This issue of XML Daily Newslink is sponsored by:
Microsoft Corporation http://www.microsoft.com
- Last Call Public Review for Two XML Signature Working Drafts
- WebCGM Version 2.1 Submitted for Consideration as an OASIS Standard
- Updated Specification for The OAuth 1.0 Protocol
- W3C Invites Public Comment on First Draft of The System Information API
- HTML vs. Flash: Can a Turf War Be Avoided?
- Nuxeo Releases First CMIS-Enabled Digital Asset Management Application
- Codesion Emerges from CVS
- VMware Opens vCloud for Java, Python Developers
Last Call Public Review for Two XML Signature Working Drafts
Donald Eastlake, Joseph Reagle, David Solo, Frederick Hirsch (eds), W3C Technical Reports
Members of the W3C XML Security Working Group have released two specifications for Last Call public review through March 18, 2010, along with several other updated documents. The XML Security Working Group, part of the W3C Security Activity, was chartered to take the next step in developing the XML security specifications: the existing suite of XML security specifications has become a fundamental technology in the XML and Web Service worlds over the last 7 years: The joint IETF/W3C XML Signature Working Group specified mechanisms to digitally sign XML documents and other data, and to encapsulate digital signatures in XML. The W3C XML Encryption Working Group specified mechanisms to encrypt XML documents and other data, and to encapsulate the encrypted material and related meta-information in XML... The W3C Working Group continues its work on XML Encryption 1.1 and is also working on a 2.0 version of Canonical XML and XML Signature."
XML Signature Syntax and Processing Version 1.1 specifies XML digital signature processing rules and syntax. XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere. Conformance-affecting changes against this previous recommendation mainly affect the set of mandatory to implement cryptographic algorithms, including Elliptic Curve DSA (and mark-up for corresponding key material), and additional hash algorithms... An explanation of the changes against the XML Signature 1.0 specification is available in the document Changes to XML Signature Syntax and Processing Second Edition for proposed XML Signature 1.1 Changes are focused on the set of mandatory to implement algorithms and markup for relevant key material.
XML Signatures can be applied to any digital content (data object), including XML. An XML Signature may be applied to the content of one or more resources. Enveloped or enveloping signatures are over data within the same XML document as the signature; detached signatures are over data external to the signature element. More specifically, this specification defines an XML signature element type and an XML signature application; conformance requirements for each are specified by way of schema definitions and prose respectively. This specification also includes other useful types that identify methods for referencing collections of resources, algorithms, and keying and management information. The XML Signature is a method of associating a key with referenced data (octets); it does not normatively specify how keys are associated with persons or institutions, nor the meaning of the data being referenced and signed. Consequently, while this specification is an important component of secure XML applications, it itself is not sufficient to address all application security/trust concerns, particularly with respect to using signed XML (or other data formats) as a basis of human-to-human communication and agreement. Such an application must specify additional key, algorithm, processing and rendering requirements.
XML Signature Properties, edited by Frederick Hirsch, outlines a proposed standard XML Signature Properties syntax and processing rules and an associated namespace for these properties. The 'SignatureProperties' element defined by XML Signature offers a means to associate property values with an XML Signature. This document defines specific properties that may be used by various applications of XML Signature, without requiring those applications to define such properties on a per case basis. This document defines how these properties are to be specified and processed when used but does not require their use—specifications that reference this document may or may not require their use. The changes proposed in this document would not be a breaking change to XML Signature, but warrant a new namespace for the properties themselves so that they can be used in various versions of XML Signature."
See also: XML Signature Properties
WebCGM Version 2.1 Submitted for Consideration as an OASIS Standard
Benoit Bezaire and Lofton Henderson (eds), OASIS Committee Specification
The OASIS CGM Open WebCGM Technical Committee has submitted an approved Committee Specification WebCGM Version 2.1 for consideration as an OASIS Standard. The Call For Vote will be issued to all Voting Representatives of OASIS member organizations on February 16, 2010.
