Date: Tue, April 08, 2008 07:02:30 AM
From: Robin Cover
Subject: XML Daily Newslink. Monday, 07 April 2008
XML Daily Newslink. Monday, 07 April 2008
A Cover Pages Publication http://xml.coverpages.org/
Provided by OASIS http://www.oasis-open.org
Edited by Robin Cover
====================================================
This issue of XML Daily Newslink is sponsored by
IBM Corporation http://www.ibm.com
====================================================
HEADLINES:
* Danish Agency Publishes Evaluation of SSO Open Standards Support
* Unicode Consortium Announces Release of Unicode Standard Version 5.1
* XML Schema for Media Control
* Web Security Context: Experience, Indicators, and Trust
* XACML Interoperability Demo for Health Care Scenario
* Concordia Project Demonstrates Multi-Protocol Interoperability
* RSA Conference 2008: Concordia Done, OSIS To Go
* SaaS Single Sign-On: It's Time for a Lighter Approach
* Web Oriented Architecture (WOA) May Soon Eclipse SOA
* XML and Government Schizophrenia
----------------------------------------------------------------------
Danish Agency Publishes Evaluation of SSO Open Standards Support
Announcement, Danish National IT and Telecom Agency
An April 03, 2008 press release from the Danish National IT and
Telecom Agency (IT- og Telestyrelsen) announced the publication of a
92-page report titled "Evaluation of Ten Standard Setting Organizations
with Regard to Open Standards." This special study by IDC was
commissioned to evaluate the degree of "openness" of the leading
standard setting organizations. The study was conducted in support of
the Danish parliament's "Parliamentary Resolution B103", unanimously
adopted on 02-June-2006, on the use of open standards for software in
the public sector. The Resolution instructed the Danish Government to
ensure that the public sector's use of information technology, including
the use of software, should be based on open standards. Ten standard
setting organizations were evaluated and all organizations had the
opportunity to review and comment on the evaluation of their organization.
The ten organizations are: CEN, Ecma, ETSI, IETF, ISO, ITU, NIST, OASIS,
OMG, and W3C. Standards organizations are generally aware of the need
of openness because they all aim at providing successful, widely
accepted standards. However, the concepts of openness and consensus
have been implemented using different models that relate to the type
of organization, their formal foundation and their degrees of
formalization. The definition of "open standards" was specified to
consist of three criteria: (1) The standard is fully documented and
accessible by public [Open documentation]; (2) The standard should be
free to implement without economical, political or legal restrictions --
now as well as in the future [Open IPR, Open access, Open
interoperability]; (3) The standard is managed and maintained in an
open forum through an open process [Open meeting; Consensus; Due process;
Open change; Ongoing standards support].
http://xml.coverpages.org/openStandards.html#AndersenIDC-OpenSSO
----------------------------------------------------------------------
Unicode Consortium Announces Release of Unicode Standard Version 5.1
Staff, Unicode Consortium Announcement
The Unicode Consortium has announced the release of Unicode Version 5.1,
which contains over 100,000 characters and provides significant additions
and improvements that extend text processing for software worldwide.
Some of the key features are: increased security in data exchange,
significant character additions for Indic and South East Asian scripts,
expanded identifier specifications for Indic and Arabic scripts,
improvements in the processing of Tamil and other Indic scripts,
linebreaking conformance relaxation for HTML and other protocols,
strengthened normalization stability, new case pair stability, plus
others given below. The Version 5.1.0 data files and documentation are
final and posted on the Unicode site. In addition to updated existing
files, implementers will find new test data files (for example, for
linebreaking) and new XML data files that encapsulate all of the Unicode
character properties. A major feature of Unicode 5.1.0 is the enabling
of ideographic variation sequences. These sequences allow standardized
representation of glyphic variants needed for Japanese, Chinese, and
Korean text. Unicode 5.1 contains significant changes to properties and
behavioral specifications. Several important property definitions were
extended, improving linebreaking for Polish and Portuguese hyphenation.
