This issue of XML Daily Newslink is sponsored by:
ISIS Papyrus http://www.isis-papyrus.com
- W3C First Public Working Draft: Permissions for Device API Access
- Extensible Resource Descriptor (XRD) Version 1.0 Submitted for Ballot
- Specification of 3GPP IM CN Subsystem XML Body Handling
- Multilingual Web Workshop Program Published: Madrid 26-27 October 2010
- Vinton Cerf on Trust and the Internet
- How to Do Application Logging Right
- Alfresco 3.4 Delivers Collaborative Web Development, Spring Support
- Cross-Platform Data-Driven Interactive Applications with HTML5 and Ajax
W3C First Public Working Draft: Permissions for Device API Access
Paddy Byers, Frederick Hirsch, Dominique Hazaël-Massieux (eds), W3C Technical Report
The W3C Device APIs and Policy Working Group has released a First Public Working Draft for Permissions for Device API Access. The specification identifies the permissions that are needed to use specific client-side APIs which grant access to sensitive data and operations. This draft represents the early consensus of the group on what identifiable permissions should look like and they encompass. The group is now looking for feedback on this approach, and its applicability to various use cases, including widgets configurations, installable Web applications, existing permissions verifications.
From the Introduction: "A number of Web APIs, in particular those used to access private or sensitive data from the hosting device, are meant to be discoverable, as well as disabled or enabled on a site-by-site or application-by-application basis, depending on the security context. For instance, the feature element as defined in the Widget Packaging and Configuration specification (December 2009 Candidate Recommendation) allows a widget runtime engine to grant access only to the specific APIs that the configuration file of the widget listed. This document identifies and names the various permissions that are attached to existing Web APIs.
Each permission described is identified using a string declared in the specification (provisionally) Where these permissions needed to be identified as a URI (e.g. in a widget configuration file), a URI can be built from these strings by appending that string to the base URI 'http://www.w3.org/ns/api-perms/'. Permissions are defined for the Geolocation API, Contact API Capture API File API, and System Information API.
The W3C Device APIs and Policy Working Group has been chartered to create client-side APIs that enable the development of Web Applications and Web Widgets that interact with devices services such as Calendar, Contacts, Camera, etc. Additionally, the group will produce a framework for the expression of security policies that govern access to security-critical APIs... Devices in this context include also desktop computers, laptop computers, mobile internet devices (MIDs), cellular phones, etc..."
Extensible Resource Descriptor (XRD) Version 1.0 Submitted for Ballot
Eran Hammer-Lahav and Will Norris (eds), Candidate OASIS Standard
Members of the OASIS Extensible Resource Identifier (XRI) Technical Committee have submitted an approved Committee Specification for Extensible Resource Descriptor (XRD) Version 1.0 for consideration as an OASIS Standard. The three required Statements of Use have been presented by XDI.org, Google, and AOL. XRD (Extensible Resource Descriptor) "is a simple generic format for describing resources. Resource descriptor documents provide machine-readable information about resources (resource metadata) for the purpose of promoting interoperability. They also assist in interacting with unknown resources that support known interfaces.
For example, a web page about an upcoming meeting can provide in its descriptor document the location of the meeting organizer's free/busy information to potentially negotiate a different time. The descriptor for a social network profile page can identify the location of the user's address book as well as accounts on other sites. A web service implementing an API protocol can advertise which of the protocol's optional components are supported.
An XRD document MUST (a) be a well-formed XML document as defined by XML 1.0 with a root element of 'XRD> (b) validate against the normative XRD schema (.xsd), and (c) adhere to the additional syntactic constraints defined by Section 1.5, 'Common Data Types'... The XRD schema defines only the elements necessary to support the most common use cases, with the explicit intention that applications will extend XRD as defined in Section 3 ('XRD Extensibility') to include other metadata about the resources and links they describe...
