This issue of XML Daily Newslink is sponsored by:
ISIS Papyrus http://www.isis-papyrus.com
- W3C Invites Implementations of Widget Access Request Policy
- Last Call Public Review for View Mode Media Feature Specification
- IETF IRI Working Group Draft for Internationalized Resource Identifiers
- Social Networking Web and OAuth: Twitter Client for Google App Engine
- Layer 7 Launches Cloud Security, Connectivity and Management Solutions
- Avatier Identity Management Cloud Computing Solution
- Pushing Messages from the Cloud with Amazon Simple Notification Service
- Location Hiding: Problem Statement and Requirements
- Symantec Security Report Reveals Face of Data Breaches
W3C Invites Implementations of Widget Access Request Policy
Robin Berjon (ed), W3C Candidate Recommendation Technical Report
W3C has announced a call for implementations of the Candidate Recommendation "Widget Access Request Policy". Implementation feedback on any aspect of this specification is welcome and encouraged. The Last Call review period for the specification ended on 13-January-2010, and a disposition of comments is available. The Web Applications Working Group hopes to advance this document to Proposed Recommendation once it has demonstrated at least two interoperable implementations, where 'interoperable' means at least two implementations that pass each mandatory test in the test suite, as documented in an Implementation Report.
The "Widget Access Request Policy" specification defines the security model controlling network access from within a widget, as well as a method for widget authors to request that the user agent grant access to certain network resources or sets thereof. User agents running widgets are expected to provide access to potentially sensitive APIs (phone book, calendar, file system, etc.) that expose data which should not be exposed without the user's consent.
The purpose of this specification is to define the security model for network interactions from within a widget that has access to sensitive information. It provides means for a widget to declare its intent to access specific network resources so that a policy may control it.
An access request is a request made by an author to the user agent for the ability to retrieve one or more network resources. Access elements in the widget's configuration document express the author's requests to access network resources. To grant access means that the user agent authorises widget execution scopes to retrieve one or more network resources via the user agent. To deny access means that the user agent rejects an author's request to grant access. An access request policy, or policy for short, is a set of rules that details whether given some conditions the user agent will grant or deny access to a given network resource. A network resource is a retrievable resource of any media type that is identified by a URI that has a DNS or IP as its authority component..."
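As an added worked example (the editor's code, not from the specification or from any widget runtime), the following Python loads the access requests from a constructed widget configuration document and evaluates candidate URLs against them. It assumes the access element syntax the specification defines, `<access origin="..." subdomains="true|false"/>` in the `http://www.w3.org/ns/widgets` namespace with `*` as a request for all origins, and applies the rules a user agent would: deny by default, match on scheme, host and port (default ports inferred), treat an origin carrying a path, query or fragment as malformed and ignore it. The config.xml content is constructed; an access element only widens what the author asks for, and the user agent's own policy may still deny the request.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WIDGETS_NS = "{http://www.w3.org/ns/widgets}"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed configuration document: three well-formed access requests and one
# (with a path) that a conforming user agent must ignore.
CONFIG_XML = """<widget xmlns="http://www.w3.org/ns/widgets" id="http://example.org/weather">
  <name>Weather</name>
  <access origin="https://api.example.com"/>
  <access origin="http://cdn.example.net" subdomains="true"/>
  <access origin="http://bad.example/some/path"/>
  <access origin="ftp://files.example"/>
</widget>"""


def origin_tuple(url):
    """(scheme, host, port) of a URL, lowercased, with the default port filled in."""
    p = urlsplit(url)
    scheme = (p.scheme or "").lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


class AccessPolicy:
    """Access requests declared in config.xml; everything not requested is denied."""

    def __init__(self, config_xml):
        self.allow_all = False
        self.rules = []  # (scheme, host, port, subdomains) per valid access element
        # config.xml is author-supplied input: parse it with entity expansion in mind
        # (defusedxml is the safer choice when the package is not trusted).
        root = ET.fromstring(config_xml)
        for el in root.findall(WIDGETS_NS + "access"):
            origin = (el.get("origin") or "").strip()
            if origin == "*":
                self.allow_all = True
                continue
            p = urlsplit(origin)
            if not p.scheme or not p.hostname or p.path not in ("", "/") or p.query or p.fragment:
                continue  # malformed access request: ignored, never widened
            subdomains = el.get("subdomains", "false").strip().lower() == "true"
            self.rules.append(origin_tuple(origin) + (subdomains,))

    def grants(self, url):
        """True when the widget may retrieve this network resource."""
        if self.allow_all:
            return True
        scheme, host, port = origin_tuple(url)
        for r_scheme, r_host, r_port, subdomains in self.rules:
            if scheme != r_scheme or port != r_port:
                continue
            # subdomains="true" matches labels under the host, never a suffix of it,
            # so cdn.example.net does not grant evilcdn.example.net
            if host == r_host or (subdomains and host.endswith("." + r_host)):
                return True
        return False


if __name__ == "__main__":
    policy = AccessPolicy(CONFIG_XML)
    for u in ("https://api.example.com/v1/forecast", "http://api.example.com/v1/forecast",
              "http://static.cdn.example.net/lib.js", "http://evilcdn.example.net/"):
        print(u, "->", "grant" if policy.grants(u) else "deny")
```

Scheme and port are part of the match on purpose: an `https` access request must not let the widget fetch the same host over plain `http`, and a request for the default port must not cover an arbitrary one.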
Last Call Public Review for View Mode Media Feature Specification
Robin Berjon, A. Bersvendsen, M. Cáceres, M. Hanclik (eds), W3C Technical Report
Members of the W3C Web Applications Working Group have published a Last Call Working Draft for the specification View Mode Media Feature. The Working Group has determined that this document has satisfied the relevant technical requirements and is sufficiently stable to advance through the Technical Recommendation process. The Last Call period ends May 18, 2010.
Web applications, be they widgets or in-browser, can on most platforms be run in multiple visual modes. At times they may occupy the entire screen, at others they may be minimised to a specific docking area; at times they may have chrome that matches the operating system's style while at others they may be providing their own controls in order to provide for a more immersive experience.
The user is generally in control of at least several aspects of these modalities, and it is therefore important for authors to be able to react to these in order to provide different styling to their applications. In order to achieve this, this specification defines a media feature that allows different CSS style rules to be applied depending on whether a given media query matches.
The view-mode media feature describes the mode in which the Web application is being shown as a running application on the platform. Values include: (1) windowed - a Web application running in a windowed manner, which is to say with chrome and without occupying the entire screen area; (2) floating - a Web application providing a more immersive interface, running in a windowed manner but without chrome, and with the viewport's initial background being transparent such that other system items (other applications, the display's background...) can be seen through parts of the viewport that are not being painted to; (3) fullscreen - a Web application that is occupying the entirety of the display, including the parts normally excluded from the screen area, e.g., a fullscreen video; (4) maximized - a Web application that is occupying the entirety of the screen area; (5) minimized - a Web application docked or otherwise minimised, but with a dynamic graphical representation still available, i.e., the application isn't entirely hidden; for instance its icon may still be shown and the application controls what it contains, which may correspond to a thumbnail of the application's content being shown..."
IETF IRI Working Group Draft for Internationalized Resource Identifiers
Martin Dürst, Michel Suignard, Larry Masinter; IETF Internet Draft
Members of the IETF Internationalized Resource Identifiers Working Group have published an initial (-00) Working Group Internet Draft for the specification Internationalized Resource Identifiers (IRIs). This document defines the Internationalized Resource Identifier (IRI) protocol element, as an extension of the Uniform Resource Identifier (URI). An IRI is a sequence of characters from the Universal Character Set (Unicode/ISO 10646). Grammar and processing rules are given for IRIs and related syntactic forms.
In addition, this document provides named additional rule sets for processing otherwise invalid IRIs, in a way that supports other specifications that wish to mandate common behavior for 'error' handling. In particular, rules used in some XML languages (LEIRI) and web applications are given.
Defining IRI as a new protocol element (rather than updating or extending the definition of URI) allows independent, orderly transitions: other protocols and languages that use URIs must explicitly choose to allow IRIs. Guidelines are provided for the use and deployment of IRIs and related protocol elements when revising protocols, formats, and software components that currently deal only with URIs..."
This IETF Working Group was formed to produce a new version of RFC 3987: "Internationalized Resource Identifiers (IRIs)" using I-D 'draft-duerst-iri-bis' as the base, and a new version of RFC 4395: "Guidelines and Registration Procedures for New URI Schemes." The new version of RFC 3987 may be split into separate documents, if, in the opinion of the chair(s), it would facilitate distribution of the workload and allow more focused reviews. For example, the following breakdown has been suggested: Handling of Internationalized domain names in IRIs; Internationalization Considerations in IRIs, for BIDI, character ranges to avoid, special considerations; Syntax, parsing, comparison of IRIs. The WG coordinates with the W3C working groups on HTML5, XML Core, and Internationalization, as well as with IETF HTTPBIS WG to ensure acceptability...
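An added example (the editor's code, not from the draft or from any library) of the IRI-to-URI mapping the draft inherits from RFC 3987 section 3.1, which is the step every URI-only protocol or parser needs before it can accept an IRI: the host is converted with IDNA to its `xn--` form and every other component has the UTF-8 bytes of its non-ASCII characters percent-encoded, leaving existing `%XX` escapes alone. The sample IRIs are constructed, and normalizing to NFC before splitting is the editor's choice, made so that a precomposed and a decomposed spelling of the same path map to one URI rather than two.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit


def encode_non_ascii(s):
    """Percent-encode the UTF-8 bytes of every non-ASCII character.

    ASCII characters, including %XX escapes already present, are passed through
    unchanged so an already-escaped character is never escaped twice."""
    out = []
    for ch in s:
        if ord(ch) < 0x80:
            out.append(ch)
        else:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def iri_to_uri(iri):
    """Map an IRI to the equivalent URI (RFC 3987 section 3.1 procedure)."""
    # Editor's choice: canonical composition first, so 'e' + U+0301 and U+00E9
    # produce the same %C3%A9 and cannot name two different resources.
    iri = unicodedata.normalize("NFC", iri)
    p = urlsplit(iri)

    netloc = ""
    if p.username is not None:  # userinfo is percent-encoded like the path
        netloc += encode_non_ascii(p.username)
        if p.password is not None:
            netloc += ":" + encode_non_ascii(p.password)
        netloc += "@"

    host = p.hostname or ""  # urlsplit lowercases the host and strips IPv6 brackets
    if ":" in host:
        netloc += "[" + host + "]"
    elif host:
        # internationalized domain name -> ASCII-compatible (xn--) form
        netloc += host.encode("idna").decode("ascii")
    if p.port is not None:
        netloc += ":%d" % p.port

    return urlunsplit((p.scheme.lower(), netloc,
                       encode_non_ascii(p.path),
                       encode_non_ascii(p.query),
                       encode_non_ascii(p.fragment)))


if __name__ == "__main__":
    # constructed inputs: a German host label, accented path/query/fragment,
    # and a decomposed 'e' + combining acute in the path
    for iri in ("http://B\u00fccher.example/r\u00e9?q=\u00fc#\u00e9",
                "http://example.com/e\u0301"):
        print(iri, "->", iri_to_uri(iri))
```

The mapping is one-way and lossy by design, and two IRIs that look alike to a person (mixed-script or confusable host labels) can map to different `xn--` hosts; the `xn--` prefix in the URI form is the visible signal that the host was not plain ASCII, and a filter written against the URI form will only match what it sees there.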
Social Networking Web and OAuth: Twitter Client for Google App Engine
Xiaobo Yang, IBM developerWorks
"OAuth is an open protocol that lets users share their protected resources among different Web sites, without risking exposure of users' credentials. Part 1 of this series introduced OAuth and showed you how to develop an OAuth-enabled desktop Twitter client. In Part 2, you learned how to develop an OAuth-enabled Web Twitter client. In this final part of the series, we deploy the Web application developed in Part 2 to the Google App Engine (GAE).
GAE, which is provided by Google, enables Web applications to run on Google's infrastructure. A big benefit of GAE is that your applications can easily scale as your traffic and data storage needs grow. You can focus on software development, without worrying about Web and database server maintenance. With a reasonable amount of traffic to your applications deployed on GAE, you can use it for free. When more and more users are attracted to your site, you can buy more CPU time and data storage from Google. As of the writing of this article, GAE supports both Python and Java code...
OAuth provides a better way for a consumer site to access a user's protected resources held on a service provider. With OAuth, credentials are never exposed to sites other than where the user's data is originally held..."
"The OAuth 1.0 Protocol," recently published by IETF as (Informational) Request for Comments 5849, "provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections."
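To make "without sharing their credentials" concrete, here is an added example (the editor's code, not from the IBM developerWorks series, Twitter, or RFC 5849 itself) of the HMAC-SHA1 signing in RFC 5849 on both sides of the exchange: the client builds the signature base string and signs it with the consumer secret and token secret, and the resource server recomputes the signature from the same secrets, enforces a timestamp window and rejects replayed nonces. Only the signature travels with the request; the secrets never do. The URL, keys, secrets and nonce are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only the unreserved set is left bare."""
    return quote(str(s), safe="-._~")


def base_string_uri(url):
    """Section 3.4.1.2: lowercase scheme and host, default port dropped, no query or fragment."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    if p.port is not None and p.port != DEFAULT_PORTS.get(scheme):
        host = "%s:%d" % (host, p.port)
    return "%s://%s%s" % (scheme, host, p.path or "/")


def normalize_params(pairs):
    """Section 3.4.1.3.2: encode each name and value, sort by name then value, join."""
    return "&".join("%s=%s" % kv for kv in sorted((pct(k), pct(v)) for k, v in pairs))


def signature_base_string(method, url, oauth_params, body_pairs=()):
    """Section 3.4.1.1: METHOD & encoded base URI & encoded normalized parameters."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs += list(body_pairs)  # only for application/x-www-form-urlencoded bodies
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(pairs))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Section 3.4.2: the key is both secrets, each encoded, joined by '&'."""
    key = ("%s&%s" % (pct(consumer_secret), pct(token_secret))).encode("ascii")
    mac = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 body_pairs=(), now=None, nonce=None):
    """Client side: build the oauth_* protocol parameters and attach the signature."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time() if now is None else now)),
        "oauth_nonce": nonce or secrets.token_hex(8),  # fresh per request
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, params, body_pairs)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return params


class ResourceServer:
    """Server side: recompute the signature from the shared secrets, refuse replays."""

    def __init__(self, consumer_secret, token_secrets, window=300):
        self.consumer_secret = consumer_secret
        self.token_secrets = token_secrets  # oauth_token -> token secret
        self.window = window                # tolerated clock skew, seconds
        self.seen = set()                   # (consumer key, nonce, timestamp) already accepted

    def verify(self, method, url, oauth_params, body_pairs=(), now=None):
        now = time.time() if now is None else now
        try:
            ts = int(oauth_params.get("oauth_timestamp", ""))
        except ValueError:
            return False
        if abs(now - ts) > self.window:
            return False  # stale or future-dated request
        replay_key = (oauth_params.get("oauth_consumer_key"), oauth_params.get("oauth_nonce"), ts)
        if replay_key in self.seen:
            return False  # same nonce seen again inside the window: replay
        token_secret = self.token_secrets.get(oauth_params.get("oauth_token", ""))
        if token_secret is None or oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        base = signature_base_string(method, url, oauth_params, body_pairs)
        expected = hmac_sha1_signature(base, self.consumer_secret, token_secret)
        presented = str(oauth_params.get("oauth_signature", "")).encode("utf-8")
        if not hmac.compare_digest(expected.encode("ascii"), presented):
            return False  # constant-time compare: no timing leak on the signature
        self.seen.add(replay_key)  # record only after success so bad requests cannot burn nonces
        return True
```

The nonce is recorded only after a successful verification; recording it earlier would let anyone who can observe a request burn its nonce with a forged copy and cause the legitimate one to be rejected. The base string is the part most implementations get wrong (port handling, double encoding of query values), which is why `signature_base_string` is kept separate and testable.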
Layer 7 Launches Cloud Security, Connectivity and Management Solutions
Staff, Layer 7 Technologies Announcement
"Layer 7 Technologies, leader in security and management for Web and cloud services, has announced the general availability of its new CloudSpan family of products for enterprises and service providers. These three first-of-a-kind products help address critical connectivity, security and delivery needs of both consumers and providers of cloud services... Layer 7's SecureSpan and CloudSpan SOA and cloud products feature sophisticated runtime governance, agent-less Web services management and industry-leading XML security, and allow organizations to control, monitor and adapt their SOA and cloud services, no matter where they originate — in the enterprise or in the cloud.
The Layer 7 CloudSpan cloud broker suite is designed to remove critical adoption barriers for cloud consumers and providers wanting to more easily access cloud services, run applications safely in the cloud or publish APIs and programmatic services (IaaS, PaaS, and SaaS services) to clients, partners and developers.
Components include: (1) CloudConnect, which serves as an organization's gateway to the cloud. Using a combination of access control, secure integration and aggregated usage tracking, Layer 7 CloudConnect makes it possible for enterprises to create a secure channel to SaaS providers. (2) CloudProtect, which provides security in the cloud. Layer 7 CloudProtect helps enterprises establish secure perimeters around each cloud application (virtual private applications), ensuring data isolation and central policy control. (3) CloudControl, which gives service providers the ability to manage and control how their cloud services get published to clients, partners and developers.
CloudControl allows enterprises to securely expose their application APIs to customers and partners, creating a layer of abstraction or indirection between what enterprises provide internally and what customers see externally. Enterprises can use policy-based controls to customize the message, identity and interface level security for their APIs; track usage, monitor interface health, and even manage versions and updates without breaking client applications. CloudControl also supports simple orchestration, allowing for the creation of new developer processes that can be controlled outside of code..."
See also: Network World
Avatier Identity Management Cloud Computing Solution
Staff, Avatier Announcement
"Avatier Corporation today announced its partnership with OASIS. Avatier will apply its expertise in Identity Management and Cloud Computing technologies with participation in several OASIS standards initiatives, including the Content Management Interoperability Services (CMIS) Technical Committee and the Darwin Information Typing Architecture (DITA) Technical Committee, with others to be determined.
Poised to help companies with their security and compliance needs, Avatier Identity Management Suite (AIMS) is the only 'no assembly required' Identity Management solution for the Cloud Computing environment that deploys in minutes, not months, and leverages an enterprise's existing infrastructure to help customers quickly realize compliance, security management and business goals.
Through its relationship with OASIS, Avatier will secure its place in the international community that recognizes the importance of interoperability and intelligent information exchange. Additionally, setting the standard for Identity Management in a Cloud Computing Environment, AIMS is the only Identity Management solution that fully supports over 29 languages. From the client interface to help desk ticketing, logging, alerting, and reporting interfaces, AIMS can meet the needs of its worldwide customers through complete language functionality...
Avatier is committed to developing integrated password-reset solutions that combine strong password policies with secure, self-service password reset and cross-platform synchronization so organizations can meet their security needs while actually improving efficiency and productivity... Identity Analyzer allows you to have a complete holistic view of all of your accounts and current status across your enterprise systems. In other words, even before you begin any identity management project you will have the chance to check the status of each account..."
See also: Avatier Identity Management Suite
Pushing Messages from the Cloud with Amazon Simple Notification Service
Abel Avram, InfoQueue
"Amazon has launched a new service called Simple Notification Service (SNS) providing the means for setting up, publishing and sending notifications from the cloud, targeting monitoring applications, workflow systems, mobile applications or other notification-based applications.
Amazon has another notification service, Simple Queue Service (SQS), using a polling-based approach to messaging. SQS is used by distributed applications to communicate by sending messages to queues where they are stored, waiting to be consumed by clients. A client regularly polls a queue, retrieving any message of interest. This approach decouples the sender and the receiver of the message.
Unlike SQS, SNS uses a push approach to notification. An application or an administrator using a GUI tool creates a Topic or an Access Point identified by a subject or an event type. The owner of the topic determines who can publish/subscribe to it, and what protocol or protocols will be used for communication (HTTP, HTTPS, Email, Email-JSON, SQS queue). Clients interested in receiving messages will subscribe to these access points and will provide the URL or email address where notifications are to be sent. When an application wants to send a message, it sends it to the access point and SNS will take care of the delivery process.
Messages sent over Email will contain only the email's message body as sent by the publisher and are intended to be addressed to people who are supposed to read those messages. All other protocols use a JSON package meant for automatic processing and containing structured information... If a message cannot be dispatched, the SNS system stores the message and retries delivery later until the client receives it. Messages are stored redundantly across multiple systems and data centers... Messages are currently limited to 8KB in length and cost $0.06 per 100,000 notifications sent over HTTP and $2 per 100,000 emails. The first 100,000 HTTP notifications and 1,000 emails per month are free. SQS messages are not charged..."
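Two consequences of the push model above matter to whoever runs the HTTP subscriber: the endpoint is reachable by anyone on the Internet, not just SNS, so a forged envelope can ask it to follow a URL or trust a signing certificate of the attacker's choosing; and "retries delivery later until the client receives it" means at-least-once delivery, so the same MessageId can arrive twice after a lost acknowledgement. The following is an added example (the editor's code, not Amazon's or the InfoQ article's) of a subscriber endpoint that handles both. Envelope field names (Type, MessageId, TopicArn, Message, Timestamp, SignatureVersion, Signature, SigningCertURL, SubscribeURL) and the `x-amz-sns-message-type` header follow the SNS HTTP delivery format; the sample envelope, topic ARN and the `verify_signature` and `fetch` callables are constructed placeholders, and the hostname pattern used to allow-list SNS URLs is an assumption to adjust for the partitions you actually use. The certificate-based check of `Signature` is delegated to `verify_signature` and not shown.

```python
import json
import re
from urllib.parse import urlsplit

# Assumption: regional SNS hostnames look like sns.<region>.amazonaws.com(.cn).
SNS_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")
REQUIRED = ("Type", "MessageId", "TopicArn", "Timestamp",
            "SignatureVersion", "Signature", "SigningCertURL")


def trusted_sns_url(url):
    """Only https URLs on an SNS host may be fetched or followed.

    A forged envelope could otherwise point SubscribeURL or SigningCertURL at
    an attacker's server (server-side request forgery, or a cert the attacker
    controls)."""
    p = urlsplit(url)
    return p.scheme == "https" and bool(p.hostname) and bool(SNS_HOST.match(p.hostname.lower()))


class SnsEndpoint:
    def __init__(self, topic_arn, verify_signature, fetch):
        self.topic_arn = topic_arn
        self.verify_signature = verify_signature  # callable(envelope) -> bool, checks Signature with the cert at SigningCertURL
        self.fetch = fetch                        # callable(url), used only to GET a trusted SubscribeURL
        self.seen_ids = set()                     # MessageIds already processed (use durable storage in practice)
        self.delivered = []                       # payloads handed to the application

    def handle(self, headers, body):
        """Process one HTTP POST from SNS and return the status code to answer.

        Anything other than 2xx makes SNS retry, so a rejected message is never acked."""
        try:
            msg = json.loads(body)
        except ValueError:
            return 400
        if not isinstance(msg, dict) or any(f not in msg for f in REQUIRED):
            return 400
        kind = headers.get("x-amz-sns-message-type")
        if kind != msg["Type"]:
            return 400  # header and body must agree on the message type
        if msg["TopicArn"] != self.topic_arn:
            return 403  # deliveries for a topic we did not subscribe to are dropped
        if not trusted_sns_url(msg["SigningCertURL"]) or not self.verify_signature(msg):
            return 403  # never verify against a certificate from an untrusted host
        if kind == "SubscriptionConfirmation":
            if not trusted_sns_url(msg.get("SubscribeURL", "")):
                return 403
            self.fetch(msg["SubscribeURL"])  # confirms the subscription
            return 200
        if kind == "Notification":
            if msg["MessageId"] in self.seen_ids:
                return 200  # redelivery after a lost ack: acknowledge, do not reprocess
            self.seen_ids.add(msg["MessageId"])
            self.delivered.append(msg.get("Message"))
            return 200
        if kind == "UnsubscribeConfirmation":
            return 200
        return 400


# Constructed sample envelope in the shape SNS posts to HTTP(S) subscribers.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:orders"
SAMPLE_NOTIFICATION = {
    "Type": "Notification",
    "MessageId": "3b3f6f1e-0000-4000-8000-000000000001",
    "TopicArn": TOPIC_ARN,
    "Subject": "order.created",
    "Message": "{\"order_id\": 42}",
    "Timestamp": "2010-04-08T12:00:00.000Z",
    "SignatureVersion": "1",
    "Signature": "<base64 signature, not checked in this sample>",
    "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-0123456789abcdef.pem",
}


def as_body(envelope):
    """Serialize an envelope the way it arrives in the POST body."""
    return json.dumps(envelope)


if __name__ == "__main__":
    ep = SnsEndpoint(TOPIC_ARN, verify_signature=lambda m: True, fetch=lambda u: print("GET", u))
    hdr = {"x-amz-sns-message-type": "Notification"}
    print(ep.handle(hdr, as_body(SAMPLE_NOTIFICATION)), ep.delivered)
    print(ep.handle(hdr, as_body(SAMPLE_NOTIFICATION)), ep.delivered)  # duplicate: acked, not reprocessed
```

The duplicate check is keyed on MessageId rather than on message content, because SNS re-sends the same MessageId on retry while two distinct publishes with identical bodies are legitimately two messages.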
See also: Amazon Simple Notification Service
Location Hiding: Problem Statement and Requirements
Henning Schulzrinne, Laura Liess, Hannes Tschofenig (et al), IETF Internet Draft
Members of the IETF Emergency Context Resolution with Internet Technologies (ECRIT) Working Group have published an Internet Draft for Location Hiding: Problem Statement and Requirements. The document provides a problem statement and lists requirements for situations where the Internet Access Provider (IAP) and/or the Internet Service Provider (ISP) are only willing to disclose limited or no location information.
Overview: "The emergency services architecture developed in the IETF Emergency Context Resolution with Internet Technology (ECRIT) working group describes an architecture where location information is provided by access networks to end points or VoIP service providers in order to determine the correct dial string and information to route the call to a Public Safety Answering Point (PSAP). The Location-to-Service Translation (LoST) Protocol as defined in IETF RFC 5222 allows callers and other call-routing entities to determine the PSAP Uniform Resource Identifier (URI) for a specific geographical location together with a service URI, per RFC 5031.
For emergency services, location information is needed in three ways: (1) emergency call routing to the PSAP that is responsible for a specific geographical region; (2) dispatch of the emergency personnel to the scene of an accident, crime or other types of incidents; (3) additionally, a Voice Service Provider (VSP) may need to verify that a call is indeed an emergency call and may therefore require location information to ensure that calls routed to a specific URI point to a PSAP. This document focuses on item (1) and item (3). Providing location information by the ISP to the PSAP and to the emergency personnel are typically legal obligations covered by regulatory frameworks.
Location Hiding: Internet Access Providers (IAPs) and Internet Service Providers (ISPs) typically have little incentive to provide location information to end hosts or independent VSPs (without monetary compensation) for any purpose, including for emergency call routing. The decision to deny disclosure of location information can be driven by a number of technical and business concerns. Some providers may perceive a risk that allowing users to access location information for non-emergency purposes or prior to an emergency call will incur additional server load and thus costs. Other providers may not want to make location information available without the ability to charge for it. Yet others fear problems with regard to privacy when disclosing location information to potentially unknown third parties..."
Symantec Security Report Reveals Face of Data Breaches
Brian Prince, eWEEK
Symantec's latest Global Internet Security Report reveals that while the largest percentage of data breaches were caused by the physical theft or loss of a device with corporate information, hacking was the greatest cause of data records being exposed in 2009. That credit card number swiped in a data breach may go for as little as 85 cents in the cyber-underground, according to Symantec's latest Global Internet Security Report. The 97-page document details the company's review of the threat landscape in 2009...
According to Symantec, 60 percent of the data records exposed were compromised via hacking, up from 22 percent in 2008. Fifteen percent of breaches that could lead to identity theft were caused by hacking, a slight decrease from 2008... The financial sector was hardest hit among the verticals analyzed by Symantec, and accounted for 60 percent of the total identities exposed...
Web-based attacks associated with malicious PDF files skyrocketed during the year. According to Symantec, the number of attacks targeting PDF viewers such as Adobe Reader accounted for 49 percent of the Web-based attacks observed for the year, more than four times the 11 percent observed in 2008. The attack is not directly related to any specific vulnerability, but the contents of the malicious PDF file were designed to exploit arbitrary vulnerabilities in applications that process PDFs. Marc Fossi, executive editor of the report and manager of research and development with Symantec Security Response: 'Because [PDF is] now an open format, there are more PDF readers out there that can be potentially exploited... Part of it may also be related to some people potentially thinking PDF files are safer than other types of files, such as word processing documents or spreadsheets'..."
According to the Symantec report: "Attackers are leveraging the abundance of personal information openly available on social networking sites to synthesize socially engineered attacks on key individuals within targeted companies. Cybercrime attack toolkits have lowered the bar to entry for new cybercriminals, making it easy for unskilled attackers to compromise computers and steal information. One such toolkit called Zeus (Zbot), which can be purchased for as little as $700, automates the process of creating customized malware capable of stealing personal information. Using kits like Zeus, attackers created literally millions of new malicious code variants in an effort to evade detection by security software..."
See also: the Symantec announcement
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/