The Cover PagesThe OASIS Cover Pages: The Online Resource for Markup Language Technologies
Advanced Search
Site Map
CP RSS Channel
Contact Us
Sponsoring CP
About Our Sponsors

Cover Stories
Articles & Papers
Press Releases

XML Query

XML Applications
General Apps
Government Apps
Academic Apps

Technology and Society
Tech Topics
Related Standards
Last modified: April 27, 2010
XML Daily Newslink. Tuesday, 27 April 2010

A Cover Pages Publication
Provided by OASIS and Sponsor Members
Edited by Robin Cover

This issue of XML Daily Newslink is sponsored by:
Oracle Corporation

OASIS Public Review: XSPA Profile of WS-Trust for Healthcare
Mike Davis, Duane DeCouteau, David Staggs, Jiandong Guo (eds), OASIS PRD

Members of the OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) Technical Committee have released a Committee Draft of Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of WS-Trust for Healthcare for public review through June 26, 2010. This profile describes a framework in which WS-Trust is leveraged by cross-enterprise security and privacy authorization (XSPA) to satisfy requirements pertaining to information-centric security within the healthcare community.

WS-Trust 1.3 defines extensions that build on the WS-Security Standard to provide a framework for requesting and issuing security tokens, and to broker trust relationships. WS-Security defines the basic mechanisms for providing secure messaging, and WS-Trust 1.3 uses these base mechanisms to define additional primitives and extensions for security token exchange to enable the issuance and dissemination of credentials within different trust domains. In order to secure a communication between two parties, the two parties must exchange security credentials (either directly or indirectly). However, each party needs to determine if they can 'trust' the asserted credentials of the other party. In the WS-Trust specification, extensions are defined which provide: (1) Methods for issuing, renewing, and validating security tokens; (2) Ways to establish assess the presence of, and broker trust relationships. Using these extensions, applications can engage in secure communication designed to work with the general Web services framework, including WSDL service descriptions, UDDI businessServices and bindingTemplates, and SOAP messages...

The XSPA profile of WS-Trust provides cross-enterprise authorization of entities within and between healthcare information technology (IT) systems by providing common semantics and vocabularies for interoperable coarse and fine-grained access control. Additional introductory information and examples can be found in Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of WS-Trust Implementation Examples...

The XSPA profile of WS-Trust supports sending all requests through an Access Control Service (ACS). The ACS receives the Request Security Token (RST) from the Service User and responds with a Request Security Token Response (RSTR) containing SAML assertions regarding user authorizations and attributes. To perform its function, the ACS may acquire additional attribute information related to user location, role, purpose of use, and requested resource requirement and actions. The requesting ACS is responsible for enforcement of the access control decision. It should be noted that the ACS may make an access control decision to deny access to remote resources based on local internal policies... The Service Provider ACS is responsible for the parsing of assertions, evaluating the assertions against the security and privacy policy, and making and enforcing a decision on behalf of the Service Provider... The XSPA profile of WS-Trust recommends the use of reliable [and secure] transmission protocols. Where transmission integrity and transmission confidentiality are required, this profile makes no specific recommendations regarding mechanism or assurance level..."

See also: the OASIS XSPA web site

Call For Participation: W3C Workshop on Privacy for Advanced Web APIs
Staff, W3C Announcement

A W3C Workshop on Privacy for Advanced Web APIs will be held in London, UK on July 12/13, 2010. This workshop serves to review experiences from recent design and deployment work on device APIs, and to investigate novel strategies toward better privacy protection on the Web that are effective and lead to benefits in the near term.

Background: "As the Web advances toward becoming an application development platform that addresses needs previously met by native applications, work proceeds on APIs to access information that was previously not available to Web developers. The broad availability of possibly sensitive data collected through location sensors and other facilities in a Web browser is just one example of the broad new privacy challenges that the Web faces today. Security considerations and design choices for sensitive APIs were the topic of the December 2008 W3C Workshop on Security for Access to Device APIs for the Web. Following up to that workshop, a report was published and the Device API and Policy Working Group was chartered. Earlier approaches to address privacy issues for the Web, especially through policy languages, have not seen broad implementation in current-generation Web browsers.

The July 12/13, 2010 workshop is expected to attract a broad set of stakeholders, including implementers from the mobile and desktop space, policy and privacy experts, and developers and operators of Web applications that make use of advanced APIs. All participants are required to submit a position paper by 1 June 2010. W3C membership is not required to participate in this workshop.