Computer Graphics Metafile (CGM) is an ISO standard, defined by ISO/IEC 8632:1999, for the interchange of 2D vector and mixed vector/raster graphics. WebCGM is a profile of CGM, which adds Web linking and is optimized for Web applications in technical illustration, electronic documentation, geophysical data visualization, and similar fields. First published (1.0) in 1999, WebCGM unifies potentially diverse approaches to CGM utilization in Web document applications. It therefore represents a significant interoperability agreement amongst major users and implementers of the ISO CGM standard.
The scope of this WebCGMTM 2.1 specification includes these components. (1) an intelligent graphics profile of the ISO Computer Graphics Metafile (CGM) standard (ISO/IEC 8632:1999), tailored to the requirements for scalable 2D vector graphics in electronic documents on the World Wide Web; (2) a WebCGM Document Object Model (DOM), which provides an application programming interface to WebCGM objects in WebCGM-supporting applications; (3) definition of a standard WebCGM XML Companion File (XCF), which allows applications to externalize some non-graphical metadata from WebCGM instances, yet maintain a tight binding of the metadata to WebCGM objects; (4) definition of an Application Configurable Items (ACI) file, to improve predictability of interpretation of font specifications, and to precisesly specify some under-specified defaults..."
See also: the OASIS announcement
Updated Specification for The OAuth 1.0 Protocol
Eran Hammer-Lahav (ed), IETF Internet Draft
IETF has published an updated version of the Informational Internet Draft The OAuth 1.0 Protocol, previously titled The OAuth Core 1.0 Protocol. This -09 draft adds 'with a 200 status code (OK)' in two locations, changes the use of TLS/SSL when sending or receiving plain text credentials to a 'MUST', clarifies text about change control moving from the community to the IETF, and corrects typos. See then: version -10...
Document abstract: "OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end- user). It also provides a process for end-users to authorize third- party access to their server resources without sharing their credentials (typically, a username and password pair), using user- agent redirections."
The specification consists of two parts. The first part defines a redirection-based user-agent process for end-users to authorize client access to their resources, by authenticating directly with the server and provisioning tokens to the client for use with the authentication method. The second part defines a method for making authenticated HTTP (RFC 2616) requests using two sets of credentials, one identifying the client making the request, and a second identifying the resource owner on whose behalf the request is being made.
Background: "The OAuth protocol was originally created by a small community of web developers from a variety of websites and other Internet services, who wanted to solve the common problem of enabling delegated access to protected resources. The resulting OAuth protocol was stabilized at version 1.0 in October 2007, revised in June 2009, and published as OAuth Core 1.0 Revision A. This specification provides an informational documentation of the OAuth 1.0 protocol, and includes several errata reported since that time, as well as numerous editorial clarifications. The publication of this specification represents the transfer of change control from the community to the IETF by the authors of the original work... In the traditional client-server authentication model, the client uses its credentials to access its resources hosted by the server. With the increasing use of distributed web services and cloud computing, third-party applications require access to these server- hosted resources. OAuth introduces a third role to the traditional client-server authentication model: the resource owner... It also provides a process for end-users to authorize third- party access to their server resources without sharing their credentials (typically, a username and password pair), using user- agent redirections.
W3C Invites Public Comment on First Draft of The System Information API
Dzung Tran and Max Froumentin (eds), W3C Technical Report
Members of the W3C Device APIs and Policy Working Group have published a First Public Working Draft for The System Information API. This specification defines an API to provide Web applications with access to various properties of the system which they are running on. Specifically, "properties pertaining to the device hardware are addressed. Examples include battery status, current network bandwidth. Additionally, some of those properties offer access to the environment around the device, such as ambient brightness or atmospheric pressure. This release represents the early consensus of the group on the scope and features of the proposed System Information API. Issues and editors notes in the document highlight some of the points on which the group is still working and would particularly like to get feedback..."
Background: "In order for web applications to gain access to information only available to an operating system's native applications, they must be able to access various data present on the device, either related to the hardware state (e.g., CPU load), software data (e.g., pictures stored) or environment information (e.g. ambient brightness). The APIs defined by the Device APIs and Policy Working Group address this issue. Specifically, the API defined in this specification provides access to hardware devices, either internal (CPU, Thermometers) or ambient (light, noise or temperature)...