XRD 1.0 is a much simplified version of the XRDS 2.0 OASIS document format. It is fully aligned with the IETF Web Linking RFC, borrowing much from the ATOM format 'link' markup element. XRD has a similar purpose as POWDER from the W3C, but is significantly simpler and optimized for identity and service discovery use cases. It also has some potential overlap with ISO 13250 (Topic Maps), but is much simpler and more appropriate for new web services development. XRD 1.0 is being used by the OASIS WS-Calendar specification proposal, as well as the IETF host-meta proposal..."
See also: the ballot announcement
Specification of 3GPP IM CN Subsystem XML Body Handling
John-Luc Bakker (ed), IETF Internet Draft
IETF has released a revised version of the Specification of 3GPP IM CN Subsystem XML Body Handling, published as Experimental. This document registers new disposition-types for the Content-Disposition header field that apply to the application/3gpp-ims+xml body used by 3GPP. The 3rd Generation Partnership Project (3GPP) was originally scoped "to produce Technical Specifications and Technical Reports for a 3G Mobile System based on evolved GSM core networks and the radio access technologies that they support (i.e., Universal Terrestrial Radio Access (UTRA) both Frequency Division Duplex (FDD) and Time Division Duplex (TDD) modes). The scope was subsequently amended to include the maintenance and development of the Global System for Mobile communication (GSM) Technical Specifications and Technical Reports including evolved radio access technologies (e.g. General Packet Radio Service (GPRS) and Enhanced Data rates for GSM Evolution (EDGE))."
As to the revised I-D: "The 'application/3gpp-ims+xml' body has the following three distinct uses: (1) for redirecting the emergency session to use a different domain (e.g. using a Circuit Switched call), (2) for delivering user profile specific information from the SIP registrar to an Application Server, and (3) for causing a UAC to attempt to re-register with the IMS. In the IMS it is possible that a UA attempts to place an emergency call when the IMS network does not support emergency services. The edge proxy detects the emergency call and can redirect the UE using a SIP 380 (Alternative Service) to place the emergency call using another domain (e.g. using a Circuit Switched network) or using another registeration context (e.g. one established using '"SOS Uniform Resource Identifier (URI) Parameter for Marking of Session Initiation Protocol (SIP) Requests related to Emergency Services', if a type XML element in the MIME body is set to "emergency"...
This document makes certain assumptions regarding network topology and the existence of transitive trust. These assumptions are generally not applicable in the Internet as a whole. The mechanism specified here was designed to satisfy the requirements specified by the 3rd Generation Partnership Project for IP multimedia subsystem (IMS) for which either no general-purpose solution was found, where insufficient operational experience was available to understand if a general solution is needed, or where a more general solution is not yet mature.
The document therefore registers new disposition-types for the Content-Disposition header field that apply to the 'application/3gpp-ims+xml' body used by 3GPP, and are to be registered in the IANA registry for Mail Content Disposition Values and Parameters: (1) '3gpp-alternative-service' - the body contains 3GPP IM CN subsystem XML with the 'alternative-service' XML element as described in Section 4.1; (2) '3gpp-service-info' - the body contains 3GPP IM CN subsystem XML with the 'service-info' XML element as described in Section 4.2..."
See also: the 3rd Generation Partnership Project
Multilingual Web Workshop Program Published: Madrid 26-27 October 2010
Staff, W3C Announcement
"The MultilingualWeb Project, funded by the European Commission and coordinated by the W3C, is looking at best practices and standards related to all aspects of creating, localizing and deploying the multilingual Web. The project will raise visibility of what's available and identify gaps via a series of four events, over two years.
The first Workshop takes place in Madrid, Spain on 26-27 October 2010. It is free and open to the public. A first view of the workshop program has just been published.
Speakers represent a wide range of organizations and interests, including: BBC, DFKI, European Commission, Facebook, Google, Loquendo, LRC, Microsoft, Mozilla, Opera, SAP, W3C, WHO, and the World Wide Web Foundation. Session titles include: Developers, Creators, Localizers, Machines, and Users. The Workshop should provide useful cross-domain networking opportunities.
The workshop is expected to attract a broad set of stakeholders, including managers and practitioners working in the areas of content development, design, localization, and production management; developers of tools such as translation tools, content management systems, editors, etc; researchers and developers working with language technology and resources; browser implementors; standards and industry body representatives; and many more. The interchange of information and perspectives from this diverse group is expected to provide a more thorough picture of the existing landscape for multilingualism on the Web..."
See also: the earlier CFP
Vinton Cerf on Trust and the Internet
Vinton G. Cerf, IEEE Internet Computing
Trust is essential to most human transactions. A decision to trust is usually associated with an explicit or implicit assessment of risk. If risk is low, it's easier to trust; if risk is high, trust is generally less willingly assumed. The use of credit cards for transactions illustrates some methods for risk mitigation—for example, credit-card issuers indemnify their users for anything over US$50 in personal liability, assuming the loss is reported promptly. This both reduces risk and promotes use. The merchant pays fees based on the credit-card issuer's assessment of the merchant's practices (face-to-face, over the phone, and over the Internet transactions have different degrees of validation and associated risk).
It's worth observing that trust doesn't always scale well. We can establish trust among a small group of people known to us, but it's harder to achieve trusting relationships on a larger scale. How do trust notions apply to the Internet? The Internet is nearly 2 billion users probably trust the Internet's applications more than they should but don't engage in risk mitigation practices as much as they should. They use easily guessed passwords, frequently the same one for many accounts.
We know that there are compromises of the systems we use, and we know that personal computers can be compromised. But we assume this won't happen to us, even though there's no good basis for that belief. Even without all the various malware attacks and password- guessing incidents, computers and thumb drives are lost every day, most of them containing personal information or, worse, personal information about others. [So we need] cryptographically supported, one-time passwords so that exposure doesn't create a significant opportunity for reuse. Ideally, such a device could contain multiple identities and the capability to generate one-time passwords for each of them so that a single device can support distinct, strong authentication for different services. This might be done through biometrics or a password that activates it... Alternatively, we might use public-key cryptographic methods to perform mutual authentication through the exchange of random, encrypted challenges. For this method to work, we must know and trust the other party's public key.
A high percentage of all the cash dispensed in the US is taken from ATMs via conventional, magnetic stripe cards. If the banks concluded that smart cards that could produce non-reusable authenticators would make for a more secure system, it seems likely that most users would agree to use the smart cards for purposes of cash withdrawal. Once an infrastructure of smart cards and readers for use by the general public is in place, you could imagine a wide range of additional functions that could be enabled. Transactions requiring more than casual authentication might be supportable in such a system. If the cards were capable of holding more than one identity and strong authenticators for each, they would represent one possible implementation of the ideas discussed here..."
How to Do Application Logging Right
Anton Chuvakin and Gunnar Peterson, IEEE Security and Privacy
"As threats shift toward applications and as more companies struggle with compliance mandates, the need for useful, comprehensive application logging can only increase... Problems with many application logs are truly staggering. Logs are often missing, they omit critical details, or they have no standard form or content. On top of this, many security practitioners must deal with debugging logs masquerading as security audit logs. [In this article] we provide guidance on application logging to application developers and architects and to security professionals.
So, what types of events should you log? The first type is authentication, authorization, and access events... The second type is changes... The third type is availability issues... The fourth type is resource issues... The fifth type is 'badness' or threats... Typically, logging subsystems are placed to detect events around sensitive assets, which means that they'll come into contact with sensitive data. Sanitizers can filter and remove sensitive data from logs. A sanitizer's location is important because it determines whether sensitive data is filtered by the log browser or removed from persistent storage (sensitive data is never stored in the log).
Most systems store logs inside the enterprise, but as with many IT areas, the cloud offers new opportunities and potential solutions and problems. The cloud has proven to be an effective way to store data. However, because in the cloud storage model, the data is stored and possibly processed outside enterprise security, challenges remain owing to requirements for encryption and other controls. For example, PCI DSS provides a starting point for log storage requirements, but meeting them might be difficult in a cloud model....