Topics for position papers may include, but are not limited to: (1) novel approaches and architectures toward privacy on the Web that W3C should pursue; (2) implementation experience with current generation device APIs; (3) deployment experience of current generation device APIs from a Web Application implementer's and provider's perspective; (4) implementation and deployment experience with current generation device APIs from a public policy and privacy perspective; (5) policy considerations for the future development of the Web platform in general, and advanced APIs in particular; (6) user experience and service design issues and approaches related to security and privacy technologies for the Web; (7) social or regulatory issues relating to privacy as they potentially impact any of the above..."

See also: the Workshop Report for the December 2008 security event

HITRUST and Cloud Security Alliance to Collaborate on Cloud Security
Staff, CSA Announcement

"The Health Information Trust Alliance (HITRUST) and Cloud Security Alliance (CSA) have announced a joint collaboration focused on addressing cloud security initiatives related to improving the state of security and compliance in the healthcare industry. The two organizations will work together on cloud-based healthcare information security issues and with one another's respective communities to develop and promote security best practices.

As evidence of the value of this collaboration, CSA today announced the release of the Cloud Controls Matrix, a tool that maps security practices for the cloud with traditional security regulations and standards, such as PCI, HIPAA and ISO 27000. Part of the mapping is achieved by leveraging the HITRUST Common Security Framework (CSF), a comprehensive security framework that provides prescriptive guidance and best practices and incorporates the existing security requirements of healthcare organizations, including federal (e.g., HIPAA and HITECH), state, third party (e.g., PCI and COBIT), and governmental agencies (e.g., NIST, FTC and CMS). The Cloud Controls Matrix strengthens existing cloud information security by emphasizing business information security control requirements, normalizing cloud taxonomy, and encouraging consistent security measures.

Frank Grant, Senior Director, U.S. Healthcare, Cisco Systems: "As a member of the HITRUST Executive Council and an active member of the CSA, Cisco knows firsthand the contributions that these organizations have already made and we are excited by the future output resulting from their combined knowledge and expertise. Cisco is committed to supporting healthcare organizations with best practices and the necessary guidance and resources to support their information security needs..."

The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities..."

See also: the Cloud Security Alliance (CSA)

ECMA Common Language Infrastructure (CLI) Fifth Edition
Jonathan Allen, InfoQueue

"The ECMA working group in charge of the Common Language Infrastructure standard has produced released a working draft of the fifth edition. The Common Language Infrastructure represents the subset of Microsoft's .NET platform that has been placed in the care of ECMA International. Formally known as the European Computer Manufacturers Association, ECMA International both competes with and complements the International Organization for Standardization.

This third major version of the standard is being portrayed as the fifth edition: this situation arose from the cross-standardization process between ECMA and ISO. For example, after the third edition was ratified by ECMA in 2006 it entered ISO's fast-track process. Once ratified there, the resulting document, ISO/IEC 23271:2006, was adopted by EMCA as the fourth edition... ECMA standards have the advantage over ISO in that they are freely available. The current edition and all previous editions are available on ECMA's website as well as numerous mirrors.

From the ECMA-335-CLI-Public-Draft overview: "In August, 2000, the specification for the Common Language Infrastructure (CLI) was submitted to the international standardization organization Ecma. As a result, Ecma formed a task group (TG3) within TC39 (now moved to TC49), its technical committee responsible for programming languages and application development. This specification became known as Ecma-335. Since the initial submission, various Ecma member companies and individual contributors have produced two editions of the CLI standard, one in 2002 and one in 2006. Each Ecma edition was also submitted and approved by the International Standards Organization (ISO), specifically ISO/IEC JTC 1... Work on the 5th edition of Ecma-335 CLI standard began in mid-2009. The TC49-TG3 task group is working on extending both the virtual machine and class libraries of the CLI specification. In addition, improvements are being made to clarify existing elements of the specification. Many of these improvements are the result of feedback received from outside the task group, for which the task group is grateful...

Available Documents, current as of 27-March-2010: (1) CLI Partition I - Architecture; (2) CLI Partition II - Metadata and File Format; (3) CLI Partition III - CIL; (4) CLI Partition IV - Library; (5) CLI Partition V - Binary Formats; (6) CLI Partition VI - Annexes; (7) Class Library XML; (8) Class Library Detailed Specifications..."