Security and Privacy Considerations: A Web application using this API has access to device specific data which may contain information that the user considers private. For instance a user may object to a Web application transmitting the device's CPU load to an untrusted server, or letting another application modify the device's screen brightness without the user's consent. Therefore, a conforming implementation of this specification must provide a mechanism that protects the user's privacy and this mechanism should ensure that no information exposed by this API is retrievable or modifiable without the user's express permission..."
HTML vs. Flash: Can a Turf War Be Avoided?
Stephen Shankland, CNET News.com
"A difference of opinion among developers has become a high-profile debate over the future of the Web: should programmers continue using Adobe Systems' Flash or embrace newer Web technology instead? The debate has gone on for years, but last week's debut of Apple's iPad — which like the iPhone doesn't support Flash — turned up the heat. Before that, Adobe had been saying with some restraint that it's happy to bring Flash to the iPhone when Apple gives the go-ahead. But Chief Technology Officer Kevin Lynch took the gloves off Tuesday with a blog post that said Apple's reluctance to include Flash on its 'magical device' means iPad buyers will effectively see a crippled Web. And he played the Google Nexus One card, too...
Flash has indeed spread to near-ubiquity on computers, with better than 98 percent penetration, according to Adobe's statistics. Its roots lay with graphical animations, but its success was cemented by providing an easy streaming video mechanism to a Web that had been plagued with obstreperous and incompatible technology from Microsoft, Apple, and Real. But a collection of new technologies—including a rejuvenated HTML (Hypertext Markup Language) standard used to write Web pages -- are aiming to reproduce some of what Flash offers.
Bruce Lawson, Web standards evangelist for browser maker Opera Software, believes HTML and the other technologies inevitably will replace Flash and already collectively are "very close" to reproducing today's Flash abilities. It's not just a matter of the installed base of Flash on the Web, though. Although HTML5 and its associated technologies are maturing rapidly, and because they evolve concurrently with browser support, they're arriving and relevant now even though incomplete...
Additional reference: Application Development: 20 Essential Things to Know About the HTML5 Web Language.
See also: the draft HTML5 specification
Nuxeo Releases First CMIS-Enabled Digital Asset Management Application
Staff, Nuxeo Announcement
Nuxeo, an Open Source Enterprise Content Management (ECM) company, has announced general availability for its open source Digital Asset Management offering Nuxeo DAM. Nuxeo DAM is the latest application based on the Nuxeo open source ECM platform, Nuxeo EP. Nuxeo DAM addresses the complex and resource-intensive demands of managing the rich media assets that companies rely on. Designed to meet the creative and ever-changing needs of marketing and brand managers, as well as the custodians of digital artifacts in education, government, military and cultural institutions, Nuxeo's digital asset management software opens up new opportunities for the creators, users and consumers of rich media to take control of their critical image, video or audio content...
Nuxeo DAM is said to be "the first application of its kind to meet the currently available draft of the OASIS Content Management Interoperability Services (CMIS) specification. Nuxeo, along with many other industry leaders such as Microsoft, IBM, and Adobe Systems, is involved with CMIS. CMIS is a proposed standard for interoperability across multiple ECM and web content management systems that is expected to be approved this year. Nuxeo EP, as the underlying ECM platform offering from Nuxeo, includes a CMIS Server, based on the latest CMIS specification, ensuring that packaged applications such as Nuxeo DAM and Nuxeo DM benefit from the interoperability enhancements...