Certainly, logging standards such as Mitre Common Event Expression will help, but several years might pass before they develop and their adoption increases. Pending a global standard, organizations should quickly build and implement their own standard using the guidelines we presented. They should also use standard-language APIs, libraries, and logging mechanisms while ensuring that their logs record all relevant information..."
Alfresco 3.4 Delivers Collaborative Web Development, Spring Support
Darryl K. Taft, eWEEK
"Alfresco, which provides an open platform for social content management, has announced the availability of its latest version, Alfresco Community 3.4, for download. Alfresco 3.4 expands the company's open source and open standards-based content management platform with new tools and services for Spring Framework developers. Alfresco 3.4 also features Web Quick Start for easy Website deployment and content integration with enterprise portals. This builds on Alfresco's strategy of offering a content platform that delivers the flexibility and affordability required across the enterprise..."
According to the text of the announcement: "Key product capabilities for the Alfresco Community 3.4 release include (1) Collaborative Web Authoring, where Alfresco Web Quick Start is a set of out-of-the-box templates for building content-rich websites on top of Alfresco Share; Quick Start combines the power of Alfresco Share for web team collaboration, with powerful content authoring and publishing services like in-context web editing. (2) Office-to-Web Framework, where Using Microsoft's Office SharePoint Protocol and CIFS (shared file drive), along with a new API integration with Google Docs, users can now author documents in their native office suite, collaborate in Alfresco or Google Docs, transform and re-purpose if required, and then publish straight to the web... (3) Web Content Services for Spring - Built using the popular Spring and Spring Surf frameworks, Alfresco now offers key content management services that can be accessed via OpenCMIS and integrated into any web application. (4) Integration with Enterprise Portals and Social Software, where the new DocLib portlets allow seamless integration with enterprise portals like Liferay, Quickr and Confluence; using Single Sign On (SSO), the portlets provide access to both content and project repositories from within any JSR-168 compliant portal. (5) Distributed Content Replication - Native support for content replication allows organizations to run federated content repositories...
John Newton, Alfresco CTO: 'The demand for collaboration and social sharing around enterprise content is rising—and content that was once meant just for the intranet is now being repurposed for the public web, external portals or even to destination sites across the web. Through our implementation of CMIS (OASIS Content Management Interoperability Services Version 1.0) as a core standard and new features in Alfresco 3.4, our content services platform can now manage and deliver enterprise content to any internal or external application in a way that traditional, monolithic ECM products can't enable without significant time and expense'...
Alfresco has seen major adoption of its open source and open standards content management platform throughout the world, with more than two million downloads of Alfresco Community. Alfresco Community is a free-to-download, free-to-use version developed on an open source stack that runs on Windows, Linux or Mac. Alfresco Community members are able to access and share knowledge on the Alfresco Wiki and Forums and contribute extensions on the Alfresco Forge..."
See also: the announcement
Cross-Platform Data-Driven Interactive Applications with HTML5 and Ajax
Liza Daly, IBM developerWorks
"As the number of mobile platforms increases, developing cross-platform standards-based applications becomes increasingly attractive. HTML5 offers the ability to write complete mobile-friendly applications that include offline use, just like their native-application counterparts. This article explores how to create offline-capable web applications using only open source tools and techniques familiar to web developers.
The sample application developerd here is designed for use on a wide range of desktop and mobile devices. The application includes the ability to remain accessible while offline. That ability is enabled by including the manifest attribute. The cache manifest typically contains two sets of resources: (1) A list of resources required to be cached for offline use; (2) A list of resources that may only be available when the document is online...
XML Daily Newslink and Cover Pages sponsored by:
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Newsletter subscribe: firstname.lastname@example.org
Newsletter unsubscribe: email@example.com
Newsletter help: firstname.lastname@example.org
Cover Pages: http://xml.coverpages.org/