See also: the ECMA-335-CLI-Public-Draft overview

VMforce: Cloud and Java Marriage of Necessity for VMware and Salesforce
Dana Gardner, ZDNet Blog

"It's not surprising that cloud has become a strategic objective for VMware and SpringSource — both before after the acquisition that brought them together. VMware was busy forming its vCloud strategy to stay a step ahead of rivals that seek to make VMware's core virtualization hypervisor business commodity, while SpringSource acquired CloudFoundry to take its expanding Java stack to the cloud — even as such options were coming available for .NET and emerging web languages and frameworks like Ruby on Rails...

VMware's more pressing need is to make vSphere the de facto standard for managing virtualization and making vCloud, the de facto standard for cloud virtualization... In turn, wants to become the de facto cloud alternative to Google, Microsoft, IBM, and when they get serious, Oracle and SAP. The dilemma is that Salesforce up until now has built its own walled garden... The challenge is that Salesforce, having made the modern incarnation of remote hosted computing palatable to the enterprise mainstream, now finds itself in a larger fishbowl outgunned in sheer scale by Amazon and Google, and outside the enterprise, the on-premises Java mainstream...

So VMforce is the marriage of two suitors that each needed their own leapfrogs: VMware transitions into a ready-made cloud-based Java stack with existing brand recognition, and steps up to the wider Java enterprise mainstream opportunity. Apps written using the Spring Java stack will gain access to's community and services such as search, identity and security, workflow, reporting and analytics, web services integration API, and mobile deployment. But it also means dilution of some features that make platform what it is..."

From the announcement: " and VMware have announced a partnership to jointly deliver, sell and support a new enterprise Java cloud called VMforce. VMforce will provide the trusted, open path to the cloud for 6 million enterprise Java developers, including the two million member Spring community. VMforce will enable Java developers to instantly tap into platform services, including the database, Chatter collaboration, workflow, analytics and search. VMforce will include new VMware vCloud technology that dramatically simplifies the management and orchestration of applications on VMware vSphere-based infrastructure. Part of the industry-leading cloud platform, VMforce will enable Java developers to quickly and easily build next-generation enterprise Cloud 2 apps that are instantly social, mobile, and collaborative..."

See also: the VMware announcement

Don't Count on Kerberos to Thwart Pass-the-Hash Attacks
Roger Grimes, InfoWorld

"Readers have responded to previous postings on pass-the-hash attacks, asking if Kerberos authentication versus LANManager, NTLM, or NTLMv2 was an effective defense... Invented at MIT, Kerberos is an open authentication protocol used on a variety of computer systems. Kerberos systems pass cryptographic key-protected authentication "tickets" between participating services. The password hashes are neither sent nor stored, so they can't be captured and reused as easily...

Kerberos is the default authentication protocol implemented in Windows 2000. More recent operating systems use Kerberos to connect to Windows 2000 and to later network Kerberos-protected resources and services. In most of today's Windows networks, Kerberos authentication is widespread. Kerberos has the potential to reduce pass-the-hash risk, but not nearly as much as one would initially think.

For one, pass-the-hash attacks only work against interactive—right at the computer—logons. In Windows, password hashes are not sent or stored on the remote server or hosting process in Windows over network connections (with the notable exception of RDP connections), whether using NTLM/NTLMv2 or Kerberos. The attacker can only capture password hashes that are stored on the local computer in the SAM or Active Directory database or from users logged on interactively.

Second, when a user logs on interactively to a computer that uses Kerberos, his or her NT password hash is stored in the computer's memory and is available to be stolen. This is because all Windows computers must support at least one other authentication protocol, such as LanManager, NTLM, or NTLMv2... Kerberos may be able to reduce pass-the-hash risk in some specific scenarios, but it doesn't significantly reduce risk in most environments. Still, there are at least a half-dozen better reasons (performance, other security protections, mutual authentication) Kerberos should be used instead of the older authentication protocols. Realistically, however, once the attacker has the elevated access needed to mount pass-the-hash attacks, such assaults are one of a thousand new risks..."

Vendors Team on CMIS Content-Sharing Specification
Joab Jackson, InfoWorld

"A cadre of enterprise content management (ECM) software vendors is close to finalizing a standard for sharing data across their systems. Next week, OASIS is expected to ratify the Content Management Interoperability Services (CMIS) specification, a set of bindings that would allow different content management systems to offer access to their content in a single, uniform fashion. CMIS is the effort of a number of ECM heavyweights, including IBM, Microsoft, EMC, and Alfresco... It is a standard much needed by both vendors and their enterprise customers, observers say..."

