This issue of XML Daily Newslink is sponsored by:
ISIS Papyrus http://www.isis-papyrus.com
- NIST Releases XCCDF Security Controls Specification for Public Review
- W3C Call for Implementations: Media Queries
- Zimbra Saddles up to SAML
- IETF Updates the vCard Format Specification
- W3C MashSSL Incubator Group Publishes Final Report
- CSA Creates Certificate of Cloud Security Knowledge (CCSK) Program
- Using pureXML in SCA Component Development
NIST Releases XCCDF Security Controls Specification for Public Review
Neal Ziring and David Waltermire (eds), NIST Report
NIST has announced the publication of the draft Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 for public comment through August 30, 2010. The document (NIST IR-7275 Revision 4, 142 pages) was produced by the Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology (NIST). The XCCDF XML Schema (Appendix A) describes XCCDF in a manner that should allow automatic validation of most aspects of the format. Document Section 3.1 "Summary of Changes since Version 1.0" tabulates the principal updates (persistent/standard identifiers; versioning for Benchmarks, Rules, and Profiles; use of XML digital signatures; interactive Value tailoring; multiple scoring models; richer XHTML references; Boolean operators in complex checks; improved compatibility with Common Platform Enumeration (CPE) identifiers; Dublin Core metadata format support; weight reporting). The primary audience of the XCCDF specification is government and industry security analysts, and security management product developers. NIST and NSA welcome feedback from these groups on improving the XCCDF specification.
Purpose and Scope: "The XCCDF standardized XML format enables an automated provisioning of recommendations for minimum security controls for information systems categorized in accordance with NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, and Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, to support Federal Information Security Management Act (FISMA) compliance efforts... The general objective for XCCDF is to allow security analysts and IT experts to create effective and interoperable automated checklists, and to support the use of automated checklists with a wide variety of tools.
An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of security guidance or checklist compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices.
XCCDF is designed to enable easier, more uniform creation of security checklists and procedural documents, and allow them to be used with a variety of commercial, Government off-the-shelf (GOTS), and open source tools. The motivation for this is improvement of security for IT systems, including the Internet, by better application of known security practices and configuration settings. XCCDF proposes to automate certain technical aspects of security by converting English text contained in various publications (e.g., configuration guides, checklists, the National Vulnerability Database (NVD)) into a machine-readable XML format such that the various audiences (e.g., scanning vendors, checklist/configuration guide authors, auditors) will be operating in the same semantic context. The end result will allow organizations to use commercial off-the-shelf (COTS) tools to automatically check their security and map to technical compliance requirements. For example: (1) An academic group produces a checklist for secure configuration of a particular server operating system version. (2) A federally-funded lab issues a security advisory about a new Internet worm. (3) An industry consortium, in conjunction with a product vendor, wants to produce a security checklist for a popular commercial server..."
See also: the NIST Publications List
W3C Call for Implementations: Media Queries
Håkon Wium Lie, Tantek Çelik, Daniel Glazman, Anne van Kesteren (eds); W3C CR
Members of the W3C CSS Working Group have released a Candidate Recommendation for the Media Queries specification, together with a call for feedback from software implementations. W3C publishes a Candidate Recommendation to gather implementation experience.
In order for this 'Media Queries' specification to exit the CR stage, three conditions must be met: (1) There must be at least two interoperable implementations. For the purposes of this criterion, 'interoperable' means passing the respective test case(s) in the CSS test suite, or, if the implementation is not a Web browser, an equivalent test. Every relevant test in the test suite should have an equivalent test created if such a user agent (UA) is to be used to claim interoperability. In addition, if such a UA is to be used to claim interoperability, then there must be one or more additional UAs which can also pass those equivalent tests in the same way for the purpose of interoperability. The equivalent tests must be made publicly available for the purposes of peer review. An 'implementation' is a user agent which implements the specification, is publicly downloadable or available through some other public point of sale mechanism, and is shipped, or is a non-experimental nightly build. (2) There must be a Test Suite. (3) A minimum of another four weeks of the CR period must elapse.
Specification abstract: "HTML4 and CSS2 currently support media-dependent style sheets tailored for different media types. For example, a document may use sans-serif fonts when displayed on a screen and serif fonts when printed. 'screen' and 'print' are two media types that have been defined. Media queries extend the functionality of media types by allowing more precise labeling of style sheets. A media query consists of a media type and zero or more expressions that check for the conditions of particular media features. Among the media features that can be used in media queries are 'width', 'height', and 'color'. By using media queries, presentations can be tailored to a specific range of output devices without changing the content itself.
Media queries, as described in this specification, build on the mechanism outlined in HTML4. The syntax of media queries fits into the media type syntax reserved in HTML4. The media attribute of HTML4 also exists in XHTML and generic XML. The same syntax can also be used inside the '@media' and '@import' rules of CSS. A media query consists of a media type and zero or more expressions that check for the conditions of particular media features... A media query is a logical expression that is either true or false. A media query is true if the media type of the media query matches the media type of the device where the user agent is running (as defined in the 'Applies to' line), and all expressions in the media query are true... Several media queries can be combined in a media query list, a comma-separated list of media queries. If one or more of the media queries in the comma-separated list are true, the whole list is true, and otherwise false. In the media queries syntax, the comma expresses a logical OR, while the 'and' keyword expresses a logical AND..."
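The evaluation rules just quoted (type must match, 'and'-joined expressions must all hold, comma means OR) as a small evaluator. This is an added example, not code from the specification or the Working Group; the device description is constructed, lengths are assumed to be in pixels, and the 'min-'/'max-' feature prefixes it accepts come from the full specification rather than this excerpt.

```python
import re

# Constructed device: its media type plus the features the excerpt names.
DEVICE = {"type": "screen", "width": 800, "height": 600, "color": 8}

# '(feature)' or '(feature: value)'
_EXPR = re.compile(r"\(\s*([a-zA-Z-]+)\s*(?::\s*([^)]+?)\s*)?\)")


def _value(text):
    """Parse a feature value such as '600px' or '8' (pixels assumed for lengths)."""
    m = re.fullmatch(r"\s*(\d+)(px)?\s*", text)
    if not m:
        raise ValueError(f"unsupported value: {text!r}")
    return int(m.group(1))


def eval_expression(expr, device):
    """Evaluate one parenthesised expression against the device."""
    m = _EXPR.fullmatch(expr.strip())
    if not m:
        raise ValueError(f"malformed expression: {expr!r}")
    feature, value = m.group(1).lower(), m.group(2)
    base = re.sub(r"^(min|max)-", "", feature)
    if base not in device:
        return False  # unknown feature: the expression is false
    actual = device[base]
    if value is None:
        return actual != 0  # e.g. '(color)' is true on any colour device
    wanted = _value(value)
    if feature.startswith("min-"):
        return actual >= wanted
    if feature.startswith("max-"):
        return actual <= wanted
    return actual == wanted


def eval_media_query(query, device):
    """Optional media type followed by 'and'-joined expressions: all must be true."""
    parts = [p.strip() for p in re.split(r"\s+and\s+", query.strip(), flags=re.I)]
    if not parts[0].startswith("("):
        media_type = parts.pop(0).lower()
        # 'all' matches every device; otherwise the type must match exactly
        if media_type not in ("all", device["type"]):
            return False
    return all(eval_expression(p, device) for p in parts)


def eval_media_query_list(text, device=DEVICE):
    """Comma-separated list: true if any member query is true (comma = OR)."""
    queries = [q for q in text.split(",") if q.strip()]
    return any(eval_media_query(q, device) for q in queries)
```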
Zimbra Saddles up to SAML
John Fontana, Ping Talk Blog
"Zimbra has its own proprietary protocol for handling assertions about user identity that is called Preauth, but now it is publicizing a standards-based alternative: SAML. Zimbra is in pre-production testing with a new Zimbra server extension option that will offer support for SAML tokens. The company says it is getting more requests for integrating single sign-on so users can integrate into corporate apps data pulled from the Web-based Zimbra collaboration suite without having to re-authenticate...
Zimbra [an enterprise-class, open source email, calendar, and collaboration platform] has a pretty impressive customer list including Century 21, H&R Block, Raytheon and Mozilla.org. In addition, as part of the sale to VMware, Yahoo will retain the right to use Zimbra tech in Yahoo Mail and Yahoo Calendar. [Blogger] Vishal Mahajan has provided diagrams and examples in his blog showing how the Zimbra server acts as the SAML relying party. And look for Zimbra to nail down SAML support in the near future; he published code showing how to support SAML assertions within Zimbra by writing a 'SamlAuthProvider' class that extends 'AuthProvider,' a Zimbra extension sub-class that knows how to process/validate Preauth..."
According to Vishal Mahajan's blog: "Zimbra now includes a proprietary protocol for achieving this assertion, which is referred to as 'Preauth'. Preauth works by having a key that is shared between a third party application/system and Zimbra. The third party specifies the userid, a timestamp, optionally an expiration time, and an SHA-1 HMAC value computed over that data using the shared key. The Zimbra server, after successfully validating the HMAC value received in the request, redirects the user to the target Zimbra service. SAML interactions/exchanges take place between entities referred to as the SAML asserting party and the SAML relying party. An asserting party is an entity that creates/issues SAML assertions. It is also sometimes called a SAML authority. A relying party is an entity that uses assertions it has received.
In one scenario, the Zimbra server acts as the SAML relying party: the user authenticates and requests a SAML assertion from the SAML authority; the SAML authority makes sure that the user has been authenticated (by some means) and then issues a SAML assertion for the user; the user's client sends a SOAP request containing an assertion identifier to the Zimbra server; the Zimbra server calls the SAML Authority and inquires about the assertion by passing an identifier; the SAML Authority trusts the Zimbra server (relying party), looks up its store of issued assertions and responds with the assertion; based on its trust in the SAML authority, the Zimbra server validates the SAML assertion and sends back a response to the client..."
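The Preauth exchange described above (userid, timestamp, optional expiration, SHA-1 HMAC under a shared key, server-side validation) as a worked example. This is added illustration, not Zimbra's code: the field order and separator inside the HMAC input, the millisecond units and the five-minute clock-skew window are assumptions of the example, and the shared key is constructed.

```python
import hmac
import hashlib

# Constructed demo key; in a deployment the key lives in the Zimbra and
# third-party configuration, never in source.
SHARED_KEY = b"constructed-preauth-shared-key-for-demo-only"


def preauth_payload(userid: str, timestamp_ms: int, expires_ms: int) -> bytes:
    """Data the HMAC covers. The layout (userid|timestamp|expires, pipe-separated)
    is an assumption of this example; expires_ms == 0 means no explicit expiration."""
    return f"{userid}|{timestamp_ms}|{expires_ms}".encode("utf-8")


def make_preauth(userid, timestamp_ms, expires_ms=0, key=SHARED_KEY) -> str:
    """Third-party side: HMAC-SHA1 over the payload with the shared key, hex-encoded."""
    payload = preauth_payload(userid, timestamp_ms, expires_ms)
    return hmac.new(key, payload, hashlib.sha1).hexdigest()


def verify_preauth(userid, timestamp_ms, expires_ms, received, *, now_ms,
                   key=SHARED_KEY, max_skew_ms=5 * 60 * 1000) -> bool:
    """Server side: recompute the HMAC, compare in constant time, then apply
    freshness checks so a captured request cannot be replayed indefinitely."""
    if not isinstance(received, str) or len(received) != 40 \
            or any(c not in "0123456789abcdefABCDEF" for c in received):
        return False  # not a SHA-1 hex digest at all
    expected = make_preauth(userid, timestamp_ms, expires_ms, key)
    # compare_digest avoids leaking where the digests first differ
    if not hmac.compare_digest(expected, received.lower()):
        return False
    # the timestamp must be close to the server clock (replay window)
    if abs(now_ms - timestamp_ms) > max_skew_ms:
        return False
    # honour the optional expiration when one was supplied
    if expires_ms and now_ms > expires_ms:
        return False
    return True
```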
IETF Updates the vCard Format Specification
Simon Perreault and Peter W. Resnick (eds), IETF Internet Draft
Members of the IETF vCard and CardDAV (VCARDDAV) Working Group have released version -13 of the vCard Format Specification. This document defines the vCard data format for representing and exchanging a variety of information about individuals and other entities (e.g., formatted and structured name and delivery addresses, email address, multiple telephone numbers, photograph, logo, audio clips, etc.).
A companion vCard XML Representation specification defines a corresponding underlying data structure exactly the same as vCard's, enabling a 1-to-1 mapping between the original vCard format and the XML representation. The XML formatting may be preferred in some contexts where an XML engine is readily available and may be reused instead of writing a stand-alone vCard parser. Section 6 of the vCard specification level -13 (vCard Properties) defines an 'XML' property to include extended XML-encoded vCard data in a plain vCard. Its value type: A single text value (default) or a single binary value, with cardinality (0,n). The content of this XML property is a single XML element whose namespace MUST be explicitly specified using the xmlns attribute and MUST NOT be the vCard 4 namespace 'urn:ietf:params:xml:ns:vcard-4.0'. The element is to be interpreted as if it was contained in a 'vcard' markup element. The value type MAY be set to "binary", in which case the ENCODING parameter MUST be used. Support for this property is OPTIONAL, but implementations of this specification MUST preserve instances of this property when propagating vCards...
Changes in the "vCard Format Specification" version -13: Changed global ABNF to make explicit that VERSION comes first; Reworked example for LANGUAGE property; s/TYPE/FMTTYPE/ in two examples; Allow LANGUAGE parameter for text-valued BDAY, DDAY, and RELATED; Tightened language on LANGUAGE parameter regarding cardinality; Removed the NAME property; Adjusted semi-colon escaping rules; Added the ALTID parameter.
The ALTID parameter is now used to tag property instances as being alternative representations of the same logical property. For example, translations of a property into multiple languages generate multiple property instances having different LANGUAGE parameters, which are tagged with the same ALTID value. This parameter's value is treated as an opaque string. Its sole purpose is to be compared for equality against other ALTID parameter values... The PID parameter is now used to identify a specific property among multiple instances. It plays a role analogous to the UID property on a per-property instead of per-vCard basis. It MAY appear more than once in a given property. It MUST NOT appear on properties that may have only one instance per vCard..."
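Three of the -13 rules described above, checked over a constructed vCard: VERSION must come first, the XML property must carry an explicit xmlns that is not the vCard 4 namespace, and ALTID groups alternative representations by opaque string equality. Added example, not code from the draft or the Working Group; the parser assumes unfolded lines and unquoted parameter values.

```python
import re
from collections import defaultdict

VCARD4_NS = "urn:ietf:params:xml:ns:vcard-4.0"

# Constructed sample: two FN translations sharing an ALTID, a PID-tagged TEL,
# and three XML properties of which only the first is valid.
SAMPLE = """BEGIN:VCARD
VERSION:4.0
FN;ALTID=1;LANGUAGE=en:Robert Smith
FN;ALTID=1;LANGUAGE=fr:Robert Dupont
TEL;PID=1.1:tel:+1-555-0100
XML:<note xmlns="http://example.com/ns/demo">extended data</note>
XML:<vcard xmlns="urn:ietf:params:xml:ns:vcard-4.0"/>
XML:<bare>no namespace</bare>
END:VCARD"""


def parse_vcard(text):
    """Split each content line into (NAME, {PARAM: value}, value)."""
    props = []
    for line in text.splitlines():
        head, _, value = line.partition(":")  # first colon ends name+params
        name, *params = head.split(";")
        pdict = {}
        for p in params:
            k, _, v = p.partition("=")
            pdict[k.upper()] = v
        props.append((name.upper(), pdict, value))
    return props


def check_version_first(props):
    """The -13 ABNF makes explicit that VERSION is the first property after BEGIN."""
    return len(props) > 1 and props[0][0] == "BEGIN" and props[1][0] == "VERSION"


def check_xml_property(value):
    """Single element whose xmlns is explicit and is not the vCard 4 namespace."""
    m = re.match(r'<[^\s>/]+[^>]*\bxmlns="([^"]*)"', value)
    if not m:
        return False  # namespace not explicitly specified on the element
    return m.group(1) != VCARD4_NS


def altid_groups(props):
    """Group alternative representations: same name and equal ALTID string."""
    groups = defaultdict(list)
    for name, params, value in props:
        if "ALTID" in params:
            groups[(name, params["ALTID"])].append((params.get("LANGUAGE"), value))
    return dict(groups)


def validate(text):
    props = parse_vcard(text)
    return {
        "version_first": check_version_first(props),
        "xml_ok": [check_xml_property(v) for n, _, v in props if n == "XML"],
        "altid": altid_groups(props),
    }
```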
W3C MashSSL Incubator Group Publishes Final Report
Siddharth Bajaj, Ravi Ganesan, Ben Wilson (eds), W3C XG Report
Members of the W3C MashSSL Incubator Group have concluded their initial chartered activities and have published a MashSSL XG Final Report. This Incubator Group was chartered in October 2009 to create an open security protocol "to solve a fundamental Internet security problem. Specifically, when two web applications communicate through a potentially untrusted user they do not have any standard way of mutually authenticating each other and establishing a trusted channel. The protocol outlined in the report is implementation ready, but needs to be further refined and expanded by a potential W3C Working Group...
The Incubator Group researched and validated the premise that the pattern of two web services communicating through a potentially untrusted user (or untrusted browser) was an extremely common 'pattern', whose prevalence is only likely to increase as mashups become a dominant web application architecture. How do the two web services mutually authenticate and establish a trusted path through an adversary? More critically, how do we achieve this without creating a brand new trust protocol and infrastructure?
Using the cryptographic innovation of a 'friend in the middle', the incubator group created a protocol that uses the widely used and trusted SSL protocol as starting point. The resulting protocol, MashSSL, in addition to inheriting some of SSL's trust properties, can leverage the existing SSL certificate infrastructure. The group defined MashSSL both for the core motivating three party use case, as well as for the two party case, which can someday be used between a browser and a server. In addition, the group advanced SSL by defining a single REQUEST-RESPONSE handshake method of optimizing the SSL abbreviated handshake. Such an optimization is now also being proposed in the IETF TLS community...
MashSSL is a new multi-party protocol that has been expressly designed to inherit, to the extent feasible, the security properties of SSL, and to be able to leverage its trust infrastructure. It is based on the unique insight that the introduction of a legitimate man in the middle into the SSL protocol (aka Friend in the Middle or FITM) actually results in a powerful new protocol, which can solve the core problem we identified and has a number of other applications. And, thanks to the work already done on SSL, MashSSL is lightweight with a short specification designed to be implemented in a RESTful fashion..."
See also: the Charter announcement
CSA Creates Certificate of Cloud Security Knowledge (CCSK) Program
Staff, Cloud Security Alliance Announcement
The Cloud Security Alliance (CSA) has "unveiled the industry's first user certification program for secure cloud computing. The Certificate of Cloud Security Knowledge (CCSK) is designed to ensure that a broad range of professionals with a responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud.
Cloud computing is being aggressively adopted on a global basis as businesses seek to reduce costs and improve their agility. Among the critical needs of the industry is to provide training and certification of professionals to assure that cloud computing is implemented responsibly with the appropriate security controls. The Cloud Security Alliance has developed a widely adopted catalogue of security best practices, the 'Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1'. In addition, the European Network and Information Security Agency (ENISA) white paper 'Cloud Computing: Benefits, Risks and Recommendations for Information Security' is an important contribution to the cloud security body of knowledge. The Certificate of Cloud Security Knowledge (CCSK) provides evidence that an individual has successfully completed an examination covering the key concepts of the CSA guidance and ENISA whitepaper.
eBay, Lockheed Martin and Sallie Mae join many other companies, including ING, Symantec, CA, Trend Micro and Zynga, in their commitment to adoption of the CCSK. Online testing will be available starting September 01, 2010. Members of the CCSK Certification Board include representatives from: CloudAudit, CloudSecurity.org, CSA Israel, CSA Japan, CSA Mumbai, Daimler AG, ISMS Forum Spain/CSA Spain, KPMG, Oracle, Qualcomm, Qualys, Securosis, and Webroot.
The CCSK is a web-based, multiple choice examination of individual competency in key cloud security issues... The CCSK is NOT a substitute for other certifications in information security, audit and governance. Many certification programs help personal development within specific professional roles and job duties, and also provide vetting of individuals, which the CCSK does not do. The CCSK augments these other credentialing programs by encouraging an addition of competency in cloud computing security best practices, which we believe will help individuals better cope with the increasingly pervasive cloud computing issues they are now facing. The Cloud Security Alliance is a strong supporter of popular professional certification programs within our industry and looks forward to developing formalized relationships with these programs in the future..."
See also: the CCSK web site
Using pureXML in SCA Component Development
Jun Xue and Song Nian Shao, IBM developerWorks
Service components that adopt the Service Component Architecture (SCA) programming model use business objects to exchange data among themselves. A business object (BO) is a container for application data, such as a customer or an invoice. How to store and query business objects is therefore a common problem when developing different kinds of SCA components.
DB2 V9 pureXML supports storing and querying Extensible Markup Language (XML) documents in their native hierarchical format. The underlying structure of a business object is an XML schema definition (XSD). You can serialize business objects into an XML document and deserialize them from the XML document using Service Data Object (SDO) APIs.
Instead of the traditional way of accessing a database through a Data Access Object (DAO) pattern with JDBC or Hibernate, this article shows you web services-based access to DB2 using Data Web Services, a new feature provided by IBM Data Studio. In this article, you will learn how to develop SCA components using pureXML web services to store and query business objects with WebSphere Integration Developer.
The sample applications and code snippets help explain the benefits of integrating pureXML web services with SCA components. This article will cover basic principles that you need to know when using pureXML and developing SCA components. You will explore how to expose pureXML web services to access DB2, how to operate with business objects with SDO APIs, and how to call pureXML web services within your SCA component... DB2 pureXML provides intelligent XML data management services without forcing you to transform or shred your XML data into tabular structures behind the scenes. This minimizes administrative overhead, simplifies your database design, and reduces the complexity of your XML applications..."
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/