The Unicode Text Segmentation Algorithms, covering sentences, words,
and characters, were greatly enhanced to improve the processing of Tamil
and other Indic languages. The Unicode Normalization Algorithm now
defines stabilized strings and provides guidelines for buffering.
Standardized named sequences are added for Lithuanian, and provisional
named sequences for Tamil. Unicode 5.1.0 adds 1,624 newly encoded
characters. These additions include characters required for Malayalam
and Myanmar and important individual characters such as Latin capital
sharp s for German. Version 5.1 extends support for languages in Africa,
India, Indonesia, Myanmar, and Vietnam, with the addition of the Cham,
Lepcha, Ol Chiki, Rejang, Saurashtra, Sundanese, and Vai scripts. The
Unicode Collation Algorithm (UCA), the core standard for sorting all
text, is also being updated at the same time. The major changes in UCA
include coverage of all Unicode 5.1 characters, tightened conformance
for canonical equivalence, clearer definitions of internationalized
search and matching, specifications of parameters for customizing
collation, and definitions of collation folding. The next version of
the Unicode locale project (CLDR) is also being prepared on the basis
of Unicode 5.1, and is now open for public data submission.
http://xml.coverpages.org/UnicodeV51.html
See also XML and Unicode: http://xml.coverpages.org/unicode-xml.html
----------------------------------------------------------------------
XML Schema for Media Control
Orit Levin (et al., eds), IETF Informational RFC
IETF announced that a new Request for Comments "XML Schema for Media
Control" is now available in online RFC libraries. The specification
has been produced by members of the IETF Multiparty Multimedia Session
Control (MMUSIC) Working Group. The RFC 5168 document defines an
Extensible Markup Language (XML) Schema for video fast update in a
tightly controlled environment, developed by Microsoft, Polycom,
Radvision and used by multiple vendors. This document describes a
method that has been deployed in Session Initiation Protocol (SIP)
based systems over the last three years and is being used across
real-time interactive applications from different vendors in an
interoperable manner. New implementations are discouraged from using
the method described except for backward compatibility purposes. New
implementations are required to use the new Full Intra Request command
in the RTP Control Protocol (RTCP) channel. The Multiparty MUltimedia
SessIon Control (MMUSIC) Working Group was chartered to develop
protocols to support Internet teleconferencing and multimedia
communications. These protocols are now reasonably mature, and many
have received widespread deployment. The group is now focussed on
the revisions of these protocols in the light of implementation
experience and additional demands that have arisen from other WGs
(such as AVT, SIP, SIPPING, and MEGACO)... The MMUSIC work items
are pursued in close coordination with other IETF WGs related to
multimedia conferencing and IP telephony (AVT, SIP, SIPPING, SIMPLE,
XCON, MEGACO and, where appropriate, MIDCOM and NSIS).
http://xml.coverpages.org/IETF-RFC-5168.txt
See also the IETF Multiparty Multimedia Session Control Status Pages: http://tools.ietf.org/wg/mmusic/
----------------------------------------------------------------------
Web Security Context: Experience, Indicators, and Trust
Thomas Roessler and Anil Saldhana (eds), W3C Technical Report
Members of the W3C Web Security Context Working Group have published
a revised version of the Working Draft specification "Web Security
Context: Experience, Indicators, and Trust." It defines guidelines
and requirements for the presentation and communication of Web security
context information to end-users; and good practices for Web Site
authors. To facilitate access to relevant background, various sections
of this document are annotated with references to input documents that
are available from the Working Group's Wiki, and to pertinent issues
that the group is tracking. The documents in the wiki include background,
motivation, and usability concerns on the proposals that reference them.
They provide important context for understanding the potential utility
of the proposals. The W3C Web Security Context Working Group focuses on
the challenges that arise when users encounter currently deployed
security technology, such as TLS: While this technology achieves its
goals on a technical level, attackers' strategies shift towards
bypassing the security technology instead of breaking it. When users
do not understand the security context in which they operate, then it
becomes easy to deceive and defraud them.
See also the W3C Web Security Context Working Group: http://www.w3.org/2006/WSC/
----------------------------------------------------------------------
XACML Interoperability Demo for Health Care Scenario
Staff, OASIS Announcement
At the RSA 2008 Conference, members of the OASIS open standards
consortium, in cooperation with the Health Information Technologies
Standards Panel (HITSP), demonstrated interoperability of the
Extensible Access Control Markup Language (XACML) version 2.0.
Simulating a real world scenario provided by the U.S. Department of
Veterans Affairs, the demo showed how XACML ensures successful
authorization decision requests and the exchange of authorization
policies. The XACML Interop at the RSA 2008 conference utilizes
requirements from Health Level Seven (HL7), ASTM International, and
the American National Standards Institute (ANSI). The demo features
role-based access control (RBAC), privacy protections, structured
and functional roles, consent codes, emergency overrides and filtering
of sensitive data. Vendors show how XACML obligations can provide
capabilities in the policy decision making process. The use of XACML
obligations and identity providers using the Security Assertion
Markup Language (SAML) are also highlighted. According to the
ANSI/HITSP announcement, the multi-vendor demonstrations "highlight
the use of OASIS standards in HITSP-approved guidelines, known as
'constructs,' to meet healthcare security and privacy needs. The
Panel's security and privacy specifications address common data
protection issues in a broad range of subject areas, including
electronic delivery of lab results to a clinician, medication workflow
for providers and patients, quality, and consumer empowerment. HITSP
is a multi-stakeholder coordinating body designed to provide the
process within which affected parties can identify, select, and
harmonize standards for communicating health care information throughout
the health care spectrum. As mandated by the U.S. Department of Health
and Human Services (HHS), the Panel's work supports Use Cases defined
by the American Health Information Community (AHIC). 'This is the first
time the RSA Conference will highlight in an Interop demo the healthcare
scenario, the Electronic Health Records (EHR), and associated
interoperable terminologies of clinical roles, patient consent
directives, obligations, and business logic,' said John (Mike) Davis,
standards architect with the VHA Office of Information in the Department
of Veterans Affairs, and a member of the HITSP Security, Privacy and
Infrastructure Technical Committee."
http://xml.coverpages.org/XACML-HealthCareInterop.html
See also the HITSP announcement: http://www.ansi.org/news_publications/news_story.aspx?admin=1&articleid=1778
----------------------------------------------------------------------
Concordia Project Demonstrates Multi-Protocol Interoperability
Staff, Concordia Project Announcement
The Concordia Project, a global cross-industry initiative formed by
members of the identity community to drive harmonization and
interoperability among identity initiatives and protocols, announced
its first interoperability event taking place at RSA Conference 2008
in San Francisco on Monday, April 7 from 9:00am - 12:30pm. The event
will include FuGen Solutions, Internet2, Microsoft, Oracle, Ping
Identity, Sun Microsystems and Symlabs demonstrating varying
interoperability scenarios using Information Card, Liberty Alliance,
and WS-* identity protocols. Over 500 RSA Conference participants have
registered to attend the Concordia Project interoperability event to
date. The April 7 demonstrations have been developed to meet use case
scenarios presented to the Concordia Project by enterprise, education
and government organizations deploying digital identity management
systems and requiring multi-protocol interoperability of identity
specifications. Since the formal launch of the Concordia Project in
June of 2007, deployer use case scenarios involving Information Card,
Liberty Alliance and WS-* identity protocols have been presented by
AOL, the Government of British Columbia, Boeing, Chevron, General
Motors, Internet2, the New Zealand State Services Commission, the US
GSA and the University of Washington. Concordia members decided
collectively on what interoperability demonstrations should be developed
first based on identity management commonalities and priorities
identified by the majority of deploying organizations. During the RSA
Conference event, Concordia members will demonstrate multi-protocol
interoperability based on two of the fourteen use case scenarios
submitted to the project to date. The first includes Oracle, Internet2,
FuGen Solutions, Microsoft, Ping Identity, Sun Microsystems and Symlabs
and is characterized by a user authenticating to an identity provider
(IdP) using an InfoCard and communicating that authentication to a
relying party through either SAML 2.0 or WS-Federation protocols. The
second includes Internet2, Oracle, Sun Microsystems and Symlabs
demonstrating SSO flow between chained SAML and WS-Federation protocols.
http://xml.coverpages.org/ConcordiaRSA2008.html
----------------------------------------------------------------------
RSA Conference 2008: Concordia Done, OSIS To Go
Pat Patterson, Identity Management Blog
The author blogs on the Project Concordia workshop held at RSA 2008
on 2008-04-07, showing SAML 2.0/WS-Federation single sign-on from a
service provider to an identity provider, the identity provider
authenticating the user via a managed information card and sending
claims from the card to the service provider as SAML 2.0 attributes.
Note that not every combination of SAML 2.0/WS-Federation SP, IdP and
Information Card STS completely works, but enough that the approach was
proven. Slides from the "Concordia/RSA Interop Demo" describe the
products involved. OpenSSO primarily attracts enterprises interested in
deploying a web access management or federation solution using open
source tools. An Information Card RP Extension has been contributed
by Patrick Petit. The OSIS (Open Source Identity Systems) demonstration
shows the OSIS user-centric identity network interoperability between
identity providers, card selectors, browsers and websites, and demonstrates
how users can 'click-in' to sites via self-issued and managed
information cards, or i-cards. Open ID, Higgins Identity Framework,
Microsoft CardSpace, SAML, WSTrust, Kerberos and X.509 components
interoperate within an identity layer from open-source parts...
http://blogs.sun.com/superpat/entry/rsa_conference_2008_concordia_done
See also the slides: http://blogs.sun.com/superpat/resource/ConcordiaRSA0408.pdf
----------------------------------------------------------------------
SaaS Single Sign-On: It's Time for a Lighter Approach
Kjell Backlund, SYS-CON SEO/SEM Journal
SaaS brings a lot of advantages to businesses - no need to invest in
purchasing and maintaining licenses and infrastructure, and no need
to worry about upgrades and bug fixes. Larger companies, however, face
a major challenge related to user authentication and management. Larger
companies have invested a lot of time and effort in improving user
productivity, compliance and security, and in cutting user management
costs. They have done so using technologies like single sign-on and
centralized user management. SaaS applications are now challenging
those efforts and threatening to bring them back to the situation
where every user has several different usernames and passwords and
the customers have several different user directories to maintain.
Currently there are a few common ways for SaaS providers to give users
single sign-on and/or to let customers use their internal user management
solutions to manage access to the SaaS application: (1) Identity
federation; (2) Delegated authentication; (3) Encrypted links; (4)
User directory synchronization. Identity federation, as a concept,
is exactly what is needed -- SaaS providers can offer customers single
sign-on and automated user management based on current information in
their internal user directory. Identity federation based on SAML,
WS-Federation or ADFS, however, requires each customer to invest in
and roll out software compliant with those technologies... Delegated
authentication provides users single sign-on by using an existing
logon, for instance on a corporate intranet, to generate tokens that
can be used to grant access to a SaaS application. However, delegated
authentication does not bring any help to maintenance of user profiles
and access rights, which still have to be maintained manually in the
application. It also requires time and technical resources by the
customer... Google Analytics, the SaaS application for monitoring web
site usage, offers a different and interesting view to the problem.
Each Analytics customer needs to integrate Analytics with its web site
in order to be able to collect and monitor usage statistics. By
choosing a scripting integration model requiring only a few lines of
JavaScript on the web pages, Google managed to lower the requirements
on the customers' web sites and the technical skills required to do
the integration. As a result, they managed to get hundreds of thousands
of customers in 18 months...
http://search.sys-con.com/read/536995.htm
----------------------------------------------------------------------
Web Oriented Architecture (WOA) May Soon Eclipse SOA
Dana Gardner, ZDNet Blog
A recent blog post questions whether services oriented architecture
(SOA) was driving substantive transformation inside of enterprise IT.
My conclusion is that something is not quite right in SOA-ville. The
uptake of general-purpose service enablement is by no means a hockey
stick trend line. The adoption patterns some five years into the SOA
evolutionary path do not show a slam dunk demand effect. The role,
impact and importance of SOA is, in fact, ambiguous -- still. Many
see it as merely an offshoot of EAI, rather than a full-blown paradigm
shift. Meanwhile, some other trends that do demonstrate more of a
hockey stick adoption pattern -- social media, Ruby/Python, RESTful
interactions, and RIAs -- are worth a fresh look in the context of SOA.
The new kids on the innovation block are experimenting at break-neck
speed with social media, social networking, Ruby on Rails, SaaS, Python,
REST and the vital mix of rich Internet application (RIA) approaches.
Something is going on here that shows the compelling attraction of
better collaboration and sharing methods, of self-defining social and
work teams, of faster and easier applications development, of not
moving old systems to the Web but just moving to the Web directly, and
the recognition that off-the-wire applications with fine UIs are the
future... I'm wondering now whether the window for holistic SOA
deployment and value, as it has been classically defined, is being
eclipsed. Is it possible that Web interfaces and data disintermediation
for legacy applications will be enough? Is it possible that exposing
the old applications, and reducing costs of IT support via consolidation
and modernization is enough? In short, is the path of least resistance
to business transformation one that necessarily requires a fording of
the SOA stream? Or is there a shorter, dry path that goes directly to
Web oriented architecture? Is SOA therefore the impediment or empowerment
to transformation on the right scale and at Internet time?
http://blogs.zdnet.com/Gardner/?p=2631
----------------------------------------------------------------------
XML and Government Schizophrenia
Michael C. Daconta, O'Reilly Opinion
The U.S. Government is very leery of technology fads and that is why
it often has a love/hate relationship with XML. For every technology
that exists, the government has a huge legacy investment. So, while the
corporate world may turn on a dime and quickly adopt the latest and
greatest thing -- the government must contend with huge legacy issues,
a two-year (minimum) budget planning cycle, and a horde of technologists
actively engaged and personally invested in that legacy technology that
you want to throw away! [...] Let me briefly discuss a program that I
initiated when working for the Department of Homeland Security (DHS).
The National Information Exchange Model (NIEM) started as a joint-venture
between DHS and the Department of Justice (DOJ) to harmonize and speed
up the process of information sharing between the federal government
and state and local governments -- actually State, Local and Tribal
governments. The basic idea is that it combines a registry of standard
data objects (modeled via XML Schema), a process for quickly producing
an exchange message, a governance process for the model, and robust tool
support. The model leveraged and extended an existing model called the
Global Justice XML Data Model (GJXDM). It is widely used by law
enforcement at all levels of government and now is also being widely
used at DHS. It has multiple success stories behind it including the
Amber Alert and the national sex offender registry. I highly encourage
everyone to look at it and help make it better. So, what does this mean
for Government Schizophrenia? For information sharing, XML is a favorite
but is attacked continuously in relation to weak data modeling support,
weak encoding of binary objects, performance issues, and many more...
http://www.oreillynet.com/xml/blog/2008/04/xml_and_government_schizophren.html
See also the NIEM web site: http://www.niem.gov/
----------------------------------------------------------------------
XML Daily Newslink and Cover Pages are sponsored by:
BEA Systems, Inc. http://www.bea.com
EDS http://www.eds.com
IBM Corporation http://www.ibm.com
Primeton http://www.primeton.com
SAP AG http://www.sap.com
Sun Microsystems, Inc. http://sun.com
----------------------------------------------------------------------
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter archive: http://xml.coverpages.org/newsletterArchive.html
Newsletter subscribe: newsletter-subscribe@xml.coverpages.org
Newsletter ***: newsletter-***@xml.coverpages.org
Newsletter help: newsletter-help@xml.coverpages.org
Cover Pages: http://xml.coverpages.org/
----------------------------------------------------------------------