Ian Howells, the chief marketing officer at Alfresco: "Today, the hooks for fetching and changing data in systems such as EMC Documentum and Microsoft SharePoint are different for each system. Each application programming interface is completely unique... As a result, developers building applications that pull data from ECMs face a lot of work, especially if their creations need to access multiple content management systems. For each system, the content is in a proprietary format, the metadata is in a proprietary form, and the API is proprietary. It's a nightmare... CMIS could simplify matters insofar as it offers a single set of bindings that a developer could write to, and not worry about the underlying CMS. The bindings are based on either the REST (Representational State Transfer) protocol or the Web services-based SOAP (Simple Object Access Protocol)..."

What remains to be seen is to what extent the ECM vendors support the CMIS standard in their products. A vendor could claim to support it but do so only minimally. Also, this is not the first time the ECM community has attempted a cross-platform standard. The Java Content Repository (JCR), which aimed at cross-platform compatibility for Java-based CMSes, never took hold due to relatively poor adoption. Thus far the vendors that have participated in CMIS seem enthusiastic. They have held a number of plug-fests to demonstrate that front-end querying software can draw data from a variety of back-end repositories.

Tony Byrne (The Real Story): "CMIS could be helpful to customers in that it separates the repository layer from the application layer... This approach can free organizations to more easily use a wider variety of software, such as SharePoint for a front-end user interface and Documentum for storing documents on the back end. But even if the vendors are enthusiastic about the standard, it will take years for most of them to work it into their products... [since] the standard addresses only repository independence. It does not address process integration. Because I have an application that can talk to a neutral standard doesn't mean my business processes have gotten integrated..."

See also: CMIS 1.0 references

Java Web Services: CXF Performance Comparison for Axis2 and Metro
Dennis Sosnoski, IBM developerWorks

"The Apache CXF Web services stack builds on some of the same technologies as the Apache Axis2 and Metro stacks discussed in earlier articles of this series. Like Axis2, it uses the Apache WSS4J WS-Security implementation. Like Metro, it predominantly uses JAX-WS 2.x Web services configuration and JAXB 2.x data binding—even using the same reference implementation of JAXB as Metro, though versions may differ between the two stacks. Beyond these common components, however, the stacks differ in many ways, including their processing engines and WS-SecurityPolicy configuration handling.

In this article, we demonstrate how CXF performance compares with the most-recent releases of both Axis2 and Metro. This article takes the approach of measuring the time required to execute a particular sequence of requests when both the client and the server run on a single system. This approach does a great job of comparing Web services processing overhead, because it eliminates the impact of network latencies and overhead from timing results. Assuming the client code isn't significantly slower than the server, the figures are also good representatations of actual server performance under load...

Based on the test timings reported in this article, it looks like Metro 2.0 is faster in basic request/response processing than either Axis2 1.5.1 or CXF 2.1.7. When it comes to WS-Security processing, though, Metro's XWSS library is no faster overall than the WSS4J library used by both Axis2 and CXF. Probably the most interesting aspect of these results is the implication for Axis2. Earlier tests showed that Axis2 was much slower than Metro in WS-Security processing. These test results show that the difference is not due to the WS-Security implementation code, so it must be due to the way Axis2 handle messages being passed to and from WSS4J. Axis2 also requires significantly more memory to run the tests than the other stacks, most noticably for the 'signenecr' configuration. These issues reinforce the earlier impression that Axis2 wastes processing time and memory doing unnecessary conversions between different message representations as part of the WS-Security handling.

The performance overhead of using WS-Security signing and encryption is substantial for all the stacks tested. This overhead can be problematic for services with heavy usage. In the next article we will discuss the WS-Trust and WS-SecureConversation add-on technologies, which can reduce the WS-Security overhead when clients make extensive use of a particular service..."

See also: the WS-Security specifications


XML Daily Newslink and Cover Pages sponsored by:

IBM Corporation
ISIS Papyrus
Microsoft Corporation
Oracle Corporation

XML Daily Newslink:
Newsletter Archive:
Newsletter subscribe:
Newsletter unsubscribe:
Newsletter help:
Cover Pages:

Hosted By
OASIS - Organization for the Advancement of Structured Information Standards

Sponsored By

IBM Corporation
ISIS Papyrus
Microsoft Corporation
Oracle Corporation


XML Daily Newslink
Receive daily news updates from Managing Editor, Robin Cover.

 Newsletter Subscription
 Newsletter Archives
Globe Image

Document URI:  —  Legal stuff
Robin Cover, Editor: