated or applied. Types of XCCDF documents include Definition documents that express policy statements and Result documents that contain both policy statements and actual test results... The OVAL Language provides a collection of XML schemas which standardize the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of the assessment. In this way, OVAL enables open and publicly available security content and standardizes the transfer of this content across the entire spectrum of information security tools and services..."
See also: Application Security Standards
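The XCCDF Result document described above carries rule-by-rule outcomes that a defender wants to triage. The following is an added example, not code from SP 800-126 or any SCAP tool: it parses a constructed XCCDF 1.1 TestResult, counts outcomes, and lists failing rules with their CCE identifiers. The benchmark, rule and CCE ids are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.1 namespace (the XCCDF revision SCAP 1.0 builds on).
NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed sample Result document. All ids below are placeholders,
# not identifiers from a real checklist or the CCE dictionary.
SAMPLE_RESULT = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <TestResult id="example-result-1" end-time="2009-11-06T12:00:00">
    <target>host.example.invalid</target>
    <rule-result idref="rule-password-min-len" severity="medium">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-EXAMPLE-0001</ident>
    </rule-result>
    <rule-result idref="rule-no-root-ssh" severity="high">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-EXAMPLE-0002</ident>
    </rule-result>
    <rule-result idref="rule-audit-enabled" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def parse_rule_results(xml_text):
    """Return a list of (rule id, severity, result, [identifiers]) tuples.
    Result files produced by other tools are untrusted input; in production
    prefer a hardened parser such as defusedxml over the stdlib one."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iterfind(".//xccdf:TestResult/xccdf:rule-result", NS):
        result = rr.findtext("xccdf:result", default="unknown", namespaces=NS)
        idents = [i.text for i in rr.iterfind("xccdf:ident", NS)]
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), result, idents))
    return rows

def summarize(xml_text):
    """Count outcomes and list failing rules with their severity and identifiers."""
    rows = parse_rule_results(xml_text)
    counts = Counter(result for _, _, result, _ in rows)
    failures = [(rid, sev, idents) for rid, sev, res, idents in rows if res == "fail"]
    return dict(counts), failures

if __name__ == "__main__":
    counts, failures = summarize(SAMPLE_RESULT)
    print(counts)
    for rid, sev, idents in failures:
        print(f"FAIL {rid} ({sev}) {' '.join(idents)}")
```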
OASIS Approves SAML and XACML Healthcare XSPA Profiles as Standards
Staff, OASIS Announcement
OASIS announced two Cross-Enterprise Security and Privacy Authorization (XSPA) profiles have been approved at OASIS Standard level. The OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) Technical Committee was chartered to "specify sets of stable open standards and profiles, and create other standards or profiles as needed, to fulfill the security and privacy functions identified by the functions and data practices identified by HITSP, or specified in its use cases."
"Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of Security Assertion Markup Language (SAML) for Healthcare Version 1.0" was produced by members of the OASIS Security Services (SAML) TC, chaired by Brian Campbell and Hal Lockhart, through editorial supervision by Mike Davis, Duane DeCouteau, and David Staggs. The document describes a framework that provides access control interoperability useful in the healthcare environment. Interoperability is achieved using SAML assertions that carry common semantics and vocabularies in exchanges.
This profile describes a Cross-enterprise Security and Privacy Authorization (XSPA) framework using the SAML core standard and specific attributes to satisfy requirements pertaining to information-centric security and privacy within the healthcare community. The Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of Security Assertion Markup Language (SAML) for Healthcare Version 1.0 is related to the work of the OASIS XSPA TC. The profile has been demonstrated by members of the XSPA TC along with the work of the XACML TC, specifically the Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML v2.0 for Healthcare Version 1.0, at the Healthcare Information and Management Systems Society (HIMSS) 2009 conference. The XSPA profile is consistent with the TP 20 'Access Control Transaction Package' recognized by the Healthcare Information Technology Standards Panel (HITSP).
"Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML v2.0 for Healthcare Version 1.0" was produced by members of the OASIS Extensible Access Control Markup Language (XACML) TC, chaired by Hal Lockhart and Bill Parducci. This profile describes a Cross-enterprise Security and Privacy Authorization (XSPA) framework using the XACML core standard and specific attributes to satisfy requirements pertaining to information-centric security and privacy within the healthcare community. It specifies the use of XACML 2.0 to promote interoperability within the healthcare community by providing common semantics and vocabularies for interoperable policy request/response, policy lifecycle, and policy enforcement..."
See also: the XSPA XACML profile
State Chart XML (SCXML): State Machine Notation for Control Abstraction
Jim Barnett, Rahul Akolkar, RJ Auburn (et al, eds), W3C Technical Report
W3C announced the publication of a revised draft of the SCXML specification, updating the Working Draft of 2009-05-07. The State Chart XML (SCXML): State Machine Notation for Control Abstraction document is the sixth Public Working Draft of SCXML, published on 29 October 2009 for review by W3C Members and other interested parties, and has been developed by the Voice Browser Working Group as part of the W3C Voice Browser Activity.
State Chart XML (SCXML) is a general-purpose event-based state machine language that can be used in many ways, including: (1) As a high-level dialog language controlling VoiceXML 3.0's encapsulated speech modules; (2) As a voice application metalanguage, where in addition to VoiceXML 3.0 functionality, it may also control database access and business logic modules; (3) As a multimodal control language in the MultiModal Interaction framework, combining VoiceXML 3.0 dialogs with dialogs in other modalities including keyboard and mouse, ink, vision, haptics, etc; it may also control combined modalities such as lipreading [combined speech recognition and vision] speech input with keyboard as fallback, and multiple keyboards for multi-user editing; (4) As the state machine framework for a future version of CCXML; (5) As an extended call center management language, combining CCXML call control functionality with computer-telephony integration for call centers that integrate telephone calls with computer screen pops, as well as other types of message exchange such as chats, instant messaging... (6) As a general process control language in other contexts not involving speech processing...
SCXML combines concepts from CCXML and Harel State Tables. Voice Browser Call Control: CCXML Version 1.0 is an event-based state machine language designed to support call control features in Voice Applications, specifically including VoiceXML but not limited to it. The CCXML 1.0 specification defines both a state machine and event handling syntax and a standardized set of call control elements... The goal of this document is to combine Harel semantics with an XML syntax that is a logical extension of CCXML's state and event notation...
SCXML is defined in terms of modules, which define logical units of functionality. Modules are customized and combined into profiles, each of which can be thought of as defining a variant of the language. This modularity allows implementations flexibility in selecting the features that they want to support. It is particularly intended to allow them the choice of which data manipulation language (e.g., ECMAScript, XPath) to embed..."
See also: the color-coded diff marked version
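To make the event-based state machine model concrete, here is an added example (not code from the W3C draft or any SCXML implementation): a minimal interpreter for flat SCXML charts that loads states and event-driven transitions, applies the spec's dotted-prefix event descriptor matching, and drops events with no enabled transition. The call-control chart and event names are constructed; data model, executable content and compound/parallel states are left out.

```python
import xml.etree.ElementTree as ET

SCXML = "{http://www.w3.org/2005/07/scxml}"

# Constructed sample: a tiny call-control chart in the spirit of CCXML.
# State ids and event names are made up for this illustration.
SAMPLE_CHART = """<scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initial="idle">
  <state id="idle">
    <transition event="call.incoming" target="ringing"/>
  </state>
  <state id="ringing">
    <transition event="call.answer" target="connected"/>
    <transition event="call.hangup" target="idle"/>
  </state>
  <state id="connected">
    <transition event="call.hangup" target="idle"/>
    <transition event="error" target="idle"/>
  </state>
</scxml>
"""

def descriptor_matches(descriptor, event):
    """SCXML event descriptor rule: '*' matches any event; otherwise the
    descriptor must equal the event name or be a dot-delimited prefix of it."""
    if descriptor == "*":
        return True
    return event == descriptor or event.startswith(descriptor + ".")

def load_chart(xml_text):
    """Return (initial state id, {state id: [(event descriptor, target), ...]}).
    Only top-level <state> elements and transitions carrying an event attribute
    are considered (eventless transitions are out of scope here)."""
    root = ET.fromstring(xml_text)
    states = {}
    for st in root.findall(SCXML + "state"):
        states[st.get("id")] = [
            (t.get("event"), t.get("target"))
            for t in st.findall(SCXML + "transition") if t.get("event")
        ]
    return root.get("initial"), states

def run(xml_text, events):
    """Process events in order. Returns (final state, [(event, from, to), ...]);
    an event that enables no transition in the current state is discarded."""
    current, states = load_chart(xml_text)
    trace = []
    for ev in events:
        for descriptor, target in states[current]:
            if descriptor_matches(descriptor, ev):
                trace.append((ev, current, target))
                current = target
                break  # first enabled transition in document order wins
    return current, trace
```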
Scramble on to Fix Flaw in SSL Security Protocol
Robert McMillan, ComputerWorld
"Software makers around the world are scrambling to fix a serious bug in the technology used to transfer information securely on the Internet. The flaw lies in the Secure Sockets Layer (SSL) protocol, which is best known as the technology used for secure browsing on Web sites whose URLs begin with HTTPS. The bug lets attackers intercept secure SSL communications between computers using what's known as a man-in-the-middle attack. Although the flaw can only be exploited under certain circumstances, it could be used to hack into servers in shared hosting environments, as well as mail servers, databases and many other secure applications...
The flaw was discovered in August by researchers at PhoneFactor Inc., a mobile phone security company. They had been working for the previous two months with an association of technology vendors called the Industry Consortium for Advancement of Security on the Internet (ICASI) to coordinate an industry-wide fix for the problem, dubbed Project Mogul..."
See also: a technical description of the SSL flaw
Telecom Providers Announce LTE Standard
Lance Whitney, CNET News.com
"In the battle between LTE and WiMax for wireless broadband, LTE may have just gotten another boost. A group of leading telecom service and equipment providers, including AT&T, Verizon, Nokia, and Samsung, announced a new standard Thursday for delivering compatible voice and messaging services using Long Term Evolution (LTE) networks...
The standard, dubbed the One Voice Initiative, offers a set of technical functionalities that telecommunication companies can use in their LTE services and products to provide both voice and Short Message Services (SMS). The group of companies setting up One Voice (which also includes LTE proponents Orange, Telefonica, TeliaSonera, Vodafone, Alcatel-Lucent, Ericsson, Nokia Siemens Networks, and Sony Ericsson) sees the standard as a way to provide interoperability for broadband voice and SMS services. The goal is to give telecom providers and manufacturers a convenient technical profile for working with each other and save customers from wrestling with different and conflicting LTE technologies... The new specification will use existing functionality known as IP Multimedia Subsystem (IMS), which already defines how to provide data, voice, and other content over an IP-based network. IMS was established by the 3rd Generation Partnership Project (3GPP), a group comprised of telecom industry associations trying to set standards for 3G mobile networks..."
Note: Common functionalities, Emergency Service: UEs and networks compliant with this profile shall implement support for the 3GPP IM CN subsystem XML body as defined in section 7.6 of 3GPP TS 24.229 ("IP multimedia call control protocol based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP), Stage 3").
See also: the document 'One Voice'
U.S. Senate Committee Passes Data Breach Laws
Brian Prince, eWEEK
"Two sweeping bills that would set new standards for data breach notifications made their way out of the U.S. Senate Judiciary Committee on November 5, 2009. The committee voted yes on the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139). The vote means the bills are now headed to the full Senate for its stamp of approval.
The Personal Data Privacy and Security Act of 2009 establishes guidelines for performing risk assessments and vulnerability testing and controlling and logging access to sensitive information. There are also provisions tied to protecting data in transit and at rest, and a set of rules for notifying law enforcement, credit reporting agencies and individuals affected by a breach...
See also: InfoLawGroup
U.S. National Security Agency to Get New High-Speed Encryption
William Jackson, Government Computer News
The National Security Agency (NSA) has awarded General Dynamics C4 Systems a $7.6 million contract to develop the next generation of high-speed encryptors for the nation's military and intelligence communities. The KG-530 SONET OC-768C in-line encryptor will be the first to encrypt traffic at a full 40 gigabits/sec and will be based on the latest field-programmable gate array (FPGA) chips from Altera Corporation...
Mike Guzelian, General Dynamics' vice president of secure voice and data products: 'military and intelligence agencies would use the encryptors to secure very large data, image and video files classified up to top secret during transmission over synchronous optical networks (SONET). Currently they are aggregating racks of 10-Gbps encryptors, which creates delays and adds to network complexity'...
The KG-530 will be designed to use the government's AES encryption algorithm, but will be programmable to use other algorithms without changing out the hardware. Guzelian said that inability to do in-line encryption at a full 40 Gbps has been a roadblock in fully implementing DOD and intelligence community plans for data security. The KG-530 will be available only to federal users and will not be commercially available, although Guzelian said a commercial version could be developed if there is a market for it. Few nongovernmental organizations have the need for protecting large amounts of data at those speeds with strong encryption..."
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/