Nuxeo DAM 1.0 - Feature highlights: (1) Asset Capture /Batch Import: Media file uploads with IPTC and EXIF metadata extraction; quickly upload batches of media assets; bulk tagging with metadata; (2) Annotations: Annotate pictures and office documents directly from the browser; (3) Intellectual Property and Rights Management: Manage attributions and expiration dates; administrators view rights to asset folders; (4) Renditions: Store multiple formats of a media file for different use cases; (5) Filter-based Navigation: Browse the asset repository using dynamic visual filters on metadata -- by full text, content type, folder name, geographical coverage, etc. (6) Watermarking and Export of Media Files: Watermark images to ensure appropriate distribution and attribution; configure export formats; expose a unique URL for assets, to ease integration; (7) Security and Access Control: Control sharing and access to assets with Access Control Lists (ACLs) on folders; support complex authentication setups, user sources, user groups, etc. (8) Configurable Content Model: Quickly define and configure the right content model for assets—define metadata, controlled vocabularies, etc. (9) Fully Browser- and Web-based: Use of web standards and technologies to provide a rich fully browser-based user experience no plug-in/Flash required; (10) Deep Integration Across IT Ecosystem: Leveraging enterprise-class features from Nuxeo EP, Nuxeo DAM works with existing IT infrastructure applications --LDAP for user/group management, SSO for authentication, CMIS Server, etc..."
See also: CMIS references
Codesion Emerges from CVS
Sean Michael Kerner, Developer.com
"There was a time when CVS (Concurrent Versioning System) dominated the open source, software-version-control landscape, but no more. More modern systems like SVN (subversion), Mercurial, Bzr (Bazaar) and Git offer developers newer opportunities to collaboratively develop software at scale. One of the companies caught in the middle of the evolution of version control is hosting vendor CVSdude, with more than 50,000 users. CVSdude is now evolving along with the market for version control, and this week is rolling out a new professional edition of its on-demand Software as a Service (SaaS) offering. The company is also changing its name to Codesion as part of the overall movement away from CVS, though CVS still continues to have a role in the global development marketplace...
Moving beyond the debate over CVS versus SVN, Codesion is now deploying a platform that provides a security and redundancy framework that will enable the firm to plug in other source code versioning systems over time. Seed noted that Codesion could add potentially add support for the open source Mercurial, Git and Bazaar source control systems, if customers expressed an interest..."
According to the company blog: "As of February 1, 2010, we are excited to announce that CVSDude is now Codesion - 'Bringing cohesion to code control.' Codesion ushers the next phase of our growth, which will expand from Subversion hosting (and CVS/Trac/Bugzilla/DAV) to a range of software development services, all of which are centrally managed from the FrogSAFE Platform..."
See also: the Codesion feature set
VMware Opens vCloud for Java, Python Developers
John K. Waters, Application Development Trends
"VMware wants developers to build software for its vCloud infrastructure, and it's giving them the tools to do it. To that end, the virtualization market leader released two new open source software development kits (SDKs) last week. The kits—one for Java and one for Python—are targeted toward independent software vendors accessing VMware vCloud APIs. Enterprise developers can use the vCloud API kits to build internal clouds based on the VMware stack. The kits help with workflow automation and provisioning of vCloud services. Developers can also use the kits to develop applications that deploy and manage virtualized workloads in internal and external clouds...
The vCloud API, introduced last year, is an open and RESTful API that supports multitenancy. It's based on the Open Virtualization Format (OVF) and supports the uploading and downloading of so-called 'vApps,' which are OVF-based applications optimized for the cloud. VMware developed OVF as a platform-independent packaging and distribution format for virtual machines. The vCloud initiative is designed to pull together a set of tools, technologies and guidelines that enable on-premise and off-premise clouds to work together more easily. Aimed at the enterprise, VMware unveiled its vCloud initiative last September . The vCloud platform essentially federates compute capacity on demand between virtual datacenters and cloud service providers...
The vCloud initiative has garnered wide support among VMware's partners, including BT, Rackspace, SAVVIS, Sungard, T-Systems and Verizon Business. New software offerings have been rolled out by two partners—including Cloudera, a commercial distributor of the open source Hadoop data storage and processing platform, and WebAppVM, a maker of cloud application management solutions. Those two companies both used SDKs that leverage vCloud Express, a pay-as-you-go infrastructure..."
XML Daily Newslink and Cover Pages sponsored by:
|Sun Microsystems, Inc.||http://sun.com|
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Newsletter subscribe: firstname.lastname@example.org
Newsletter unsubscribe: email@example.com
Newsletter help: firstname.lastname@example.org
Cover Pages: http://xml.coverpages.org/